fix: add missing SM IAM secrets engine (#496)

terraform-ibm-modules · Oct 15, 2024 · 477e28b · 477e28b
1 parent 6719614
commit 477e28b
Show file tree

Hide file tree

Showing 11 changed files with 107 additions and 68 deletions.
diff --git a/README.md b/README.md
@@ -476,10 +476,12 @@ statement instead the previous block.
 | <a name="input_create_cd_instance"></a> [create\_cd\_instance](#input\_create\_cd\_instance) | Set to `true` to create Continuous Delivery Service. | `bool` | `false` | no |
 | <a name="input_create_cd_toolchain"></a> [create\_cd\_toolchain](#input\_create\_cd\_toolchain) | Boolean flag which determines if the DevSecOps CD toolchain is created. | `bool` | `true` | no |
 | <a name="input_create_ci_toolchain"></a> [create\_ci\_toolchain](#input\_create\_ci\_toolchain) | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence\_repo\_url, issues\_repo\_url and inventory\_repo\_url. | `bool` | `true` | no |
+| <a name="input_create_code_engine_access_policy"></a> [create\_code\_engine\_access\_policy](#input\_create\_code\_engine\_access\_policy) | Add a Code Engine access policy to the generated IAM access key. See `create_ibmcloud_api_key`. | `bool` | `false` | no |
 | <a name="input_create_cos_api_key"></a> [create\_cos\_api\_key](#input\_create\_cos\_api\_key) | Set to `true` to create and add a `cos-api-key` to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_git_token"></a> [create\_git\_token](#input\_create\_git\_token) | Set to `true` to create and add the specified personal access token secret to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_ibmcloud_api_key"></a> [create\_ibmcloud\_api\_key](#input\_create\_ibmcloud\_api\_key) | Set to `true` to create and add an `ibmcloud-api-key` to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_icr_namespace"></a> [create\_icr\_namespace](#input\_create\_icr\_namespace) | Set to `true` to have Terraform create the registry namespace. Setting to `false` will have the CI pipeline create the namespace if it does not already exist. Note: If a Terraform destroy is used, the ICR namespace along with all images will be removed. | `bool` | `false` | no |
+| <a name="input_create_kubernetes_access_policy"></a> [create\_kubernetes\_access\_policy](#input\_create\_kubernetes\_access\_policy) | Add a Kubernetes access policy to the generated IAM access key. See `create_ibmcloud_api_key`. | `bool` | `false` | no |
 | <a name="input_create_secret_group"></a> [create\_secret\_group](#input\_create\_secret\_group) | Set to `true` to create the specified Secrets Manager secret group. | `bool` | `false` | no |
 | <a name="input_create_signing_certificate"></a> [create\_signing\_certificate](#input\_create\_signing\_certificate) | Set to `true` to create and add the `signing-certificate` to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_signing_key"></a> [create\_signing\_key](#input\_create\_signing\_key) | Set to `true` to create and add a `signing_key`to the Secrets Provider. | `bool` | `false` | no |
@@ -584,7 +586,6 @@ statement instead the previous block.
 | <a name="input_sonarqube_secret_name"></a> [sonarqube\_secret\_name](#input\_sonarqube\_secret\_name) | The name of the SonarQube secret in the secrets provider. | `string` | `"sonarqube-secret"` | no |
 | <a name="input_sonarqube_server_url"></a> [sonarqube\_server\_url](#input\_sonarqube\_server\_url) | The URL to the SonarQube server. | `string` | `""` | no |
 | <a name="input_sonarqube_user"></a> [sonarqube\_user](#input\_sonarqube\_user) | The name of the SonarQube user. | `string` | `""` | no |
-| <a name="input_target_deployment"></a> [target\_deployment](#input\_target\_deployment) | The target deployment ,`kubernetes` or `code-engine` to create the relevant access policy. | `string` | `"kubernetes"` | no |
 | <a name="input_toolchain_name"></a> [toolchain\_name](#input\_toolchain\_name) | This variable specifies the root name for the CI, CD and CC toolchain names. A fixed suffix will automatically be appended. Setting `DevSecOps` will generate toolchains with the names `DevSecOps-CI-Toolchain`,  `DevSecOps-CD-Toolchain` and `DevSecOps-CC-Toolchain`. The full name of each toolchain can be set independently using `ci_toolchain_name`, `cd_toolchain_name`, and `cc_toolchain_name`. | `string` | `"DevSecOps"` | no |
 | <a name="input_toolchain_region"></a> [toolchain\_region](#input\_toolchain\_region) | The region identifier that will be used, by default, for all resource creation and service instance lookup. | `string` | `"us-south"` | no |
 | <a name="input_toolchain_resource_group"></a> [toolchain\_resource\_group](#input\_toolchain\_resource\_group) | The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis. | `string` | `"Default"` | no |

