
Replace service endpoints with allowed networks #69


Merged
merged 2 commits into from
Apr 11, 2024
3 changes: 1 addition & 2 deletions README.md
Expand Up @@ -44,7 +44,6 @@ module "secrets_manager" {
region = "us-south"
secrets_manager_name = "my-secrets-manager"
sm_service_plan = "trial"
service_endpoints = "public-and-private"
}
```
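Review bot: The README example now drops `service_endpoints` without showing the replacement, so a reader of this snippet never sees the new input; consider adding `allowed_network = "public-and-private"` (or `"private-only"`) to the example so the rename is discoverable from the usage sample rather than only from the inputs table.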

Expand Down Expand Up @@ -91,6 +90,7 @@ You need the following permissions to run this module.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_allowed_network"></a> [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create | <pre>list(object({<br> description = string<br> account_id = string<br> rule_contexts = list(object({<br> attributes = optional(list(object({<br> name = string<br> value = string<br> }))) }))<br> enforcement_mode = string<br> }))</pre> | `[]` | no |
| <a name="input_enable_event_notification"></a> [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` variable. | `bool` | `false` | no |
| <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |
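Review bot: The description of the new `allowed_network` row is copied from the old `service_endpoints` row and still speaks of "service endpoints", which hides the semantic change: `allowed_network` is passed as an instance parameter (see `parameters` in `main.tf`) and restricts the network from which the Secrets Manager instance can be reached, so `private-only` makes the instance unreachable over public endpoints. Suggest wording along the lines of "The network from which the Secrets Manager instance can be reached" and a cross-reference to `endpoint_type`, since the two must be consistent.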
Expand All @@ -101,7 +101,6 @@ You need the following permissions to run this module.
| <a name="input_region"></a> [region](#input\_region) | The region to provision the Secrets Manager instance to. | `string` | n/a | yes |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group to provision the Secrets Manager instance to. | `string` | n/a | yes |
| <a name="input_secrets_manager_name"></a> [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name to give the Secrets Manager instance. | `string` | n/a | yes |
| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `public`, `private` or `public-and-private`. | `string` | `"public-and-private"` | no |
| <a name="input_skip_en_iam_authorization_policy"></a> [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
| <a name="input_skip_kms_iam_authorization_policy"></a> [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to false. | `bool` | `false` | no |
| <a name="input_sm_service_plan"></a> [sm\_service\_plan](#input\_sm\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
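Review bot: Removing this row drops the `public` value without any migration note; consumers that set `service_endpoints = "public"` or `"private"` will now fail with an unknown-variable error, and there is no longer a public-only option at all. A short upgrade paragraph mapping `private` to `private-only` and `public`/`public-and-private` to `public-and-private` would save users a confusing plan failure.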
1 change: 0 additions & 1 deletion examples/complete/main.tf
Expand Up @@ -42,7 +42,6 @@ module "secrets_manager" {
secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure
sm_service_plan = var.sm_service_plan
sm_tags = var.resource_tags
service_endpoints = "public-and-private"
kms_encryption_enabled = true
existing_kms_instance_guid = module.key_protect.kms_guid
kms_key_crn = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn
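Review bot: Deleting the line rather than replacing it means the complete example now relies on the default `public-and-private`, so nothing in the examples directory exercises `allowed_network` explicitly; either set it here or add a comment stating that the default is intended for this example.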
7 changes: 2 additions & 5 deletions main.tf
Expand Up @@ -4,8 +4,6 @@

# Validation
locals {
allowed_network = var.service_endpoints == "private" ? "private-only" : "public-and-private"

# Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
# tflint-ignore: terraform_unused_declarations
validate_kms_values = (!var.kms_encryption_enabled && var.kms_key_crn != null) ? tobool("When passing values for var.kms_key_crn, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : (!var.kms_encryption_enabled && var.existing_kms_instance_guid != null) ? tobool("When passing values for var.existing_kms_instance_guid, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true
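Review bot: With the `allowed_network` local gone, the translation from `private` to `private-only` goes with it, so the module no longer accepts the endpoint-style value; that is fine as a deliberate break, but the variable description and the `validate_endpoint` message should make clear that the expected value is the instance parameter name (`private-only`), not the endpoint type (`private`) still used by `endpoint_type`.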
Expand All @@ -16,21 +14,20 @@ locals {
# tflint-ignore: terraform_unused_declarations
validate_event_notification = var.enable_event_notification && var.existing_en_instance_crn == null ? tobool("When setting var.enable_event_notification to true, a value must be passed for var.existing_en_instance_crn") : true
# tflint-ignore: terraform_unused_declarations
validate_endpoint = var.enable_event_notification && (var.endpoint_type == "public" && var.service_endpoints == "private") || (var.endpoint_type == "private" && var.service_endpoints == "public") ? tobool("It is not allowed to have conflicting var.endpoint_type and var.service_endpoints values.") : true
validate_endpoint = var.enable_event_notification && var.endpoint_type == "public" && var.allowed_network == "private-only" ? tobool("It is not allowed to have conflicting var.endpoint_type and var.allowed_network values.") : true
}

# Create Secrets Manager Instance
resource "ibm_resource_instance" "secrets_manager_instance" {
depends_on = [ibm_iam_authorization_policy.kms_policy]
name = var.secrets_manager_name
service = "secrets-manager"
service_endpoints = var.service_endpoints
plan = var.sm_service_plan
location = var.region
resource_group_id = var.resource_group_id
tags = var.sm_tags
parameters = {
"allowed_network" = local.allowed_network
"allowed_network" = var.allowed_network
"kms_instance" = var.existing_kms_instance_guid
"kms_key" = var.kms_key_crn
}
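Review bot: The rewritten `validate_endpoint` fixes the precedence problem in the old expression (the `||` branch was evaluated without `enable_event_notification` because `&&` binds tighter than `||`), but it still gates the whole check on `var.enable_event_notification`. The README states that the provider uses `endpoint_type` for all Secrets Manager API calls, not only for Event Notifications, so `endpoint_type = "public"` with `allowed_network = "private-only"` looks like a conflict in every case; consider dropping the `var.enable_event_notification &&` prefix or documenting why the combination is acceptable when notifications are off. Separately, removing `service_endpoints` from `ibm_resource_instance` means network exposure is now controlled solely by the `allowed_network` parameter; a one-line comment on the resource would stop someone re-adding the argument later.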
2 changes: 1 addition & 1 deletion modules/fscloud/main.tf
Expand Up @@ -5,7 +5,7 @@ module "secrets_manager" {
secrets_manager_name = var.secrets_manager_name #tfsec:ignore:general-secrets-no-plaintext-exposure
sm_service_plan = var.service_plan
sm_tags = var.sm_tags
service_endpoints = "private"
allowed_network = "private-only"
endpoint_type = "private"
kms_encryption_enabled = true
existing_kms_instance_guid = var.existing_kms_instance_guid
4 changes: 2 additions & 2 deletions solutions/standard/main.tf
Expand Up @@ -56,7 +56,7 @@ module "secrets_manager" {
region = var.region
secrets_manager_name = var.secrets_manager_instance_name
sm_service_plan = var.service_plan
service_endpoints = var.service_endpoints
allowed_network = var.allowed_network
sm_tags = var.secret_manager_tags
# kms dependency
kms_encryption_enabled = true
Expand All @@ -67,5 +67,5 @@ module "secrets_manager" {
enable_event_notification = var.existing_en_instance_crn != null ? true : false
existing_en_instance_crn = var.existing_en_instance_crn
skip_en_iam_authorization_policy = var.skip_en_iam_authorization_policy
endpoint_type = var.service_endpoints == "private" ? var.service_endpoints : "public"
endpoint_type = var.allowed_network == "private-only" ? "private" : "public"
}
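Review bot: Deriving `endpoint_type` from `allowed_network` is clearer than the previous expression and guarantees the solution can never trip `validate_endpoint`. Note the asymmetry though: `public-and-private` forces the public endpoint even for runtimes that have private connectivity. The comment in `solutions/standard/variables.tf` ("public-and-private until IBM Console connects to SM via private endpoints") explains why; repeating that reasoning next to this line would help the next maintainer.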
9 changes: 4 additions & 5 deletions solutions/standard/variables.tf
Expand Up @@ -45,14 +45,13 @@ variable "service_plan" {
}
}

variable "service_endpoints" {
# public-and-private until IBM Console connects to SM via private endpoints
variable "allowed_network" {
type = string
description = "The service endpoints to enable for all services deployed by this solution. Allowed values are `private` or `public-and-private`. If selecting `public-and-private`, communication to the instances will all be done over the public endpoints. Ensure to enable virtual routing and forwarding (VRF) in your account if using `private`, and that the terraform runtime has access to the the IBM Cloud private network."
description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`."
default = "public-and-private"
validation {
condition = contains(["private", "public-and-private"], var.service_endpoints)
error_message = "The specified service_endpoints is not a valid selection. Allowed values are `private` or `public-and-private`."
condition = contains(["private-only", "public-and-private"], var.allowed_network)
error_message = "The specified allowed_network is not a valid selection!"
}
}
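Review bot: The new description loses the operational guidance the old one carried: that VRF must be enabled in the account and that the Terraform runtime needs access to the IBM Cloud private network when the private option is chosen. Both still apply to `private-only` (the derived `endpoint_type` becomes `private`), so please carry them over. The error message also regressed from listing the allowed values to a bare "is not a valid selection!"; restoring the list keeps validation failures self-explanatory.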

2 changes: 1 addition & 1 deletion tests/pr_test.go
Expand Up @@ -131,7 +131,7 @@ func TestRunDASolutionSchematics(t *testing.T) {
{Name: "region", Value: options.Region, DataType: "string"},
{Name: "resource_group_name", Value: options.Prefix, DataType: "string"},
{Name: "service_plan", Value: "trial", DataType: "string"},
{Name: "service_endpoints", Value: "private", DataType: "string"},
{Name: "allowed_network", Value: "private-only", DataType: "string"},
{Name: "existing_kms_guid", Value: permanentResources["hpcs_south"], DataType: "string"},
{Name: "kms_region", Value: "us-south", DataType: "string"}, // KMS instance is in us-south
}
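Review bot: Only the value changes here, so the Schematics test keeps exercising the `private-only` path; the `public-and-private` default together with the derived `endpoint_type = "public"` remains untested in this file. Fine if another test covers it, otherwise consider a second case.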
8 changes: 4 additions & 4 deletions variables.tf
Expand Up @@ -33,13 +33,13 @@ variable "sm_tags" {
default = []
}

variable "service_endpoints" {
variable "allowed_network" {
type = string
description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `public`, `private` or `public-and-private`."
description = "The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`."
default = "public-and-private"
validation {
condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
error_message = "The specified service_endpoints is not a valid selection!"
condition = contains(["private-only", "public-and-private"], var.allowed_network)
error_message = "The specified allowed_network is not a valid selection!"
}
}
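Review bot: Same two points as for `solutions/standard/variables.tf`: the error message dropped its list of allowed values, and the description should say what `private-only` means for reachability (the instance is no longer reachable over public endpoints and `endpoint_type` must then be `private`, which `validate_endpoint` only enforces when event notifications are enabled). Renaming this root variable is also a breaking change for every caller of the module; flag it in the release notes.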
