From 317590f25790e19b32a586c4af63b43ffd150913 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 15 Nov 2023 13:19:45 +0200 Subject: [PATCH 01/18] SC addition --- ibm/provider/provider.go | 2 + ...ource_ibm_sm_service_credentials_secret.go | 601 ++++++++++++ ...ource_ibm_sm_service_credentilas_secret.go | 868 ++++++++++++++++++ ...m_service_credentials_secret.html.markdown | 166 ++++ 4 files changed, 1637 insertions(+) create mode 100644 ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go create mode 100644 ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go create mode 100644 website/docs/r/sm_service_credentials_secret.html.markdown diff --git a/ibm/provider/provider.go b/ibm/provider/provider.go index bdc22fc9a53..936814aded4 100644 --- a/ibm/provider/provider.go +++ b/ibm/provider/provider.go @@ -710,6 +710,7 @@ func Provider() *schema.Provider { "ibm_sm_iam_credentials_secret": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmIamCredentialsSecret()), "ibm_sm_kv_secret": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmKvSecret()), "ibm_sm_username_password_secret": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmUsernamePasswordSecret()), + "ibm_sm_service_credentials_secret": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmServiceCredentialsSecret()), "ibm_sm_en_registration": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmEnRegistration()), // //Added for Satellite @@ -1234,6 +1235,7 @@ func Provider() *schema.Provider { "ibm_sm_public_certificate": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmPublicCertificate()), "ibm_sm_private_certificate": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmPrivateCertificate()), "ibm_sm_iam_credentials_secret": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmIamCredentialsSecret()), + "ibm_sm_service_credentials_secret": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmServiceCredentialsSecret()), "ibm_sm_username_password_secret": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmUsernamePasswordSecret()), "ibm_sm_kv_secret": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmKvSecret()), "ibm_sm_public_certificate_configuration_ca_lets_encrypt": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmPublicCertificateConfigurationCALetsEncrypt()), diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go new file mode 100644 index 00000000000..8e23da68633 --- /dev/null +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go @@ -0,0 +1,601 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager + +import ( + "context" + "fmt" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" + "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +func DataSourceIbmSmServiceCredentialsSecret() *schema.Resource { + return &schema.Resource{ + ReadContext: dataSourceIbmSmServiceCredentialsSecretRead, + + Schema: map[string]*schema.Schema{ + "secret_id": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + ExactlyOneOf: []string{"secret_id", "name"}, + Description: "The ID of the secret.", + }, + "created_by": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The unique identifier that is associated with the entity that created the secret.", + }, + "created_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was created. The date format follows RFC 3339.", + }, + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A CRN that uniquely identifies an IBM Cloud resource.", + }, + "custom_metadata": &schema.Schema{ + Type: schema.TypeMap, + Computed: true, + Description: "The secret metadata that a user can customize.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group.", + }, + "downloaded": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API.", + }, + "labels": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "Labels that you can use to search for secrets in your instance.Up to 30 labels can be created.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "locks_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of locks of the secret.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + ExactlyOneOf: []string{"secret_id", "name"}, + RequiredWith: []string{"secret_group_name"}, + Description: "The human-readable name of your secret.", + }, + + "secret_group_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + ForceNew: true, + Description: "A v4 UUID identifier, or `default` secret group.", + }, + "secret_group_name": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + RequiredWith: []string{"name"}, + Description: "The human-readable name of your secret group.", + }, + "secret_type": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials.", + }, + "state": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values.", + }, + "state_description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A text representation of the secret state.", + }, + "updated_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was recently modified. The date format follows RFC 3339.", + }, + "versions_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of versions of the secret.", + }, + "ttl": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", + }, + "rotation": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secrets automatically.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auto_rotate": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.", + }, + "interval": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The length of the secret rotation time interval.", + }, + "unit": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The units for the secret rotation time interval.", + }, + }, + }, + }, + "next_rotation_date": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date that the secret is scheduled for automatic rotation. The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy.", + }, + "credentials": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The properties of the service credentials secret payload.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "apikey": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Sensitive: true, + Description: "The API key that is generated for this secret.", + }, + "cos_hmac_keys": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "access_key_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The access key ID for Cloud Object Storage HMAC credentials.", + }, + "secret_access_key": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The secret access key ID for Cloud Object Storage HMAC credentials.", + }, + }, + }, + }, + "endpoints": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The endpoints that are returned after you create a service credentials secret.", + }, + "iam_apikey_description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The description of the generated IAM API key.", + }, + "iam_apikey_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The name of the generated IAM API key.", + }, + "iam_role_crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM role CRN that is returned after you create a service credentials secret.", + }, + "iam_serviceid_crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM serviceId CRN that is returned after you create a service credentials secret.", + }, + "resource_instance_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource instance CRN that is returned after you create a service credentials secret.", + }, + }, + }, + }, + "source_service": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The properties required for creating the service credentials for the specified source service instance.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "instance": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service instance identifier.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A CRN that uniquely identifies a service credentials target.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The CRN role identifier for creating a service-id.", + }, + }, + }, + }, + "iam": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service IAM data is returned in case IAM credentials where created for this secret.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "apikey": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM apikey metadata for the IAM credentials that were generated.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key name for the generated service credentials.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key description for the generated service credentials.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM role for the generate service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM role CRN assigned to the generated service credentials.", + }, + }, + }, + }, + "serviceid": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM serviceid for the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM Service ID CRN.", + }, + }, + }, + }, + }, + }, + }, + "resource_key": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service resource key data of the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key CRN of the generated service credentials.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key name of the generated service credentials.", + }, + }, + }, + }, + "parameters": &schema.Schema{ + Type: schema.TypeMap, + Computed: true, + Description: "The collection of parameters for the service credentials target.", + }, + }, + }, + }, + }, + } +} + +func dataSourceIbmSmServiceCredentialsSecretRead(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + ServiceCredentialsSecretIntf, region, instanceId, diagError := getSecretByIdOrByName(context, d, meta, ServiceCredentialsSecretType) + if diagError != nil { + return diagError + } + + ServiceCredentialsSecret := ServiceCredentialsSecretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) + d.SetId(fmt.Sprintf("%s/%s/%s", region, instanceId, *ServiceCredentialsSecret.ID)) + + var err error + if err = d.Set("region", region); err != nil { + return diag.FromErr(fmt.Errorf("Error setting region: %s", err)) + } + if err = d.Set("created_by", ServiceCredentialsSecret.CreatedBy); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_by: %s", err)) + } + + if err = d.Set("created_at", DateTimeToRFC3339(ServiceCredentialsSecret.CreatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_at: %s", err)) + } + + if err = d.Set("crn", ServiceCredentialsSecret.Crn); err != nil { + return diag.FromErr(fmt.Errorf("Error setting crn: %s", err)) + } + + if ServiceCredentialsSecret.CustomMetadata != nil { + convertedMap := make(map[string]interface{}, len(ServiceCredentialsSecret.CustomMetadata)) + for k, v := range ServiceCredentialsSecret.CustomMetadata { + convertedMap[k] = v + } + + if err = d.Set("custom_metadata", flex.Flatten(convertedMap)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting custom_metadata: %s", err)) + } + if err != nil { + return diag.FromErr(fmt.Errorf("Error setting custom_metadata %s", err)) + } + } + + if err = d.Set("description", ServiceCredentialsSecret.Description); err != nil { + return diag.FromErr(fmt.Errorf("Error setting description: %s", err)) + } + + if err = d.Set("downloaded", ServiceCredentialsSecret.Downloaded); err != nil { + return diag.FromErr(fmt.Errorf("Error setting downloaded: %s", err)) + } + + if ServiceCredentialsSecret.Labels != nil { + if err = d.Set("labels", ServiceCredentialsSecret.Labels); err != nil { + return diag.FromErr(fmt.Errorf("Error setting labels: %s", err)) + } + } + + if err = d.Set("locks_total", flex.IntValue(ServiceCredentialsSecret.LocksTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting locks_total: %s", err)) + } + + if err = d.Set("name", ServiceCredentialsSecret.Name); err != nil { + return diag.FromErr(fmt.Errorf("Error setting name: %s", err)) + } + + if err = d.Set("secret_group_id", ServiceCredentialsSecret.SecretGroupID); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_group_id: %s", err)) + } + + if err = d.Set("secret_type", ServiceCredentialsSecret.SecretType); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_type: %s", err)) + } + + if err = d.Set("state", flex.IntValue(ServiceCredentialsSecret.State)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state: %s", err)) + } + + if err = d.Set("state_description", ServiceCredentialsSecret.StateDescription); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state_description: %s", err)) + } + + if err = d.Set("updated_at", DateTimeToRFC3339(ServiceCredentialsSecret.UpdatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting updated_at: %s", err)) + } + + if err = d.Set("versions_total", flex.IntValue(ServiceCredentialsSecret.VersionsTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting versions_total: %s", err)) + } + + if err = d.Set("ttl", ServiceCredentialsSecret.TTL); err != nil { + return diag.FromErr(fmt.Errorf("Error setting ttl: %s", err)) + } + + rotation := []map[string]interface{}{} + if ServiceCredentialsSecret.Rotation != nil { + modelMap, err := dataSourceIbmSmServiceCredentialsSecretRotationPolicyToMap(ServiceCredentialsSecret.Rotation.(*secretsmanagerv2.RotationPolicy)) + if err != nil { + return diag.FromErr(err) + } + rotation = append(rotation, modelMap) + } + if err = d.Set("rotation", rotation); err != nil { + return diag.FromErr(fmt.Errorf("Error setting rotation %s", err)) + } + + if err = d.Set("next_rotation_date", DateTimeToRFC3339(ServiceCredentialsSecret.NextRotationDate)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting next_rotation_date: %s", err)) + } + + if ServiceCredentialsSecret.Credentials != nil { + credentialsMap, err := dataSourceIbmSmServiceCredentialsSecretCredentialsToMap(ServiceCredentialsSecret.Credentials) + if err != nil { + return diag.FromErr(err) + } + if len(credentialsMap) > 0 { + if err = d.Set("credentials", []map[string]interface{}{credentialsMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting credentialsMap: %s", err)) + } + } + } + + sourceServiceMap, err := dataSourceIbmSmServiceCredentialsSecretSourceServiceToMap(ServiceCredentialsSecret.SourceService) + if err != nil { + return diag.FromErr(err) + } + if len(sourceServiceMap) > 0 { + if err = d.Set("source_service", []map[string]interface{}{sourceServiceMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting source_service: %s", err)) + } + } + + return nil +} + +func dataSourceIbmSmServiceCredentialsSecretRotationPolicyToMap(model *secretsmanagerv2.RotationPolicy) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if model.AutoRotate != nil { + modelMap["auto_rotate"] = *model.AutoRotate + } + if model.Interval != nil { + modelMap["interval"] = *model.Interval + } + if model.Unit != nil { + modelMap["unit"] = *model.Unit + } + return modelMap, nil +} + +func dataSourceIbmSmServiceCredentialsSecretCredentialsToMap(credentials *secretsmanagerv2.ServiceCredentialsSecretCredentials) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if credentials.IamApikeyDescription != nil { + modelMap["iam_apikey_description"] = credentials.IamApikeyDescription + } + if credentials.Apikey != nil { + modelMap["apikey"] = credentials.Apikey + } + if credentials.Endpoints != nil { + modelMap["endpoints"] = credentials.Endpoints + } + if credentials.IamApikeyName != nil { + modelMap["iam_apikey_name"] = credentials.IamApikeyName + } + if credentials.IamRoleCrn != nil { + modelMap["iam_role_crn"] = credentials.IamRoleCrn + } + if credentials.IamServiceidCrn != nil { + modelMap["iam_serviceid_crn"] = credentials.IamServiceidCrn + } + if credentials.ResourceInstanceID != nil { + modelMap["resource_instance_id"] = credentials.ResourceInstanceID + } + if credentials.CosHmacKeys != nil { + cosHmacKeys := [1]map[string]interface{}{} + m := map[string]interface{}{} + if credentials.CosHmacKeys.AccessKeyID != nil { + m["access_key_id"] = credentials.CosHmacKeys.AccessKeyID + } + if credentials.CosHmacKeys.SecretAccessKey != nil { + m["secret_access_key"] = credentials.CosHmacKeys.SecretAccessKey + } + cosHmacKeys[0] = m + modelMap["cos_hmac_keys"] = cosHmacKeys + } + return modelMap, nil +} + +func dataSourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secretsmanagerv2.ServiceCredentialsSecretSourceService) (map[string]interface{}, error) { + mainModelMap := make(map[string]interface{}) + if sourceService.Instance != nil { + instanceMap := make(map[string]interface{}) + instanceModel := sourceService.Instance + if instanceModel.Crn != nil { + instanceMap["crn"] = instanceModel.Crn + } + mainModelMap["instance"] = []map[string]interface{}{instanceMap} + } + + if sourceService.Role != nil { + roleMap := make(map[string]interface{}) + roleModel := sourceService.Role + if roleModel.Crn != nil { + roleMap["crn"] = roleModel.Crn + } + mainModelMap["role"] = []map[string]interface{}{roleMap} + } + + if sourceService.Iam != nil { + iamMap := make(map[string]interface{}) + iamModel := sourceService.Iam + + // apikey + if iamModel.Apikey != nil { + iamApikeyMap := make(map[string]interface{}) + iamApikeyModel := iamModel.Apikey + if iamApikeyModel.Name != nil { + iamApikeyMap["name"] = iamApikeyModel.Name + } + if iamApikeyModel.Description != nil { + iamApikeyMap["description"] = iamApikeyModel.Description + } + iamMap["apikey"] = []map[string]interface{}{iamApikeyMap} + } + + // role + if iamModel.Role != nil { + iamRoleMap := make(map[string]interface{}) + iamRoleModel := iamModel.Role + if iamRoleModel.Crn != nil { + iamRoleMap["crn"] = iamRoleModel.Crn + } + iamMap["role"] = []map[string]interface{}{iamRoleMap} + } + + // service id + if iamModel.Serviceid != nil { + iamServiceidMap := make(map[string]interface{}) + iamServiceidModel := iamModel.Serviceid + if iamServiceidModel.Crn != nil { + iamServiceidMap["crn"] = iamServiceidModel.Crn + } + iamMap["serviceid"] = []map[string]interface{}{iamServiceidMap} + } + + mainModelMap["iam"] = []map[string]interface{}{iamMap} + + } + + if sourceService.ResourceKey != nil { + resourceKeyMap := make(map[string]interface{}) + resourceKeyModel := sourceService.ResourceKey + if resourceKeyModel.Crn != nil { + resourceKeyMap["crn"] = resourceKeyModel.Crn + } + if resourceKeyModel.Name != nil { + resourceKeyMap["name"] = resourceKeyModel.Name + } + mainModelMap["resource_key"] = []map[string]interface{}{resourceKeyMap} + } + + if sourceService.Parameters != nil { + parametersMap := sourceService.Parameters.GetProperties() + for k, v := range parametersMap { + parametersMap[k] = fmt.Sprint(v) + } + if sourceService.Parameters.ServiceidCrn != nil { + parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn + } + mainModelMap["parameters"] = parametersMap + } + + return mainModelMap, nil +} diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go new file mode 100644 index 00000000000..1f1f813e830 --- /dev/null +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -0,0 +1,868 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager + +import ( + "context" + "fmt" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" + "github.com/IBM/go-sdk-core/v5/core" + "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "log" + "strconv" + "strings" +) + +func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { + return &schema.Resource{ + CreateContext: resourceIbmSmServiceCredentialsSecretCreate, + ReadContext: resourceIbmSmServiceCredentialsSecretRead, + UpdateContext: resourceIbmSmServiceCredentialsSecretUpdate, + DeleteContext: resourceIbmSmServiceCredentialsSecretDelete, + Importer: &schema.ResourceImporter{}, + + Schema: map[string]*schema.Schema{ + "secret_type": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Required: true, + Description: "A human-readable name to assign to your secret.To protect your privacy, do not use personal data, such as your name or location, as a name for your secret.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Description: "An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group.", + }, + "secret_group_id": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + Description: "A v4 UUID identifier, or `default` secret group.", + }, + "labels": &schema.Schema{ + Type: schema.TypeList, + Optional: true, + Computed: true, + Description: "Labels that you can use to search for secrets in your instance.Up to 30 labels can be created.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "custom_metadata": &schema.Schema{ + Type: schema.TypeMap, + Optional: true, + Computed: true, + Description: "The secret metadata that a user can customize.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "version_custom_metadata": &schema.Schema{ + Type: schema.TypeMap, + Optional: true, + Computed: true, + Description: "The secret version metadata that a user can customize.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "created_by": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The unique identifier that is associated with the entity that created the secret.", + }, + "created_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was created. The date format follows RFC 3339.", + }, + "credentials": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The properties of the service credentials secret payload.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "apikey": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Sensitive: true, + Description: "The API key that is generated for this secret.", + }, + "cos_hmac_keys": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "access_key_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The access key ID for Cloud Object Storage HMAC credentials.", + }, + "secret_access_key": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The secret access key ID for Cloud Object Storage HMAC credentials.", + }, + }, + }, + }, + "endpoints": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The endpoints that are returned after you create a service credentials secret.", + }, + "iam_apikey_description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The description of the generated IAM API key.", + }, + "iam_apikey_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The name of the generated IAM API key.", + }, + "iam_role_crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM role CRN that is returned after you create a service credentials secret.", + }, + "iam_serviceid_crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM serviceId CRN that is returned after you create a service credentials secret.", + }, + "resource_instance_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource instance CRN that is returned after you create a service credentials secret.", + }, + }, + }, + }, + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A CRN that uniquely identifies an IBM Cloud resource.", + }, + "downloaded": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API.", + }, + "locks_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of locks of the secret.", + }, + "next_rotation_date": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date that the secret is scheduled for automatic rotation. The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy.", + }, + "rotation": &schema.Schema{ + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secrets automatically.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auto_rotate": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.", + }, + "interval": &schema.Schema{ + Type: schema.TypeInt, + Optional: true, + Computed: true, + Description: "The length of the secret rotation time interval.", + DiffSuppressFunc: rotationAttributesDiffSuppress, + }, + "unit": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + Description: "The units for the secret rotation time interval.", + DiffSuppressFunc: rotationAttributesDiffSuppress, + }, + }, + }, + }, + "source_service": &schema.Schema{ + Type: schema.TypeList, + MaxItems: 1, + Required: true, + ForceNew: true, + Description: "The properties required for creating the service credentials for the specified source service instance.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "instance": &schema.Schema{ + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Description: "The source service instance identifier.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Required: true, + Description: "A CRN that uniquely identifies a service credentials target.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Optional: true, + Computed: true, + MaxItems: 1, + Description: "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + Description: "The CRN role identifier for creating a service-id.", + }, + }, + }, + }, + "iam": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service IAM data is returned in case IAM credentials where created for this secret.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "apikey": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM apikey metadata for the IAM credentials that were generated.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key name for the generated service credentials.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key description for the generated service credentials.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM role for the generate service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM role CRN assigned to the generated service credentials.", + }, + }, + }, + }, + "serviceid": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM serviceid for the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM Service ID CRN.", + }, + }, + }, + }, + }, + }, + }, + "resource_key": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service resource key data of the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key CRN of the generated service credentials.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key name of the generated service credentials.", + }, + }, + }, + }, + "parameters": &schema.Schema{ + Type: schema.TypeMap, + Optional: true, + Description: "The collection of parameters for the service credentials target.", + }, + }, + }, + }, + "state": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values.", + }, + "state_description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A text representation of the secret state.", + }, + "ttl": &schema.Schema{ + Type: schema.TypeString, + Required: true, + ValidateFunc: StringIsIntBetween(60, 7776000), + Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", + }, + "updated_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was recently modified. The date format follows RFC 3339.", + }, + "versions_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of versions of the secret.", + }, + "secret_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A v4 UUID identifier.", + }, + }, + } +} + +func resourceIbmSmServiceCredentialsSecretCreate(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() + if err != nil { + return diag.FromErr(err) + } + + region := getRegion(secretsManagerClient, d) + instanceId := d.Get("instance_id").