feat: the following variables have been removed create_resource_key, resource_key_name, resource_key_role, generate_hmac_credentials, resource_key_existing_serviceid_crn and replaced by the resource_keys variable which gives more flexibility for creating resource keys.<br>* added new resource_keys output. (#522)

shemau · web-flow · commit e6825853190b · 2024-03-27T16:35:33.000Z
BREAKING CHANGE: If you were consuming the module with `create_resource_key = true` and are now upgrading to this version, you will see that your plan will attempt to destroy a resource key. You should now use the new `resource_keys` variable to manage resource keys. Please plan accordingly before upgrading incase you are using the resource key planned for destroy else where. Please note that before this version was released, the module did not output the resource key details, so unless you were extracting the resource key from some other method, its possible you were not using the key that is getting identified for destroy.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-12-20T23:33:56Z",
+  "generated_at": "2024-03-26T13:48:41Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -85,6 +85,14 @@
         "line_number": 41,
         "type": "Secret Keyword",
         "verified_result": null
+      },
+      {
+        "hashed_secret": "a7c93faaa770c377154ea9d4d0d17a9056dbfa95",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 191,
+        "type": "Secret Keyword",
+        "verified_result": null
       }
     ],
     "modules/buckets/README.md": [
@@ -105,6 +113,14 @@
         "line_number": 15,
         "type": "Secret Keyword",
         "verified_result": null
+      },
+      {
+        "hashed_secret": "a7c93faaa770c377154ea9d4d0d17a9056dbfa95",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 119,
+        "type": "Secret Keyword",
+        "verified_result": null
       }
     ],
     "tests/pr_test.go": [
diff --git a/README.md b/README.md
@@ -152,11 +152,9 @@ You need the following permissions to run this module.
 | [ibm_cos_bucket.cos_bucket1](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/cos_bucket) | resource |
 | [ibm_iam_authorization_policy.policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_instance.cos_instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
-| [ibm_resource_key.resource_key](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
+| [ibm_resource_key.resource_keys](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [ibm_resource_tag.cos_access_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
 | [random_string.bucket_name_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
-| [terraform_data.generate_hmac_credentials](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
-| [terraform_data.resource_key_existing_serviceid_crn](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 
 ### Inputs
@@ -177,13 +175,11 @@ You need the following permissions to run this module.
 | <a name="input_cos_tags"></a> [cos\_tags](#input\_cos\_tags) | Optional list of tags to be added to cloud object storage instance. Only used if 'create\_cos\_instance' it true. | `list(string)` | `[]` | no |
 | <a name="input_create_cos_bucket"></a> [create\_cos\_bucket](#input\_create\_cos\_bucket) | Set as true to create a new Cloud Object Storage bucket | `bool` | `true` | no |
 | <a name="input_create_cos_instance"></a> [create\_cos\_instance](#input\_create\_cos\_instance) | Set as true to create a new Cloud Object Storage instance. | `bool` | `true` | no |
-| <a name="input_create_resource_key"></a> [create\_resource\_key](#input\_create\_resource\_key) | Set as true to create a new resource key for the Cloud Object Storage instance. | `bool` | `true` | no |
 | <a name="input_cross_region_location"></a> [cross\_region\_location](#input\_cross\_region\_location) | Specify the cross-regional bucket location. Supported values are 'us', 'eu', and 'ap'. If you pass a value for this, ensure to set the value of var.region and var.single\_site\_location to null. | `string` | `null` | no |
 | <a name="input_existing_cos_instance_id"></a> [existing\_cos\_instance\_id](#input\_existing\_cos\_instance\_id) | The ID of an existing cloud object storage instance. Required if 'var.create\_cos\_instance' is false. | `string` | `null` | no |
 | <a name="input_existing_kms_instance_guid"></a> [existing\_kms\_instance\_guid](#input\_existing\_kms\_instance\_guid) | The GUID of the Key Protect or Hyper Protect instance in which the key specified in var.kms\_key\_crn is coming from. Required if var.skip\_iam\_authorization\_policy is false in order to create an IAM Access Policy to allow Key Protect or Hyper Protect to access the newly created COS instance. | `string` | `null` | no |
 | <a name="input_expire_days"></a> [expire\_days](#input\_expire\_days) | Specifies the number of days when the expire rule action takes effect. Only used if 'create\_cos\_bucket' is true. | `number` | `365` | no |
 | <a name="input_force_delete"></a> [force\_delete](#input\_force\_delete) | Deletes all the objects in the COS Bucket before bucket is deleted. | `bool` | `true` | no |
-| <a name="input_generate_hmac_credentials"></a> [generate\_hmac\_credentials](#input\_generate\_hmac\_credentials) | Set as true to generate an HMAC key in the resource key. Only used when create\_resource\_key is `true`. | `bool` | `false` | no |
 | <a name="input_hard_quota"></a> [hard\_quota](#input\_hard\_quota) | Sets a maximum amount of storage (in bytes) available for a bucket. If it is set to `null` then quota is disabled. | `number` | `null` | no |
 | <a name="input_instance_cbr_rules"></a> [instance\_cbr\_rules](#input\_instance\_cbr\_rules) | (Optional, list) List of CBR rules to create for the instance | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>    tags = optional(list(object({<br>      name  = string<br>      value = string<br>    })), [])<br>    operations = optional(list(object({<br>      api_types = list(object({<br>        api_type_id = string<br>      }))<br>    })))<br>  }))</pre> | `[]` | no |
