Secrets Manager module

This module is used to provision and configure an IBM Cloud Secrets Manager instance.

Overview

• terraform-ibm-secrets-manager
• Submodules
  • fscloud
  • secrets
• Examples
  • Basic example
  • Complete example with BYOK encryption
  • Financial Services Cloud profile example with KYOK encryption
• Contributing

terraform-ibm-secrets-manager

Usage

provider "ibm" {
  ibmcloud_api_key     = "XXXXXXXXXXXXXX"  # pragma: allowlist secret
  region               = "us-south"
}

module "secrets_manager" {
  source               = "terraform-ibm-modules/secrets-manager/ibm"
  version              = "X.X.X"  # Replace "X.X.X" with a release version to lock into a specific release
  resource_group_id    = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region               = "us-south"
  secrets_manager_name = "my-secrets-manager"
  sm_service_plan      = "trial"
}

Required IAM access policies

You need the following permissions to run this module.

• Account Management
  • Resource Group service
    • Viewer platform access
  • IAM Services
    • Secrets Manager service
      • Administrator platform access
      • Manager service access

Requirements

Name	Version
terraform	>= v1.9.0
ibm	>= 1.79.0, <2.0.0
time	>= 0.9.1, < 1.0.0

Modules

Name	Source	Version
cbr_rule	terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module	1.33.0
kms_key_crn_parser	terraform-ibm-modules/common-utilities/ibm//modules/crn-parser	1.2.0
secrets	./modules/secrets	n/a

Resources

Name	Type
ibm_iam_authorization_policy.en_policy	resource
ibm_iam_authorization_policy.iam_groups_policy	resource
ibm_iam_authorization_policy.iam_identity_policy	resource
ibm_iam_authorization_policy.kms_policy	resource
ibm_iam_authorization_policy.secrets_manager_hpcs_policy	resource
ibm_resource_instance.secrets_manager_instance	resource
ibm_sm_en_registration.sm_en_registration	resource
time_sleep.wait_for_authorization_policy	resource
time_sleep.wait_for_sm_hpcs_authorization_policy	resource
ibm_resource_instance.sm_instance	data source

Inputs

Name	Description	Type	Default	Required
allowed_network	The types of service endpoints to set on the Secrets Manager instance. Possible values are private-only or public-and-private. Learn more.	string	"public-and-private"	no
cbr_rules	(Optional, list) List of context-based restriction rules to create	list(object({ description = string account_id = string rule_contexts = list(object({ attributes = optional(list(object({ name = string value = string }))) })) enforcement_mode = string operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) }))	[]	no
enable_event_notification	Set to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When set to true, a value must be passed for existing_en_instance_crn and existing_sm_instance_crn must be set to null.	bool	false	no
endpoint_type	The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications.	string	"public"	no
existing_en_instance_crn	The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance.	string	null	no
existing_sm_instance_crn	An existing Secrets Manager instance CRN. If not provided, a new instance is created.	string	null	no
is_hpcs_key	Set to true if the key provided through the kms_key_crn is a Hyper Protect Crypto Services key.	bool	false	no
kms_encryption_enabled	Set to true to control the encryption keys that are used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, go to About customer-managed keys.	bool	false	no
kms_key_crn	The root key CRN of a key management service like Key Protect or Hyper Protect Crypto Services that you want to use for encryption. Only used if kms_encryption_enabled is set to true.	string	null	no
region	The region where the instance is created. Not required if passing a value for existing_sm_instance_crn.	string	null	no
resource_group_id	The ID of the resource group that contains the Secrets Manager instance.	string	n/a	yes
secrets	Secret Manager secrets configurations.	list(object({ secret_group_name = string secret_group_description = optional(string) existing_secret_group = optional(bool, false) create_access_group = optional(bool, false) access_group_name = optional(string) access_group_roles = optional(list(string)) access_group_tags = optional(list(string)) secrets = optional(list(object({ secret_name = string secret_description = optional(string) secret_type = optional(string) imported_cert_certificate = optional(string) imported_cert_private_key = optional(string) imported_cert_intermediate = optional(string) secret_username = optional(string) secret_labels = optional(list(string), []) secret_payload_password = optional(string, "") secret_auto_rotation = optional(bool, true) secret_auto_rotation_unit = optional(string, "day") secret_auto_rotation_interval = optional(number, 89) service_credentials_ttl = optional(string, "7776000") # 90 days service_credentials_source_service_crn = optional(string) service_credentials_source_service_role_crn = optional(string) }))) }))	[]	no
secrets_manager_name	The name of the Secrets Manager instance to create	string	n/a	yes
skip_en_iam_authorization_policy	Set to true to skip creating an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the existing_en_instance_crn input variable. No policy is created if enable_event_notification is set to false.	bool	false	no
skip_iam_authorization_policy	Whether to skip creating the IAM authorization policies that are required to enable the IAM credentials engine. If set to false, policies are created that grant the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manager' access to the IAM groups service.	bool	false	no
skip_kms_iam_authorization_policy	Whether to skip creating the IAM authorization policies that are required to enable the IAM credentials engine. If set to false, policies are created that grant the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manager' access to the IAM groups service.	bool	false	no
sm_service_plan	The Secrets Manager plan to provision.	string	"standard"	no
sm_tags	The list of resource tags to associate with your Secrets Manager instance.	list(string)	[]	no

Outputs

Name	Description
secret_groups	IDs of the secret groups
secrets	List of Secrets Manager secret configuration data
secrets_manager_crn	CRN of the Secrets Manager instance
secrets_manager_guid	GUID of Secrets Manager instance
secrets_manager_id	ID of the Secrets Manager instance
secrets_manager_name	Name of the Secrets Manager instance
secrets_manager_region	Region of the Secrets Manager instance

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.