diff --git a/main.tf b/main.tf
@@ -227,31 +227,33 @@ resource "ibm_cr_namespace" "cr_namespace" {
 
 ################ Experimental #####################
 module "prereqs" {
-  count                          = (local.enable_prereqs) ? 1 : 0
-  source                         = "./prereqs"
-  create_ibmcloud_api_key        = var.create_ibmcloud_api_key
-  create_cos_api_key             = var.create_cos_api_key
-  create_git_token               = var.create_git_token
-  create_signing_key             = var.create_signing_key
-  create_signing_certificate     = var.create_signing_certificate
-  service_name_pipeline          = var.service_name_pipeline
-  service_name_cos               = var.service_name_cos
-  sm_name                        = var.sm_name
-  sm_location                    = var.sm_location
-  sm_secret_group_name           = var.sm_secret_group
-  sm_resource_group              = var.sm_resource_group
-  create_secret_group            = var.create_secret_group
-  cos_api_key_secret_name        = var.cos_api_key_secret_name
-  iam_api_key_secret_name        = var.pipeline_ibmcloud_api_key_secret_name
-  signing_key_secret_name        = var.ci_signing_key_secret_name
-  signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name
-  repo_git_token_secret_name     = var.repo_git_token_secret_name
-  repo_git_token_secret_value    = var.repo_git_token_secret_value
-  rotation_period                = var.rotation_period
-  sm_secret_expiration_period    = var.sm_secret_expiration_period
-  sm_exists                      = var.enable_secrets_manager
-  sm_endpoint_type               = var.sm_endpoint_type
-  target_deployment              = var.target_deployment
+  count                            = (local.enable_prereqs) ? 1 : 0
+  source                           = "./prereqs"
+  ibmcloud_api_key                 = var.ibmcloud_api_key
+  create_ibmcloud_api_key          = var.create_ibmcloud_api_key
+  create_cos_api_key               = var.create_cos_api_key
+  create_git_token                 = var.create_git_token
+  create_signing_key               = var.create_signing_key
+  create_signing_certificate       = var.create_signing_certificate
+  service_name_pipeline            = var.service_name_pipeline
+  service_name_cos                 = var.service_name_cos
+  sm_name                          = var.sm_name
+  sm_location                      = var.sm_location
+  sm_secret_group_name             = var.sm_secret_group
+  sm_resource_group                = var.sm_resource_group
+  create_secret_group              = var.create_secret_group
+  cos_api_key_secret_name          = var.cos_api_key_secret_name
+  iam_api_key_secret_name          = var.pipeline_ibmcloud_api_key_secret_name
+  signing_key_secret_name          = var.ci_signing_key_secret_name
+  signing_certifcate_secret_name   = var.cd_code_signing_cert_secret_name
+  repo_git_token_secret_name       = var.repo_git_token_secret_name
+  repo_git_token_secret_value      = var.repo_git_token_secret_value
+  rotation_period                  = var.rotation_period
+  sm_secret_expiration_period      = var.sm_secret_expiration_period
+  sm_exists                        = var.enable_secrets_manager
+  sm_endpoint_type                 = var.sm_endpoint_type
+  create_code_engine_access_policy = var.create_code_engine_access_policy
+  create_kubernetes_access_policy  = var.create_kubernetes_access_policy
 }
 