 | <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set as true to use KMS key encryption to encrypt data in COS bucket (only applicable when var.create\_cos\_bucket is true). | `bool` | `true` | no |
@@ -192,9 +188,7 @@ You need the following permissions to run this module.
 | <a name="input_object_versioning_enabled"></a> [object\_versioning\_enabled](#input\_object\_versioning\_enabled) | Enable object versioning to keep multiple versions of an object in a bucket. Cannot be used with retention rule. Only used if 'create\_cos\_bucket' is true. | `bool` | `false` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision the bucket. If you pass a value for this, do not pass one for var.cross\_region\_location or var.single\_site\_location. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where The COS instance will be provisioned. It is required if setting input variable create\_cos\_instance to true. | `string` | `null` | no |
-| <a name="input_resource_key_existing_serviceid_crn"></a> [resource\_key\_existing\_serviceid\_crn](#input\_resource\_key\_existing\_serviceid\_crn) | CRN of existing serviceID to bind with resource key to be created. If null a new ServiceID is created for the resource key. | `string` | `null` | no |
-| <a name="input_resource_key_name"></a> [resource\_key\_name](#input\_resource\_key\_name) | The name of the resource key to be created. | `string` | `"cos-resource-key"` | no |
-| <a name="input_resource_key_role"></a> [resource\_key\_role](#input\_resource\_key\_role) | The role you want to be associated with your new resource key. Valid roles are 'Writer', 'Reader', 'Manager', 'Content Reader', 'Object Reader', 'Object Writer'. | `string` | `"Manager"` | no |
+| <a name="input_resource_keys"></a> [resource\_keys](#input\_resource\_keys) | The definition of any resource keys to be generated | <pre>list(object({<br>    name                      = string<br>    generate_hmac_credentials = optional(bool, false)<br>    role                      = optional(string, "Reader")<br>    service_id_crn            = optional(string, null)<br>  }))</pre> | `[]` | no |
 | <a name="input_retention_default"></a> [retention\_default](#input\_retention\_default) | Specifies default duration of time an object that can be kept unmodified for COS bucket. Only used if 'create\_cos\_bucket' is true. | `number` | `90` | no |
 | <a name="input_retention_enabled"></a> [retention\_enabled](#input\_retention\_enabled) | Retention enabled for COS bucket. Only used if 'create\_cos\_bucket' is true. | `bool` | `false` | no |
 | <a name="input_retention_maximum"></a> [retention\_maximum](#input\_retention\_maximum) | Specifies maximum duration of time an object that can be kept unmodified for COS bucket. Only used if 'create\_cos\_bucket' is true. | `number` | `350` | no |
@@ -222,6 +216,7 @@ You need the following permissions to run this module.
 | <a name="output_instance_cbr_rules"></a> [instance\_cbr\_rules](#output\_instance\_cbr\_rules) | COS instance rules |
 | <a name="output_kms_key_crn"></a> [kms\_key\_crn](#output\_kms\_key\_crn) | The CRN of the KMS key used to encrypt the COS bucket |
 | <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | Resource Group ID |
+| <a name="output_resource_keys"></a> [resource\_keys](#output\_resource\_keys) | List of resource keys |
 | <a name="output_s3_endpoint_direct"></a> [s3\_endpoint\_direct](#output\_s3\_endpoint\_direct) | S3 direct endpoint |
 | <a name="output_s3_endpoint_private"></a> [s3\_endpoint\_private](#output\_s3\_endpoint\_private) | S3 private endpoint |
 | <a name="output_s3_endpoint_public"></a> [s3\_endpoint\_public](#output\_s3\_endpoint\_public) | S3 public endpoint |
diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf
@@ -13,10 +13,9 @@ module "resource_group" {
 ##############################################################################
 # Create serviceID to use for resource key hmac
 #
-# NOTE: The module itself supports creating one, but this example shows how
-# you can use an existing one
+# NOTE: The module itself supports creating internally, but this example shows
+# how to use an existing ones
 ##############################################################################
-
 resource "ibm_iam_service_id" "resource_key_existing_serviceid" {
   name        = "${var.prefix}-reskey-serviceid"
   description = "ServiceID for ${var.prefix} env to use for resource key credentials"
@@ -144,10 +143,34 @@ module "cos_bucket1" {
   existing_kms_instance_guid          = module.key_protect_all_inclusive.kms_guid
   kms_key_crn                         = module.key_protect_all_inclusive.keys["${local.key_ring_name}.${local.key_name}"].crn
   sysdig_crn                          = module.observability_instances.cloud_monitoring_crn
-  # If no value is passed for this variable, the module will create a new service ID for the resource key
-  resource_key_existing_serviceid_crn = ibm_iam_service_id.resource_key_existing_serviceid.crn
   retention_enabled                   = false # disable retention for test environments - enable for stage/prod
   activity_tracker_crn                = local.at_crn
+  resource_keys = [
+    {
+      name           = "${var.prefix}-writer-key"
+      role           = "Writer"
+      service_id_crn = ibm_iam_service_id.resource_key_existing_serviceid.crn
+    },
+    {
+      name = "${var.prefix}-reader-key"
+    },
+    {
+      name = "${var.prefix}-manager-key"
+      role = "Manager"
+    },
+    {
+      name = "${var.prefix}-content-reader-key"
+      role = "Content Reader"
+    },
+    {
+      name = "${var.prefix}-object-reader-key"
+      role = "Object Reader"
+    },
+    {
+      name = "${var.prefix}-object-writer-key"
+      role = "Object Writer"
+    }
+  ]
   bucket_cbr_rules = [
     {
       description      = "sample rule for bucket 1"
diff --git a/main.tf b/main.tf
@@ -62,27 +62,15 @@ resource "ibm_resource_tag" "cos_access_tag" {
   tag_type    = "access"
 }
 
