feat: updated the DA to support configuring the private and public cert engines (#90)

Author: jor2

examples/basic/variables.tf

@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
 variable "prefix" {
   type        = string
   description = "Prefix for sm instance"
-  default     = "secrets-manager-basic"
+  default     = "sm-bas"
 }
 
 variable "region" {

examples/complete/README.md

@@ -29,7 +29,7 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_en_region"></a> [en\_region](#input\_en\_region) | Region where event notification will be created | `string` | `"au-syd"` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key this account authenticates to | `string` | n/a | yes |
-| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix for sm instance | `string` | `"secrets-manager-test"` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix for sm instance | `string` | `"sm-com"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region where resources will be created | `string` | `"us-east"` | no |
 | <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | An existing resource group name to use for this example, if unset a new resource group will be created | `string` | `null` | no |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to created resources | `list(string)` | `[]` | no |

examples/complete/variables.tf

@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
 variable "prefix" {
   type        = string
   description = "Prefix for sm instance"
-  default     = "secrets-manager-test"
+  default     = "sm-com"
 }
 variable "sm_service_plan" {
   type        = string

examples/fscloud/main.tf

@@ -1,8 +1,12 @@
+##############################################################################
+# Resource Group
+##############################################################################
 module "resource_group" {
-  source                       = "terraform-ibm-modules/resource-group/ibm"
-  version                      = "1.1.4"
-  resource_group_name          = var.existing_resource_group == false ? var.resource_group : null
-  existing_resource_group_name = var.existing_resource_group == true ? var.resource_group : null
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.5"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
 }
 
 ##############################################################################

examples/fscloud/variables.tf

@@ -7,7 +7,7 @@ variable "ibmcloud_api_key" {
 variable "prefix" {
   type        = string
   description = "Prefix for sm instance"
-  default     = "secrets-manager-test"
+  default     = "sm-fsc"
 }
 
 variable "region" {
@@ -16,16 +16,10 @@ variable "region" {
   default     = "us-south"
 }
 
-variable "existing_resource_group" {
-  type        = bool
-  description = "Whether to use an existing resource group."
-  default     = false
-}
-
 variable "resource_group" {
   type        = string
   description = "A resource group name to use for this example, if `existing_resource_group` is false a new resource group will be created"
-  default     = "sm-fscloud"
+  default     = null
 }
 
 variable "resource_tags" {

ibm_catalog.json

@@ -121,6 +121,45 @@
             {
               "key": "iam_engine_name"
             },
+            {
+              "key": "public_engine_enabled"
+            },
+            {
+              "key": "public_engine_name"
+            },
+            {
+              "key": "cis_id"
+            },
+            {
+              "key": "dns_provider_name"
+            },
+            {
+              "key": "ca_name"
+            },
+            {
+              "key": "acme_letsencrypt_private_key"
+            },
+            {
+              "key": "private_engine_enabled"
+            },
+            {
+              "key": "private_engine_name"
+            },
+            {
+              "key": "root_ca_name"
+            },
+            {
+              "key": "root_ca_common_name"
+            },
+            {
+              "key": "root_ca_max_ttl"
+            },
+            {
+              "key": "intermediate_ca_name"
+            },
+            {
+              "key": "certificate_template_name"
+            },
             {
               "key": "skip_kms_iam_authorization_policy"
             },