(string) + secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) + + createSecretOptions := &secretsmanagerv2.CreateSecretOptions{} + + secretPrototypeModel, err := resourceIbmSmServiceCredentialsSecretMapToSecretPrototype(d) + if err != nil { + return diag.FromErr(err) + } + createSecretOptions.SetSecretPrototype(secretPrototypeModel) + + secretIntf, response, err := secretsManagerClient.CreateSecretWithContext(context, createSecretOptions) + if err != nil { + log.Printf("[DEBUG] CreateSecretWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("CreateSecretWithContext failed %s\n%s", err, response)) + } + + secret := secretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) + d.SetId(fmt.Sprintf("%s/%s/%s", region, instanceId, *secret.ID)) + d.Set("secret_id", *secret.ID) + + return resourceIbmSmServiceCredentialsSecretRead(context, d, meta) +} + +func resourceIbmSmServiceCredentialsSecretRead(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() + if err != nil { + return diag.FromErr(err) + } + + id := strings.Split(d.Id(), "/") + if len(id) != 3 { + return diag.Errorf("Wrong format of resource ID. To import a secret use the format `//`") + } + region := id[0] + instanceId := id[1] + secretId := id[2] + secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) + + getSecretOptions := &secretsmanagerv2.GetSecretOptions{} + + getSecretOptions.SetID(secretId) + + secretIntf, response, err := secretsManagerClient.GetSecretWithContext(context, getSecretOptions) + if err != nil { + if response != nil && response.StatusCode == 404 { + d.SetId("") + return nil + } + log.Printf("[DEBUG] GetSecretWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("GetSecretWithContext failed %s\n%s", err, response)) + } + + secret := secretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) + + if err = d.Set("secret_id", secretId); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_id: %s", err)) + } + if err = d.Set("instance_id", instanceId); err != nil { + return diag.FromErr(fmt.Errorf("Error setting instance_id: %s", err)) + } + if err = d.Set("region", region); err != nil { + return diag.FromErr(fmt.Errorf("Error setting region: %s", err)) + } + if err = d.Set("created_by", secret.CreatedBy); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_by: %s", err)) + } + if err = d.Set("created_at", DateTimeToRFC3339(secret.CreatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_at: %s", err)) + } + if err = d.Set("crn", secret.Crn); err != nil { + return diag.FromErr(fmt.Errorf("Error setting crn: %s", err)) + } + if err = d.Set("downloaded", secret.Downloaded); err != nil { + return diag.FromErr(fmt.Errorf("Error setting downloaded: %s", err)) + } + if err = d.Set("locks_total", flex.IntValue(secret.LocksTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting locks_total: %s", err)) + } + if err = d.Set("name", secret.Name); err != nil { + return diag.FromErr(fmt.Errorf("Error setting name: %s", err)) + } + if err = d.Set("secret_group_id", secret.SecretGroupID); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_group_id: %s", err)) + } + if err = d.Set("secret_type", secret.SecretType); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_type: %s", err)) + } + if err = d.Set("state", flex.IntValue(secret.State)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state: %s", err)) + } + if err = d.Set("state_description", secret.StateDescription); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state_description: %s", err)) + } + if err = d.Set("updated_at", DateTimeToRFC3339(secret.UpdatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting updated_at: %s", err)) + } + if err = d.Set("versions_total", flex.IntValue(secret.VersionsTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting versions_total: %s", err)) + } + if secret.CustomMetadata != nil { + d.Set("custom_metadata", secret.CustomMetadata) + } + if err = d.Set("description", secret.Description); err != nil { + return diag.FromErr(fmt.Errorf("Error setting description: %s", err)) + } + if secret.Labels != nil { + if err = d.Set("labels", secret.Labels); err != nil { + return diag.FromErr(fmt.Errorf("Error setting labels: %s", err)) + } + } + rotationMap, err := resourceIbmSmServiceCredentialsSecretRotationPolicyToMap(secret.Rotation) + if err != nil { + return diag.FromErr(err) + } + if len(rotationMap) > 0 { + if err = d.Set("rotation", []map[string]interface{}{rotationMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting rotation: %s", err)) + } + } + sourceServiceMap, err := resourceIbmSmServiceCredentialsSecretSourceServiceToMap(secret.SourceService) + if err != nil { + return diag.FromErr(err) + } + if len(sourceServiceMap) > 0 { + if err = d.Set("source_service", []map[string]interface{}{sourceServiceMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting source_service: %s", err)) + } + } + if secret.Credentials != nil { + credentialsMap, err := resourceIbmSmServiceCredentialsSecretCredentialsToMap(secret.Credentials) + if err != nil { + return diag.FromErr(err) + } + if len(credentialsMap) > 0 { + if err = d.Set("credentials", []map[string]interface{}{credentialsMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting credentialsMap: %s", err)) + } + } + } + if err = d.Set("next_rotation_date", DateTimeToRFC3339(secret.NextRotationDate)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting next_rotation_date: %s", err)) + } + + // Call get version metadata API to get the current version_custom_metadata + getVersionMetdataOptions := &secretsmanagerv2.GetSecretVersionMetadataOptions{} + getVersionMetdataOptions.SetSecretID(secretId) + getVersionMetdataOptions.SetID("current") + + versionMetadataIntf, response, err := secretsManagerClient.GetSecretVersionMetadataWithContext(context, getVersionMetdataOptions) + if err != nil { + log.Printf("[DEBUG] GetSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("GetSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + + versionMetadata := versionMetadataIntf.(*secretsmanagerv2.ServiceCredentialsSecretVersionMetadata) + if versionMetadata.VersionCustomMetadata != nil { + if err = d.Set("version_custom_metadata", versionMetadata.VersionCustomMetadata); err != nil { + return diag.FromErr(fmt.Errorf("Error setting version_custom_metadata: %s", err)) + } + } + + return nil +} + +func resourceIbmSmServiceCredentialsSecretUpdate(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() + if err != nil { + return diag.FromErr(err) + } + + id := strings.Split(d.Id(), "/") + region := id[0] + instanceId := id[1] + secretId := id[2] + secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) + + updateSecretMetadataOptions := &secretsmanagerv2.UpdateSecretMetadataOptions{} + + updateSecretMetadataOptions.SetID(secretId) + + hasChange := false + + patchVals := &secretsmanagerv2.SecretMetadataPatch{} + + if d.HasChange("name") { + patchVals.Name = core.StringPtr(d.Get("name").(string)) + hasChange = true + } + if d.HasChange("description") { + patchVals.Description = core.StringPtr(d.Get("description").(string)) + hasChange = true + } + if d.HasChange("labels") { + labels := d.Get("labels").([]interface{}) + labelsParsed := make([]string, len(labels)) + for i, v := range labels { + labelsParsed[i] = fmt.Sprint(v) + } + patchVals.Labels = labelsParsed + hasChange = true + } + if d.HasChange("custom_metadata") { + patchVals.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) + hasChange = true + } + + // Apply change in metadata (if changed) + if hasChange { + updateSecretMetadataOptions.SecretMetadataPatch, _ = patchVals.AsPatch() + _, response, err := secretsManagerClient.UpdateSecretMetadataWithContext(context, updateSecretMetadataOptions) + if err != nil { + log.Printf("[DEBUG] UpdateSecretMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("UpdateSecretMetadataWithContext failed %s\n%s", err, response)) + } + } + + if d.HasChange("version_custom_metadata") { + // Apply change to version_custom_metadata in current version + secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) + secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + + updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} + updateSecretVersionOptions.SetSecretID(secretId) + updateSecretVersionOptions.SetID("current") + updateSecretVersionOptions.SetSecretVersionMetadataPatch(secretVersionMetadataPatchModelAsPatch) + _, response, err := secretsManagerClient.UpdateSecretVersionMetadataWithContext(context, updateSecretVersionOptions) + if err != nil { + if hasChange { + // Call the read function to update the Terraform state with the change already applied to the metadata + resourceIbmSmServiceCredentialsSecretRead(context, d, meta) + } + log.Printf("[DEBUG] UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + } + + return resourceIbmSmServiceCredentialsSecretRead(context, d, meta) +} + +func resourceIbmSmServiceCredentialsSecretDelete(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() + if err != nil { + return diag.FromErr(err) + } + + id := strings.Split(d.Id(), "/") + region := id[0] + instanceId := id[1] + secretId := id[2] + secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) + + deleteSecretOptions := &secretsmanagerv2.DeleteSecretOptions{} + + deleteSecretOptions.SetID(secretId) + + response, err := secretsManagerClient.DeleteSecretWithContext(context, deleteSecretOptions) + if err != nil { + log.Printf("[DEBUG] DeleteSecretWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("DeleteSecretWithContext failed %s\n%s", err, response)) + } + + d.SetId("") + + return nil +} + +func resourceIbmSmServiceCredentialsSecretMapToSecretPrototype(d *schema.ResourceData) (*secretsmanagerv2.ServiceCredentialsSecretPrototype, error) { + model := &secretsmanagerv2.ServiceCredentialsSecretPrototype{} + model.SecretType = core.StringPtr("service_credentials") + + if _, ok := d.GetOk("name"); ok { + model.Name = core.StringPtr(d.Get("name").(string)) + } + if _, ok := d.GetOk("description"); ok { + model.Description = core.StringPtr(d.Get("description").(string)) + } + if _, ok := d.GetOk("secret_group_id"); ok { + model.SecretGroupID = core.StringPtr(d.Get("secret_group_id").(string)) + } + if _, ok := d.GetOk("labels"); ok { + labels := d.Get("labels").([]interface{}) + labelsParsed := make([]string, len(labels)) + for i, v := range labels { + labelsParsed[i] = fmt.Sprint(v) + } + model.Labels = labelsParsed + } + if _, ok := d.GetOk("ttl"); ok { + model.TTL = core.StringPtr(d.Get("ttl").(string)) + } + if _, ok := d.GetOk("rotation"); ok { + RotationModel, err := resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(d.Get("rotation").([]interface{})[0].(map[string]interface{})) + if err != nil { + return model, err + } + model.Rotation = RotationModel + } + if _, ok := d.GetOk("source_service"); ok { + SourceServiceModel, err := resourceIbmSmServiceCredentialsSecretMapToSourceService(d.Get("source_service").([]interface{})[0].(map[string]interface{})) + if err != nil { + return model, err + } + model.SourceService = SourceServiceModel + } + if _, ok := d.GetOk("custom_metadata"); ok { + model.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) + } + if _, ok := d.GetOk("version_custom_metadata"); ok { + model.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) + } + return model, nil +} + +func resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(modelMap map[string]interface{}) (secretsmanagerv2.RotationPolicyIntf, error) { + model := &secretsmanagerv2.RotationPolicy{} + if modelMap["auto_rotate"] != nil { + model.AutoRotate = core.BoolPtr(modelMap["auto_rotate"].(bool)) + } + if modelMap["interval"].(int) == 0 { + model.Interval = nil + } else { + model.Interval = core.Int64Ptr(int64(modelMap["interval"].(int))) + } + if modelMap["unit"] != nil && modelMap["unit"].(string) != "" { + model.Unit = core.StringPtr(modelMap["unit"].(string)) + } + return model, nil +} + +func resourceIbmSmServiceCredentialsSecretMapToSourceService(modelMap map[string]interface{}) (*secretsmanagerv2.ServiceCredentialsSecretSourceService, error) { + mainModel := &secretsmanagerv2.ServiceCredentialsSecretSourceService{} + + if modelMap["instance"] != nil && len(modelMap["instance"].([]interface{})) > 0 { + instanceModel := &secretsmanagerv2.ServiceCredentialsSourceServiceInstance{} + if modelMap["instance"].([]interface{})[0].(map[string]interface{})["crn"].(string) != "" { + instanceModel.Crn = core.StringPtr(modelMap["instance"].([]interface{})[0].(map[string]interface{})["crn"].(string)) + mainModel.Instance = instanceModel + } + } + + if modelMap["role"] != nil && len(modelMap["role"].([]interface{})) > 0 { + roleModel := &secretsmanagerv2.ServiceCredentialsSourceServiceRole{} + if modelMap["role"].([]interface{})[0].(map[string]interface{})["crn"].(string) != "" { + roleModel.Crn = core.StringPtr(modelMap["role"].([]interface{})[0].(map[string]interface{})["crn"].(string)) + mainModel.Role = roleModel + } + } + + if modelMap["parameters"] != nil { + mainModel.Parameters = &secretsmanagerv2.ServiceCredentialsSourceServiceParameters{} + parametersMap := modelMap["parameters"].(map[string]interface{}) + for k, v := range parametersMap { + if k == "serviceid_crn" { + serviceIdCrn := v.(string) + mainModel.Parameters.ServiceidCrn = &serviceIdCrn + } else if v == "true" || v == "false" { + b, _ := strconv.ParseBool(v.(string)) + mainModel.Parameters.SetProperty(k, b) + } else { + mainModel.Parameters.SetProperty(k, v) + } + } + } + return mainModel, nil +} + +func resourceIbmSmServiceCredentialsSecretRotationPolicyToMap(modelIntf secretsmanagerv2.RotationPolicyIntf) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + model := modelIntf.(*secretsmanagerv2.RotationPolicy) + if model.AutoRotate != nil { + modelMap["auto_rotate"] = model.AutoRotate + } + if model.Interval != nil { + modelMap["interval"] = flex.IntValue(model.Interval) + } + if model.Unit != nil { + modelMap["unit"] = model.Unit + } + return modelMap, nil +} + +func resourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secretsmanagerv2.ServiceCredentialsSecretSourceService) (map[string]interface{}, error) { + mainModelMap := make(map[string]interface{}) + if sourceService.Instance != nil { + instanceMap := make(map[string]interface{}) + instanceModel := sourceService.Instance + if instanceModel.Crn != nil { + instanceMap["crn"] = instanceModel.Crn + } + mainModelMap["instance"] = []map[string]interface{}{instanceMap} + } + + if sourceService.Role != nil { + roleMap := make(map[string]interface{}) + roleModel := sourceService.Role + if roleModel.Crn != nil { + roleMap["crn"] = roleModel.Crn + } + mainModelMap["role"] = []map[string]interface{}{roleMap} + } + + if sourceService.Iam != nil { + iamMap := make(map[string]interface{}) + iamModel := sourceService.Iam + + // apikey + if iamModel.Apikey != nil { + iamApikeyMap := make(map[string]interface{}) + iamApikeyModel := iamModel.Apikey + if iamApikeyModel.Name != nil { + iamApikeyMap["name"] = iamApikeyModel.Name + } + if iamApikeyModel.Description != nil { + iamApikeyMap["description"] = iamApikeyModel.Description + } + iamMap["apikey"] = []map[string]interface{}{iamApikeyMap} + } + + // role + if iamModel.Role != nil { + iamRoleMap := make(map[string]interface{}) + iamRoleModel := iamModel.Role + if iamRoleModel.Crn != nil { + iamRoleMap["crn"] = iamRoleModel.Crn + } + iamMap["role"] = []map[string]interface{}{iamRoleMap} + } + + // service id + if iamModel.Serviceid != nil { + iamServiceidMap := make(map[string]interface{}) + iamServiceidModel := iamModel.Serviceid + if iamServiceidModel.Crn != nil { + iamServiceidMap["crn"] = iamServiceidModel.Crn + } + iamMap["serviceid"] = []map[string]interface{}{iamServiceidMap} + } + + mainModelMap["iam"] = []map[string]interface{}{iamMap} + + } + + if sourceService.ResourceKey != nil { + resourceKeyMap := make(map[string]interface{}) + resourceKeyModel := sourceService.ResourceKey + if resourceKeyModel.Crn != nil { + resourceKeyMap["crn"] = resourceKeyModel.Crn + } + if resourceKeyModel.Name != nil { + resourceKeyMap["name"] = resourceKeyModel.Name + } + mainModelMap["resource_key"] = []map[string]interface{}{resourceKeyMap} + } + + if sourceService.Parameters != nil { + parametersMap := sourceService.Parameters.GetProperties() + for k, v := range parametersMap { + parametersMap[k] = fmt.Sprint(v) + } + if sourceService.Parameters.ServiceidCrn != nil { + parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn + } + mainModelMap["parameters"] = parametersMap + } + + return mainModelMap, nil +} + +func resourceIbmSmServiceCredentialsSecretCredentialsToMap(credentials *secretsmanagerv2.ServiceCredentialsSecretCredentials) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if credentials.IamApikeyDescription != nil { + modelMap["iam_apikey_description"] = credentials.IamApikeyDescription + } + if credentials.Apikey != nil { + modelMap["apikey"] = credentials.Apikey + } + if credentials.Endpoints != nil { + modelMap["endpoints"] = credentials.Endpoints + } + if credentials.IamApikeyName != nil { + modelMap["iam_apikey_name"] = credentials.IamApikeyName + } + if credentials.IamRoleCrn != nil { + modelMap["iam_role_crn"] = credentials.IamRoleCrn + } + if credentials.IamServiceidCrn != nil { + modelMap["iam_serviceid_crn"] = credentials.IamServiceidCrn + } + if credentials.ResourceInstanceID != nil { + modelMap["resource_instance_id"] = credentials.ResourceInstanceID + } + if credentials.CosHmacKeys != nil { + cosHmacKeys := [1]map[string]interface{}{} + m := map[string]interface{}{} + if credentials.CosHmacKeys.AccessKeyID != nil { + m["access_key_id"] = credentials.CosHmacKeys.AccessKeyID + } + if credentials.CosHmacKeys.SecretAccessKey != nil { + m["secret_access_key"] = credentials.CosHmacKeys.SecretAccessKey + } + cosHmacKeys[0] = m + modelMap["cos_hmac_keys"] = cosHmacKeys + } + return modelMap, nil +} diff --git a/website/docs/r/sm_service_credentials_secret.html.markdown b/website/docs/r/sm_service_credentials_secret.html.markdown new file mode 100644 index 00000000000..b86d6093a6c --- /dev/null +++ b/website/docs/r/sm_service_credentials_secret.html.markdown @@ -0,0 +1,166 @@ +--- +layout: "ibm" +page_title: "IBM : ibm_sm_service_credentials_secret" +description: |- + Manages ServiceCredentialsSecret. +subcategory: "Secrets Manager" +--- + +# ibm_sm_service_credentials_secret + +Provides a resource for ServiceCredentialsSecret. This allows ServiceCredentialsSecret to be created, updated and deleted. + +## Example Usage + +```hcl +resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = ibm_resource_instance.sm_instance.guid + region = "us-south" + name = "secret-name" + custom_metadata = {"key":"value"} + description = "Extended description for this secret." + labels = ["my-label"] + rotation { + auto_rotate = true + interval = 1 + unit = "day" + } + secret_group_id = ibm_sm_secret_group.sm_secret_group.secret_group_id + ttl = "1800" +} +``` + +## Argument Reference + +Review the argument reference that you can specify for your resource. + +* `instance_id` - (Required, Forces new resource, String) The GUID of the Secrets Manager instance. +* `region` - (Optional, Forces new resource, String) The region of the Secrets Manager instance. If not provided defaults to the region defined in the IBM provider configuration. +* `endpoint_type` - (Optional, String) - The endpoint type. If not provided the endpoint type is determined by the `visibility` argument provided in the provider configuration. + * Constraints: Allowable values are: `private`, `public`. +* `custom_metadata` - (Optional, Map) The secret metadata that a user can customize. +* `description` - (Optional, String) An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. + * Constraints: The maximum length is `1024` characters. The minimum length is `0` characters. The value must match regular expression `/(.*?)/`. +* `labels` - (Optional, List) Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. + * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `30` items. The minimum length is `0` items. +* `name` - (Required, String) The human-readable name of your secret. + * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `^[A-Za-z0-9][A-Za-z0-9]*(?:_*-*\\.*[A-Za-z0-9]+)*$`. +* `rotation` - (Optional, List) Determines whether Secrets Manager rotates your secrets automatically. +Nested scheme for **rotation**: + * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. + * `interval` - (Optional, Integer) The length of the secret rotation time interval. + * Constraints: The minimum value is `1`. + * `rotate_keys` - (Optional, Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. + * `unit` - (Optional, String) The units for the secret rotation time interval. + * Constraints: Allowable values are: `day`, `month`. +* `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. + * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`. +* `source_service` - (Optional, List) The properties required for creating the service credentials for the specified source service instance. +Nested scheme for **source_service**: + * `instance` - (Optional, List) The source service instance identifier. + Nested scheme for **instance**: + * `crn` - (Optional, String) A CRN that uniquely identifies a service credentials source. + * `parameters` - (Optional, List) Configuration options represented as key-value pairs. Service-defined options are used in the generation of credentials for some services. For example, Cloud Object Storage accepts the optional boolean parameter HMAC for creating specific kind of credentials. + * `role` - (Optional, List) The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles. + Nested scheme for **role**: + * `crn` - (Optional, String) The service role CRN. + * `iam` - (Optional, List) The source service IAM data is returned in case IAM credentials where created for this secret. + Nested scheme for **iam**: + * `apikey` - (Optional, String) The IAM apikey metadata for the IAM credentials that were generated. + * `role` - (Optional, String) The IAM role for the generate service credentials. + * `serviceid` - (Optional, String) The IAM serviceid for the generated service credentials. + * `resource_key` - (Optional, List) The source service resource key data of the generated service credentials. + Nested scheme for **resource_key**: + * `crn` - (Optional, String) The resource key CRN of the generated service credentials. + * `name` - (Optional, String) The resource key name of the generated service credentials. +* `ttl` - (Required, String) The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long each generated API key remains valid. The value should be an integer that specifies the number of seconds. Minimum duration is 60 seconds. Maximum is 7776000 seconds (90 days). + * Constraints: The maximum length is `7` characters. The minimum length is `2` characters. + +## Attribute Reference + +In addition to all argument references listed, you can access the following attribute references after your resource is created. + +* `secret_id` - The unique identifier of the ServiceCredentialsSecret. +* `created_at` - (String) The date when a resource was created. The date format follows RFC 3339. +* `created_by` - (String) The unique identifier that is associated with the entity that created the secret. + * Constraints: The maximum length is `128` characters. The minimum length is `4` characters. +* `crn` - (String) A CRN that uniquely identifies an IBM Cloud resource. + * Constraints: The maximum length is `512` characters. The minimum length is `9` characters. The value must match regular expression `/^crn:v[0-9](:([A-Za-z0-9-._~!