 module "devsecops_ci_toolchain" {

diff --git a/prereqs/main.tf b/prereqs/main.tf
@@ -19,6 +19,9 @@ locals {
   sm_secret_expiration_period_hours = ((var.sm_secret_expiration_period != "") && (var.sm_secret_expiration_period != "0")) ? var.sm_secret_expiration_period * 24 : null
 
   expiration_date = (local.sm_secret_expiration_period_hours != null) ? timeadd(time_static.timestamp[0].rfc3339, "${local.sm_secret_expiration_period_hours}h") : null
+
+  create_pipeline_api_key = ((var.create_ibmcloud_api_key == true) && (var.sm_exists == true)) ? true : false
+  create_cos_api_key      = ((var.create_cos_api_key == true) && (var.sm_exists == true)) ? true : false
 }
 
 resource "time_static" "timestamp" {
@@ -92,7 +95,7 @@ resource "ibm_iam_service_policy" "cd_policy" {
 }
 
 resource "ibm_iam_service_policy" "kube_policy" {
-  count          = (var.target_deployment == "kubernetes") ? 1 : 0
+  count          = (var.create_kubernetes_access_policy) ? 1 : 0
   iam_service_id = ibm_iam_service_id.pipeline_service_id.id
   roles          = ["Editor"]
   resources {
@@ -102,7 +105,7 @@ resource "ibm_iam_service_policy" "kube_policy" {
 }
 
 resource "ibm_iam_service_policy" "ce_policy" {
-  count          = (var.target_deployment == "code-engine") ? 1 : 0
+  count          = (var.create_code_engine_access_policy) ? 1 : 0
   iam_service_id = ibm_iam_service_id.pipeline_service_id.id
   roles          = ["Editor"]
   resources {
@@ -133,16 +136,6 @@ data "ibm_sm_secret_groups" "secret_groups" {
 }
 
 #################### SECRETS #######################
-resource "ibm_iam_api_key" "iam_api_key" {
-  count = (var.create_ibmcloud_api_key) ? 1 : 0
-  name  = "ibmcloud-api-key"
-}
-
-resource "ibm_iam_api_key" "cos_iam_api_key" {
-  count = (var.create_cos_api_key) ? 1 : 0
-  name  = "cos-api-key"
-}
-
 data "external" "signing_keys" {
   count   = ((var.create_signing_key == true) || (var.create_signing_certificate == true)) ? 1 : 0
   program = ["bash", "${path.module}/scripts/gpg_keys.sh"]
@@ -213,9 +206,18 @@ resource "ibm_sm_arbitrary_secret" "git_token" {
 }
 
 ################## IAM CREDENTIALS###############################
+
+resource "ibm_sm_iam_credentials_configuration" "iam_credentials_configuration" {
+  count       = ((local.create_pipeline_api_key) || (local.create_cos_api_key)) ? 1 : 0
+  instance_id = (local.sm_instance_id != "") ? local.sm_instance_id : var.sm_instance_id
+  region      = var.sm_location
+  name        = "iam_credentials_config"
+  api_key     = var.ibmcloud_api_key
+}
+
 resource "ibm_sm_iam_credentials_secret" "iam_pipeline_apikey_credentials_secret" {
-  count       = ((var.create_ibmcloud_api_key == true) && (var.sm_exists == true)) ? 1 : 0
-  depends_on  = [ibm_sm_secret_group.sm_secret_group]
+  count       = (local.create_pipeline_api_key) ? 1 : 0
+  depends_on  = [ibm_sm_secret_group.sm_secret_group, ibm_sm_iam_credentials_configuration.iam_credentials_configuration]
   instance_id = data.ibm_resource_instance.sm_instance[0].guid
   region      = var.sm_location
   name        = var.iam_api_key_secret_name
@@ -231,8 +233,8 @@ resource "ibm_sm_iam_credentials_secret" "iam_pipeline_apikey_credentials_secret
 }
 
