feat: The following DA variables have been renamed:<br>- skip_event_notifications_iam_authorization_policy -> skip_secrets_manager_event_notifications_iam_auth_policy<br>- skip_sm_kms_iam_authorization_policy -> skip_secrets_manager_kms_iam_auth_policy<br>- skip_sm_ce_iam_authorization_policy -> skip_secrets_manager_iam_auth_policy (#336)

Author: alex-reiff

README.md

@@ -98,7 +98,7 @@ You need the following permissions to run this module.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_allowed_network"></a> [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
+| <a name="input_allowed_network"></a> [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints | `string` | `"public-and-private"` | no |
 | <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_enable_event_notification"></a> [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |

ibm_catalog.json

@@ -192,7 +192,7 @@
               }
             },
             {
-              "key": "skip_sm_ce_iam_authorization_policy"
+              "key": "skip_secrets_manager_iam_auth_policy"
             },
             {
               "key": "allowed_network",
@@ -217,32 +217,31 @@
               "key": "existing_secrets_manager_kms_key_crn"
             },
             {
-              "key": "skip_sm_kms_iam_authorization_policy"
+              "key": "skip_secrets_manager_kms_iam_auth_policy"
             },
             {
               "key": "ibmcloud_kms_api_key"
             },
-            {
-              "key": "kms_endpoint_type",
-              "options": [
-                {
-                  "displayname": "Public",
-                  "value": "public"
-                },
-                {
-                  "displayname": "Private",
-                  "value": "private"
-                }
-              ]
-            },
             {
               "key": "kms_key_ring_name"
             },
             {
               "key": "kms_key_name"
             },
             {
-              "key": "event_notifications_email_list"
+              "key": "kms_endpoint_type",
+              "hidden": true
+            },
+            {
+              "key": "event_notifications_email_list",
+              "type": "array",
+              "custom_config": {
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "type": "string"
+                }
+              }
             },
             {
               "key": "event_notifications_from_email"
@@ -254,7 +253,7 @@
               "key": "existing_event_notifications_instance_crn"
             },
             {
-              "key": "skip_event_notifications_iam_authorization_policy"
+              "key": "skip_secrets_manager_event_notifications_iam_auth_policy"
             },
             {
               "key": "secrets_manager_cbr_rules"
@@ -425,7 +424,7 @@
               }
             },
             {
-              "key": "skip_sm_ce_iam_authorization_policy"
+              "key": "skip_secrets_manager_iam_auth_policy"
             },
             {
               "key": "existing_resource_group_name",
@@ -443,7 +442,7 @@
               "key": "existing_secrets_manager_kms_key_crn"
             },
             {
-              "key": "skip_sm_kms_iam_authorization_policy"
+              "key": "skip_secrets_manager_kms_iam_auth_policy"
             },
             {
               "key": "ibmcloud_kms_api_key"
@@ -455,7 +454,15 @@
               "key": "kms_key_name"
             },
             {
-              "key": "event_notifications_email_list"
+              "key": "event_notifications_email_list",
+              "type": "array",
+              "custom_config": {
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "type": "string"
+                }
+              }
             },
             {
               "key": "event_notifications_from_email"
@@ -467,7 +474,7 @@
               "key": "existing_event_notifications_instance_crn"
             },
             {
-              "key": "skip_event_notifications_iam_authorization_policy"
+              "key": "skip_secrets_manager_event_notifications_iam_auth_policy"
             },
             {
               "key": "secrets_manager_cbr_rules"

solutions/fully-configurable/README.md

@@ -49,7 +49,7 @@ This solution supports the following:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_allowed_network"></a> [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"private-only"` | no |
+| <a name="input_allowed_network"></a> [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints). | `string` | `"private-only"` | no |
 | <a name="input_event_notifications_email_list"></a> [event\_notifications\_email\_list](#input\_event\_notifications\_email\_list) | The list of email address to target out when Secrets Manager triggers an event | `list(string)` | `[]` | no |
 | <a name="input_event_notifications_from_email"></a> [event\_notifications\_from\_email](#input\_event\_notifications\_from\_email) | The email address used to send any Secrets Manager event coming via Event Notifications | `string` | `"compliancealert@ibm.com"` | no |
 | <a name="input_event_notifications_reply_to_email"></a> [event\_notifications\_reply\_to\_email](#input\_event\_notifications\_reply\_to\_email) | The email address specified in the 'reply\_to' section for any Secret Manager event coming via Event Notifications | `string` | `"no-reply@ibm.com"` | no |
@@ -73,9 +73,9 @@ This solution supports the following:
 | <a name="input_secrets_manager_instance_name"></a> [secrets\_manager\_instance\_name](#input\_secrets\_manager\_instance\_name) | The name to give the Secrets Manager instance provisioned by this solution. If a prefix input variable is specified, it is added to the value in the `<prefix>-value` format. Applies only if `existing_secrets_manager_crn` is not provided. | `string` | `"secrets-manager"` | no |
 | <a name="input_secrets_manager_resource_tags"></a> [secrets\_manager\_resource\_tags](#input\_secrets\_manager\_resource\_tags) | The list of resource tags you want to associate with your Secrets Manager instance. Applies only if `existing_secrets_manager_crn` is not provided. | `list(any)` | `[]` | no |
 | <a name="input_service_plan"></a> [service\_plan](#input\_service\_plan) | The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard). | `string` | n/a | yes |
-| <a name="input_skip_event_notifications_iam_authorization_policy"></a> [skip\_event\_notifications\_iam\_authorization\_policy](#input\_skip\_event\_notifications\_iam\_authorization\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
-| <a name="input_skip_sm_ce_iam_authorization_policy"></a> [skip\_sm\_ce\_iam\_authorization\_policy](#input\_skip\_sm\_ce\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
-| <a name="input_skip_sm_kms_iam_authorization_policy"></a> [skip\_sm\_kms\_iam\_authorization\_policy](#input\_skip\_sm\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
+| <a name="input_skip_secrets_manager_event_notifications_iam_auth_policy"></a> [skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_event\_notifications\_iam\_auth\_policy) | If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created. | `bool` | `false` | no |
+| <a name="input_skip_secrets_manager_iam_auth_policy"></a> [skip\_secrets\_manager\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_iam\_auth\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
+| <a name="input_skip_secrets_manager_kms_iam_auth_policy"></a> [skip\_secrets\_manager\_kms\_iam\_auth\_policy](#input\_skip\_secrets\_manager\_kms\_iam\_auth\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
 