$&'()*+,;=@\/]|%[0-9A-Z]{2})*){8}$/`. +* `downloaded` - (Boolean) Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API. +* `locks_total` - (Integer) The number of locks of the secret. + * Constraints: The maximum value is `1000`. The minimum value is `0`. +* `next_rotation_date` - (String) The date that the secret is scheduled for automatic rotation.The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy. +* `state` - (Integer) The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values. + * Constraints: Allowable values are: `0`, `1`, `2`, `3`, `5`. +* `state_description` - (String) A text representation of the secret state. + * Constraints: Allowable values are: `pre_activation`, `active`, `suspended`, `deactivated`, `destroyed`. +* `secret_type` - (String) The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. + * Constraints: Allowable values are: `arbitrary`, `imported_cert`, `public_cert`, `iam_credentials`, `kv`, `username_password`, `private_cert`. +* `updated_at` - (String) The date when a resource was recently modified. The date format follows RFC 3339. +* `versions_total` - (Integer) The number of versions of the secret. + * Constraints: The maximum value is `50`. The minimum value is `0`. + +## Provider Configuration + +The IBM Cloud provider offers a flexible means of providing credentials for authentication. The following methods are supported, in this order, and explained below: + +- Static credentials +- Environment variables + +To find which credentials are required for this resource, see the service table [here](https://cloud.ibm.com/docs/ibm-cloud-provider-for-terraform?topic=ibm-cloud-provider-for-terraform-provider-reference#required-parameters). + +### Static credentials + +You can provide your static credentials by adding the `ibmcloud_api_key`, `iaas_classic_username`, and `iaas_classic_api_key` arguments in the IBM Cloud provider block. + +Usage: +``` +provider "ibm" { + ibmcloud_api_key = "" + iaas_classic_username = "" + iaas_classic_api_key = "" +} +``` + +### Environment variables + +You can provide your credentials by exporting the `IC_API_KEY`, `IAAS_CLASSIC_USERNAME`, and `IAAS_CLASSIC_API_KEY` environment variables, representing your IBM Cloud platform API key, IBM Cloud Classic Infrastructure (SoftLayer) user name, and IBM Cloud infrastructure API key, respectively. + +``` +provider "ibm" {} +``` + +Usage: +``` +export IC_API_KEY="ibmcloud_api_key" +export IAAS_CLASSIC_USERNAME="iaas_classic_username" +export IAAS_CLASSIC_API_KEY="iaas_classic_api_key" +terraform plan +``` + +Note: + +1. Create or find your `ibmcloud_api_key` and `iaas_classic_api_key` [here](https://cloud.ibm.com/iam/apikeys). + - Select `My IBM Cloud API Keys` option from view dropdown for `ibmcloud_api_key` + - Select `Classic Infrastructure API Keys` option from view dropdown for `iaas_classic_api_key` +2. For iaas_classic_username + - Go to [Users](https://cloud.ibm.com/iam/users) + - Click on user. + - Find user name in the `VPN password` section under `User Details` tab + +For more informaton, see [here](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs#authentication). + +## Import + +You can import the `ibm_sm_service_credentials_secret` resource by using `region`, `instance_id`, and `secret_id`. +For more information, see [the documentation](https://cloud.ibm.com/docs/secrets-manager) + +# Syntax +```bash +$ terraform import ibm_sm_service_credentials_secret.sm_service_credentials_secret // +``` + +# Example +```bash +$ terraform import ibm_sm_service_credentials_secret.sm_service_credentials_secret us-east/6ebc4224-e983-496a-8a54-f40a0bfa9175/b49ad24d-81d4-5ebc-b9b9-b0937d1c84d5 +``` From babc0f9a9e52c3255d433975f8458067e699e52b Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 15 Nov 2023 14:31:44 +0200 Subject: [PATCH 02/18] SC addition --- ibm/service/secretsmanager/utils.go | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/ibm/service/secretsmanager/utils.go b/ibm/service/secretsmanager/utils.go index a00f44c9afd..07a23380be2 100644 --- a/ibm/service/secretsmanager/utils.go +++ b/ibm/service/secretsmanager/utils.go @@ -17,13 +17,14 @@ import ( ) const ( - ArbitrarySecretType = "arbitrary" - UsernamePasswordSecretType = "username_password" - IAMCredentialsSecretType = "iam_credentials" - KvSecretType = "kv" - ImportedCertSecretType = "imported_cert" - PublicCertSecretType = "public_cert" - PrivateCertSecretType = "private_cert" + ArbitrarySecretType = "arbitrary" + UsernamePasswordSecretType = "username_password" + IAMCredentialsSecretType = "iam_credentials" + ServiceCredentialsSecretType = "service_credentials" + KvSecretType = "kv" + ImportedCertSecretType = "imported_cert" + PublicCertSecretType = "public_cert" + PrivateCertSecretType = "private_cert" ) func getRegion(originalClient *secretsmanagerv2.SecretsManagerV2, d *schema.ResourceData) string { From 80716674288963e6e64f30ba91de967a9465249c Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 15 Nov 2023 18:23:34 +0200 Subject: [PATCH 03/18] SC addition --- examples/ibm-secrets-manager/README.md | 238 +++++---- examples/ibm-secrets-manager/main.tf | 43 ++ examples/ibm-secrets-manager/outputs.tf | 6 + examples/ibm-secrets-manager/variables.tf | 63 +++ ibm/provider/provider.go | 1 + ..._sm_service_credentials_secret_metadata.go | 491 ++++++++++++++++++ ...ource_ibm_sm_service_credentilas_secret.go | 2 +- ...m_service_credentials_secret.html.markdown | 140 +++++ ..._credentials_secret_metadata.html.markdown | 113 ++++ ...m_service_credentials_secret.html.markdown | 62 ++- 10 files changed, 1046 insertions(+), 113 deletions(-) create mode 100644 ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go create mode 100644 website/docs/d/sm_service_credentials_secret.html.markdown create mode 100644 website/docs/d/sm_service_credentials_secret_metadata.html.markdown diff --git a/examples/ibm-secrets-manager/README.md b/examples/ibm-secrets-manager/README.md index 04a144758a4..f68677dec56 100644 --- a/examples/ibm-secrets-manager/README.md +++ b/examples/ibm-secrets-manager/README.md @@ -131,6 +131,31 @@ resource "sm_iam_credentials_secret" "sm_iam_credentials_secret_instance" { rotation = var.sm_iam_credentials_secret_rotation } ``` +sm_service_credentials_secret resource: + +```hcl +resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = var.secrets_manager_instance_id + region = var.region + endpoint_type = var.endpoint_type + name = var.sm_service_credentials_secret_name + custom_metadata = { my_key = jsonencode(var.sm_service_credentials_secret_custom_metadata) } + description = var.sm_service_credentials_secret_description + labels = var.sm_service_credentials_secret_labels + rotation = var.sm_service_credentials_secret_rotation + secret_group_id = var.sm_service_credentials_secret_secret_group_id + source_service { + instance { + crn = var.sm_service_credentials_secret_source_service_instance_crn + } + role { + crn = var.sm_service_credentials_secret_source_service_role_crn + } + parameters = var.sm_service_credentials_secret_source_service_parameters + } + ttl = var.sm_service_credentials_secret_ttl +} +``` sm_arbitrary_secret resource: ```hcl @@ -349,6 +374,15 @@ data "sm_iam_credentials_secret_metadata" "sm_iam_credentials_secret_metadata_in secret_id = var.sm_iam_credentials_secret_metadata_id } ``` +sm_service_credentials_secret_metadata data source: + +```hcl +data "sm_service_credentials_secret_metadata" "sm_service_credentials_secret_metadata_instance" { + instance_id = var.secrets_manager_instance_id + region = var.region + secret_id = var.sm_service_credentials_secret_metadata_id +} +``` sm_arbitrary_secret_metadata data source: ```hcl @@ -403,6 +437,15 @@ data "sm_iam_credentials_secret" "sm_iam_credentials_secret_instance" { secret_id = var.sm_iam_credentials_secret_id } ``` +sm_service_credentials_secret data source: + +```hcl +data "sm_service_credentials_secret" "sm_service_credentials_secret_instance" { + instance_id = var.secrets_manager_instance_id + region = var.region + secret_id = var.sm_service_credentials_secret_id +} +``` sm_arbitrary_secret data source: ```hcl @@ -524,103 +567,106 @@ data "sm_en_registration" "sm_en_registration_instance" { ## Inputs -| Name | Description | Type | Default | Required | -|----------------------------------------|-------------|------|---------|----------| -| ibmcloud\_api\_key | IBM Cloud API key | `string` | | true | -| region | Secrets Manager Instance region | `string` | us-south | false | -| secrets\_manager\_instance\_id | Secrets Manager Instance GUID | `string` | | true | -| instance\_id | Secrets Manager Instance GUID | `string` | | true | -| endpoint\_type | Secrets manager endpoint type | `string` | `private` | false | -| description | An extended description of your secret group.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. | `string` | false | -| custom_metadata | The secret metadata that a user can customize. | `map()` | false | -| description | An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. | `string` | false | -| expiration_date | The date a secret is expired. The date format follows RFC 3339. | `` | false | -| labels | Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. | `list(string)` | false | -| secret_group_id | A v4 UUID identifier, or `default` secret group. | `string` | false | -| secret_type | The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. | `string` | false | -| certificate | The PEM-encoded contents of your certificate. | `string` | false | -| intermediate | (Optional) The PEM-encoded intermediate certificate to associate with the root certificate. | `string` | false | -| private_key | (Optional) The PEM-encoded private key to associate with the certificate. | `string` | false | -| custom_metadata | The secret metadata that a user can customize. | `map()` | false | -| rotation | Determines whether Secrets Manager rotates your secrets automatically. | `` | false | -| data | The payload data of a key-value secret. | `map()` | false | -| ttl | The time-to-live (TTL) or lease duration to assign to generated credentials.For `iam_credentials` secrets, the TTL defines for how long each generated API key remains valid. The value can be either an integer that specifies the number of seconds, or the string representation of a duration, such as `120m` or `24h`.Minimum duration is 1 minute. Maximum is 90 days. | `string` | false | -| access_groups | Access Groups that you can use for an `iam_credentials` secret.Up to 10 Access Groups can be used for each secret. | `list(string)` | false | -| service_id | The service ID under which the API key (see the `api_key` field) is created.If you omit this parameter, Secrets Manager generates a new service ID for your secret at its creation and adds it to the access groups that you assign.Optionally, you can use this field to provide your own service ID if you prefer to manage its access directly or retain the service ID after your secret expires, is rotated, or deleted. If you provide a service ID, do not include the `access_groups` parameter. | `string` | false | -| reuse_api_key | Determines whether to use the same service ID and API key for future read operations on an`iam_credentials` secret.If it is set to `true`, the service reuses the current credentials. If it is set to `false`, a new service ID and API key are generated each time that the secret is read or accessed. | `bool` | false | -| payload | The arbitrary secret's data payload. | `string` | false | -| username | The username that is assigned to the secret. | `string` | false | -| password | The password that is assigned to the secret. | `string` | false | -| secret_id | The ID of the secret. | `string` | true | -| certificate_template | The name of the certificate template. | `string` | false | -| config_type | Th configuration type. | `string` | false | -| crl_disable | Disables or enables certificate revocation list (CRL) building.If CRL building is disabled, a signed but zero-length CRL is returned when downloading the CRL. If CRL building is enabled, it will rebuild the CRL. | `bool` | false | -| crl_distribution_points_encoded | Determines whether to encode the certificate revocation list (CRL) distribution points in the certificates that are issued by this certificate authority. | `bool` | false | -| issuing_certificates_urls_encoded | Determines whether to encode the URL of the issuing certificate in the certificates that are issued by this certificate authority. | `bool` | false | -| ttl | The requested time-to-live (TTL) for certificates that are created by this CA. This field's value cannot be longer than the `max_ttl` limit.The value can be supplied as a string representation of a duration in hours, for example '8760h'. In the API response, this value is returned in seconds (integer). | `string` | false | -| signing_method | The signing method to use with this certificate authority to generate private certificates.You can choose between internal or externally signed options. For more information, see the [docs](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-intermediate-certificate-authorities). | `string` | false | -| certificate_authority | The name of the intermediate certificate authority. | `string` | false | -| allowed_secret_groups | Scopes the creation of private certificates to only the secret groups that you specify.This field can be supplied as a comma-delimited list of secret group IDs. | `string` | false | -| allow_localhost | Determines whether to allow `localhost` to be included as one of the requested common names. | `bool` | false | -| allowed_domains | The domains to define for the certificate template. This property is used along with the `allow_bare_domains` and `allow_subdomains` options. | `list(string)` | false | -| allowed_domains_template | Determines whether to allow the domains that are supplied in the `allowed_domains` field to contain access control list (ACL) templates. | `bool` | false | -| allow_bare_domains | Determines whether to allow clients to request private certificates that match the value of the actual domains on the final certificate.For example, if you specify `example.com` in the `allowed_domains` field, you grant clients the ability to request a certificate that contains the name `example.com` as one of the DNS values on the final certificate.**Important:** In some scenarios, allowing bare domains can be considered a security risk. | `bool` | false | -| allow_subdomains | Determines whether to allow clients to request private certificates with common names (CN) that are subdomains of the CNs that are allowed by the other certificate template options. This includes wildcard subdomains.For example, if `allowed_domains` has a value of `example.com` and `allow_subdomains`is set to `true`, then the following subdomains are allowed: `foo.example.com`, `bar.example.com`, `*.example.com`.**Note:** This field is redundant if you use the `allow_any_name` option. | `bool` | false | -| allow_glob_domains | Determines whether to allow glob patterns, for example, `ftp*.example.com`, in the names that are specified in the `allowed_domains` field.If set to `true`, clients are allowed to request private certificates with names that match the glob patterns. | `bool` | false | -| allow_any_name | Determines whether to allow clients to request a private certificate that matches any common name. | `bool` | false | -| enforce_hostnames | Determines whether to enforce only valid host names for common names, DNS Subject Alternative Names, and the host section of email addresses. | `bool` | false | -| allow_ip_sans | Determines whether to allow clients to request a private certificate with IP Subject Alternative Names. | `bool` | false | -| allowed_uri_sans | The URI Subject Alternative Names to allow for private certificates.Values can contain glob patterns, for example `spiffe://hostname/_*`. | `list(string)` | false | -| allowed_other_sans | The custom Object Identifier (OID) or UTF8-string Subject Alternative Names (SANs) to allow for private certificates.The format for each element in the list is the same as OpenSSL: `::` where the current valid type is `UTF8`. To allow any value for an OID, use `*` as its value. Alternatively, specify a single `*` to allow any `other_sans` input. | `list(string)` | false | -| server_flag | Determines whether private certificates are flagged for server use. | `bool` | false | -| client_flag | Determines whether private certificates are flagged for client use. | `bool` | false | -| code_signing_flag | Determines whether private certificates are flagged for code signing use. | `bool` | false | -| email_protection_flag | Determines whether private certificates are flagged for email protection use. | `bool` | false | -| key_usage | The allowed key usage constraint to define for private certificates.You can find valid values in the [Go x509 package documentation](https://pkg.go.dev/crypto/x509#KeyUsage). Omit the `KeyUsage` part of the value. Values are not case-sensitive. To specify no key usage constraints, set this field to an empty list. | `list(string)` | false | -| ext_key_usage | The allowed extended key usage constraint on private certificates.You can find valid values in the [Go x509 package documentation](https://golang.org/pkg/crypto/x509/#ExtKeyUsage). Omit the `ExtKeyUsage` part of the value. Values are not case-sensitive. To specify no key usage constraints, set this field to an empty list. | `list(string)` | false | -| ext_key_usage_oids | A list of extended key usage Object Identifiers (OIDs). | `list(string)` | false | -| use_csr_common_name | When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the common name (CN) from a certificate signing request (CSR) instead of the CN that's included in the data of the certificate.Does not include any requested Subject Alternative Names (SANs) in the CSR. To use the alternative names, include the `use_csr_sans` property. | `bool` | false | -| use_csr_sans | When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the Subject Alternative Names(SANs) from a certificate signing request (CSR) instead of the SANs that are included in the data of the certificate.Does not include the common name in the CSR. To use the common name, include the `use_csr_common_name` property. | `bool` | false | -| require_cn | Determines whether to require a common name to create a private certificate.By default, a common name is required to generate a certificate. To make the `common_name` field optional, set the `require_cn` option to `false`. | `bool` | false | -| policy_identifiers | A list of policy Object Identifiers (OIDs). | `list(string)` | false | -| basic_constraints_valid_for_non_ca | Determines whether to mark the Basic Constraints extension of an issued private certificate as valid for non-CA certificates. | `bool` | false | -| lets_encrypt_environment | The configuration of the Let's Encrypt CA environment. | `string` | false | -| lets_encrypt_private_key | The PEM encoded private key of your Lets Encrypt account. | `string` | false | -| lets_encrypt_preferred_chain | Prefer the chain with an issuer matching this Subject Common Name. | `string` | false | -| event_notifications_instance_crn | A CRN that uniquely identifies an IBM Cloud resource. | `string` | true | -| event_notifications_source_name | The name that is displayed as a source that is in your Event Notifications instance. | `string` | true | -| event_notifications_source_description | An optional description for the source that is in your Event Notifications instance. | `string` | false | -| secret_group_id | The ID of the secret group. | `string` | true | -| secret_id | The ID of the secret. | `string` | true | -| name | The name of the configuration. | `string` | true | +| Name | Description | Type | Default | Required | +|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|-----------|----------| +| ibmcloud\_api\_key | IBM Cloud API key | `string` | | true | +| region | Secrets Manager Instance region | `string` | us-south | false | +| secrets\_manager\_instance\_id | Secrets Manager Instance GUID | `string` | | true | +| instance\_id | Secrets Manager Instance GUID | `string` | | true | +| endpoint\_type | Secrets manager endpoint type | `string` | `private` | false | +| description | An extended description of your secret group.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. | `string` | false | +| custom_metadata | The secret metadata that a user can customize. | `map()` | false | +| description | An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. | `string` | false | +| expiration_date | The date a secret is expired. The date format follows RFC 3339. | `` | false | +| labels | Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. | `list(string)` | false | +| secret_group_id | A v4 UUID identifier, or `default` secret group. | `string` | false | +| secret_type | The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. | `string` | false | +| certificate | The PEM-encoded contents of your certificate. | `string` | false | +| intermediate | (Optional) The PEM-encoded intermediate certificate to associate with the root certificate. | `string` | false | +| private_key | (Optional) The PEM-encoded private key to associate with the certificate. | `string` | false | +| custom_metadata | The secret metadata that a user can customize. | `map()` | false | +| rotation | Determines whether Secrets Manager rotates your secrets automatically. | `` | false | +| source_service | The properties required for creating the service credentials for the specified source service instance. | `` | false | +| data | The payload data of a key-value secret. | `map()` | false | +| ttl | The time-to-live (TTL) or lease duration to assign to generated credentials.The TTL defines for how long generated credentials remain valid. For iam_credentials secret TTL is mandatory. The minimum duration is 1 minute. The maximum is 90 days. For service_credentials secret TTL is optional, if set the minimum duration is 1 day. The maximum is 90 days. The TTL defaults to 0 which means no TTL. | `string` | false | +| access_groups | Access Groups that you can use for an `iam_credentials` secret.Up to 10 Access Groups can be used for each secret. | `list(string)` | false | +| service_id | The service ID under which the API key (see the `api_key` field) is created.If you omit this parameter, Secrets Manager generates a new service ID for your secret at its creation and adds it to the access groups that you assign.Optionally, you can use this field to provide your own service ID if you prefer to manage its access directly or retain the service ID after your secret expires, is rotated, or deleted. If you provide a service ID, do not include the `access_groups` parameter. | `string` | false | +| reuse_api_key | Determines whether to use the same service ID and API key for future read operations on an`iam_credentials` secret.If it is set to `true`, the service reuses the current credentials. If it is set to `false`, a new service ID and API key are generated each time that the secret is read or accessed. | `bool` | false | +| payload | The arbitrary secret's data payload. | `string` | false | +| username | The username that is assigned to the secret. | `string` | false | +| password | The password that is assigned to the secret. | `string` | false | +| secret_id | The ID of the secret. | `string` | true | +| certificate_template | The name of the certificate template. | `string` | false | +| config_type | Th configuration type. | `string` | false | +| crl_disable | Disables or enables certificate revocation list (CRL) building.If CRL building is disabled, a signed but zero-length CRL is returned when downloading the CRL. If CRL building is enabled, it will rebuild the CRL. | `bool` | false | +| crl_distribution_points_encoded | Determines whether to encode the certificate revocation list (CRL) distribution points in the certificates that are issued by this certificate authority. | `bool` | false | +| issuing_certificates_urls_encoded | Determines whether to encode the URL of the issuing certificate in the certificates that are issued by this certificate authority. | `bool` | false | +| ttl | The requested time-to-live (TTL) for certificates that are created by this CA. This field's value cannot be longer than the `max_ttl` limit.The value can be supplied as a string representation of a duration in hours, for example '8760h'. In the API response, this value is returned in seconds (integer). | `string` | false | +| signing_method | The signing method to use with this certificate authority to generate private certificates.You can choose between internal or externally signed options. For more information, see the [docs](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-intermediate-certificate-authorities). | `string` | false | +| certificate_authority | The name of the intermediate certificate authority. | `string` | false | +| allowed_secret_groups | Scopes the creation of private certificates to only the secret groups that you specify.This field can be supplied as a comma-delimited list of secret group IDs. | `string` | false | +| allow_localhost | Determines whether to allow `localhost` to be included as one of the requested common names. | `bool` | false | +| allowed_domains | The domains to define for the certificate template. This property is used along with the `allow_bare_domains` and `allow_subdomains` options. | `list(string)` | false | +| allowed_domains_template | Determines whether to allow the domains that are supplied in the `allowed_domains` field to contain access control list (ACL) templates. | `bool` | false | +| allow_bare_domains | Determines whether to allow clients to request private certificates that match the value of the actual domains on the final certificate.For example, if you specify `example.com` in the `allowed_domains` field, you grant clients the ability to request a certificate that contains the name `example.com` as one of the DNS values on the final certificate.**Important:** In some scenarios, allowing bare domains can be considered a security risk. | `bool` | false | +| allow_subdomains | Determines whether to allow clients to request private certificates with common names (CN) that are subdomains of the CNs that are allowed by the other certificate template options. This includes wildcard subdomains.For example, if `allowed_domains` has a value of `example.com` and `allow_subdomains`is set to `true`, then the following subdomains are allowed: `foo.example.com`, `bar.example.com`, `*.example.com`.