 resource "ibm_sm_iam_credentials_secret" "iam_cos_apikey_credentials_secret" {
-  count       = ((var.create_cos_api_key == true) && (var.sm_exists == true)) ? 1 : 0
-  depends_on  = [ibm_sm_secret_group.sm_secret_group]
+  count       = (local.create_cos_api_key) ? 1 : 0
+  depends_on  = [ibm_sm_secret_group.sm_secret_group, ibm_sm_iam_credentials_configuration.iam_credentials_configuration]
   instance_id = data.ibm_resource_instance.sm_instance[0].guid
   region      = var.sm_location
   name        = var.cos_api_key_secret_name

diff --git a/prereqs/variables.tf b/prereqs/variables.tf
@@ -1,3 +1,9 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The API key used to create the toolchains. (See deployment guide.)"
+  sensitive   = true
+}
+
 variable "gpg_name" {
   type        = string
   description = "The name to be associated with the GPG key."
@@ -145,10 +151,16 @@ variable "signing_key_secret_name" {
   default     = "signing_key"
 }
 
-variable "target_deployment" {
-  type        = string
-  description = "The target deployment ,`kubernetes` or `code-engine` to create the relevant access policy."
-  default     = "kubernetes"
+variable "create_kubernetes_access_policy" {
+  type        = bool
+  description = "Add a Kubernetes access policy to the generated IAM access key."
+  default     = false
+}
+
+variable "create_code_engine_access_policy" {
+  type        = bool
+  description = "Add a Code Engine access policy to the generated IAM access key."
+  default     = false
 }
 