-# To force IBM resource key replacement when input changes
-resource "terraform_data" "generate_hmac_credentials" {
-  input = var.generate_hmac_credentials
-}
-
-# To force IBM resource key replacement when input changes
-resource "terraform_data" "resource_key_existing_serviceid_crn" {
-  input = var.resource_key_existing_serviceid_crn
-}
-
-resource "ibm_resource_key" "resource_key" {
-  count                = var.create_resource_key && var.create_cos_instance ? 1 : 0
-  name                 = var.resource_key_name
-  resource_instance_id = ibm_resource_instance.cos_instance[count.index].id
+resource "ibm_resource_key" "resource_keys" {
+  for_each             = { for key in var.resource_keys : key.name => key }
+  name                 = each.key
+  resource_instance_id = local.cos_instance_id
+  role                 = each.value.role
   parameters = {
-    "serviceid_crn" = var.resource_key_existing_serviceid_crn
-    "HMAC"          = var.generate_hmac_credentials
+    "serviceid_crn" = each.value.service_id_crn
+    "HMAC"          = each.value.generate_hmac_credentials
   }
-  role = var.resource_key_role
-  # parameters block is outside lifecycle, this force replacement if values change
-  lifecycle { replace_triggered_by = [terraform_data.generate_hmac_credentials, terraform_data.resource_key_existing_serviceid_crn] }
 }
 