**Note:** This field is redundant if you use the `allow_any_name` option. | `bool` | false | +| allow_glob_domains | Determines whether to allow glob patterns, for example, `ftp*.example.com`, in the names that are specified in the `allowed_domains` field.If set to `true`, clients are allowed to request private certificates with names that match the glob patterns. | `bool` | false | +| allow_any_name | Determines whether to allow clients to request a private certificate that matches any common name. | `bool` | false | +| enforce_hostnames | Determines whether to enforce only valid host names for common names, DNS Subject Alternative Names, and the host section of email addresses. | `bool` | false | +| allow_ip_sans | Determines whether to allow clients to request a private certificate with IP Subject Alternative Names. | `bool` | false | +| allowed_uri_sans | The URI Subject Alternative Names to allow for private certificates.Values can contain glob patterns, for example `spiffe://hostname/_*`. | `list(string)` | false | +| allowed_other_sans | The custom Object Identifier (OID) or UTF8-string Subject Alternative Names (SANs) to allow for private certificates.The format for each element in the list is the same as OpenSSL: `::` where the current valid type is `UTF8`. To allow any value for an OID, use `*` as its value. Alternatively, specify a single `*` to allow any `other_sans` input. | `list(string)` | false | +| server_flag | Determines whether private certificates are flagged for server use. | `bool` | false | +| client_flag | Determines whether private certificates are flagged for client use. | `bool` | false | +| code_signing_flag | Determines whether private certificates are flagged for code signing use. | `bool` | false | +| email_protection_flag | Determines whether private certificates are flagged for email protection use. | `bool` | false | +| key_usage | The allowed key usage constraint to define for private certificates.You can find valid values in the [Go x509 package documentation](https://pkg.go.dev/crypto/x509#KeyUsage). Omit the `KeyUsage` part of the value. Values are not case-sensitive. To specify no key usage constraints, set this field to an empty list. | `list(string)` | false | +| ext_key_usage | The allowed extended key usage constraint on private certificates.You can find valid values in the [Go x509 package documentation](https://golang.org/pkg/crypto/x509/#ExtKeyUsage). Omit the `ExtKeyUsage` part of the value. Values are not case-sensitive. To specify no key usage constraints, set this field to an empty list. | `list(string)` | false | +| ext_key_usage_oids | A list of extended key usage Object Identifiers (OIDs). | `list(string)` | false | +| use_csr_common_name | When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the common name (CN) from a certificate signing request (CSR) instead of the CN that's included in the data of the certificate.Does not include any requested Subject Alternative Names (SANs) in the CSR. To use the alternative names, include the `use_csr_sans` property. | `bool` | false | +| use_csr_sans | When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the Subject Alternative Names(SANs) from a certificate signing request (CSR) instead of the SANs that are included in the data of the certificate.Does not include the common name in the CSR. To use the common name, include the `use_csr_common_name` property. | `bool` | false | +| require_cn | Determines whether to require a common name to create a private certificate.By default, a common name is required to generate a certificate. To make the `common_name` field optional, set the `require_cn` option to `false`. | `bool` | false | +| policy_identifiers | A list of policy Object Identifiers (OIDs). | `list(string)` | false | +| basic_constraints_valid_for_non_ca | Determines whether to mark the Basic Constraints extension of an issued private certificate as valid for non-CA certificates. | `bool` | false | +| lets_encrypt_environment | The configuration of the Let's Encrypt CA environment. | `string` | false | +| lets_encrypt_private_key | The PEM encoded private key of your Lets Encrypt account. | `string` | false | +| lets_encrypt_preferred_chain | Prefer the chain with an issuer matching this Subject Common Name. | `string` | false | +| event_notifications_instance_crn | A CRN that uniquely identifies an IBM Cloud resource. | `string` | true | +| event_notifications_source_name | The name that is displayed as a source that is in your Event Notifications instance. | `string` | true | +| event_notifications_source_description | An optional description for the source that is in your Event Notifications instance. | `string` | false | +| secret_group_id | The ID of the secret group. | `string` | true | +| secret_id | The ID of the secret. | `string` | true | +| name | The name of the configuration. | `string` | true | ## Outputs -| Name | Description | -|------|-------------| -| secrets\_manager\_secrets | secrets\_manager\_secrets object | -| secrets\_manager\_secret | secrets\_manager\_secret object | -| sm_secret_group | sm_secret_group object | -| sm_imported_certificate | sm_imported_certificate object | -| sm_public_certificate | sm_public_certificate object | -| sm_kv_secret | sm_kv_secret object | -| sm_iam_credentials_secret | sm_iam_credentials_secret object | -| sm_arbitrary_secret | sm_arbitrary_secret object | -| sm_username_password_secret | sm_username_password_secret object | -| sm_private_certificate | sm_private_certificate object | -| sm_private_certificate_configuration_root_ca | sm_private_certificate_configuration_root_ca object | +| Name | Description | +|------------------------------------------------------|-------------------------------------------------------------| +| secrets\_manager\_secrets | secrets\_manager\_secrets object | +| secrets\_manager\_secret | secrets\_manager\_secret object | +| sm_secret_group | sm_secret_group object | +| sm_imported_certificate | sm_imported_certificate object | +| sm_public_certificate | sm_public_certificate object | +| sm_kv_secret | sm_kv_secret object | +| sm_iam_credentials_secret | sm_iam_credentials_secret object | +| sm_service_credentials_secret | sm_service_credentials_secret object | +| sm_arbitrary_secret | sm_arbitrary_secret object | +| sm_username_password_secret | sm_username_password_secret object | +| sm_private_certificate | sm_private_certificate object | +| sm_private_certificate_configuration_root_ca | sm_private_certificate_configuration_root_ca object | | sm_private_certificate_configuration_intermediate_ca | sm_private_certificate_configuration_intermediate_ca object | -| sm_private_certificate_configuration_template | sm_private_certificate_configuration_template object | -| sm_public_certificate_configuration_ca_lets_encrypt | sm_public_certificate_configuration_ca_lets_encrypt object | -| sm_en_registration | sm_en_registration object | -| sm_secret_group | sm_secret_group object | -| sm_secret_groups | sm_secret_groups object | -| sm_secrets | sm_secrets object | -| sm_imported_certificate_metadata | sm_imported_certificate_metadata object | -| sm_public_certificate_metadata | sm_public_certificate_metadata object | -| sm_kv_secret_metadata | sm_kv_secret_metadata object | -| sm_iam_credentials_secret_metadata | sm_iam_credentials_secret_metadata object | -| sm_arbitrary_secret_metadata | sm_arbitrary_secret_metadata object | -| sm_username_password_secret_metadata | sm_username_password_secret_metadata object | -| sm_private_certificate_metadata | sm_private_certificate_metadata object | -| sm_configurations | sm_configurations object | +| sm_private_certificate_configuration_template | sm_private_certificate_configuration_template object | +| sm_public_certificate_configuration_ca_lets_encrypt | sm_public_certificate_configuration_ca_lets_encrypt object | +| sm_en_registration | sm_en_registration object | +| sm_secret_group | sm_secret_group object | +| sm_secret_groups | sm_secret_groups object | +| sm_secrets | sm_secrets object | +| sm_imported_certificate_metadata | sm_imported_certificate_metadata object | +| sm_public_certificate_metadata | sm_public_certificate_metadata object | +| sm_kv_secret_metadata | sm_kv_secret_metadata object | +| sm_iam_credentials_secret_metadata | sm_iam_credentials_secret_metadata object | +| sm_service_credentials_secret_metadata | sm_service_credentials_secret_metadata object | +| sm_arbitrary_secret_metadata | sm_arbitrary_secret_metadata object | +| sm_username_password_secret_metadata | sm_username_password_secret_metadata object | +| sm_private_certificate_metadata | sm_private_certificate_metadata object | +| sm_configurations | sm_configurations object | diff --git a/examples/ibm-secrets-manager/main.tf b/examples/ibm-secrets-manager/main.tf index 1e1a89fccb7..5823fb3fa6e 100644 --- a/examples/ibm-secrets-manager/main.tf +++ b/examples/ibm-secrets-manager/main.tf @@ -81,6 +81,33 @@ resource "ibm_sm_iam_credentials_secret" "sm_iam_credentials_secret_instance" { } } +// Provision sm_service_credentials_secret resource instance +resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = var.secrets_manager_instance_id + region = var.region + endpoint_type = var.endpoint_type + name = var.sm_service_credentials_secret_name + custom_metadata = { my_key = jsonencode(var.sm_service_credentials_secret_custom_metadata) } + description = var.sm_service_credentials_secret_description + labels = var.sm_service_credentials_secret_labels + rotation { + auto_rotate = true + interval = 1 + unit = "day" + } + secret_group_id = var.sm_service_credentials_secret_secret_group_id + source_service { + instance { + crn = var.sm_service_credentials_secret_source_service_instance_crn + } + role { + crn = var.sm_service_credentials_secret_source_service_role_crn + } + parameters = var.sm_service_credentials_secret_source_service_parameters + } + ttl = var.sm_service_credentials_secret_ttl +} + // Provision sm_arbitrary_secret resource instance resource "ibm_sm_arbitrary_secret" "sm_arbitrary_secret_instance" { instance_id = var.secrets_manager_instance_id @@ -304,6 +331,14 @@ data "ibm_sm_iam_credentials_secret_metadata" "sm_iam_credentials_secret_metadat secret_id = var.sm_iam_credentials_secret_metadata_id } +// Create sm_service_credentials_secret_metadata data source +data "ibm_sm_service_credentials_secret_metadata" "sm_service_credentials_secret_metadata_instance" { + instance_id = var.secrets_manager_instance_id + region = var.region + endpoint_type = var.endpoint_type + secret_id = var.sm_service_credentials_secret_metadata_id +} + // Create sm_arbitrary_secret_metadata data source data "ibm_sm_arbitrary_secret_metadata" "sm_arbitrary_secret_metadata_instance" { instance_id = var.secrets_manager_instance_id @@ -352,6 +387,14 @@ data "ibm_sm_iam_credentials_secret" "sm_iam_credentials_secret_instance" { secret_id = var.sm_iam_credentials_secret_id } +// Create sm_service_credentials_secret data source +data "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_instance" { + instance_id = var.secrets_manager_instance_id + region = var.region + endpoint_type = var.endpoint_type + secret_id = var.sm_service_credentials_secret_id +} + // Create sm_arbitrary_secret data source data "ibm_sm_arbitrary_secret" "sm_arbitrary_secret_instance" { instance_id = var.secrets_manager_instance_id diff --git a/examples/ibm-secrets-manager/outputs.tf b/examples/ibm-secrets-manager/outputs.tf index 9ea26978ebb..9684c8c1eb5 100644 --- a/examples/ibm-secrets-manager/outputs.tf +++ b/examples/ibm-secrets-manager/outputs.tf @@ -45,6 +45,12 @@ output "ibm_sm_iam_credentials_secret" { value = ibm_sm_iam_credentials_secret.sm_iam_credentials_secret_instance description = "sm_iam_credentials_secret resource instance" } +// This allows sm_service_credentials_secret data to be referenced by other resources and the terraform CLI +// Modify this if only certain data should be exposed +output "ibm_sm_service_credentials_secret" { + value = ibm_sm_service_credentials_secret.sm_service_credentials_secret_instance + description = "sm_service_credentials_secret resource instance" +} // This allows sm_arbitrary_secret data to be referenced by other resources and the terraform CLI // Modify this if only certain data should be exposed output "ibm_sm_arbitrary_secret" { diff --git a/examples/ibm-secrets-manager/variables.tf b/examples/ibm-secrets-manager/variables.tf index 6c713285b83..fba28a2af81 100644 --- a/examples/ibm-secrets-manager/variables.tf +++ b/examples/ibm-secrets-manager/variables.tf @@ -210,6 +210,54 @@ variable "sm_iam_credentials_secret_reuse_api_key" { default = true } +// Resource arguments for sm_service_credentials_secret +variable "sm_service_credentials_name" { + description = "The human-readable name of your secret." + type = string + default = "my-service-credentials-secret" +} +variable "sm_service_credentials_secret_custom_metadata" { + description = "The secret metadata that a user can customize." + type = any + default = "anything as a string" +} +variable "sm_service_credentials_secret_description" { + description = "An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group." + type = string + default = "Extended description for this secret." +} +variable "sm_service_credentials_secret_labels" { + description = "Labels that you can use to search for secrets in your instance.Up to 30 labels can be created." + type = list(string) + default = [ "my-label" ] +} +variable "sm_service_credentials_secret_secret_group_id" { + description = "A v4 UUID identifier, or `default` secret group." + type = string + default = "default" +} +variable "sm_service_credentials_secret_source_service_instance_crn" { + description = "A CRN that uniquely identifies a service credentials source" + type = string + default = "crn:v1:staging:public:cloud-object-storage:global:a/111f5fb10986423e9saa8512f1db7e65:111133c8-49ea-41xe-8c40-122038246f5b::" +} +variable "sm_service_credentials_secret_source_service_role_crn" { + description = "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles." + type = string + default = "crn:v1:bluemix:public:iam::::serviceRole:Writer" +} +variable "sm_service_credentials_secret_source_service_parameters" { + description = "Configuration options represented as key-value pairs. Service-defined options are used in the generation of credentials for some services." + type = string + default = {} +} +variable "sm_service_credentials_secret_ttl" { + description = "The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long generated credentials remain valid. The value should be a string that specifies the number of seconds. Minimum duration is 86400 (1 day). Maximum is 7776000 seconds (90 days)." + type = string + default = "86401" +} + + // Resource arguments for sm_arbitrary_secret variable "sm_arbitrary_secret_name" { description = "The human-readable name of your secret." @@ -705,6 +753,14 @@ variable "sm_iam_credentials_secret_metadata_id" { default = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" } +// Data source arguments for sm_service_credentials_secret_metadata +variable "sm_service_credentials_secret_metadata_id" { + description = "The ID of the secret." + type = string + default = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" +} + + // Data source arguments for sm_arbitrary_secret_metadata variable "sm_arbitrary_secret_metadata_id" { description = "The ID of the secret." @@ -747,6 +803,13 @@ variable "sm_iam_credentials_secret_id" { default = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" } +// Data source arguments for sm_service_credentials_secret +variable "sm_service_credentials_secret_id" { + description = "The ID of the secret." + type = string + default = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" +} + // Data source arguments for sm_arbitrary_secret variable "sm_arbitrary_secret_id" { description = "The ID of the secret." diff --git a/ibm/provider/provider.go b/ibm/provider/provider.go index 936814aded4..92ffcdcc772 100644 --- a/ibm/provider/provider.go +++ b/ibm/provider/provider.go @@ -701,6 +701,7 @@ func Provider() *schema.Provider { "ibm_sm_public_certificate_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmPublicCertificateMetadata()), "ibm_sm_private_certificate_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmPrivateCertificateMetadata()), "ibm_sm_iam_credentials_secret_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmIamCredentialsSecretMetadata()), + "ibm_sm_service_credentials_secret_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmServiceCredentialsSecretMetadata()), "ibm_sm_kv_secret_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmKvSecretMetadata()), "ibm_sm_username_password_secret_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmUsernamePasswordSecretMetadata()), "ibm_sm_arbitrary_secret": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmArbitrarySecret()), diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go new file mode 100644 index 00000000000..54ff509c4dc --- /dev/null +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go @@ -0,0 +1,491 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager + +import ( + "context" + "fmt" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" + "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "log" +) + +func DataSourceIbmSmServiceCredentialsSecretMetadata() *schema.Resource { + return &schema.Resource{ + ReadContext: dataSourceIbmSmServiceCredentialsSecretMetadataRead, + + Schema: map[string]*schema.Schema{ + "secret_id": &schema.Schema{ + Type: schema.TypeString, + Required: true, + Description: "The ID of the secret.", + }, + "created_by": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The unique identifier that is associated with the entity that created the secret.", + }, + "created_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was created. The date format follows RFC 3339.", + }, + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A CRN that uniquely identifies an IBM Cloud resource.", + }, + "custom_metadata": &schema.Schema{ + Type: schema.TypeMap, + Computed: true, + Description: "The secret metadata that a user can customize.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group.", + }, + "downloaded": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API.", + }, + "labels": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "Labels that you can use to search for secrets in your instance.Up to 30 labels can be created.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "locks_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of locks of the secret.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The human-readable name of your secret.", + }, + "secret_group_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + ForceNew: true, + Description: "A v4 UUID identifier, or `default` secret group.", + }, + "secret_type": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials.", + }, + "state": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values.", + }, + "state_description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A text representation of the secret state.", + }, + "updated_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was recently modified. The date format follows RFC 3339.", + }, + "versions_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of versions of the secret.", + }, + "ttl": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", + }, + "rotation": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secrets automatically.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auto_rotate": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.", + }, + "interval": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The length of the secret rotation time interval.", + }, + "unit": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The units for the secret rotation time interval.", + }, + }, + }, + }, + "next_rotation_date": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date that the secret is scheduled for automatic rotation. The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy.", + }, + "source_service": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The properties required for creating the service credentials for the specified source service instance.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "instance": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service instance identifier.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A CRN that uniquely identifies a service credentials target.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The CRN role identifier for creating a service-id.", + }, + }, + }, + }, + "iam": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service IAM data is returned in case IAM credentials where created for this secret.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "apikey": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM apikey metadata for the IAM credentials that were generated.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key name for the generated service credentials.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key description for the generated service credentials.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM role for the generate service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM role CRN assigned to the generated service credentials.", + }, + }, + }, + }, + "serviceid": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM serviceid for the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM Service ID CRN.", + }, + }, + }, + }, + }, + }, + }, + "resource_key": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service resource key data of the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key CRN of the generated service credentials.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key name of the generated service credentials.", + }, + }, + }, + }, + "parameters": &schema.Schema{ + Type: schema.TypeMap, + Computed: true, + Description: "The collection of parameters for the service credentials target.", + }, + }, + }, + }, + }, + } +} + +func dataSourceIbmSmServiceCredentialsSecretMetadataRead(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() + if err != nil { + return diag.FromErr(err) + } + + region := getRegion(secretsManagerClient, d) + instanceId := d.Get("instance_id").(string) + secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) + + getSecretMetadataOptions := &secretsmanagerv2.GetSecretMetadataOptions{} + + secretId := d.Get("secret_id").(string) + getSecretMetadataOptions.SetID(secretId) + + ServiceCredentialsSecretMetadataIntf, response, err := secretsManagerClient.GetSecretMetadataWithContext(context, getSecretMetadataOptions) + if err != nil { + log.Printf("[DEBUG] GetSecretMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("GetSecretMetadataWithContext failed %s\n%s", err, response)) + } + ServiceCredentialsSecretMetadata := ServiceCredentialsSecretMetadataIntf.(*secretsmanagerv2.ServiceCredentialsSecretMetadata) + + d.SetId(fmt.Sprintf("%s/%s/%s", region, instanceId, secretId)) + + if err = d.Set("region", region); err != nil { + return diag.FromErr(fmt.Errorf("Error setting region: %s", err)) + } + if err = d.Set("created_by", ServiceCredentialsSecretMetadata.CreatedBy); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_by: %s", err)) + } + + if err = d.Set("created_at", DateTimeToRFC3339(ServiceCredentialsSecretMetadata.CreatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_at: %s", err)) + } + + if err = d.Set("crn", ServiceCredentialsSecretMetadata.Crn); err != nil { + return diag.FromErr(fmt.Errorf("Error setting crn: %s", err)) + } + + if ServiceCredentialsSecretMetadata.CustomMetadata != nil { + convertedMap := make(map[string]interface{}, len(ServiceCredentialsSecretMetadata.CustomMetadata)) + for k, v := range ServiceCredentialsSecretMetadata.CustomMetadata { + convertedMap[k] = v + } + + if err = d.Set("custom_metadata", flex.Flatten(convertedMap)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting custom_metadata: %s", err)) + } + if err != nil { + return diag.FromErr(fmt.Errorf("Error setting custom_metadata %s", err)) + } + } + + if err = d.Set("description", ServiceCredentialsSecretMetadata.Description); err != nil { + return diag.FromErr(fmt.Errorf("Error setting description: %s", err)) + } + + if err = d.Set("downloaded", ServiceCredentialsSecretMetadata.Downloaded); err != nil { + return diag.FromErr(fmt.Errorf("Error setting downloaded: %s", err)) + } + + if ServiceCredentialsSecretMetadata.Labels != nil { + if err = d.Set("labels", ServiceCredentialsSecretMetadata.Labels); err != nil { + return diag.FromErr(fmt.Errorf("Error setting labels: %s", err)) + } + } + + if err = d.Set("locks_total", flex.IntValue(ServiceCredentialsSecretMetadata.LocksTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting locks_total: %s", err)) + } + + if err = d.Set("name", ServiceCredentialsSecretMetadata.Name); err != nil { + return diag.FromErr(fmt.Errorf("Error setting name: %s", err)) + } + + if err = d.Set("secret_group_id", ServiceCredentialsSecretMetadata.SecretGroupID); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_group_id: %s", err)) + } + + if err = d.Set("secret_type", ServiceCredentialsSecretMetadata.SecretType); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_type: %s", err)) + } + + if err = d.Set("state", flex.IntValue(ServiceCredentialsSecretMetadata.State)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state: %s", err)) + } + + if err = d.Set("state_description", ServiceCredentialsSecretMetadata.StateDescription); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state_description: %s", err)) + } + + if err = d.Set("updated_at", DateTimeToRFC3339(ServiceCredentialsSecretMetadata.UpdatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting updated_at: %s", err)) + } + + if err = d.Set("versions_total", flex.IntValue(ServiceCredentialsSecretMetadata.VersionsTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting versions_total: %s", err)) + } + + if err = d.Set("ttl", ServiceCredentialsSecretMetadata.TTL); err != nil { + return diag.FromErr(fmt.Errorf("Error setting ttl: %s", err)) + } + + rotation := []map[string]interface{}{} + if ServiceCredentialsSecretMetadata.Rotation != nil { + modelMap, err := dataSourceIbmSmServiceCredentialsSecretMetadataRotationPolicyToMap(ServiceCredentialsSecretMetadata.Rotation.