feat: added a new [secrets](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/modules/secrets) terraform module for adding secrets into secrets groups in an existing Secrets Manager instance (#157)

Author: Aashiq-J

README.md

@@ -17,6 +17,7 @@ This module is used to provision and configure an IBM Cloud [Secrets Manager](ht
 * [terraform-ibm-secrets-manager](#terraform-ibm-secrets-manager)
 * [Submodules](./modules)
     * [fscloud](./modules/fscloud)
+    * [secrets](./modules/secrets)
 * [Examples](./examples)
     * [Basic example](./examples/basic)
     * [Complete example with BYOK encryption](./examples/complete)
@@ -75,6 +76,7 @@ You need the following permissions to run this module.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.22.2 |
+| <a name="module_secrets"></a> [secrets](#module\_secrets) | ./modules/secrets | n/a |
 
 ### Resources
 
@@ -100,6 +102,7 @@ You need the following permissions to run this module.
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision the Secrets Manager instance to. | `string` | n/a | yes |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group to provision the Secrets Manager instance to. | `string` | n/a | yes |
+| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br>    secret_group_name        = string<br>    secret_group_description = optional(string)<br>    existing_secret_group    = optional(bool, false)<br>    secrets = optional(list(object({<br>      secret_name                             = string<br>      secret_description                      = optional(string)<br>      secret_type                             = optional(string)<br>      imported_cert_certificate               = optional(string)<br>      imported_cert_private_key               = optional(string)<br>      imported_cert_intermediate              = optional(string)<br>      secret_username                         = optional(string)<br>      secret_labels                           = optional(list(string), [])<br>      secret_payload_password                 = optional(string, "")<br>      secret_auto_rotation                    = optional(bool, true)<br>      secret_auto_rotation_unit               = optional(string, "day")<br>      secret_auto_rotation_interval           = optional(number, 89)<br>      service_credentials_ttl                 = optional(string, "7776000") # 90 days<br>      service_credentials_source_service_crn  = optional(string)<br>      service_credentials_source_service_role = optional(string)<br>    })))<br>  }))</pre> | `[]` | no |
 | <a name="input_secrets_manager_name"></a> [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name to give the Secrets Manager instance. | `string` | n/a | yes |
 | <a name="input_skip_en_iam_authorization_policy"></a> [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
 | <a name="input_skip_kms_iam_authorization_policy"></a> [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to false. | `bool` | `false` | no |
@@ -110,6 +113,8 @@ You need the following permissions to run this module.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_secret_groups"></a> [secret\_groups](#output\_secret\_groups) | IDs of the created Secret Group |
+| <a name="output_secrets"></a> [secrets](#output\_secrets) | List of secret mananger secret config data |
 | <a name="output_secrets_manager_crn"></a> [secrets\_manager\_crn](#output\_secrets\_manager\_crn) | CRN of the Secrets Manager instance |
 | <a name="output_secrets_manager_guid"></a> [secrets\_manager\_guid](#output\_secrets\_manager\_guid) | GUID of Secrets Manager instance |
 | <a name="output_secrets_manager_id"></a> [secrets\_manager\_id](#output\_secrets\_manager\_id) | ID of the Secrets Manager instance |

examples/complete/main.tf

@@ -49,4 +49,25 @@ module "secrets_manager" {
   kms_key_crn                = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn
   enable_event_notification  = true
   existing_en_instance_crn   = module.event_notification.crn
+  secrets = [
+    {
+      secret_group_name = "${var.prefix}-secret-group"
+      secrets = [{
+        secret_name             = "${var.prefix}-kp-key-crn"
+        secret_type             = "arbitrary"
+        secret_payload_password = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn
+        }
+      ]
+    },
+    {
+      secret_group_name     = "default"
+      existing_secret_group = true
+      secrets = [{
+        secret_name             = "${var.prefix}-kp-key-id"
+        secret_type             = "arbitrary"
+        secret_payload_password = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].key_id
+        }
+      ]
+    }
+  ]
 }