 locals {
diff --git a/modules/buckets/main.tf b/modules/buckets/main.tf
@@ -1,16 +1,8 @@
 ##############################################################################
 # terraform-ibm-cos
 #
-# Create COS buckets
-##############################################################################
-
-locals {
-  # input variable validation
-  # tflint-ignore: terraform_unused_declarations
-  # validate_key_inputs = var.create_cos_bucket && var.encryption_enabled && var.kms_key_crn == null ? tobool("A value must be passed for var.kms_key_crn when both var.create_cos_bucket and var.encryption_enabled are true") : true
-}
-
 # Create COS buckets from bucket_configs
+##############################################################################
 
 module "buckets" {
   for_each = {
diff --git a/modules/buckets/outputs.tf b/modules/buckets/outputs.tf
@@ -1,9 +1,27 @@
 ##############################################################################
 # Outputs
 ##############################################################################
+# expand buckets, pull all elements except bucket_resource_key
+# iterate over list (...) and merge() back to map
 output "buckets" {
   description = "Map of buckets created in the Cloud Object Storage Instance"
-  value       = module.buckets
+  value = merge([for name, bucket in module.buckets : { (name) = {
+    "resource_group_id"    = bucket.resource_group_id
+    "s3_endpoint_private"  = bucket.s3_endpoint_private
+    "s3_endpoint_public"   = bucket.s3_endpoint_public
+    "s3_endpoint_direct"   = bucket.s3_endpoint_direct
+    "bucket_id"            = bucket.bucket_id
+    "bucket_crn"           = bucket.bucket_crn
+    "bucket_name"          = bucket.bucket_name
+    "bucket_storage_class" = bucket.bucket_storage_class
+    "kms_key_crn"          = bucket.kms_key_crn
+    "cos_instance_id"      = bucket.cos_instance_id
+    "cos_instance_guid"    = bucket.cos_instance_guid
+    "bucket_cbr_rules"     = bucket.bucket_cbr_rules
+    "instance_cbr_rules"   = bucket.instance_cbr_rules
+    "cbr_rule_ids"         = bucket.cbr_rule_ids
+    # skip resource_keys because it is sensitive
+  } }]...)
 }
 