solutions/standard/main.tf

@@ -87,3 +87,45 @@ module "iam_secrets_engine" {
   secrets_manager_guid = module.secrets_manager.secrets_manager_guid
   endpoint_type        = var.allowed_network == "private-only" ? "private" : "public"
 }
+
+locals {
+  # tflint-ignore: terraform_unused_declarations
+  validate_public_secret_engine = var.public_engine_enabled && var.public_engine_name == null ? tobool("When setting var.public_engine_enabled to true, a value must be passed for var.public_engine_name") : true
+  # tflint-ignore: terraform_unused_declarations
+  validate_private_secret_engine = var.private_engine_enabled && var.private_engine_name == null ? tobool("When setting var.private_engine_enabled to true, a value must be passed for var.private_engine_name") : true
+}
+
+# Configure an IBM Secrets Manager public certificate engine for an existing IBM Secrets Manager instance.
+module "secrets_manager_public_cert_engine" {
+  count   = var.public_engine_enabled ? 1 : 0
+  source  = "terraform-ibm-modules/secrets-manager-public-cert-engine/ibm"
+  version = "1.0.0"
+  providers = {
+    ibm              = ibm
+    ibm.secret-store = ibm
+  }
+  secrets_manager_guid         = module.secrets_manager.secrets_manager_guid
+  region                       = module.secrets_manager.secrets_manager_region
+  internet_services_crn        = var.cis_id
+  ibmcloud_cis_api_key         = var.ibmcloud_api_key
+  dns_config_name              = var.dns_provider_name
+  ca_config_name               = var.ca_name
+  acme_letsencrypt_private_key = var.acme_letsencrypt_private_key
+  service_endpoints            = var.allowed_network == "private-only" ? "private" : "public"
+}
+
+
+# Configure an IBM Secrets Manager private certificate engine for an existing IBM Secrets Manager instance.
+module "private_secret_engine" {
+  count                     = var.private_engine_enabled ? 1 : 0
+  source                    = "terraform-ibm-modules/secrets-manager-private-cert-engine/ibm"
+  version                   = "1.3.0"
+  secrets_manager_guid      = module.secrets_manager.secrets_manager_guid
+  region                    = var.region
+  root_ca_name              = var.root_ca_name
+  root_ca_common_name       = var.root_ca_common_name
+  root_ca_max_ttl           = var.root_ca_max_ttl
+  intermediate_ca_name      = var.intermediate_ca_name
+  certificate_template_name = var.certificate_template_name
+  endpoint_type             = var.allowed_network == "private-only" ? "private" : "public"
+}

solutions/standard/variables.tf

@@ -67,6 +67,87 @@ variable "secret_manager_tags" {
   default     = []
 }
 
+variable "public_engine_enabled" {
+  type        = bool
+  description = "Set this to true to to configure an IBM Secrets Manager public certificate engine for an existing IBM Secrets Manager instance. If set to false, no public certificate engine will be configured for your secrets manager instance. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-prepare-order-certificates."
+  default     = false
+}
+
+# Public cert engine config
+variable "public_engine_name" {
+  type        = string
+  description = "The name of the IAM Engine used to configure an IBM Secrets Manager public certificate engine for an existing IBM Secrets Manager instance."
+  default     = "public-engine-sm"
+}
+
+variable "cis_id" {
+  type        = string
+  description = "Cloud Internet Service ID"
+  default     = null
+}
+
+variable "dns_provider_name" {
+  type        = string
+  description = "Name of the DNS provider for the public_cert secrets engine"
+  default     = "certificate-dns"
+}
+
+variable "ca_name" {
+  type        = string
+  description = "Secret Managers certificate authority name"
+  default     = "cert-auth"
+}
+
+variable "acme_letsencrypt_private_key" {
+  type        = string
+  description = "The private key generated by the ACME account creation tool."
+  sensitive   = true
+  default     = null
+}
+
+# Private cert engine config
+variable "private_engine_enabled" {
+  type        = bool
+  description = "Set this to true to to configure an IBM Secrets Manager private certificate engine for an existing IBM Secrets Manager instance. If set to false, no private certificate engine will be configured for your secrets manager instance. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-prepare-create-certificates#:~:text=In%20Secrets%20Manager%2C%20the%20private,and%20manage%20in%20the%20service."
+  default     = false
+}
+
+variable "private_engine_name" {
+  type        = string
+  description = "The name of the IAM Engine used to configure an IBM Secrets Manager private certificate engine for an existing IBM Secrets Manager instance."
+  default     = "private-engine-sm"
+}
+
+variable "root_ca_name" {
+  type        = string
+  description = "Name of the Root CA to create for a private_cert secret engine"
+  default     = "root-ca"
+}
+
+variable "root_ca_common_name" {
+  type        = string
+  description = "Fully qualified domain name or host domain name for the certificate to be created"
+  default     = "terraform-modules.ibm.com"
+}
+
+variable "root_ca_max_ttl" {
+  type        = string
+  description = "Maximum TTL value for the root CA"
+  default     = "87600h"
+}
+
+variable "intermediate_ca_name" {
+  type        = string
+  description = "A human-readable unique name to assign to the intermediate CA configuration."
+  default     = "intermediate-ca"
+}
+
+variable "certificate_template_name" {
+  type        = string
+  description = "The name of the certificate template."
+  default     = "default-cert-template"
+}
+
 variable "iam_engine_enabled" {
   type        = bool
   description = "Set this to true to to configure an IBM Secrets Manager IAM credentials engine. If set to false, no iam engine will be configured for your secrets manager instance. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-configure-iam-engine."