(*secretsmanagerv2.RotationPolicy)) + if err != nil { + return diag.FromErr(err) + } + rotation = append(rotation, modelMap) + } + if err = d.Set("rotation", rotation); err != nil { + return diag.FromErr(fmt.Errorf("Error setting rotation %s", err)) + } + + if err = d.Set("next_rotation_date", DateTimeToRFC3339(ServiceCredentialsSecretMetadata.NextRotationDate)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting next_rotation_date: %s", err)) + } + + sourceServiceMap, err := dataSourceIbmSmServiceCredentialsSecretMetadataSourceServiceToMap(ServiceCredentialsSecretMetadata.SourceService) + if err != nil { + return diag.FromErr(err) + } + if len(sourceServiceMap) > 0 { + if err = d.Set("source_service", []map[string]interface{}{sourceServiceMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting source_service: %s", err)) + } + } + + return nil +} + +func dataSourceIbmSmServiceCredentialsSecretMetadataRotationPolicyToMap(model *secretsmanagerv2.RotationPolicy) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if model.AutoRotate != nil { + modelMap["auto_rotate"] = *model.AutoRotate + } + if model.Interval != nil { + modelMap["interval"] = *model.Interval + } + if model.Unit != nil { + modelMap["unit"] = *model.Unit + } + return modelMap, nil +} + +func dataSourceIbmSmServiceCredentialsSecretMetadataSourceServiceToMap(sourceService *secretsmanagerv2.ServiceCredentialsSecretSourceService) (map[string]interface{}, error) { + mainModelMap := make(map[string]interface{}) + if sourceService.Instance != nil { + instanceMap := make(map[string]interface{}) + instanceModel := sourceService.Instance + if instanceModel.Crn != nil { + instanceMap["crn"] = instanceModel.Crn + } + mainModelMap["instance"] = []map[string]interface{}{instanceMap} + } + + if sourceService.Role != nil { + roleMap := make(map[string]interface{}) + roleModel := sourceService.Role + if roleModel.Crn != nil { + roleMap["crn"] = roleModel.Crn + } + mainModelMap["role"] = []map[string]interface{}{roleMap} + } + + if sourceService.Iam != nil { + iamMap := make(map[string]interface{}) + iamModel := sourceService.Iam + + // apikey + if iamModel.Apikey != nil { + iamApikeyMap := make(map[string]interface{}) + iamApikeyModel := iamModel.Apikey + if iamApikeyModel.Name != nil { + iamApikeyMap["name"] = iamApikeyModel.Name + } + if iamApikeyModel.Description != nil { + iamApikeyMap["description"] = iamApikeyModel.Description + } + iamMap["apikey"] = []map[string]interface{}{iamApikeyMap} + } + + // role + if iamModel.Role != nil { + iamRoleMap := make(map[string]interface{}) + iamRoleModel := iamModel.Role + if iamRoleModel.Crn != nil { + iamRoleMap["crn"] = iamRoleModel.Crn + } + iamMap["role"] = []map[string]interface{}{iamRoleMap} + } + + // service id + if iamModel.Serviceid != nil { + iamServiceidMap := make(map[string]interface{}) + iamServiceidModel := iamModel.Serviceid + if iamServiceidModel.Crn != nil { + iamServiceidMap["crn"] = iamServiceidModel.Crn + } + iamMap["serviceid"] = []map[string]interface{}{iamServiceidMap} + } + + mainModelMap["iam"] = []map[string]interface{}{iamMap} + + } + + if sourceService.ResourceKey != nil { + resourceKeyMap := make(map[string]interface{}) + resourceKeyModel := sourceService.ResourceKey + if resourceKeyModel.Crn != nil { + resourceKeyMap["crn"] = resourceKeyModel.Crn + } + if resourceKeyModel.Name != nil { + resourceKeyMap["name"] = resourceKeyModel.Name + } + mainModelMap["resource_key"] = []map[string]interface{}{resourceKeyMap} + } + + if sourceService.Parameters != nil { + parametersMap := sourceService.Parameters.GetProperties() + for k, v := range parametersMap { + parametersMap[k] = fmt.Sprint(v) + } + if sourceService.Parameters.ServiceidCrn != nil { + parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn + } + mainModelMap["parameters"] = parametersMap + } + + return mainModelMap, nil +} diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go index 1f1f813e830..82232a7cfdd 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -330,7 +330,7 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { "ttl": &schema.Schema{ Type: schema.TypeString, Required: true, - ValidateFunc: StringIsIntBetween(60, 7776000), + ValidateFunc: StringIsIntBetween(86400, 7776000), Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", }, "updated_at": &schema.Schema{ diff --git a/website/docs/d/sm_service_credentials_secret.html.markdown b/website/docs/d/sm_service_credentials_secret.html.markdown new file mode 100644 index 00000000000..0bce29f26e0 --- /dev/null +++ b/website/docs/d/sm_service_credentials_secret.html.markdown @@ -0,0 +1,140 @@ +--- +layout: "ibm" +page_title: "IBM : ibm_sm_service_credentials_secret" +description: |- + Get information about ServiceCredentialsSecret +subcategory: "Secrets Manager" +--- + +# ibm_sm_service_credentials_secret + +Provides a read-only data source for a service credentials secret. You can then reference the fields of the data source in other resources within the same configuration using interpolation syntax. +The data source can be defined by providing the secret ID or the secret and secret group names. + +## Example Usage + +By secret id +```hcl +data "ibm_sm_service_credentials_secret" "service_credentials_secret" { + instance_id = ibm_resource_instance.sm_instance.guid + region = "us-south" + secret_id = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" +} +``` + +By secret name and group name +```hcl +data "ibm_sm_service_credentials_secret" "service_credentials_secret" { + instance_id = ibm_resource_instance.sm_instance.guid + region = "us-south" + name = "secret-name" + secret_group_name = "group-name" +} +``` + +## Argument Reference + +Review the argument reference that you can specify for your data source. + +* `instance_id` - (Required, Forces new resource, String) The GUID of the Secrets Manager instance. +* `region` - (Optional, Forces new resource, String) The region of the Secrets Manager instance. If not provided defaults to the region defined in the IBM provider configuration. +* `endpoint_type` - (Optional, String) - The endpoint type. If not provided the endpoint type is determined by the `visibility` argument provided in the provider configuration. + * Constraints: Allowable values are: `private`, `public`. +* `secret_id` - (Optional, String) The ID of the secret. + * Constraints: The maximum length is `36` characters. The minimum length is `36` characters. The value must match regular expression `/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/`. +* `name` - (Optional, String) The human-readable name of your secret. To be used in combination with `secret_group_name`. + * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `^[A-Za-z0-9][A-Za-z0-9]*(?:_*-*\\.*[A-Za-z0-9]+)*$`. +* `secret_group_name` - (Optional, String) The name of your existing secret group. To be used in combination with `name`. + * Constraints: The maximum length is `64` characters. The minimum length is `2` characters. The value must match regular expression `/(.*?)/`. + +## Attribute Reference + +In addition to all argument references listed, you can access the following attribute references after your data source is created. + +* `created_at` - (String) The date when a resource was created. The date format follows RFC 3339. + +* `created_by` - (String) The unique identifier that is associated with the entity that created the secret. + * Constraints: The maximum length is `128` characters. The minimum length is `4` characters. + +* `credentials` - (List) The properties of the service credentials secret payload. + Nested scheme for **credentials**: + * `apikey` - (String) The API key that is generated for this secret. + * `cos_hmac_keys` - (String) The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret. + Nested scheme for **cos_hmac_keys**: + * `access_key_id` - (String) The access key ID for Cloud Object Storage HMAC credentials. + * `secret_access_key` - (String) The secret access key ID for Cloud Object Storage HMAC credentials. + * `endpoints` - (String) The endpoints that are returned after you create a service credentials secret. + * `iam_apikey_description` - (String) The description of the generated IAM API key. + * `iam_apikey_name` - (String) The name of the generated IAM API key. + * `iam_role_crn` - (String) The IAM role CRN that is returned after you create a service credentials secret. + * `iam_serviceid_crn` - (String) The IAM serviceId CRN that is returned after you create a service credentials secret. + * `resource_instance_id` - (String) The resource instance CRN that is returned after you create a service credentials secret. + +* `crn` - (String) A CRN that uniquely identifies an IBM Cloud resource. + * Constraints: The maximum length is `512` characters. The minimum length is `9` characters. The value must match regular expression `/^crn:v[0-9](:([A-Za-z0-9-._~!$&'()*+,;=@\/]|%[0-9A-Z]{2})*){8}$/`. + +* `custom_metadata` - (Map) The secret metadata that a user can customize. + +* `description` - (String) An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. + * Constraints: The maximum length is `1024` characters. The minimum length is `0` characters. The value must match regular expression `/(.*?)/`. + +* `downloaded` - (Boolean) Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API. + +* `labels` - (List) Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. + * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `30` items. The minimum length is `0` items. + +* `locks_total` - (Integer) The number of locks of the secret. + * Constraints: The maximum value is `1000`. The minimum value is `0`. + +* `name` - (String) The human-readable name of your secret. + * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. + +* `next_rotation_date` - (String) The date that the secret is scheduled for automatic rotation.The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy. + +* `rotation` - (List) Determines whether Secrets Manager rotates your secrets automatically. + Nested scheme for **rotation**: + * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. + * `interval` - (Integer) The length of the secret rotation time interval. + * Constraints: The minimum value is `1`. + * `unit` - (String) The units for the secret rotation time interval. + * Constraints: Allowable values are: `day`, `month`. + +* `secret_group_id` - (String) A v4 UUID identifier, or `default` secret group. + * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`. + +* `secret_type` - (String) The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. + * Constraints: Allowable values are: `arbitrary`, `imported_cert`, `public_cert`, `iam_credentials`, `kv`, `username_password`, `private_cert`. + +* `source_service` - (List) The properties required for creating the service credentials for the specified source service instance. + Nested scheme for **source_service**: + * `iam` - (List) The source service IAM data is returned in case IAM credentials where created for this secret. + Nested scheme for **iam**: + * `apikey` - (String) The IAM apikey metadata for the IAM credentials that were generated. + Nested scheme for **apikey**: + * `name` - (String) The IAM API key name for the generated service credentials. + * `description` - (String) The IAM API key description for the generated service credentials. + * `role` - (String) The IAM role for the generate service credentials. + Nested scheme for **role**: + * `crn` - (String) The IAM role CRN assigned to the generated service credentials. + * `serviceid` - (String) The IAM serviceid for the generated service credentials. + Nested scheme for **serviceid**: + * `crn` - (String) The IAM Service ID CRN. + * `resource_key` - (List) The source service resource key data of the generated service credentials. + Nested scheme for **resource_key**: + * `crn` - (String) The resource key CRN of the generated service credentials. + * `name` - (String) The resource key name of the generated service credentials. + +* `state` - (Integer) The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values. + * Constraints: Allowable values are: `0`, `1`, `2`, `3`, `5`. + +* `state_description` - (String) A text representation of the secret state. + * Constraints: Allowable values are: `pre_activation`, `active`, `suspended`, `deactivated`, `destroyed`. + +* `ttl` - (String) The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long generated credentials remain valid. The value should be a string that specifies the number of seconds. Minimum duration is 86400 (1 day). Maximum is 7776000 seconds (90 days). + * Constraints: The maximum length is `7` characters. The minimum length is `2` characters. + +* `updated_at` - (String) The date when a resource was recently modified. The date format follows RFC 3339. + +* `versions_total` - (Integer) The number of versions of the secret. + * Constraints: The maximum value is `50`. The minimum value is `0`. + diff --git a/website/docs/d/sm_service_credentials_secret_metadata.html.markdown b/website/docs/d/sm_service_credentials_secret_metadata.html.markdown new file mode 100644 index 00000000000..0710616c26d --- /dev/null +++ b/website/docs/d/sm_service_credentials_secret_metadata.html.markdown @@ -0,0 +1,113 @@ +--- +layout: "ibm" +page_title: "IBM : ibm_sm_service_credentials_secret_metadata" +description: |- + Get information about ServiceCredentialsSecretMetadata +subcategory: "Secrets Manager" +--- + +# ibm_sm_service_credentials_secret + +Provides a read-only data source for the metadata of an service credentials secret. You can then reference the fields of the data source in other resources within the same configuration using interpolation syntax. + + +## Example Usage + +```hcl +data "ibm_sm_service_credentials_secret_metadata" "service_credentials_secret_metadata" { + instance_id = ibm_resource_instance.sm_instance.guid + region = "us-south" + secret_id = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" +} +``` + +## Argument Reference + +Review the argument reference that you can specify for your data source. + +* `instance_id` - (Required, Forces new resource, String) The GUID of the Secrets Manager instance. +* `region` - (Optional, Forces new resource, String) The region of the Secrets Manager instance. If not provided defaults to the region defined in the IBM provider configuration. +* `endpoint_type` - (Optional, String) - The endpoint type. If not provided the endpoint type is determined by the `visibility` argument provided in the provider configuration. + * Constraints: Allowable values are: `private`, `public`. +* `secret_id` - (Optional, String) The ID of the secret. + * Constraints: The maximum length is `36` characters. The minimum length is `36` characters. The value must match regular expression `/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/`. + +## Attribute Reference + +In addition to all argument references listed, you can access the following attribute references after your data source is created. + +* `id` - The unique identifier of the data source. + +* `created_at` - (String) The date when a resource was created. The date format follows RFC 3339. + +* `created_by` - (String) The unique identifier that is associated with the entity that created the secret. + * Constraints: The maximum length is `128` characters. The minimum length is `4` characters. + +* `crn` - (String) A CRN that uniquely identifies an IBM Cloud resource. + * Constraints: The maximum length is `512` characters. The minimum length is `9` characters. The value must match regular expression `/^crn:v[0-9](:([A-Za-z0-9-._~!$&'()*+,;=@\/]|%[0-9A-Z]{2})*){8}$/`. + +* `custom_metadata` - (Map) The secret metadata that a user can customize. + +* `description` - (String) An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. + * Constraints: The maximum length is `1024` characters. The minimum length is `0` characters. The value must match regular expression `/(.*?)/`. + +* `downloaded` - (Boolean) Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API. + +* `labels` - (List) Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. + * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `30` items. The minimum length is `0` items. + +* `locks_total` - (Integer) The number of locks of the secret. + * Constraints: The maximum value is `1000`. The minimum value is `0`. + +* `name` - (String) The human-readable name of your secret. + * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. + +* `next_rotation_date` - (String) The date that the secret is scheduled for automatic rotation.The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy. + +* `rotation` - (List) Determines whether Secrets Manager rotates your secrets automatically. + Nested scheme for **rotation**: + * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. + * `interval` - (Integer) The length of the secret rotation time interval. + * Constraints: The minimum value is `1`. + * `unit` - (String) The units for the secret rotation time interval. + * Constraints: Allowable values are: `day`, `month`. + +* `secret_group_id` - (String) A v4 UUID identifier, or `default` secret group. + * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`. + +* `secret_type` - (String) The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. + * Constraints: Allowable values are: `arbitrary`, `imported_cert`, `public_cert`, `iam_credentials`, `kv`, `username_password`, `private_cert`. + +* `source_service` - (List) The properties required for creating the service credentials for the specified source service instance. + Nested scheme for **source_service**: + * `iam` - (List) The source service IAM data is returned in case IAM credentials where created for this secret. + Nested scheme for **iam**: + * `apikey` - (String) The IAM apikey metadata for the IAM credentials that were generated. + Nested scheme for **apikey**: + * `name` - (String) The IAM API key name for the generated service credentials. + * `description` - (String) The IAM API key description for the generated service credentials. + * `role` - (String) The IAM role for the generate service credentials. + Nested scheme for **role**: + * `crn` - (String) The IAM role CRN assigned to the generated service credentials. + * `serviceid` - (String) The IAM serviceid for the generated service credentials. + Nested scheme for **serviceid**: + * `crn` - (String) The IAM Service ID CRN. + * `resource_key` - (List) The source service resource key data of the generated service credentials. + Nested scheme for **resource_key**: + * `crn` - (String) The resource key CRN of the generated service credentials. + * `name` - (String) The resource key name of the generated service credentials. + +* `state` - (Integer) The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values. + * Constraints: Allowable values are: `0`, `1`, `2`, `3`, `5`. + +* `state_description` - (String) A text representation of the secret state. + * Constraints: Allowable values are: `pre_activation`, `active`, `suspended`, `deactivated`, `destroyed`. + +* `ttl` - (String) The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long generated credentials remain valid. The value should be a string that specifies the number of seconds. Minimum duration is 86400 (1 day). Maximum is 7776000 seconds (90 days). + * Constraints: The maximum length is `7` characters. The minimum length is `2` characters. + +* `updated_at` - (String) The date when a resource was recently modified. The date format follows RFC 3339. + +* `versions_total` - (Integer) The number of versions of the secret. + * Constraints: The maximum value is `50`. The minimum value is `0`. + diff --git a/website/docs/r/sm_service_credentials_secret.html.markdown b/website/docs/r/sm_service_credentials_secret.html.markdown index b86d6093a6c..fdeb388008b 100644 --- a/website/docs/r/sm_service_credentials_secret.html.markdown +++ b/website/docs/r/sm_service_credentials_secret.html.markdown @@ -26,6 +26,15 @@ resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { unit = "day" } secret_group_id = ibm_sm_secret_group.sm_secret_group.secret_group_id + source_service { + instance { + crn = "crn:v1:staging:public:cloud-object-storage:global:a/111f5fb10986423e9saa8512f1db7e65:111133c8-49ea-41xe-8c40-122038246f5b::" + } + role { + crn = "crn:v1:bluemix:public:iam::::serviceRole:Writer" + } + parameters = {"HMAC": true} + } ttl = "1800" } ``` @@ -38,19 +47,18 @@ Review the argument reference that you can specify for your resource. * `region` - (Optional, Forces new resource, String) The region of the Secrets Manager instance. If not provided defaults to the region defined in the IBM provider configuration. * `endpoint_type` - (Optional, String) - The endpoint type. If not provided the endpoint type is determined by the `visibility` argument provided in the provider configuration. * Constraints: Allowable values are: `private`, `public`. +* `name` - (Required, String) The human-readable name of your secret. + * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `^[A-Za-z0-9][A-Za-z0-9]*(?:_*-*\\.*[A-Za-z0-9]+)*$`. * `custom_metadata` - (Optional, Map) The secret metadata that a user can customize. * `description` - (Optional, String) An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. * Constraints: The maximum length is `1024` characters. The minimum length is `0` characters. The value must match regular expression `/(.*?)/`. * `labels` - (Optional, List) Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `30` items. The minimum length is `0` items. -* `name` - (Required, String) The human-readable name of your secret. - * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `^[A-Za-z0-9][A-Za-z0-9]*(?:_*-*\\.*[A-Za-z0-9]+)*$`. * `rotation` - (Optional, List) Determines whether Secrets Manager rotates your secrets automatically. Nested scheme for **rotation**: * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Optional, Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Optional, Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (Optional, String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. @@ -59,21 +67,12 @@ Nested scheme for **rotation**: Nested scheme for **source_service**: * `instance` - (Optional, List) The source service instance identifier. Nested scheme for **instance**: - * `crn` - (Optional, String) A CRN that uniquely identifies a service credentials source. - * `parameters` - (Optional, List) Configuration options represented as key-value pairs. Service-defined options are used in the generation of credentials for some services. For example, Cloud Object Storage accepts the optional boolean parameter HMAC for creating specific kind of credentials. + * `crn` - (Optional, String) A CRN that uniquely identifies a service credentials source. * `role` - (Optional, List) The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles. Nested scheme for **role**: - * `crn` - (Optional, String) The service role CRN. - * `iam` - (Optional, List) The source service IAM data is returned in case IAM credentials where created for this secret. - Nested scheme for **iam**: - * `apikey` - (Optional, String) The IAM apikey metadata for the IAM credentials that were generated. - * `role` - (Optional, String) The IAM role for the generate service credentials. - * `serviceid` - (Optional, String) The IAM serviceid for the generated service credentials. - * `resource_key` - (Optional, List) The source service resource key data of the generated service credentials. - Nested scheme for **resource_key**: - * `crn` - (Optional, String) The resource key CRN of the generated service credentials. - * `name` - (Optional, String) The resource key name of the generated service credentials. -* `ttl` - (Required, String) The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long each generated API key remains valid. The value should be an integer that specifies the number of seconds. Minimum duration is 60 seconds. Maximum is 7776000 seconds (90 days). + * `crn` - (Optional, String) The service role CRN. + * `parameters` - (Optional, List) Configuration options represented as key-value pairs. Service-defined options are used in the generation of credentials for some services. For example, Cloud Object Storage accepts the optional boolean parameter HMAC for creating specific kind of credentials. +* `ttl` - (Required, String) The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long generated credentials remain valid. The value should be a string that specifies the number of seconds. Minimum duration is 86400 (1 day). Maximum is 7776000 seconds (90 days). * Constraints: The maximum length is `7` characters. The minimum length is `2` characters. ## Attribute Reference @@ -84,12 +83,43 @@ In addition to all argument references listed, you can access the following attr * `created_at` - (String) The date when a resource was created. The date format follows RFC 3339. * `created_by` - (String) The unique identifier that is associated with the entity that created the secret. * Constraints: The maximum length is `128` characters. The minimum length is `4` characters. +* `credentials` - (List) The properties of the service credentials secret payload. + Nested scheme for **credentials**: + * `apikey` - (String) The API key that is generated for this secret. + * `cos_hmac_keys` - (String) The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret. + Nested scheme for **cos_hmac_keys**: + * `access_key_id` - (String) The access key ID for Cloud Object Storage HMAC credentials. + * `secret_access_key` - (String) The secret access key ID for Cloud Object Storage HMAC credentials. + * `endpoints` - (String) The endpoints that are returned after you create a service credentials secret. + * `iam_apikey_description` - (String) The description of the generated IAM API key. + * `iam_apikey_name` - (String) The name of the generated IAM API key. + * `iam_role_crn` - (String) The IAM role CRN that is returned after you create a service credentials secret. + * `iam_serviceid_crn` - (String) The IAM serviceId CRN that is returned after you create a service credentials secret. + * `resource_instance_id` - (String) The resource instance CRN that is returned after you create a service credentials secret. * `crn` - (String) A CRN that uniquely identifies an IBM Cloud resource. * Constraints: The maximum length is `512` characters. The minimum length is `9` characters. The value must match regular expression `/^crn:v[0-9](:([A-Za-z0-9-._~!$&'()*+,;=@\/]|%[0-9A-Z]{2})*){8}$/`. * `downloaded` - (Boolean) Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API. * `locks_total` - (Integer) The number of locks of the secret. * Constraints: The maximum value is `1000`. The minimum value is `0`. * `next_rotation_date` - (String) The date that the secret is scheduled for automatic rotation.The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy. +* `source_service` - (List) The properties required for creating the service credentials for the specified source service instance. + Nested scheme for **source_service**: + * `iam` - (List) The source service IAM data is returned in case IAM credentials where created for this secret. + Nested scheme for **iam**: + * `apikey` - (String) The IAM apikey metadata for the IAM credentials that were generated. + Nested scheme for **apikey**: + * `name` - (String) The IAM API key name for the generated service credentials. + * `description` - (String) The IAM API key description for the generated service credentials. + * `role` - (String) The IAM role for the generate service credentials. + Nested scheme for **role**: + * `crn` - (String) The IAM role CRN assigned to the generated service credentials. + * `serviceid` - (String) The IAM serviceid for the generated service credentials. + Nested scheme for **serviceid**: + * `crn` - (String) The IAM Service ID CRN. + * `resource_key` - (List) The source service resource key data of the generated service credentials. + Nested scheme for **resource_key**: + * `crn` - (String) The resource key CRN of the generated service credentials. + * `name` - (String) The resource key name of the generated service credentials. * `state` - (Integer) The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values. * Constraints: Allowable values are: `0`, `1`, `2`, `3`, `5`. * `state_description` - (String) A text representation of the secret state. From 60abaf9338a777d728270769409e861a7e09105a Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Sun, 19 Nov 2023 14:10:52 +0200 Subject: [PATCH 04/18] update function updated --- .../resource_ibm_sm_service_credentilas_secret.