main.tf

@@ -129,3 +129,15 @@ resource "ibm_sm_en_registration" "sm_en_registration" {
   event_notifications_source_name        = var.secrets_manager_name
   endpoint_type                          = var.endpoint_type
 }
+
+##############################################################################
+# Secret Groups/Secrets
+##############################################################################
+
+module "secrets" {
+  source                      = "./modules/secrets"
+  existing_sm_instance_guid   = local.secrets_manager_guid
+  existing_sm_instance_region = var.region
+  secrets                     = var.secrets
+  endpoint_type               = var.endpoint_type
+}

modules/fscloud/README.md

@@ -54,6 +54,7 @@ No resources.
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of Hyper Protect Crypto Services (HPCS) that you want to use for encryption. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region to provision the Secrets Manager instance to. | `string` | n/a | yes |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group to provision the Secrets Manager instance to. | `string` | n/a | yes |
+| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br>    secret_group_name        = string<br>    secret_group_description = optional(string)<br>    existing_secret_group    = optional(bool, false)<br>    secrets = optional(list(object({<br>      secret_name                             = string<br>      secret_description                      = optional(string)<br>      secret_type                             = optional(string)<br>      imported_cert_certificate               = optional(string)<br>      imported_cert_private_key               = optional(string)<br>      imported_cert_intermediate              = optional(string)<br>      secret_username                         = optional(string)<br>      secret_labels                           = optional(list(string), [])<br>      secret_payload_password                 = optional(string, "")<br>      secret_auto_rotation                    = optional(bool, true)<br>      secret_auto_rotation_unit               = optional(string, "day")<br>      secret_auto_rotation_interval           = optional(number, 89)<br>      service_credentials_ttl                 = optional(string, "7776000") # 90 days<br>      service_credentials_source_service_crn  = optional(string)<br>      service_credentials_source_service_role = optional(string)<br>    })))<br>  }))</pre> | `[]` | no |
 | <a name="input_secrets_manager_name"></a> [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name to give the Secrets Manager instance. | `string` | n/a | yes |
 | <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
 | <a name="input_skip_en_iam_authorization_policy"></a> [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
@@ -63,6 +64,8 @@ No resources.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_secret_groups"></a> [secret\_groups](#output\_secret\_groups) | IDs of the created Secret Group |
+| <a name="output_secrets"></a> [secrets](#output\_secrets) | List of secret mananger secret config data |
 | <a name="output_secrets_manager_crn"></a> [secrets\_manager\_crn](#output\_secrets\_manager\_crn) | CRN of the Secrets Manager instance |
 | <a name="output_secrets_manager_guid"></a> [secrets\_manager\_guid](#output\_secrets\_manager\_guid) | GUID of Secrets Manager instance |
 | <a name="output_secrets_manager_id"></a> [secrets\_manager\_id](#output\_secrets\_manager\_id) | ID of the Secrets Manager instance |

modules/fscloud/main.tf

@@ -14,4 +14,5 @@ module "secrets_manager" {
   skip_en_iam_authorization_policy = var.skip_en_iam_authorization_policy
   kms_key_crn                      = var.kms_key_crn
   cbr_rules                        = var.cbr_rules
+  secrets                          = var.secrets
 }

modules/fscloud/outputs.tf

@@ -26,3 +26,13 @@ output "secrets_manager_region" {
   value       = module.secrets_manager.secrets_manager_region
   description = "Region of the Secrets Manager instance"
 }
+
+output "secret_groups" {
+  value       = module.secrets_manager.secret_groups
+  description = "IDs of the created Secret Group"
+}
+
+output "secrets" {
+  value       = module.secrets_manager.secrets
+  description = "List of secret mananger secret config data"
+}

