# Variable validation - approach based on https://stackoverflow.com/a/66682419
# Fails the plan when neither an existing secret group ID nor a new group name
# is supplied: in that case regex() is asked to match the message pattern
# against an empty string, which cannot succeed, and the failing expression
# surfaces validate_group_msg to the user.
locals {
  validate_group_msg = "A value must be passed for either var.existing_secret_group_id or var.new_secret_group_name"
  # true when both inputs are absent (null, or an empty string for the name)
  validate_group_cnd = var.existing_secret_group_id == null && (var.new_secret_group_name == null || var.new_secret_group_name == "")
  # tflint-ignore: terraform_unused_declarations
  validate_group_code_chk = regex(
    format("^%s$", local.validate_group_msg),
    local.validate_group_cnd ? "" : local.validate_group_msg
  )
}
# Create ServiceID to be used in SM IAM engine
locals {
  # A caller-supplied name wins; otherwise build a deterministic name that
  # embeds the Secrets Manager instance GUID.
  service_id_name = (
    var.iam_secret_generator_service_id_name != null
    ? var.iam_secret_generator_service_id_name
    : format("sid:0.0.1:%s-iam-secret-generator:automated:simple-service:secret-manager:", var.secrets_manager_guid)
  )
}
# The service identity whose API key the Secrets Manager IAM engine will use.
resource "ibm_iam_service_id" "iam_secret_generator" {
  description = "ServiceID that can generate IAM ServiceID API Keys stored in Secrets Manager secrets"
  name        = local.service_id_name
}
# Create ServiceID policies to generate IAM secrets
resource "ibm_iam_service_policy" "iam_secret_generator_policy1" {
  # Editor on the IAM access-groups service (iam-groups).
  # NOTE(review): Editor lets this service ID change access-group membership;
  # confirm it is the minimum the IAM credentials engine needs for the secrets
  # it will generate, since the key granting it is stored below.
  roles          = ["Editor"]
  iam_service_id = ibm_iam_service_id.iam_secret_generator.id

  resources {
    service = "iam-groups"
  }
}
# create policy for iam identity service.
locals {
  # Roles granted on iam-identity: Operator plus the ability to create service IDs.
  iam_identity_roles = [
    "Operator",
    "Service ID creator",
  ]
}
# Policy on the IAM identity service; presumably what the engine needs to
# create the service IDs / API keys behind generated secrets.
resource "ibm_iam_service_policy" "iam_secret_generator_policy2" {
  roles          = local.iam_identity_roles
  iam_service_id = ibm_iam_service_id.iam_secret_generator.id

  resources {
    service = "iam-identity"
  }
}
# API key for the generator service ID; its value is read below into local.apikey.
# Note the key is bound via the service ID's iam_id, not its resource id.
resource "ibm_iam_service_api_key" "iam_serviceid_apikey" {
  iam_service_id = ibm_iam_service_id.iam_secret_generator.iam_id
  name           = var.iam_secret_generator_apikey_name
  description    = var.iam_secret_generator_apikey_description
}
# State migration: the API key resource was renamed from sdnlb_serviceid_apikey.
# This moved block re-addresses the existing state entry so the key is kept
# rather than destroyed and re-created (which would also rotate its value).
moved {
  from = ibm_iam_service_api_key.sdnlb_serviceid_apikey
  to   = ibm_iam_service_api_key.iam_serviceid_apikey
}
# Variable to extract API key value
locals {
  # The generated key, taken off the single (count-less) resource via one()/splat.
  # It is a live credential and, like any resource attribute, is persisted in
  # Terraform state; protect the state backend accordingly.
  apikey = one(ibm_iam_service_api_key.iam_serviceid_apikey[*])["apikey"]
  # nonsensitive() removes Terraform's sensitive marking, so when
  # display_iam_secret_generator_apikey is true the raw key appears in plan/apply
  # output and in anything that captures it (CI logs, terminals). Otherwise only
  # the placeholder string is emitted.
  apikey_output = var.display_iam_secret_generator_apikey == true ? nonsensitive(local.apikey) : "not-displayed"
}
# Create secrets-manager secret group if an existing secret group ID not passed in
module "secrets_manager_group_acct" {
  source  = "terraform-ibm-modules/secrets-manager-secret-group/ibm"
  version = "1.2.2" # exact pin
  # Instantiated only when the caller did not hand us an existing group
  count = var.existing_secret_group_id == null ? 1 : 0

  secrets_manager_guid     = var.secrets_manager_guid
  region                   = var.region
  endpoint_type            = var.endpoint_type
  secret_group_name        = var.new_secret_group_name
  secret_group_description = "Secret-Group for storing account credentials"
}
# Determine the secret group ID
locals {
  # Prefer the caller-supplied group; otherwise use index [0] of the counted
  # module above, which exists exactly when existing_secret_group_id is null.
  # Terraform does not evaluate the unselected branch of the conditional, so
  # the [0] index is not reached when the module has count 0.
  secret_group_id = var.existing_secret_group_id != null ? var.existing_secret_group_id : module.secrets_manager_group_acct[0].secret_group_id
}
# Create secrets-manager secret
# Stores the generator service ID's API key as an "arbitrary" secret so it can
# be retrieved later; the same key is also handed to the IAM engine configuration.
module "secrets_manager_secret_iam_secret_generator_apikey" {
  source  = "terraform-ibm-modules/secrets-manager-secret/ibm"
  version = "1.7.0" # exact pin

  secrets_manager_guid = var.secrets_manager_guid
  region               = var.region
  endpoint_type        = var.endpoint_type

  secret_type             = "arbitrary"
  secret_name             = var.iam_secret_generator_apikey_secret_name
  secret_description      = "Secret containing API key of SM iam_secret_generator service ID"
  secret_labels           = var.iam_secret_generator_apikey_secret_labels
  secret_group_id         = local.secret_group_id
  secret_payload_password = local.apikey
}
# Create IAM Engine
# Configures the Secrets Manager IAM credentials engine with the generator
# service ID's API key. depends_on makes both policies exist first, presumably
# so the engine does not validate the key before its permissions are in place.
resource "ibm_sm_iam_credentials_configuration" "sm_iam_engine_configuration" {
  name          = var.iam_engine_name
  instance_id   = var.secrets_manager_guid
  region        = var.region
  endpoint_type = var.endpoint_type
  # Same key as stored by module.secrets_manager_secret_iam_secret_generator_apikey;
  # rotating it means both places change.
  api_key = local.apikey

  depends_on = [
    ibm_iam_service_policy.iam_secret_generator_policy1,
    ibm_iam_service_policy.iam_secret_generator_policy2,
  ]
}