solutions/standard/version.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"
-      version = "1.64.0"
+      version = "1.64.2"
     }
   }
 }

tests/go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/IBM/go-sdk-core/v5 v5.16.3 // indirect
 	github.com/IBM/platform-services-go-sdk v0.62.2 // indirect
 	github.com/IBM/schematics-go-sdk v0.2.3 // indirect
+	github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4 // indirect
 	github.com/IBM/vpc-go-sdk v1.0.2 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect

tests/go.sum

@@ -203,6 +203,8 @@ github.com/IBM/platform-services-go-sdk v0.62.2 h1:MgngCFHBLrlvM1HS522agIMnjshHR
 github.com/IBM/platform-services-go-sdk v0.62.2/go.mod h1:fd7gUOmsuQYhYLTZVLL+posObT/ISxVV+6JzsfDs5qE=
 github.com/IBM/schematics-go-sdk v0.2.3 h1:lgTt0Sbudii3cuSk1YSQgrtiZAXDbBABAoVj3eQuBrU=
 github.com/IBM/schematics-go-sdk v0.2.3/go.mod h1:Tw2OSAPdpC69AxcwoyqcYYaGTTW6YpERF9uNEU+BFRQ=
+github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4 h1:xa9e+POVqaXxXHXkSMCOVAbKdUNEu86jQmo5hcpd+L4=
+github.com/IBM/secrets-manager-go-sdk/v2 v2.0.4/go.mod h1:5gq8D8uWOIbqOm1uztay6lpOysgJaxxEsaVZLWGWb40=
 github.com/IBM/vpc-go-sdk v1.0.2 h1:WhI1Cb8atA8glUdFg0SEUh9u8afjnKHxZAj9onQBi04=
 github.com/IBM/vpc-go-sdk v1.0.2/go.mod h1:42NO/XCXsyrYqpvtxoX5xwSEv/jBU1MKEoyaYkIUico=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=

tests/pr_test.go

@@ -7,6 +7,8 @@ import (
 	"os"
 	"testing"
 
+	"github.com/IBM/go-sdk-core/v5/core"
+	"github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2"
 	"github.com/stretchr/testify/assert"
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common"
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
@@ -112,6 +114,11 @@ func TestRunDASolutionSchematics(t *testing.T) {
 	t.Parallel()
 
 	const region = "us-south"
+	acme_letsencrypt_private_key := GetSecretsManagerKey( // pragma: allowlist secret
+		permanentResources["acme_letsencrypt_private_key_sm_id"].(string),
+		permanentResources["acme_letsencrypt_private_key_sm_region"].(string),
+		permanentResources["acme_letsencrypt_private_key_secret_id"].(string),
+	)
 
 	// Set up a schematics test
 	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
@@ -135,8 +142,36 @@ func TestRunDASolutionSchematics(t *testing.T) {
 		{Name: "allowed_network", Value: "private-only", DataType: "string"},
 		{Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
 		{Name: "iam_engine_enabled", Value: true, DataType: "bool"},
+		{Name: "public_engine_enabled", Value: true, DataType: "bool"},
+		{Name: "private_engine_enabled", Value: true, DataType: "bool"},
+		{Name: "cis_id", Value: permanentResources["cisInstanceId"], DataType: "string"},
+		{Name: "ca_name", Value: permanentResources["certificateAuthorityName"], DataType: "string"},
+		{Name: "dns_provider_name", Value: permanentResources["dnsProviderName"], DataType: "string"},
+		{Name: "acme_letsencrypt_private_key", Value: *acme_letsencrypt_private_key, DataType: "string"},
 	}
 
 	err := options.RunSchematicTest()
 	assert.NoError(t, err, "Schematic Test had unexpected error")
 }
+
+func GetSecretsManagerKey(sm_id string, sm_region string, sm_key_id string) *string {
+	secretsManagerService, err := secretsmanagerv2.NewSecretsManagerV2(&secretsmanagerv2.SecretsManagerV2Options{
+		URL: fmt.Sprintf("https://%s.%s.secrets-manager.appdomain.cloud", sm_id, sm_region),
+		Authenticator: &core.IamAuthenticator{
+			ApiKey: os.Getenv("TF_VAR_ibmcloud_api_key"),
+		},
+	})
+	if err != nil {
+		panic(err)
+	}
+
+	getSecretOptions := secretsManagerService.NewGetSecretOptions(
+		sm_key_id,
+	)
+
+	secret, _, err := secretsManagerService.GetSecret(getSecretOptions)
+	if err != nil {
+		panic(err)
+	}
+	return secret.(*secretsmanagerv2.ArbitrarySecret).Payload
+}