modules/fscloud/variables.tf

@@ -89,3 +89,34 @@ variable "cbr_rules" {
   default     = []
   # Validation happens in the rule module
 }
+
+##############################################################
+# Secrets
+##############################################################
+
+variable "secrets" {
+  type = list(object({
+    secret_group_name        = string
+    secret_group_description = optional(string)
+    existing_secret_group    = optional(bool, false)
+    secrets = optional(list(object({
+      secret_name                             = string
+      secret_description                      = optional(string)
+      secret_type                             = optional(string)
+      imported_cert_certificate               = optional(string)
+      imported_cert_private_key               = optional(string)
+      imported_cert_intermediate              = optional(string)
+      secret_username                         = optional(string)
+      secret_labels                           = optional(list(string), [])
+      secret_payload_password                 = optional(string, "")
+      secret_auto_rotation                    = optional(bool, true)
+      secret_auto_rotation_unit               = optional(string, "day")
+      secret_auto_rotation_interval           = optional(number, 89)
+      service_credentials_ttl                 = optional(string, "7776000") # 90 days
+      service_credentials_source_service_crn  = optional(string)
+      service_credentials_source_service_role = optional(string)
+    })))
+  }))
+  description = "Secret Manager secrets configurations."
+  default     = []
+}

modules/secrets/README.md

@@ -0,0 +1,77 @@
+# Secret Manager secrets module
+
+You can use this submodule to create of secret groups or secrets in an existing Secret Manager instance.
+
+The submodule extends the [secrets](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-secret) and [secret_group](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-secret-group) module by including support for multiple secrets.
+
+### Usage
+
+```hcl
+provider "ibm" {
+  ibmcloud_api_key     = "XXXXXXXXXXXXXX"  # pragma: allowlist secret
+  region               = "us-south"
+}
+
+module "secrets_manager" {
+  source                     = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
+  version                     = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
+  existing_sm_instance_guid   = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
+  existing_sm_instance_region = "us-south"
+  endpoint_type               = "public"
+  secrets = [{
+    secret_group_name = "secret-group"
+    secrets = [{
+      secret_name             = "secret1"
+      secret_type             = "arbitrary"
+      secret_username         = "test"
+      secret_payload_password = "test"
+      },
+      {
+        secret_name             = "secret2"
+        secret_type             = "arbitrary"
+        secret_username         = "test"
+        secret_payload_password = "test"
+      }
+    ]
+    }
+  ]
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >=1.62.0, <2.0.0 |
+
+### Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_secret_groups"></a> [secret\_groups](#module\_secret\_groups) | terraform-ibm-modules/secrets-manager-secret-group/ibm | 1.2.2 |
+| <a name="module_secrets"></a> [secrets](#module\_secrets) | terraform-ibm-modules/secrets-manager-secret/ibm | 1.3.2 |
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [ibm_sm_secret_groups.existing_secret_groups](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/sm_secret_groups) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The service endpoint type to communicate with the provided secrets manager instance. Possible values are `public` or `private` | `string` | `"public"` | no |
+| <a name="input_existing_sm_instance_guid"></a> [existing\_sm\_instance\_guid](#input\_existing\_sm\_instance\_guid) | Instance ID of Secrets Manager instance in which the Secret will be added. | `string` | n/a | yes |
+| <a name="input_existing_sm_instance_region"></a> [existing\_sm\_instance\_region](#input\_existing\_sm\_instance\_region) | Region which the Secret Manager is deployed. | `string` | n/a | yes |
+| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secret Manager secrets configurations. | <pre>list(object({<br>    secret_group_name        = string<br>    secret_group_description = optional(string)<br>    existing_secret_group    = optional(bool, false)<br>    secrets = optional(list(object({<br>      secret_name                             = string<br>      secret_description                      = optional(string)<br>      secret_type                             = optional(string)<br>      imported_cert_certificate               = optional(string)<br>      imported_cert_private_key               = optional(string)<br>      imported_cert_intermediate              = optional(string)<br>      secret_username                         = optional(string)<br>      secret_labels                           = optional(list(string), [])<br>      secret_payload_password                 = optional(string, "")<br>      secret_auto_rotation                    = optional(bool, true)<br>      secret_auto_rotation_unit               = optional(string, "day")<br>      secret_auto_rotation_interval           = optional(number, 89)<br>      service_credentials_ttl                 = optional(string, "7776000") # 90 days<br>      service_credentials_source_service_crn  = optional(string)<br>      service_credentials_source_service_role = optional(string)<br>    })))<br>  }))</pre> | `[]` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_secret_groups"></a> [secret\_groups](#output\_secret\_groups) | IDs of the created Secret Group |
+| <a name="output_secrets"></a> [secrets](#output\_secrets) | List of secret mananger secret config data |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->