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go index 82232a7cfdd..013921c17e8 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -552,6 +552,10 @@ func resourceIbmSmServiceCredentialsSecretUpdate(context context.Context, d *sch patchVals.Description = core.StringPtr(d.Get("description").(string)) hasChange = true } + if d.HasChange("ttl") { + patchVals.TTL = core.StringPtr(d.Get("ttl").(string)) + hasChange = true + } if d.HasChange("labels") { labels := d.Get("labels").([]interface{}) labelsParsed := make([]string, len(labels)) @@ -565,6 +569,15 @@ func resourceIbmSmServiceCredentialsSecretUpdate(context context.Context, d *sch patchVals.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) hasChange = true } + if d.HasChange("rotation") { + RotationModel, err := resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(d.Get("rotation").([]interface{})[0].(map[string]interface{})) + if err != nil { + log.Printf("[DEBUG] UpdateSecretMetadataWithContext failed: Reading Rotation parameter failed: %s", err) + return diag.FromErr(fmt.Errorf("UpdateSecretMetadataWithContext failed: Reading Rotation parameter failed: %s", err)) + } + patchVals.Rotation = RotationModel + hasChange = true + } // Apply change in metadata (if changed) if hasChange { From 8477dde3ca0db972dd5e6c8a6aa3c9915e4c4582 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 22 Nov 2023 10:36:24 +0200 Subject: [PATCH 05/18] SC unit tests added --- ibm/acctest/acctest.go | 6 + ...ource_ibm_sm_service_credentials_secret.go | 3 + ..._sm_service_credentials_secret_metadata.go | 3 + ...ervice_credentials_secret_metadata_test.go | 74 ++++ ..._ibm_sm_service_credentials_secret_test.go | 84 +++++ ...ource_ibm_sm_service_credentilas_secret.go | 3 + ..._ibm_sm_service_credentilas_secret_test.go | 335 ++++++++++++++++++ 7 files changed, 508 insertions(+) create mode 100644 ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata_test.go create mode 100644 ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go create mode 100644 ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go diff --git a/ibm/acctest/acctest.go b/ibm/acctest/acctest.go index 65e4440b75c..68cb246eace 100644 --- a/ibm/acctest/acctest.go +++ b/ibm/acctest/acctest.go @@ -139,6 +139,7 @@ var ( SecretsManagerPublicCertificateCommonName string SecretsManagerValidateManualDnsCisZoneId string SecretsManagerImportedCertificatePathToCertificate string + SecretsManagerServiceCredentialsCosCrn string SecretsManagerSecretType string SecretsManagerSecretID string ) @@ -1205,6 +1206,11 @@ func init() { fmt.Println("[INFO] Set the environment variable SECRETS_MANAGER_IMPORTED_CERTIFICATE_PATH_TO_CERTIFICATE for testing imported certificate's tests, else tests fail if not set correctly") } + SecretsManagerServiceCredentialsCosCrn = os.Getenv("SECRETS_MANAGER_SERVICE_CREDENTIALS_COS_CRN") + if SecretsManagerServiceCredentialsCosCrn == "" { + fmt.Println("[INFO] Set the environment variable SECRETS_MANAGER_SERVICE_CREDENTIALS_COS_CRN for testing service credentials' tests, else tests fail if not set correctly") + } + SecretsManagerSecretType = os.Getenv("SECRETS_MANAGER_SECRET_TYPE") if SecretsManagerSecretType == "" { SecretsManagerSecretType = "username_password" diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go index 8e23da68633..686a553ae76 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go @@ -592,6 +592,9 @@ func dataSourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *se parametersMap[k] = fmt.Sprint(v) } if sourceService.Parameters.ServiceidCrn != nil { + if len(parametersMap) == 0 { + parametersMap = make(map[string]interface{}) + } parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn } mainModelMap["parameters"] = parametersMap diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go index 54ff509c4dc..141e0f9e6d4 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go @@ -482,6 +482,9 @@ func dataSourceIbmSmServiceCredentialsSecretMetadataSourceServiceToMap(sourceSer parametersMap[k] = fmt.Sprint(v) } if sourceService.Parameters.ServiceidCrn != nil { + if len(parametersMap) == 0 { + parametersMap = make(map[string]interface{}) + } parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn } mainModelMap["parameters"] = parametersMap diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata_test.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata_test.go new file mode 100644 index 00000000000..91ad1c0491d --- /dev/null +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata_test.go @@ -0,0 +1,74 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager_test + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + + acc "github.com/IBM-Cloud/terraform-provider-ibm/ibm/acctest" +) + +func TestAccIbmSmServiceCredentialsSecretMetadataDataSourceBasic(t *testing.T) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccCheckIbmSmServiceCredentialsSecretMetadataDataSourceConfigBasic(), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "secret_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "instance_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "created_by"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "created_at"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "crn"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "secret_group_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "secret_type"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "updated_at"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "versions_total"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "rotation.#"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "ttl"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "source_service.#"), + ), + }, + }, + }) +} + +func testAccCheckIbmSmServiceCredentialsSecretMetadataDataSourceConfigBasic() string { + return fmt.Sprintf(` + resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_instance" { + instance_id = "%s" + region = "%s" + custom_metadata = {"key":"value"} + description = "Extended description for this secret." + labels = ["my-label"] + rotation { + auto_rotate = true + interval = 1 + unit = "day" + } + secret_group_id = "default" + name = "service_credentials-datasource-terraform-test" + ttl = "%s" + source_service { + instance { + crn = "%s" + } + parameters = %s + role { + crn = "%s" + } + } + } + + data "ibm_sm_service_credentials_secret_metadata" "sm_service_credentials_secret_metadata" { + instance_id = "%s" + region = "%s" + secret_id = ibm_sm_service_credentials_secret.sm_service_credentials_secret_instance.secret_id + } + `, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, serviceCredentialsTtl, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion) +} diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go new file mode 100644 index 00000000000..ff445e0778e --- /dev/null +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go @@ -0,0 +1,84 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager_test + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + + acc "github.com/IBM-Cloud/terraform-provider-ibm/ibm/acctest" +) + +func TestAccIbmSmServiceCredentialsSecretDataSourceBasic(t *testing.T) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccCheckIbmSmServiceCredentialsSecretDataSourceConfigBasic(), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "secret_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "instance_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "created_by"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "created_at"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "crn"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "secret_group_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "secret_type"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "updated_at"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "versions_total"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "rotation.#"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "ttl"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "source_service.#"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "credentials.#"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret_by_name", "name"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret_by_name", "secret_group_name"), + ), + }, + }, + }) +} + +func testAccCheckIbmSmServiceCredentialsSecretDataSourceConfigBasic() string { + return fmt.Sprintf(` + resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_instance" { + instance_id = "%s" + region = "%s" + custom_metadata = {"key":"value"} + description = "Extended description for this secret." + labels = ["my-label"] + rotation { + auto_rotate = true + interval = 1 + unit = "day" + } + secret_group_id = "default" + name = "service_credentials-datasource-terraform-test" + ttl = "%s" + source_service { + instance { + crn = "%s" + } + parameters = %s + role { + crn = "%s" + } + } + } + + data "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = "%s" + region = "%s" + secret_id = ibm_sm_service_credentials_secret.sm_service_credentials_secret_instance.secret_id + } + + data "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_by_name" { + instance_id = "%s" + region = "%s" + name = ibm_sm_service_credentials_secret.sm_service_credentials_secret_instance.name + secret_group_name = "default" + } + `, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, serviceCredentialsTtl, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion) +} diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go index 013921c17e8..5795d0ec0ab 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -834,6 +834,9 @@ func resourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secr parametersMap[k] = fmt.Sprint(v) } if sourceService.Parameters.ServiceidCrn != nil { + if len(parametersMap) == 0 { + parametersMap = make(map[string]interface{}) + } parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn } mainModelMap["parameters"] = parametersMap diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go new file mode 100644 index 00000000000..85e9c377952 --- /dev/null +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go @@ -0,0 +1,335 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager_test + +import ( + "fmt" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + + acc "github.com/IBM-Cloud/terraform-provider-ibm/ibm/acctest" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" + "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" +) + +var serviceCredentialsSecretName = "terraform-test-sc-secret" +var modifiedServiceCredentialsSecretName = "modified-terraform-test-sc-secret" +var serviceCredentialsParameters = `{"HMAC":"true"}` +var serviceCredentialsParametersWithServiceId = `{"serviceid_crn": ibm_iam_service_id.ibm_iam_service_id_instance.crn}` +var serviceCredentialsTtl = "86400" +var modifiedServiceCredentialsTtl = "96400" +var serviceCredentialsRoleCrn = "crn:v1:bluemix:public:iam::::serviceRole:Writer" + +func TestAccIbmSmServiceCredentialsSecretBasic(t *testing.T) { + resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret_basic" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: serviceCredentialsSecretConfigBasic(), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttrSet(resourceName, "secret_id"), + resource.TestCheckResourceAttrSet(resourceName, "created_by"), + resource.TestCheckResourceAttrSet(resourceName, "created_at"), + resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttrSet(resourceName, "crn"), + resource.TestCheckResourceAttrSet(resourceName, "downloaded"), + resource.TestCheckResourceAttr(resourceName, "state", "1"), + resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), + ), + }, + resource.TestStep{ + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl"}, + }, + }, + }) +} + +func TestAccIbmSmServiceCredentialsSecretAllArgs(t *testing.T) { + resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: serviceCredentialsSecretConfigAllArgs(), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckIbmSmServiceCredentialsSecretCreated(resourceName), + resource.TestCheckResourceAttrSet(resourceName, "secret_id"), + resource.TestCheckResourceAttrSet(resourceName, "created_by"), + resource.TestCheckResourceAttrSet(resourceName, "created_at"), + resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttrSet(resourceName, "crn"), + resource.TestCheckResourceAttrSet(resourceName, "downloaded"), + resource.TestCheckResourceAttrSet(resourceName, "next_rotation_date"), + resource.TestCheckResourceAttr(resourceName, "state", "1"), + resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), + ), + }, + resource.TestStep{ + Config: serviceCredentialsSecretConfigUpdated(), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckIbmSmServiceCredentialsSecretUpdated(resourceName), + ), + }, + resource.TestStep{ + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl"}, + }, + }, + }) +} + +func TestAccIbmSmServiceCredentialsSecretAllArgsWithExistingServiceId(t *testing.T) { + resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret_service_id" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: serviceCredentialsSecretConfigAllArgsWithExistingServiceId(), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckIbmSmServiceCredentialsSecretCreated(resourceName), + resource.TestCheckResourceAttrSet(resourceName, "secret_id"), + resource.TestCheckResourceAttrSet(resourceName, "created_by"), + resource.TestCheckResourceAttrSet(resourceName, "created_at"), + resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttrSet(resourceName, "crn"), + resource.TestCheckResourceAttrSet(resourceName, "downloaded"), + resource.TestCheckResourceAttrSet(resourceName, "next_rotation_date"), + resource.TestCheckResourceAttr(resourceName, "state", "1"), + resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), + ), + }, + resource.TestStep{ + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl"}, + }, + }, + }) +} + +var serviceCredentialsSecretBasicConfigFormat = ` + resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_basic" { + instance_id = "%s" + region = "%s" + name = "%s" + source_service { + instance { + crn = "%s" + } + role { + crn = "%s" + } + } + ttl = "%s" + }` + +var serviceCredentialsSecretFullConfigFormat = ` + resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = "%s" + region = "%s" + name = "%s-serviceid" + description = "%s" + labels = ["%s"] + source_service { + instance { + crn = "%s" + } + parameters = %s + role { + crn = "%s" + } + } + ttl = "%s" + custom_metadata = %s + secret_group_id = "default" + rotation %s + }` + +var serviceCredentialsSecretFullConfigFormatWithExistingServiceId = ` + resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_service_id" { + instance_id = "%s" + region = "%s" + name = "%s" + description = "%s" + labels = ["%s"] + source_service { + instance { + crn = "%s" + } + parameters = %s + role { + crn = "%s" + } + } + ttl = "%s" + custom_metadata = %s + secret_group_id = "default" + rotation %s + }` + +func iamServiceIdConfig() string { + return fmt.Sprintf(` + resource "ibm_iam_service_id" "ibm_iam_service_id_instance" { + name = "service-id-terraform-tests-sc" + }`) +} + +func serviceCredentialsSecretConfigBasic() string { + return fmt.Sprintf(serviceCredentialsSecretBasicConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, + serviceCredentialsSecretName, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsRoleCrn, serviceCredentialsTtl) +} + +func serviceCredentialsSecretConfigAllArgs() string { + return fmt.Sprintf(serviceCredentialsSecretFullConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, + serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParametersWithServiceId, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) +} + +func serviceCredentialsSecretConfigAllArgsWithExistingServiceId() string { + return iamServiceIdConfig() + fmt.Sprintf(serviceCredentialsSecretFullConfigFormatWithExistingServiceId, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, + serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParametersWithServiceId, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) +} + +func serviceCredentialsSecretConfigUpdated() string { + return fmt.Sprintf(serviceCredentialsSecretFullConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, + modifiedServiceCredentialsSecretName, modifiedDescription, modifiedLabel, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, + modifiedServiceCredentialsTtl, modifiedCustomMetadata, modifiedRotationPolicy) +} + +func testAccCheckIbmSmServiceCredentialsSecretCreated(n string) resource.TestCheckFunc { + return func(s *terraform.State) error { + serviceCredentialsSecretIntf, err := getSecret(s, n) + if err != nil { + return err + } + secret := serviceCredentialsSecretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) + + if err := verifyAttr(*secret.Name, serviceCredentialsSecretName, "secret name"); err != nil { + return err + } + if err := verifyAttr(*secret.Description, description, "secret description"); err != nil { + return err + } + if len(secret.Labels) != 1 { + return fmt.Errorf("Wrong number of labels: %d", len(secret.Labels)) + } + if err := verifyAttr(secret.Labels[0], label, "label"); err != nil { + return err + } + if err := verifyJsonAttr(secret.CustomMetadata, customMetadata, "custom metadata"); err != nil { + return err + } + if err := verifyAttr(getAutoRotate(secret.Rotation), "true", "auto_rotate"); err != nil { + return err + } + if err := verifyAttr(getRotationUnit(secret.Rotation), "day", "rotation unit"); err != nil { + return err + } + if err := verifyAttr(getRotationInterval(secret.Rotation), "1", "rotation interval"); err != nil { + return err + } + if err := verifyAttr(*secret.TTL, serviceCredentialsTtl, "ttl"); err != nil { + return err + } + if err := verifyAttr(*secret.SourceService.Instance.Crn, acc.SecretsManagerServiceCredentialsCosCrn, "source_service.Instance.Crn"); err != nil { + return err + } + if err := verifyAttr(*secret.SourceService.Role.Crn, serviceCredentialsRoleCrn, "source_service.Role.Crn"); err != nil { + return err + } + if err := verifyAttr(*secret.Credentials.IamRoleCrn, serviceCredentialsRoleCrn, "credentials.IamRoleCrn"); err != nil { + return err + } + return nil + } +} + +func testAccCheckIbmSmServiceCredentialsSecretUpdated(n string) resource.TestCheckFunc { + return func(s *terraform.State) error { + serviceCredentialsSecretIntf, err := getSecret(s, n) + if err != nil { + return err + } + secret := serviceCredentialsSecretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) + + if err := verifyAttr(*secret.Name, modifiedServiceCredentialsSecretName, "secret name"); err != nil { + return err + } + if err := verifyAttr(*secret.Description, modifiedDescription, "secret description after update"); err != nil { + return err + } + if len(secret.Labels) != 1 { + return fmt.Errorf("Wrong number of labels after update: %d", len(secret.Labels)) + } + if err := verifyAttr(secret.Labels[0], modifiedLabel, "label after update"); err != nil { + return err + } + if err := verifyJsonAttr(secret.CustomMetadata, modifiedCustomMetadata, "custom metadata after update"); err != nil { + return err + } + if err := verifyAttr(*secret.TTL, modifiedServiceCredentialsTtl, "ttl after update"); err != nil { + return err + } + if err := verifyAttr(getAutoRotate(secret.Rotation), "true", "auto_rotate after update"); err != nil { + return err + } + if err := verifyAttr(getRotationUnit(secret.Rotation), "month", "rotation unit after update"); err != nil { + return err + } + if err := verifyAttr(getRotationInterval(secret.Rotation), "2", "rotation interval after update"); err != nil { + return err + } + return nil + } +} + +func testAccCheckIbmSmServiceCredentialsSecretDestroy(s *terraform.State) error { + secretsManagerClient, err := acc.TestAccProvider.Meta().(conns.ClientSession).SecretsManagerV2() + if err != nil { + return err + } + + secretsManagerClient = getClientWithInstanceEndpointTest(secretsManagerClient) + + for _, rs := range s.RootModule().Resources { + if rs.Type != "ibm_sm_service_credentials_secret" { + continue + } + + getSecretOptions := &secretsmanagerv2.GetSecretOptions{} + + id := strings.Split(rs.Primary.ID, "/") + secretId := id[2] + getSecretOptions.SetID(secretId) + + // Try to find the key + _, response, err := secretsManagerClient.GetSecret(getSecretOptions) + + if err == nil { + return fmt.Errorf("ServiceCredentialsSecret still exists: %s", rs.Primary.ID) + } else if response.StatusCode != 404 { + return fmt.Errorf("Error checking for ServiceCredentialsSecret (%s) has been destroyed: %s", rs.Primary.ID, err) + } + } + + return nil +} From 972a9b986bd75f778d14726e6ab8bf77cdb201bb Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Tue, 28 Nov 2023 13:01:11 +0200 Subject: [PATCH 06/18] SC unit tests added --- ...ource_ibm_sm_service_credentials_secret.go | 114 ++-------------- ...ource_ibm_sm_service_credentilas_secret.go | 126 +++--------------- ...m_service_credentials_secret.html.markdown | 16 +++ ...m_service_credentials_secret.html.markdown | 26 ++++ 4 files changed, 66 insertions(+), 216 deletions(-) diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go index 686a553ae76..bc5c17a8c94 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go @@ -5,6 +5,7 @@ package secretsmanager import ( "context" + "encoding/json" "fmt" "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" @@ -147,68 +148,10 @@ func DataSourceIbmSmServiceCredentialsSecret() *schema.Resource { Description: "The date that the secret is scheduled for automatic rotation. The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy.", }, "credentials": &schema.Schema{ - Type: schema.TypeList, + Type: schema.TypeMap, Computed: true, + Sensitive: true, Description: "The properties of the service credentials secret payload.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "apikey": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Sensitive: true, - Description: "The API key that is generated for this secret.", - }, - "cos_hmac_keys": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "access_key_id": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The access key ID for Cloud Object Storage HMAC credentials.", - }, - "secret_access_key": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The secret access key ID for Cloud Object Storage HMAC credentials.", - }, - }, - }, - }, - "endpoints": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The endpoints that are returned after you create a service credentials secret.", - }, - "iam_apikey_description": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The description of the generated IAM API key.", - }, - "iam_apikey_name": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The name of the generated IAM API key.", - }, - "iam_role_crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM role CRN that is returned after you create a service credentials secret.", - }, - "iam_serviceid_crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM serviceId CRN that is returned after you create a service credentials secret.", - }, - "resource_instance_id": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The resource instance CRN that is returned after you create a service credentials secret.", - }, - }, - }, }, "source_service": &schema.Schema{ Type: schema.TypeList, @@ -437,14 +380,11 @@ func dataSourceIbmSmServiceCredentialsSecretRead(context context.Context, d *sch } if ServiceCredentialsSecret.Credentials != nil { - credentialsMap, err := dataSourceIbmSmServiceCredentialsSecretCredentialsToMap(ServiceCredentialsSecret.Credentials) - if err != nil { - return diag.FromErr(err) - } - if len(credentialsMap) > 0 { - if err = d.Set("credentials", []map[string]interface{}{credentialsMap}); err != nil { - return diag.FromErr(fmt.Errorf("Error setting credentialsMap: %s", err)) - } + var credInterface map[string]interface{} + cred, _ := json.Marshal(ServiceCredentialsSecret.Credentials) + json.Unmarshal(cred, &credInterface) + if err = d.Set("credentials", flex.Flatten(credInterface)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting credentials: %s", err)) } } @@ -475,44 +415,6 @@ func dataSourceIbmSmServiceCredentialsSecretRotationPolicyToMap(model *secretsma return modelMap, nil } -func dataSourceIbmSmServiceCredentialsSecretCredentialsToMap(credentials *secretsmanagerv2.ServiceCredentialsSecretCredentials) (map[string]interface{}, error) { - modelMap := make(map[string]interface{}) - if credentials.IamApikeyDescription != nil { - modelMap["iam_apikey_description"] = credentials.IamApikeyDescription - } - if credentials.Apikey != nil { - modelMap["apikey"] = credentials.Apikey - } - if credentials.Endpoints != nil { - modelMap["endpoints"] = credentials.Endpoints - } - if credentials.IamApikeyName != nil { - modelMap["iam_apikey_name"] = credentials.IamApikeyName - } - if credentials.IamRoleCrn != nil { - modelMap["iam_role_crn"] = credentials.IamRoleCrn - } - if credentials.IamServiceidCrn != nil { - modelMap["iam_serviceid_crn"] = credentials.IamServiceidCrn - } - if credentials.ResourceInstanceID != nil { - modelMap["resource_instance_id"] = credentials.ResourceInstanceID - } - if credentials.CosHmacKeys != nil { - cosHmacKeys := [1]map[string]interface{}{} - m := map[string]interface{}{} - if credentials.CosHmacKeys.AccessKeyID != nil { - m["access_key_id"] = credentials.CosHmacKeys.AccessKeyID - } - if credentials.CosHmacKeys.SecretAccessKey != nil { - m["secret_access_key"] = credentials.CosHmacKeys.SecretAccessKey - } - cosHmacKeys[0] = m - modelMap["cos_hmac_keys"] = cosHmacKeys - } - return modelMap, nil -} - func dataSourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secretsmanagerv2.ServiceCredentialsSecretSourceService) (map[string]interface{}, error) { mainModelMap := make(map[string]interface{}) if sourceService.Instance != nil { diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go index 5795d0ec0ab..10d8494813c 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -5,6 +5,7 @@ package secretsmanager import ( "context" + "encoding/json" "fmt" "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" @@ -80,68 +81,10 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { Description: "The date when a resource was created. The date format follows RFC 3339.", }, "credentials": &schema.Schema{ - Type: schema.TypeList, + Type: schema.TypeMap, Computed: true, + Sensitive: true, Description: "The properties of the service credentials secret payload.