 ##################### ICR ################

diff --git a/solutions/code-engine/README.md b/solutions/code-engine/README.md
@@ -460,10 +460,12 @@ No resources.
 | <a name="input_create_cd_instance"></a> [create\_cd\_instance](#input\_create\_cd\_instance) | Set to `true` to create Continuous Delivery Service. | `bool` | `false` | no |
 | <a name="input_create_cd_toolchain"></a> [create\_cd\_toolchain](#input\_create\_cd\_toolchain) | Boolean flag which determines if the DevSecOps CD toolchain is created. | `bool` | `true` | no |
 | <a name="input_create_ci_toolchain"></a> [create\_ci\_toolchain](#input\_create\_ci\_toolchain) | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence\_repo\_url, issues\_repo\_url and inventory\_repo\_url. | `bool` | `true` | no |
+| <a name="input_create_code_engine_access_policy"></a> [create\_code\_engine\_access\_policy](#input\_create\_code\_engine\_access\_policy) | Add a Code Engine access policy to the generated IAM access key. See `create_ibmcloud_api_key`. | `bool` | `true` | no |
 | <a name="input_create_cos_api_key"></a> [create\_cos\_api\_key](#input\_create\_cos\_api\_key) | Set to `true` to create and add a `cos-api-key` to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_git_token"></a> [create\_git\_token](#input\_create\_git\_token) | Set to `true` to create and add the specified personal access token secret to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_ibmcloud_api_key"></a> [create\_ibmcloud\_api\_key](#input\_create\_ibmcloud\_api\_key) | Set to `true` to create and add an `ibmcloud-api-key` to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_icr_namespace"></a> [create\_icr\_namespace](#input\_create\_icr\_namespace) | Set to `true` to have Terraform create the registry namespace. Setting to `false` will have the CI pipeline create the namespace if it does not already exist. Note: If a Terraform destroy is used, the ICR namespace along with all images will be removed. | `bool` | `false` | no |
+| <a name="input_create_kubernetes_access_policy"></a> [create\_kubernetes\_access\_policy](#input\_create\_kubernetes\_access\_policy) | Add a Kubernetes access policy to the generated IAM access key. See `create_ibmcloud_api_key`. | `bool` | `false` | no |
 | <a name="input_create_secret_group"></a> [create\_secret\_group](#input\_create\_secret\_group) | Set to `true` to create the specified Secrets Manager secret group. | `bool` | `false` | no |
 | <a name="input_create_signing_certificate"></a> [create\_signing\_certificate](#input\_create\_signing\_certificate) | Set to `true` to create and add the `signing-certificate` to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_signing_key"></a> [create\_signing\_key](#input\_create\_signing\_key) | Set to `true` to create and add a `signing_key`to the Secrets Provider. | `bool` | `false` | no |
@@ -565,7 +567,6 @@ No resources.
 | <a name="input_sonarqube_secret_name"></a> [sonarqube\_secret\_name](#input\_sonarqube\_secret\_name) | The name of the SonarQube secret in the secrets provider. | `string` | `"sonarqube-secret"` | no |
 | <a name="input_sonarqube_server_url"></a> [sonarqube\_server\_url](#input\_sonarqube\_server\_url) | The URL to the SonarQube server. | `string` | `""` | no |
 | <a name="input_sonarqube_user"></a> [sonarqube\_user](#input\_sonarqube\_user) | The name of the SonarQube user. | `string` | `""` | no |
-| <a name="input_target_deployment"></a> [target\_deployment](#input\_target\_deployment) | The target deployment ,`kubernetes` or `code-engine` to create the relevant access policy. | `string` | `"code-engine"` | no |
 | <a name="input_toolchain_name"></a> [toolchain\_name](#input\_toolchain\_name) | This variable specifies the root name for the CI, CD and CC toolchain names. A fixed suffix will automatically be appended. Setting `DevSecOps` will generate toolchains with the names `DevSecOps-CI-Toolchain`,  `DevSecOps-CD-Toolchain` and `DevSecOps-CC-Toolchain`. The full name of each toolchain can be set independently using `ci_toolchain_name`, `cd_toolchain_name`, and `cc_toolchain_name`. | `string` | `"DevSecOps"` | no |
 | <a name="input_toolchain_region"></a> [toolchain\_region](#input\_toolchain\_region) | The region identifier that will be used, by default, for all resource creation and service instance lookup. This can be overridden on a per resource/service basis. | `string` | `"us-south"` | no |
 | <a name="input_toolchain_resource_group"></a> [toolchain\_resource\_group](#input\_toolchain\_resource\_group) | The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis. | `string` | `"Default"` | no |

diff --git a/solutions/code-engine/main.tf b/solutions/code-engine/main.tf
@@ -34,10 +34,12 @@ module "devsecops_da" {
   create_cd_instance                                = var.create_cd_instance
   create_cd_toolchain                               = var.create_cd_toolchain
   create_ci_toolchain                               = var.create_ci_toolchain
+  create_code_engine_access_policy                  = var.create_code_engine_access_policy
   create_cos_api_key                                = var.create_cos_api_key
   create_git_token                                  = var.create_git_token
   create_ibmcloud_api_key                           = var.create_ibmcloud_api_key
   create_icr_namespace                              = var.create_icr_namespace
+  create_kubernetes_access_policy                   = var.create_kubernetes_access_policy
   create_secret_group                               = var.create_secret_group
   create_signing_certificate                        = var.create_signing_certificate
   create_signing_key                                = var.create_signing_key
@@ -138,7 +140,6 @@ module "devsecops_da" {
   sonarqube_secret_name                             = var.sonarqube_secret_name
   sonarqube_server_url                              = var.sonarqube_server_url
   sonarqube_user                                    = var.sonarqube_user
-  target_deployment                                 = var.target_deployment
   toolchain_name                                    = var.toolchain_name
   toolchain_resource_group                          = var.toolchain_resource_group
   toolchain_region                                  = var.toolchain_region