Secrets Manager IAM engine module

Use this module to configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.

The module supports the following operations:

• Creates a new Service ID.
• Assigns the new Service ID "Editor" role access for iam-groups.
• Assigns the new Service ID "Operator" and "Service ID creator" role access for iam-identity.
• Creates a new API key for the Service ID.
• Optionally creates a secrets group, if an existing one is not passed in.
• Creates a new arbitrary secret in the Secret Group with the generated Service ID API key value. Because it is an arbitrary secret, the IAM engine does not create the key or manage its rotation.
• Configures the Secret Manager instance with the IAM credentials engine using the Service ID API key.

Overview

• terraform-ibm-secrets-manager-iam-engine
• Examples
  • Basic example
  • Private only example
• Contributing

terraform-ibm-secrets-manager-iam-engine

Usage

provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXXXXX"
  region           = "us-south" # secrets manager instance region
}

module "iam_secrets_engine" {
  source               = "terraform-ibm-modules/secrets-manager-iam-engine/ibm"
  version              = "X.X.X"  # Replace "X.X.X" with a release version to lock into a specific release
  region               = "us-south"  # secrets manager instance region
  iam_engine_name      = "iam-engine"
  secrets_manager_guid = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

Required IAM access policies

You need the following permissions to run this module.

• Account Management
  • IAM Access Groups service
    • Editor platform access
  • IAM Identity service
    • Operator platform access
    • Service ID creator service access if the service id creation is disabled in the iam settings
  • Resource Group service
    • Viewer platform access
• IAM Services
  • Secrets Manager service
    • Administrator platform access
    • Manager service access

Requirements

Name	Version
terraform	>= 1.3.0
ibm	>= 1.76.0, <2.0.0

Modules

Name	Source	Version
secrets_manager_group_acct	terraform-ibm-modules/secrets-manager-secret-group/ibm	1.2.2
secrets_manager_secret_iam_secret_generator_apikey	terraform-ibm-modules/secrets-manager-secret/ibm	1.7.0

Resources

Name	Type
ibm_iam_service_api_key.iam_serviceid_apikey	resource
ibm_iam_service_id.iam_secret_generator	resource
ibm_iam_service_policy.iam_secret_generator_policy1	resource
ibm_iam_service_policy.iam_secret_generator_policy2	resource
ibm_sm_iam_credentials_configuration.sm_iam_engine_configuration	resource

Inputs

Name	Description	Type	Default	Required
display_iam_secret_generator_apikey	Set to true to display the iam_secret_generator_apikey serviceID API Key in output. Should only be used by account admins.	bool	false	no
endpoint_type	The endpoint type to communicate with the provided secrets manager instance. Possible values are public or private	string	"public"	no
existing_secret_group_id	The ID of an existing secret group that the Service ID (used to configure IAM secret engine) apikey secret will be added to. If null, a new group is created using the value in var.new_secret_group_name.	string	null	no
iam_engine_name	The name of the IAM Engine to create.	string	n/a	yes
iam_secret_generator_apikey_description	Description of ServiceID API Key to be created for Secrets Manager IAM Secret engine	string	"ServiceID API Key to be created for Secrets Manager IAM Secret engine"	no
iam_secret_generator_apikey_name	Name of ServiceID API Key to be created for Secrets Manager IAM Secret engine	string	"iam-secret-generator-apikey"	no
iam_secret_generator_apikey_secret_labels	Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|).	list(string)	[]	no
iam_secret_generator_apikey_secret_name	Name of the secret to add to secrets-manager which contains the ServiceID API Key	string	"iam-secret-generator-apikey-secret"	no
iam_secret_generator_service_id_name	Optionally override the name of the Service ID that will be created to configure the secrets-manager IAM secret engine. If null, the default value will be "sid:0.0.1:${secrets_manager_name}-iam-secret-generator:automated:simple-service:secret-manager:"	string	null	no
new_secret_group_name	The name of a new secret group to create. This is the group that the Service ID (used to configure IAM secret engine) apikey secret will be added to. Ignored if value passed for var.existing_secret_group_id.	string	"account-secret-group"	no
region	The region in which the secrets-manager instance exists.	string	n/a	yes
secrets_manager_guid	The GUID of the secrets-manager instance.	string	n/a	yes

Outputs

Name	Description
acct_secret_group_id	ID of created group_acct secret-group
iam_secret_generator_apikey	API Key value of ServiceID used to configure the Secrets-Manager IAM engine
iam_secret_generator_apikey_secret_id	Secret ID containing IAM secret generator serviceID API key

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.