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "apikey": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Sensitive: true, - Description: "The API key that is generated for this secret.", - }, - "cos_hmac_keys": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "access_key_id": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The access key ID for Cloud Object Storage HMAC credentials.", - }, - "secret_access_key": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The secret access key ID for Cloud Object Storage HMAC credentials.", - }, - }, - }, - }, - "endpoints": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The endpoints that are returned after you create a service credentials secret.", - }, - "iam_apikey_description": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The description of the generated IAM API key.", - }, - "iam_apikey_name": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The name of the generated IAM API key.", - }, - "iam_role_crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM role CRN that is returned after you create a service credentials secret.", - }, - "iam_serviceid_crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM serviceId CRN that is returned after you create a service credentials secret.", - }, - "resource_instance_id": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The resource instance CRN that is returned after you create a service credentials secret.", - }, - }, - }, }, "crn": &schema.Schema{ Type: schema.TypeString, @@ -206,12 +149,14 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { Type: schema.TypeList, Required: true, MaxItems: 1, + ForceNew: true, Description: "The source service instance identifier.", Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "crn": &schema.Schema{ Type: schema.TypeString, Required: true, + ForceNew: true, Description: "A CRN that uniquely identifies a service credentials target.", }, }, @@ -221,6 +166,7 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { Type: schema.TypeList, Optional: true, Computed: true, + ForceNew: true, MaxItems: 1, Description: "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles.", Elem: &schema.Resource{ @@ -229,6 +175,7 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { Type: schema.TypeString, Optional: true, Computed: true, + ForceNew: true, Description: "The CRN role identifier for creating a service-id.", }, }, @@ -312,6 +259,7 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { "parameters": &schema.Schema{ Type: schema.TypeMap, Optional: true, + ForceNew: true, Description: "The collection of parameters for the service credentials target.", }, }, @@ -328,10 +276,9 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { Description: "A text representation of the secret state.", }, "ttl": &schema.Schema{ - Type: schema.TypeString, - Required: true, - ValidateFunc: StringIsIntBetween(86400, 7776000), - Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", + Type: schema.TypeString, + Required: true, + Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", }, "updated_at": &schema.Schema{ Type: schema.TypeString, @@ -489,14 +436,11 @@ func resourceIbmSmServiceCredentialsSecretRead(context context.Context, d *schem } } if secret.Credentials != nil { - credentialsMap, err := resourceIbmSmServiceCredentialsSecretCredentialsToMap(secret.Credentials) - if err != nil { - return diag.FromErr(err) - } - if len(credentialsMap) > 0 { - if err = d.Set("credentials", []map[string]interface{}{credentialsMap}); err != nil { - return diag.FromErr(fmt.Errorf("Error setting credentialsMap: %s", err)) - } + var credInterface map[string]interface{} + cred, _ := json.Marshal(secret.Credentials) + json.Unmarshal(cred, &credInterface) + if err = d.Set("credentials", flex.Flatten(credInterface)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting credentials: %s", err)) } } if err = d.Set("next_rotation_date", DateTimeToRFC3339(secret.NextRotationDate)); err != nil { @@ -844,41 +788,3 @@ func resourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secr return mainModelMap, nil } - -func resourceIbmSmServiceCredentialsSecretCredentialsToMap(credentials *secretsmanagerv2.ServiceCredentialsSecretCredentials) (map[string]interface{}, error) { - modelMap := make(map[string]interface{}) - if credentials.IamApikeyDescription != nil { - modelMap["iam_apikey_description"] = credentials.IamApikeyDescription - } - if credentials.Apikey != nil { - modelMap["apikey"] = credentials.Apikey - } - if credentials.Endpoints != nil { - modelMap["endpoints"] = credentials.Endpoints - } - if credentials.IamApikeyName != nil { - modelMap["iam_apikey_name"] = credentials.IamApikeyName - } - if credentials.IamRoleCrn != nil { - modelMap["iam_role_crn"] = credentials.IamRoleCrn - } - if credentials.IamServiceidCrn != nil { - modelMap["iam_serviceid_crn"] = credentials.IamServiceidCrn - } - if credentials.ResourceInstanceID != nil { - modelMap["resource_instance_id"] = credentials.ResourceInstanceID - } - if credentials.CosHmacKeys != nil { - cosHmacKeys := [1]map[string]interface{}{} - m := map[string]interface{}{} - if credentials.CosHmacKeys.AccessKeyID != nil { - m["access_key_id"] = credentials.CosHmacKeys.AccessKeyID - } - if credentials.CosHmacKeys.SecretAccessKey != nil { - m["secret_access_key"] = credentials.CosHmacKeys.SecretAccessKey - } - cosHmacKeys[0] = m - modelMap["cos_hmac_keys"] = cosHmacKeys - } - return modelMap, nil -} diff --git a/website/docs/d/sm_service_credentials_secret.html.markdown b/website/docs/d/sm_service_credentials_secret.html.markdown index 0bce29f26e0..bef56d14696 100644 --- a/website/docs/d/sm_service_credentials_secret.html.markdown +++ b/website/docs/d/sm_service_credentials_secret.html.markdown @@ -32,6 +32,22 @@ data "ibm_sm_service_credentials_secret" "service_credentials_secret" { } ``` +### Example to access resource credentials using credentials attribute: + +```terraform +data "ibm_sm_service_credentials_secret" "service_credentials_secret" { + instance_id = ibm_resource_instance.sm_instance.guid + region = "us-south" + secret_id = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" +} +output "access_key_id" { + value = data.ibm_sm_service_credentials_secret.service_credentials_secret.credentials["cos_hmac_keys.access_key_id"] +} +output "secret_access_key" { + value = data.ibm_sm_service_credentials_secret.service_credentials_secret.credentials["cos_hmac_keys.secret_access_key"] +} +``` + ## Argument Reference Review the argument reference that you can specify for your data source. diff --git a/website/docs/r/sm_service_credentials_secret.html.markdown b/website/docs/r/sm_service_credentials_secret.html.markdown index fdeb388008b..cdf60c3e9ff 100644 --- a/website/docs/r/sm_service_credentials_secret.html.markdown +++ b/website/docs/r/sm_service_credentials_secret.html.markdown @@ -39,6 +39,32 @@ resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { } ``` +### Example to access resource credentials using credentials attribute: + +```terraform +resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + region = "us-south" + name = "secret-name" + source_service { + instance { + crn = "crn:v1:staging:public:cloud-object-storage:global:a/111f5fb10986423e9saa8512f1db7e65:111133c8-49ea-41xe-8c40-122038246f5b::" + } + role { + crn = "crn:v1:bluemix:public:iam::::serviceRole:Writer" + } + parameters = {"HMAC": true} + } + ttl = "1800" +} + +output "access_key_id" { + value = ibm_sm_service_credentials_secret.sm_service_credentials_secret.credentials["cos_hmac_keys.access_key_id"] +} +output "secret_access_key" { + value = ibm_sm_service_credentials_secret.sm_service_credentials_secret.credentials["cos_hmac_keys.secret_access_key"] +} +``` + ## Argument Reference Review the argument reference that you can specify for your resource. From 59c5e72bbb9381d46965d10a34f1fe5b29c7bc20 Mon Sep 17 00:00:00 2001 From: Avi Ribchinsky Date: Wed, 6 Dec 2023 11:38:29 +0200 Subject: [PATCH 07/18] d --- .../resource_ibm_sm_service_credentilas_secret.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go index 10d8494813c..7d5e211b0d5 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -1,6 +1,6 @@ // Copyright IBM Corp. 2023 All Rights Reserved. // Licensed under the Mozilla Public License v2.0 - +// . package secretsmanager import ( From 2ff98ad7a2917ea3837552fa4c7f6d554999d906 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 6 Dec 2023 12:36:44 +0200 Subject: [PATCH 08/18] tests fixes --- .../data_source_ibm_sm_service_credentials_secret_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go index ff445e0778e..eadf2f92c86 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go @@ -32,7 +32,6 @@ func TestAccIbmSmServiceCredentialsSecretDataSourceBasic(t *testing.T) { resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "rotation.#"), resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "ttl"), resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "source_service.#"), - resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "credentials.#"), resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret_by_name", "name"), resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret_by_name", "secret_group_name"), ), From 40ea122d32b0339fc9314b400f2ebde941952c80 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 6 Dec 2023 12:37:25 +0200 Subject: [PATCH 09/18] tests fixes --- .../resource_ibm_sm_service_credentilas_secret_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go index 85e9c377952..7de340208c7 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go @@ -20,8 +20,8 @@ var serviceCredentialsSecretName = "terraform-test-sc-secret" var modifiedServiceCredentialsSecretName = "modified-terraform-test-sc-secret" var serviceCredentialsParameters = `{"HMAC":"true"}` var serviceCredentialsParametersWithServiceId = `{"serviceid_crn": ibm_iam_service_id.ibm_iam_service_id_instance.crn}` -var serviceCredentialsTtl = "86400" -var modifiedServiceCredentialsTtl = "96400" +var serviceCredentialsTtl = "172800" +var modifiedServiceCredentialsTtl = "6048000" var serviceCredentialsRoleCrn = "crn:v1:bluemix:public:iam::::serviceRole:Writer" func TestAccIbmSmServiceCredentialsSecretBasic(t *testing.T) { @@ -147,7 +147,7 @@ var serviceCredentialsSecretFullConfigFormat = ` resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { instance_id = "%s" region = "%s" - name = "%s-serviceid" + name = "%s" description = "%s" labels = ["%s"] source_service { @@ -201,7 +201,7 @@ func serviceCredentialsSecretConfigBasic() string { func serviceCredentialsSecretConfigAllArgs() string { return fmt.Sprintf(serviceCredentialsSecretFullConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, - serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParametersWithServiceId, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) + serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) } func serviceCredentialsSecretConfigAllArgsWithExistingServiceId() string { From f3a195f69c96fd8c80b4a59d57922b64d35d8e7b Mon Sep 17 00:00:00 2001 From: Tatyana Date: Mon, 11 Dec 2023 11:32:05 +0200 Subject: [PATCH 10/18] update sdk --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index ddb9fcf3271..8a622f02270 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5 github.com/IBM/scc-go-sdk/v5 v5.1.3 github.com/IBM/schematics-go-sdk v0.2.2 - github.com/IBM/secrets-manager-go-sdk/v2 v2.0.1 + github.com/IBM/secrets-manager-go-sdk/v2 v2.0.2 github.com/IBM/vpc-beta-go-sdk v0.6.0 github.com/IBM/vpc-go-sdk v0.43.0 github.com/ScaleFT/sshkeys v0.0.0-20200327173127-6142f742bca5 diff --git a/go.sum b/go.sum index abd13996b4f..2507c980b06 100644 --- a/go.sum +++ b/go.sum @@ -167,8 +167,8 @@ github.com/IBM/scc-go-sdk/v5 v5.1.3 h1:8zqJx/HgChTlMaC21HzthIR4HbFkuJ3dR/D68254j github.com/IBM/scc-go-sdk/v5 v5.1.3/go.mod h1:YtAVlzq10bwR82QX4ZavhDIwa1s85RuVO9N/KmXVcuk= github.com/IBM/schematics-go-sdk v0.2.2 h1:8S3hoVLzF/ZRgWDaLqwHnLmZvlEBHCKgHszmMh7yD2E= github.com/IBM/schematics-go-sdk v0.2.2/go.mod h1:Tw2OSAPdpC69AxcwoyqcYYaGTTW6YpERF9uNEU+BFRQ= -github.com/IBM/secrets-manager-go-sdk/v2 v2.0.1 h1:0Ouu31RsuOLdH26oNsnPErEjctWTplLEIXxwExnTZT0= -github.com/IBM/secrets-manager-go-sdk/v2 v2.0.1/go.mod h1:jagqWmjZ0zUEqh5jdGB42ApSQS40fu2LWw6pdg8JJko= +github.com/IBM/secrets-manager-go-sdk/v2 v2.0.2 h1:+Svh1OmoFxMBnZQSOUtp2UUzrOGFsSQlE5TFL/ptJco= +github.com/IBM/secrets-manager-go-sdk/v2 v2.0.2/go.mod h1:WII+LS4VkQYykmq65NWSuPb5xGNvsqkcK1aCWZoU2x4= github.com/IBM/vpc-beta-go-sdk v0.6.0 h1:wfM3AcW3zOM3xsRtZ+EA6+sESlGUjQ6Yf4n5QQyz4uc= github.com/IBM/vpc-beta-go-sdk v0.6.0/go.mod h1:fzHDAQIqH/5yJmYsKodKHLcqxMDT+yfH6vZjdiw8CQA= github.com/IBM/vpc-go-sdk v0.43.0 h1:uy/qWIqETCXraUG2cq5sjScr6pZ79ZteY1v5iLUVQ3Q= From 8fa09ae490bb853ea384b68858adac0e41df4257 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Mon, 11 Dec 2023 18:24:21 +0200 Subject: [PATCH 11/18] .secrets.baseline update --- .secrets.baseline | 130 ++++++++++++++++++++++++++++------------------ 1 file changed, 80 insertions(+), 50 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index c90644602fb..f9d2be69dea 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,11 +3,8 @@ "files": "go.mod|go.sum|.*.map|^.secrets.baseline$", "lines": null }, - "generated_at": "2023-11-10T20:51:53Z", + "generated_at": "2023-12-11T16:20:36Z", "plugins_used": [ - { - "name": "AWSKeyDetector" - }, { "name": "ArtifactoryDetector" }, @@ -21,12 +18,6 @@ { "name": "BasicAuthDetector" }, - { - "name": "BoxDetector" - }, - { - "name": "CloudantDetector" - }, { "ghe_instance": "github.ibm.com", "name": "GheDetector" @@ -51,9 +42,6 @@ "keyword_exclude": null, "name": "KeywordDetector" }, - { - "name": "MailchimpDetector" - }, { "name": "NpmDetector" }, @@ -68,12 +56,6 @@ }, { "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" } ], "results": { @@ -696,7 +678,7 @@ "hashed_secret": "912accc17209bb36cb22d76d430ef9e9ec99dd4c", "is_secret": false, "is_verified": false, - "line_number": 163, + "line_number": 188, "type": "Secret Keyword", "verified_result": null }, @@ -704,7 +686,7 @@ "hashed_secret": "514edd121688f936809a62aecd24419c7eaa772b", "is_secret": false, "is_verified": false, - "line_number": 250, + "line_number": 275, "type": "Secret Keyword", "verified_result": null }, @@ -712,7 +694,7 @@ "hashed_secret": "fa33d07da58b52eee9f13b88e9cda8b98f1c19b6", "is_secret": false, "is_verified": false, - "line_number": 261, + "line_number": 286, "type": "Secret Keyword", "verified_result": null }, @@ -720,7 +702,7 @@ "hashed_secret": "5926151b9a84e25fbc262e88ef6c1d58f0c95548", "is_secret": false, "is_verified": false, - "line_number": 273, + "line_number": 298, "type": "Secret Keyword", "verified_result": null } @@ -760,7 +742,7 @@ "hashed_secret": "731438016c5ab94431f61820f35e3ae5f8ad6004", "is_secret": false, "is_verified": false, - "line_number": 412, + "line_number": 417, "type": "Secret Keyword", "verified_result": null }, @@ -768,7 +750,7 @@ "hashed_secret": "12da2e35d6b50c902c014f1ab9e3032650368df7", "is_secret": false, "is_verified": false, - "line_number": 418, + "line_number": 423, "type": "Secret Keyword", "verified_result": null }, @@ -776,7 +758,7 @@ "hashed_secret": "813274ccae5b6b509379ab56982d862f7b5969b6", "is_secret": false, "is_verified": false, - "line_number": 1123, + "line_number": 1128, "type": "Base64 High Entropy String", "verified_result": null } @@ -846,7 +828,7 @@ "hashed_secret": "da8cae6284528565678de15e03d461e23fe22538", "is_secret": false, "is_verified": false, - "line_number": 1845, + "line_number": 1858, "type": "Secret Keyword", "verified_result": null }, @@ -854,7 +836,7 @@ "hashed_secret": "1a0334cfa65f4be58b9d914b8e96e9d9478bfbac", "is_secret": false, "is_verified": false, - "line_number": 3226, + "line_number": 3239, "type": "Secret Keyword", "verified_result": null } @@ -864,7 +846,7 @@ "hashed_secret": "c8b6f5ef11b9223ac35a5663975a466ebe7ebba9", "is_secret": false, "is_verified": false, - "line_number": 1803, + "line_number": 1806, "type": "Secret Keyword", "verified_result": null }, @@ -872,7 +854,7 @@ "hashed_secret": "8abf4899c01104241510ba87685ad4de76b0c437", "is_secret": false, "is_verified": false, - "line_number": 1809, + "line_number": 1812, "type": "Secret Keyword", "verified_result": null } @@ -1268,15 +1250,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 129, - "type": "Secret Keyword", - "verified_result": null - }, - { - "hashed_secret": "505032eaf8a3acf9b094a326dfb1cd0537c75a0d", - "is_secret": false, - "is_verified": false, - "line_number": 235, + "line_number": 104, "type": "Secret Keyword", "verified_result": null } @@ -1364,15 +1338,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 94, - "type": "Secret Keyword", - "verified_result": null - }, - { - "hashed_secret": "505032eaf8a3acf9b094a326dfb1cd0537c75a0d", - "is_secret": false, - "is_verified": false, - "line_number": 364, + "line_number": 68, "type": "Secret Keyword", "verified_result": null } @@ -2014,7 +1980,7 @@ "hashed_secret": "884a58e4c2c5d195d3876787bdc63af6c5af2924", "is_secret": false, "is_verified": false, - "line_number": 1589, + "line_number": 1595, "type": "Secret Keyword", "verified_result": null } @@ -2940,7 +2906,7 @@ "hashed_secret": "3c2ecad9b250fd6d99893e4d05ec02ca19aa95d0", "is_secret": false, "is_verified": false, - "line_number": 383, + "line_number": 389, "type": "Secret Keyword", "verified_result": null } @@ -3355,6 +3321,34 @@ "verified_result": null } ], + "ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go": [ + { + "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", + "is_secret": false, + "is_verified": false, + "line_number": 196, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", + "is_secret": false, + "is_verified": false, + "line_number": 387, + "type": "Secret Keyword", + "verified_result": null + } + ], + "ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go": [ + { + "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", + "is_secret": false, + "is_verified": false, + "line_number": 179, + "type": "Secret Keyword", + "verified_result": null + } + ], "ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret.go": [ { "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", @@ -3663,6 +3657,24 @@ "verified_result": null } ], + "ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go": [ + { + "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", + "is_secret": false, + "is_verified": false, + "line_number": 190, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", + "is_secret": false, + "is_verified": false, + "line_number": 443, + "type": "Secret Keyword", + "verified_result": null + } + ], "ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go": [ { "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", @@ -4801,6 +4813,24 @@ "verified_result": null } ], + "website/docs/r/sm_service_credentials_secret.html.markdown": [ + { + "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", + "is_secret": false, + "is_verified": false, + "line_number": 191, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", + "is_secret": false, + "is_verified": false, + "line_number": 193, + "type": "Secret Keyword", + "verified_result": null + } + ], "website/docs/r/sm_username_password_secret.html.markdown": [ { "hashed_secret": "e3efaa78f2f6ca38f70ded91b232d8dac947315d", From a6b779c726db1c91c7619003fc79c05360f37945 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Mon, 11 Dec 2023 18:26:37 +0200 Subject: [PATCH 12/18] .secrets.baseline update --- .secrets.baseline | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.secrets.baseline b/.secrets.baseline index f9d2be69dea..2f29990cf47 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.mod|go.sum|.*.map|^.secrets.baseline$", "lines": null }, - "generated_at": "2023-12-11T16:20:36Z", + "generated_at": "2023-12-11T16:26:19Z", "plugins_used": [ { "name": "ArtifactoryDetector" From cea9bd43196031714d31657113996522d9912054 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Mon, 11 Dec 2023 18:30:51 +0200 Subject: [PATCH 13/18] .secrets.baseline update --- .secrets.baseline | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.secrets.baseline b/.secrets.baseline index 2f29990cf47..9d2216f2834 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -5,6 +5,9 @@ }, "generated_at": "2023-12-11T16:26:19Z", "plugins_used": [ + { + "name": "AWSKeyDetector" + }, { "name": "ArtifactoryDetector" }, @@ -18,6 +21,12 @@ { "name": "BasicAuthDetector" }, + { + "name": "BoxDetector" + }, + { + "name": "CloudantDetector" + }, { "ghe_instance": "github.ibm.com", "name": "GheDetector" @@ -42,6 +51,9 @@ "keyword_exclude": null, "name": "KeywordDetector" }, + { + "name": "MailchimpDetector" + }, { "name": "NpmDetector" }, @@ -56,6 +68,12 @@ }, { "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" } ], "results": { From ad75820af0514073951748edea910de9268c5872 Mon Sep 17 00:00:00 2001 From: Idan Adar Date: Wed, 13 Dec 2023 06:40:12 +0200 Subject: [PATCH 14/18] Update sm_service_credentials_secret_metadata.html.markdown --- .../docs/d/sm_service_credentials_secret_metadata.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/d/sm_service_credentials_secret_metadata.html.markdown b/website/docs/d/sm_service_credentials_secret_metadata.html.markdown index 0710616c26d..94b9d8d648e 100644 --- a/website/docs/d/sm_service_credentials_secret_metadata.html.markdown +++ b/website/docs/d/sm_service_credentials_secret_metadata.html.markdown @@ -6,7 +6,7 @@ description: |- subcategory: "Secrets Manager" --- -# ibm_sm_service_credentials_secret +# ibm_sm_service_credentials_secret_metadata Provides a read-only data source for the metadata of an service credentials secret. You can then reference the fields of the data source in other resources within the same configuration using interpolation syntax. From e91f4292c7615ada18f0ffa33922afa1cbeccadf Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Tue, 26 Dec 2023 14:37:47 +0200 Subject: [PATCH 15/18] bugs fixes --- .secrets.baseline | 2 +- .../data_source_ibm_sm_iam_credentials_secret.go | 8 -------- ..._source_ibm_sm_iam_credentials_secret_metadata.go | 8 -------- .../data_source_ibm_sm_private_certificate.go | 8 -------- ...ata_source_ibm_sm_private_certificate_metadata.go | 8 -------- .../data_source_ibm_sm_username_password_secret.go | 8 -------- ...ource_ibm_sm_username_password_secret_metadata.go | 8 -------- .../resource_ibm_sm_iam_credentials_secret.go | 12 ------------ .../resource_ibm_sm_private_certificate.go | 3 +-- .../docs/d/sm_iam_credentials_secret.html.markdown | 1 - .../sm_iam_credentials_secret_metadata.html.markdown | 1 - website/docs/d/sm_private_certificate.html.markdown | 1 - .../d/sm_private_certificate_metadata.html.markdown | 1 - .../docs/d/sm_username_password_secret.html.markdown | 1 - ...m_username_password_secret_metadata.html.markdown | 1 - .../docs/r/sm_iam_credentials_secret.html.markdown | 1 - website/docs/r/sm_private_certificate.html.markdown | 1 - ..._certificate_configuration_template.html.markdown | 2 ++ .../docs/r/sm_username_password_secret.html.markdown | 1 - 19 files changed, 4 insertions(+), 72 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index cb30966a3b5..75ebe186bb0 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.mod|go.sum|.*.map|^.secrets.baseline$", "lines": null }, - "generated_at": "2023-12-14T01:01:48Z", + "generated_at": "2023-12-26T12:35:45Z", "plugins_used": [ { "name": "AWSKeyDetector" diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go index 75ad6a8306a..bce495303bc 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go @@ -169,11 +169,6 @@ func DataSourceIbmSmIamCredentialsSecret() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -330,9 +325,6 @@ func dataSourceIbmSmIamCredentialsSecretRotationPolicyToMap(model secretsmanager if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go index d1124752b93..f58be6333d6 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go @@ -161,11 +161,6 @@ func DataSourceIbmSmIamCredentialsSecretMetadata() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -325,9 +320,6 @@ func dataSourceIbmSmIamCredentialsSecretMetadataRotationPolicyToMap(model secret if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate.go b/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate.go index 31043b4a786..59ce4a1fa86 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate.go @@ -184,11 +184,6 @@ func DataSourceIbmSmPrivateCertificate() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -436,9 +431,6 @@ func dataSourceIbmSmPrivateCertificateRotationPolicyToMap(model secretsmanagerv2 if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate_metadata.go index 1585e1a831e..a1afb4a6389 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate_metadata.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate_metadata.go @@ -176,11 +176,6 @@ func DataSourceIbmSmPrivateCertificateMetadata() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -403,9 +398,6 @@ func dataSourceIbmSmPrivateCertificateMetadataRotationPolicyToMap(model secretsm if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret.go index 5a9fa84affc..a1119f17e02 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret.go @@ -136,11 +136,6 @@ func DataSourceIbmSmUsernamePasswordSecret() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -296,9 +291,6 @@ func dataSourceIbmSmUsernamePasswordSecretRotationPolicyToMap(model secretsmanag if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret_metadata.go index 35d24ef67b7..6eada6eb8b9 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret_metadata.