feat: updated DA variable allowed_network to default to 'private-only'<br> added new DA input variable existing_secrets_endpoint_type (#123)

ocofaigh · web-flow · commit a6b1c9e1ac66 · 2024-05-13T17:43:01.000+01:00
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
@@ -67,6 +67,7 @@ locals {
   secrets_manager_guid                = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[7] : null) : module.secrets_manager[0].secrets_manager_guid
   secrets_manager_crn                 = var.existing_secrets_manager_crn != null ? var.existing_secrets_manager_crn : module.secrets_manager[0].secrets_manager_crn
   secrets_manager_region              = var.existing_secrets_manager_crn != null ? (length(local.parsed_existing_secrets_manager_crn) > 0 ? local.parsed_existing_secrets_manager_crn[5] : null) : module.secrets_manager[0].secrets_manager_region
+  sm_endpoint_type                    = var.existing_secrets_manager_crn != null ? var.existing_secrets_endpoint_type : var.allowed_network == "private-only" ? "private" : "public"
 }
 
 module "secrets_manager" {
@@ -87,7 +88,7 @@ module "secrets_manager" {
   enable_event_notification        = var.existing_event_notification_instance_crn != null ? true : false
   existing_en_instance_crn         = var.existing_event_notification_instance_crn
   skip_en_iam_authorization_policy = var.skip_event_notification_iam_authorization_policy
-  endpoint_type                    = var.allowed_network == "private-only" ? "private" : "public"
+  endpoint_type                    = local.sm_endpoint_type
 }
 
 # Configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.
@@ -98,7 +99,7 @@ module "iam_secrets_engine" {
   region               = local.secrets_manager_region
   iam_engine_name      = var.prefix != null ? "${var.prefix}-${var.iam_engine_name}" : var.iam_engine_name
   secrets_manager_guid = local.secrets_manager_guid
-  endpoint_type        = var.allowed_network == "private-only" ? "private" : "public"
+  endpoint_type        = local.sm_endpoint_type
 }
 
 locals {
@@ -124,7 +125,7 @@ module "secrets_manager_public_cert_engine" {
   dns_config_name              = var.dns_provider_name
   ca_config_name               = var.ca_name
   acme_letsencrypt_private_key = var.acme_letsencrypt_private_key
-  service_endpoints            = var.allowed_network == "private-only" ? "private" : "public"
+  service_endpoints            = local.sm_endpoint_type
 }
 
 
@@ -140,7 +141,7 @@ module "private_secret_engine" {
   root_ca_max_ttl           = var.root_ca_max_ttl
   intermediate_ca_name      = var.intermediate_ca_name
   certificate_template_name = var.certificate_template_name
-  endpoint_type             = var.allowed_network == "private-only" ? "private" : "public"
+  endpoint_type             = local.sm_endpoint_type
 }
 
 data "ibm_resource_instance" "existing_sm" {
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
@@ -48,6 +48,16 @@ variable "existing_secrets_manager_crn" {
   default     = null
 }
 
+variable "existing_secrets_endpoint_type" {
+  type        = string
+  description = "The endpoint type to use if passing a value for `existing_secrets_manager_crn`."
+  default     = "private"
+  validation {
+    condition     = contains(["public", "private"], var.existing_secrets_endpoint_type)
+    error_message = "Allowed values for 'existing_secrets_endpoint_type' are \"public\" and \"private\"."
+  }
+}
+
 variable "service_plan" {
   type        = string
   description = "The service/pricing plan to use when provisioning a new Secrets Manager instance. Allowed values: 'standard' and 'trial'. Only used if `provision_sm_instance` is set to true."
@@ -61,7 +71,7 @@ variable "service_plan" {
 variable "allowed_network" {
   type        = string
   description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`."
-  default     = "public-and-private"
+  default     = "private-only"
   validation {
     condition     = contains(["private-only", "public-and-private"], var.allowed_network)
     error_message = "The specified allowed_network is not a valid selection!"
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -108,7 +108,6 @@ func TestRunDASolutionSchematics(t *testing.T) {
 		{Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
 		{Name: "resource_group_name", Value: options.Prefix, DataType: "string"},
 		{Name: "service_plan", Value: "trial", DataType: "string"},
-		{Name: "allowed_network", Value: "private-only", DataType: "string"},
 		{Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
 		{Name: "iam_engine_enabled", Value: true, DataType: "bool"},
 		{Name: "public_engine_enabled", Value: true, DataType: "bool"},
@@ -198,6 +197,7 @@ func TestRunExistingResourcesInstances(t *testing.T) {
 				"existing_secrets_manager_crn":             terraform.Output(t, existingTerraformOptions, "secrets_manager_instance_crn"),
 				"iam_engine_enabled":                       true,
 				"private_engine_enabled":                   true,
+				"existing_secrets_endpoint_type":           "public",
 			},
 		})
 