 ### Outputs
 

solutions/fully-configurable/main.tf

@@ -24,7 +24,7 @@ locals {
   parsed_service_name = var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : (var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : null)
   is_hpcs_key         = local.parsed_service_name == "hs-crypto" ? true : false
 
-  create_cross_account_auth_policy      = var.existing_secrets_manager_crn == null && !var.skip_sm_kms_iam_authorization_policy && var.ibmcloud_kms_api_key != null
+  create_cross_account_auth_policy      = var.existing_secrets_manager_crn == null && !var.skip_secrets_manager_kms_iam_auth_policy && var.ibmcloud_kms_api_key != null
   create_cross_account_hpcs_auth_policy = local.create_cross_account_auth_policy == true && local.is_hpcs_key ? 1 : 0
 
   kms_service_name  = var.existing_secrets_manager_kms_key_crn != null ? module.kms_key_crn_parser[0].service_name : (var.existing_kms_instance_crn != null ? module.kms_instance_crn_parser[0].service_name : null)
@@ -174,16 +174,16 @@ module "secrets_manager" {
   secrets_manager_name          = "${local.prefix}${var.secrets_manager_instance_name}"
   sm_service_plan               = var.service_plan
   sm_tags                       = var.secrets_manager_resource_tags
-  skip_iam_authorization_policy = var.skip_sm_ce_iam_authorization_policy
+  skip_iam_authorization_policy = var.skip_secrets_manager_iam_auth_policy
   # kms dependency
   is_hpcs_key                       = local.is_hpcs_key
   kms_encryption_enabled            = var.kms_encryption_enabled
   kms_key_crn                       = local.kms_key_crn
-  skip_kms_iam_authorization_policy = var.skip_sm_kms_iam_authorization_policy || local.create_cross_account_auth_policy
+  skip_kms_iam_authorization_policy = var.skip_secrets_manager_kms_iam_auth_policy || local.create_cross_account_auth_policy
   # event notifications dependency
   enable_event_notification        = local.enable_event_notifications
   existing_en_instance_crn         = var.existing_event_notifications_instance_crn
-  skip_en_iam_authorization_policy = var.skip_event_notifications_iam_authorization_policy
+  skip_en_iam_authorization_policy = var.skip_secrets_manager_event_notifications_iam_auth_policy
   cbr_rules                        = var.secrets_manager_cbr_rules
   endpoint_type                    = var.secrets_manager_endpoint_type
   allowed_network                  = var.allowed_network

solutions/fully-configurable/variables.tf

@@ -76,9 +76,9 @@ variable "service_plan" {
   }
 }
 
-variable "skip_sm_ce_iam_authorization_policy" {
+variable "skip_secrets_manager_iam_auth_policy" {
   type        = bool
-  description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
+  description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine (if you are using an existing Secrets Manager isntance, attempting to re-create can cause conflicts if the policies already exist). If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
   default     = false
 }
 
@@ -100,7 +100,7 @@ variable "secrets_manager_endpoint_type" {
 
 variable "allowed_network" {
   type        = string
-  description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`."
+  description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-endpoints#service-endpoints)."
   default     = "private-only"
   validation {
     condition     = contains(["private-only", "public-and-private"], var.allowed_network)
@@ -149,7 +149,7 @@ variable "secret_groups" {
 # Key Protect
 ########################################################################################################################
 
-variable "skip_sm_kms_iam_authorization_policy" {
+variable "skip_secrets_manager_kms_iam_auth_policy" {
   type        = bool
   description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account."
   default     = false
@@ -249,7 +249,7 @@ variable "existing_event_notifications_instance_crn" {
   default     = null
 }
 
-variable "skip_event_notifications_iam_authorization_policy" {
+variable "skip_secrets_manager_event_notifications_iam_auth_policy" {
   type        = bool
   description = "If set to true, this skips the creation of a service to service authorization from Secrets Manager to Event Notifications. If false, the service to service authorization is created."
   default     = false