 output "bucket_configs" {
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -113,13 +113,10 @@ No resources.
 | <a name="input_cos_plan"></a> [cos\_plan](#input\_cos\_plan) | Plan to be used for creating cloud object storage instance. Only used if 'create\_cos\_instance' it true. | `string` | `"standard"` | no |
 | <a name="input_cos_tags"></a> [cos\_tags](#input\_cos\_tags) | Optional list of tags to be added to cloud object storage instance. Only used if 'create\_cos\_instance' it true. | `list(string)` | `[]` | no |
 | <a name="input_create_cos_instance"></a> [create\_cos\_instance](#input\_create\_cos\_instance) | Set as true to create a new Cloud Object Storage instance. | `bool` | `true` | no |
-| <a name="input_create_resource_key"></a> [create\_resource\_key](#input\_create\_resource\_key) | Set as true to create a new resource key for the Cloud Object Storage instance. | `bool` | `false` | no |
 | <a name="input_existing_cos_instance_id"></a> [existing\_cos\_instance\_id](#input\_existing\_cos\_instance\_id) | The ID of an existing cloud object storage instance. Required if 'var.create\_cos\_instance' is false. | `string` | `null` | no |
-| <a name="input_generate_hmac_credentials"></a> [generate\_hmac\_credentials](#input\_generate\_hmac\_credentials) | Set as true to generate an HMAC key in the resource key. Only used when create\_resource\_key is `true`. | `bool` | `false` | no |
 | <a name="input_instance_cbr_rules"></a> [instance\_cbr\_rules](#input\_instance\_cbr\_rules) | (Optional, list) List of CBR rule to create for the instance | <pre>list(object({<br>    description = string<br>    account_id  = string<br>    rule_contexts = list(object({<br>      attributes = optional(list(object({<br>        name  = string<br>        value = string<br>    }))) }))<br>    enforcement_mode = string<br>    tags = optional(list(object({<br>      name  = string<br>      value = string<br>    })), [])<br>    operations = optional(list(object({<br>      api_types = list(object({<br>        api_type_id = string<br>      }))<br>    })))<br>  }))</pre> | `[]` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where resources will be provisioned. | `string` | n/a | yes |
-| <a name="input_resource_key_name"></a> [resource\_key\_name](#input\_resource\_key\_name) | The name of the resource key to be created. | `string` | `"cos-resource-key"` | no |
-| <a name="input_resource_key_role"></a> [resource\_key\_role](#input\_resource\_key\_role) | The role you want to be associated with your new resource key. Valid roles are 'Writer', 'Reader', 'Manager', 'Content Reader', 'Object Reader', 'Object Writer'. | `string` | `"Manager"` | no |
+| <a name="input_resource_keys"></a> [resource\_keys](#input\_resource\_keys) | The definition of any resource keys to be generated | <pre>list(object({<br>    name                      = string<br>    generate_hmac_credentials = optional(bool, false)<br>    role                      = optional(string, "Reader")<br>    service_id_crn            = string<br>  }))</pre> | `[]` | no |
 
 ### Outputs
 
@@ -134,4 +131,5 @@ No resources.
 | <a name="output_cos_instance_name"></a> [cos\_instance\_name](#output\_cos\_instance\_name) | COS instance name |
 | <a name="output_instance_cbr_rules"></a> [instance\_cbr\_rules](#output\_instance\_cbr\_rules) | COS instance rules |
 | <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | Resource Group ID |
+| <a name="output_resource_keys"></a> [resource\_keys](#output\_resource\_keys) | List of resource keys |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -24,17 +24,14 @@ module "cos_instance" {
   create_cos_bucket             = false
   skip_iam_authorization_policy = true
   cos_instance_name             = var.cos_instance_name
-  create_resource_key           = var.create_resource_key
-  resource_key_name             = var.resource_key_name
-  resource_key_role             = var.resource_key_role
-  generate_hmac_credentials     = var.generate_hmac_credentials
+  resource_keys                 = var.resource_keys
   cos_plan                      = var.cos_plan
   cos_tags                      = var.cos_tags
   access_tags                   = var.access_tags
 }
 
 locals {
-  #  Add the cos instance id to the bucket configs
+  # Add the cos instance id to the bucket configs
   bucket_configs = [
     for config in var.bucket_configs :
     {
diff --git a/modules/fscloud/outputs.tf b/modules/fscloud/outputs.tf
@@ -31,6 +31,12 @@ output "cos_instance_crn" {
   value       = local.cos_instance_crn
 }
 
+output "resource_keys" {
+  description = "List of resource keys"
+  value       = module.cos_instance[0].resource_keys
+  sensitive   = true
+}
+
 output "bucket_cbr_rules" {
   description = "COS bucket rules"
   value       = module.buckets.cbr_rules
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
diff --git a/outputs.tf b/outputs.tf
diff --git a/variables.tf b/variables.tf