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret_metadata.go @@ -128,11 +128,6 @@ func DataSourceIbmSmUsernamePasswordSecretMetadata() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -282,9 +277,6 @@ func dataSourceIbmSmUsernamePasswordSecretMetadataRotationPolicyToMap(model secr if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go index e47da2cee7a..542275b142f 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go @@ -113,12 +113,6 @@ func ResourceIbmSmIamCredentialsSecret() *schema.Resource { Description: "The units for the secret rotation time interval.", DiffSuppressFunc: rotationAttributesDiffSuppress, }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Optional: true, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -576,9 +570,6 @@ func resourceIbmSmIamCredentialsSecretMapToRotationPolicy(modelMap map[string]in if modelMap["unit"] != nil && modelMap["unit"].(string) != "" { model.Unit = core.StringPtr(modelMap["unit"].(string)) } - if modelMap["rotate_keys"] != nil { - model.RotateKeys = core.BoolPtr(modelMap["rotate_keys"].(bool)) - } return model, nil } @@ -594,8 +585,5 @@ func resourceIbmSmIamCredentialsSecretRotationPolicyToMap(modelIntf secretsmanag if model.Unit != nil { modelMap["unit"] = model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = model.RotateKeys - } return modelMap, nil } diff --git a/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go b/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go index dfbbc39e693..7fe6c10bd66 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go @@ -245,9 +245,8 @@ func ResourceIbmSmPrivateCertificate() *schema.Resource { }, "key_algorithm": &schema.Schema{ Type: schema.TypeString, - Optional: true, + Computed: true, ForceNew: true, - Default: "RSA2048", Description: "The identifier for the cryptographic algorithm to be used to generate the public key that is associated with the certificate.The algorithm that you select determines the encryption algorithm (`RSA` or `ECDSA`) and key size to be used to generate keys and sign certificates. For longer living certificates, it is recommended to use longer keys to provide more encryption protection. Allowed values: RSA2048, RSA4096, EC256, EC384.", }, "next_rotation_date": &schema.Schema{ diff --git a/website/docs/d/sm_iam_credentials_secret.html.markdown b/website/docs/d/sm_iam_credentials_secret.html.markdown index 8355a081f09..79fe4ce3c0a 100644 --- a/website/docs/d/sm_iam_credentials_secret.html.markdown +++ b/website/docs/d/sm_iam_credentials_secret.html.markdown @@ -93,7 +93,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown b/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown index e429c1892f4..1db8123221f 100644 --- a/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown +++ b/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown @@ -74,7 +74,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/d/sm_private_certificate.html.markdown b/website/docs/d/sm_private_certificate.html.markdown index 22bc5867708..abecd98dc08 100644 --- a/website/docs/d/sm_private_certificate.html.markdown +++ b/website/docs/d/sm_private_certificate.html.markdown @@ -119,7 +119,6 @@ In addition to all argument references listed, you can access the following attr * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/d/sm_private_certificate_metadata.html.markdown b/website/docs/d/sm_private_certificate_metadata.html.markdown index caf491c86c4..4d16d2b1a8d 100644 --- a/website/docs/d/sm_private_certificate_metadata.html.markdown +++ b/website/docs/d/sm_private_certificate_metadata.html.markdown @@ -90,7 +90,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/d/sm_username_password_secret.html.markdown b/website/docs/d/sm_username_password_secret.html.markdown index c18a55df9ce..64768e067f1 100644 --- a/website/docs/d/sm_username_password_secret.html.markdown +++ b/website/docs/d/sm_username_password_secret.html.markdown @@ -88,7 +88,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/d/sm_username_password_secret_metadata.html.markdown b/website/docs/d/sm_username_password_secret_metadata.html.markdown index e4a10d832bf..781f524f1ad 100644 --- a/website/docs/d/sm_username_password_secret_metadata.html.markdown +++ b/website/docs/d/sm_username_password_secret_metadata.html.markdown @@ -69,7 +69,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/r/sm_iam_credentials_secret.html.markdown b/website/docs/r/sm_iam_credentials_secret.html.markdown index 2f3e78f8f62..3c108eb82cb 100644 --- a/website/docs/r/sm_iam_credentials_secret.html.markdown +++ b/website/docs/r/sm_iam_credentials_secret.html.markdown @@ -55,7 +55,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Optional, Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Optional, Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (Optional, String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. diff --git a/website/docs/r/sm_private_certificate.html.markdown b/website/docs/r/sm_private_certificate.html.markdown index 64f1bb83b74..98c1d2c122d 100644 --- a/website/docs/r/sm_private_certificate.html.markdown +++ b/website/docs/r/sm_private_certificate.html.markdown @@ -56,7 +56,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Optional, Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Optional, Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (Optional, String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. diff --git a/website/docs/r/sm_private_certificate_configuration_template.html.markdown b/website/docs/r/sm_private_certificate_configuration_template.html.markdown index d34b20e904d..00f6d033fd5 100644 --- a/website/docs/r/sm_private_certificate_configuration_template.html.markdown +++ b/website/docs/r/sm_private_certificate_configuration_template.html.markdown @@ -67,6 +67,7 @@ Review the argument reference that you can specify for your resource. * Constraints: The list items must match regular expression `/^[a-zA-Z]+$/`. The maximum length is `100` items. The minimum length is `0` items. * `locality` - (Optional, Forces new resource, List) The Locality (L) values to define in the subject field of the resulting certificate. * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `10` items. The minimum length is `0` items. +* `max_ttl` - (Optional, String) The maximum time-to-live (TTL) for certificates that are created by this template. * `name` - (Required, String) A human-readable unique name to assign to your configuration. * `organization` - (Optional, Forces new resource, List) The Organization (O) values to define in the subject field of the resulting certificate. * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `10` items. The minimum length is `0` items. @@ -84,6 +85,7 @@ Review the argument reference that you can specify for your resource. * Constraints: The maximum length is `64` characters. The minimum length is `32` characters. The value must match regular expression `/[^a-fA-F0-9]/`. * `street_address` - (Optional, Forces new resource, List) The street address values to define in the subject field of the resulting certificate. * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `10` items. The minimum length is `0` items. +* `ttl` - The requested time-to-live (TTL) for certificates that are created by this template. This field's value can't be longer than the max_ttl limit. * `use_csr_common_name` - (Optional, Boolean) When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the common name (CN) from a certificate signing request (CSR) instead of the CN that's included in the data of the certificate.Does not include any requested Subject Alternative Names (SANs) in the CSR. To use the alternative names, include the `use_csr_sans` property. * `use_csr_sans` - (Optional, Boolean) When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the Subject Alternative Names(SANs) from a certificate signing request (CSR) instead of the SANs that are included in the data of the certificate.Does not include the common name in the CSR. To use the common name, include the `use_csr_common_name` property. diff --git a/website/docs/r/sm_username_password_secret.html.markdown b/website/docs/r/sm_username_password_secret.html.markdown index b8a07c3af03..fdb4605f155 100644 --- a/website/docs/r/sm_username_password_secret.html.markdown +++ b/website/docs/r/sm_username_password_secret.html.markdown @@ -55,7 +55,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Optional, Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Optional, Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (Optional, String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. From c44ff91d82de43d35366c678af5efc41f0492754 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Tue, 26 Dec 2023 14:43:28 +0200 Subject: [PATCH 16/18] bugs fixes --- .secrets.baseline | 74 +- ...ource_ibm_sm_service_credentials_secret.go | 790 ------------------ ..._ibm_sm_service_credentials_secret_test.go | 335 -------- 3 files changed, 46 insertions(+), 1153 deletions(-) delete mode 100644 ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go delete mode 100644 ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go diff --git a/.secrets.baseline b/.secrets.baseline index 75ebe186bb0..c7f19872a83 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -760,7 +760,7 @@ "hashed_secret": "731438016c5ab94431f61820f35e3ae5f8ad6004", "is_secret": false, "is_verified": false, - "line_number": 426, + "line_number": 428, "type": "Secret Keyword", "verified_result": null }, @@ -768,7 +768,7 @@ "hashed_secret": "12da2e35d6b50c902c014f1ab9e3032650368df7", "is_secret": false, "is_verified": false, - "line_number": 432, + "line_number": 434, "type": "Secret Keyword", "verified_result": null }, @@ -776,7 +776,7 @@ "hashed_secret": "813274ccae5b6b509379ab56982d862f7b5969b6", "is_secret": false, "is_verified": false, - "line_number": 1143, + "line_number": 1157, "type": "Base64 High Entropy String", "verified_result": null } @@ -2056,7 +2056,7 @@ "hashed_secret": "deab23f996709b4e3d14e5499d1cc2de677bfaa8", "is_secret": false, "is_verified": false, - "line_number": 1367, + "line_number": 1372, "type": "Secret Keyword", "verified_result": null }, @@ -2064,7 +2064,7 @@ "hashed_secret": "20a25bac21219ffff1904bde871ded4027eca2f8", "is_secret": false, "is_verified": false, - "line_number": 1957, + "line_number": 1962, "type": "Secret Keyword", "verified_result": null }, @@ -2072,7 +2072,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 1976, + "line_number": 1981, "type": "Secret Keyword", "verified_result": null }, @@ -2080,7 +2080,7 @@ "hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c", "is_secret": false, "is_verified": false, - "line_number": 2189, + "line_number": 2194, "type": "Secret Keyword", "verified_result": null } @@ -3224,7 +3224,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 185, + "line_number": 180, "type": "Secret Keyword", "verified_result": null }, @@ -3232,7 +3232,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 312, + "line_number": 307, "type": "Secret Keyword", "verified_result": null } @@ -3250,7 +3250,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 291, + "line_number": 286, "type": "Secret Keyword", "verified_result": null } @@ -3298,7 +3298,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 235, + "line_number": 230, "type": "Secret Keyword", "verified_result": null }, @@ -3306,7 +3306,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 414, + "line_number": 409, "type": "Secret Keyword", "verified_result": null } @@ -3510,7 +3510,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 162, + "line_number": 157, "type": "Secret Keyword", "verified_result": null }, @@ -3518,7 +3518,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 278, + "line_number": 273, "type": "Secret Keyword", "verified_result": null } @@ -3556,7 +3556,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 204, + "line_number": 198, "type": "Secret Keyword", "verified_result": null }, @@ -3564,7 +3564,7 @@ "hashed_secret": "108b310facc1a193833fc2971fd83081f775ea0c", "is_secret": false, "is_verified": false, - "line_number": 395, + "line_number": 389, "type": "Secret Keyword", "verified_result": null }, @@ -3572,7 +3572,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 398, + "line_number": 392, "type": "Secret Keyword", "verified_result": null } @@ -3636,7 +3636,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 298, + "line_number": 297, "type": "Secret Keyword", "verified_result": null }, @@ -3644,7 +3644,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 539, + "line_number": 538, "type": "Secret Keyword", "verified_result": null } @@ -3831,6 +3831,24 @@ "verified_result": null } ], + "ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go": [ + { + "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", + "is_secret": false, + "is_verified": false, + "line_number": 190, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", + "is_secret": false, + "is_verified": false, + "line_number": 443, + "type": "Secret Keyword", + "verified_result": null + } + ], "ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go": [ { "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", @@ -4736,7 +4754,7 @@ "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", "is_secret": false, "is_verified": false, - "line_number": 128, + "line_number": 127, "type": "Secret Keyword", "verified_result": null }, @@ -4744,7 +4762,7 @@ "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", "is_secret": false, "is_verified": false, - "line_number": 130, + "line_number": 129, "type": "Secret Keyword", "verified_result": null } @@ -4790,7 +4808,7 @@ "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", "is_secret": false, "is_verified": false, - "line_number": 148, + "line_number": 147, "type": "Secret Keyword", "verified_result": null }, @@ -4798,7 +4816,7 @@ "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", "is_secret": false, "is_verified": false, - "line_number": 150, + "line_number": 149, "type": "Secret Keyword", "verified_result": null } @@ -4844,7 +4862,7 @@ "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", "is_secret": false, "is_verified": false, - "line_number": 137, + "line_number": 139, "type": "Secret Keyword", "verified_result": null }, @@ -4852,7 +4870,7 @@ "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", "is_secret": false, "is_verified": false, - "line_number": 139, + "line_number": 141, "type": "Secret Keyword", "verified_result": null } @@ -5010,7 +5028,7 @@ "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", "is_secret": false, "is_verified": false, - "line_number": 122, + "line_number": 121, "type": "Secret Keyword", "verified_result": null }, @@ -5018,7 +5036,7 @@ "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", "is_secret": false, "is_verified": false, - "line_number": 124, + "line_number": 123, "type": "Secret Keyword", "verified_result": null } @@ -5034,7 +5052,7 @@ } ] }, - "version": "0.13.1+ibm.51.dss", + "version": "0.13.1+ibm.61.dss", "word_list": { "file": null, "hash": null diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go deleted file mode 100644 index 7d5e211b0d5..00000000000 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go +++ /dev/null @@ -1,790 +0,0 @@ -// Copyright IBM Corp. 2023 All Rights Reserved. -// Licensed under the Mozilla Public License v2.0 -// . -package secretsmanager - -import ( - "context" - "encoding/json" - "fmt" - "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" - "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" - "github.com/IBM/go-sdk-core/v5/core" - "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "log" - "strconv" - "strings" -) - -func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { - return &schema.Resource{ - CreateContext: resourceIbmSmServiceCredentialsSecretCreate, - ReadContext: resourceIbmSmServiceCredentialsSecretRead, - UpdateContext: resourceIbmSmServiceCredentialsSecretUpdate, - DeleteContext: resourceIbmSmServiceCredentialsSecretDelete, - Importer: &schema.ResourceImporter{}, - - Schema: map[string]*schema.Schema{ - "secret_type": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials.", - }, - "name": &schema.Schema{ - Type: schema.TypeString, - Required: true, - Description: "A human-readable name to assign to your secret.To protect your privacy, do not use personal data, such as your name or location, as a name for your secret.", - }, - "description": &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Description: "An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group.", - }, - "secret_group_id": &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Computed: true, - ForceNew: true, - Description: "A v4 UUID identifier, or `default` secret group.", - }, - "labels": &schema.Schema{ - Type: schema.TypeList, - Optional: true, - Computed: true, - Description: "Labels that you can use to search for secrets in your instance.Up to 30 labels can be created.", - Elem: &schema.Schema{Type: schema.TypeString}, - }, - "custom_metadata": &schema.Schema{ - Type: schema.TypeMap, - Optional: true, - Computed: true, - Description: "The secret metadata that a user can customize.", - Elem: &schema.Schema{Type: schema.TypeString}, - }, - "version_custom_metadata": &schema.Schema{ - Type: schema.TypeMap, - Optional: true, - Computed: true, - Description: "The secret version metadata that a user can customize.", - Elem: &schema.Schema{Type: schema.TypeString}, - }, - "created_by": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The unique identifier that is associated with the entity that created the secret.", - }, - "created_at": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The date when a resource was created. The date format follows RFC 3339.", - }, - "credentials": &schema.Schema{ - Type: schema.TypeMap, - Computed: true, - Sensitive: true, - Description: "The properties of the service credentials secret payload.", - }, - "crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "A CRN that uniquely identifies an IBM Cloud resource.", - }, - "downloaded": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API.", - }, - "locks_total": &schema.Schema{ - Type: schema.TypeInt, - Computed: true, - Description: "The number of locks of the secret.", - }, - "next_rotation_date": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The date that the secret is scheduled for automatic rotation. The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy.", - }, - "rotation": &schema.Schema{ - Type: schema.TypeList, - MaxItems: 1, - Optional: true, - Computed: true, - Description: "Determines whether Secrets Manager rotates your secrets automatically.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "auto_rotate": &schema.Schema{ - Type: schema.TypeBool, - Optional: true, - Computed: true, - Description: "Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.", - }, - "interval": &schema.Schema{ - Type: schema.TypeInt, - Optional: true, - Computed: true, - Description: "The length of the secret rotation time interval.", - DiffSuppressFunc: rotationAttributesDiffSuppress, - }, - "unit": &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Computed: true, - Description: "The units for the secret rotation time interval.", - DiffSuppressFunc: rotationAttributesDiffSuppress, - }, - }, - }, - }, - "source_service": &schema.Schema{ - Type: schema.TypeList, - MaxItems: 1, - Required: true, - ForceNew: true, - Description: "The properties required for creating the service credentials for the specified source service instance.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "instance": &schema.Schema{ - Type: schema.TypeList, - Required: true, - MaxItems: 1, - ForceNew: true, - Description: "The source service instance identifier.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "crn": &schema.Schema{ - Type: schema.TypeString, - Required: true, - ForceNew: true, - Description: "A CRN that uniquely identifies a service credentials target.", - }, - }, - }, - }, - "role": &schema.Schema{ - Type: schema.TypeList, - Optional: true, - Computed: true, - ForceNew: true, - MaxItems: 1, - Description: "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "crn": &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Computed: true, - ForceNew: true, - Description: "The CRN role identifier for creating a service-id.", - }, - }, - }, - }, - "iam": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The source service IAM data is returned in case IAM credentials where created for this secret.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "apikey": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The IAM apikey metadata for the IAM credentials that were generated.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "name": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM API key name for the generated service credentials.", - }, - "description": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM API key description for the generated service credentials.", - }, - }, - }, - }, - "role": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The IAM role for the generate service credentials.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM role CRN assigned to the generated service credentials.", - }, - }, - }, - }, - "serviceid": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The IAM serviceid for the generated service credentials.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM Service ID CRN.", - }, - }, - }, - }, - }, - }, - }, - "resource_key": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The source service resource key data of the generated service credentials.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The resource key CRN of the generated service credentials.", - }, - "name": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The resource key name of the generated service credentials.", - }, - }, - }, - }, - "parameters": &schema.Schema{ - Type: schema.TypeMap, - Optional: true, - ForceNew: true, - Description: "The collection of parameters for the service credentials target.", - }, - }, - }, - }, - "state": &schema.Schema{ - Type: schema.TypeInt, - Computed: true, - Description: "The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values.", - }, - "state_description": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "A text representation of the secret state.", - }, - "ttl": &schema.Schema{ - Type: schema.TypeString, - Required: true, - Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", - }, - "updated_at": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The date when a resource was recently modified. The date format follows RFC 3339.", - }, - "versions_total": &schema.Schema{ - Type: schema.TypeInt, - Computed: true, - Description: "The number of versions of the secret.", - }, - "secret_id": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "A v4 UUID identifier.", - }, - }, - } -} - -func resourceIbmSmServiceCredentialsSecretCreate(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() - if err != nil { - return diag.FromErr(err) - } - - region := getRegion(secretsManagerClient, d) - instanceId := d.Get("instance_id").(string) - secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) - - createSecretOptions := &secretsmanagerv2.CreateSecretOptions{} - - secretPrototypeModel, err := resourceIbmSmServiceCredentialsSecretMapToSecretPrototype(d) - if err != nil { - return diag.FromErr(err) - } - createSecretOptions.SetSecretPrototype(secretPrototypeModel) - - secretIntf, response, err := secretsManagerClient.CreateSecretWithContext(context, createSecretOptions) - if err != nil { - log.Printf("[DEBUG] CreateSecretWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("CreateSecretWithContext failed %s\n%s", err, response)) - } - - secret := secretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) - d.SetId(fmt.Sprintf("%s/%s/%s", region, instanceId, *secret.ID)) - d.Set("secret_id", *secret.ID) - - return resourceIbmSmServiceCredentialsSecretRead(context, d, meta) -} - -func resourceIbmSmServiceCredentialsSecretRead(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() - if err != nil { - return diag.FromErr(err) - } - - id := strings.Split(d.Id(), "/") - if len(id) != 3 { - return diag.Errorf("Wrong format of resource ID. To import a secret use the format `//`") - } - region := id[0] - instanceId := id[1] - secretId := id[2] - secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) - - getSecretOptions := &secretsmanagerv2.GetSecretOptions{} - - getSecretOptions.SetID(secretId) - - secretIntf, response, err := secretsManagerClient.GetSecretWithContext(context, getSecretOptions) - if err != nil { - if response != nil && response.StatusCode == 404 { - d.SetId("") - return nil - } - log.Printf("[DEBUG] GetSecretWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("GetSecretWithContext failed %s\n%s", err, response)) - } - - secret := secretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) - - if err = d.Set("secret_id", secretId); err != nil { - return diag.FromErr(fmt.Errorf("Error setting secret_id: %s", err)) - } - if err = d.Set("instance_id", instanceId); err != nil { - return diag.FromErr(fmt.Errorf("Error setting instance_id: %s", err)) - } - if err = d.Set("region", region); err != nil { - return diag.FromErr(fmt.Errorf("Error setting region: %s", err)) - } - if err = d.Set("created_by", secret.CreatedBy); err != nil { - return diag.FromErr(fmt.Errorf("Error setting created_by: %s", err)) - } - if err = d.Set("created_at", DateTimeToRFC3339(secret.CreatedAt)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting created_at: %s", err)) - } - if err = d.Set("crn", secret.Crn); err != nil { - return diag.FromErr(fmt.Errorf("Error setting crn: %s", err)) - } - if err = d.Set("downloaded", secret.Downloaded); err != nil { - return diag.FromErr(fmt.Errorf("Error setting downloaded: %s", err)) - } - if err = d.Set("locks_total", flex.IntValue(secret.LocksTotal)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting locks_total: %s", err)) - } - if err = d.Set("name", secret.Name); err != nil { - return diag.FromErr(fmt.Errorf("Error setting name: %s", err)) - } - if err = d.Set("secret_group_id", secret.SecretGroupID); err != nil { - return diag.FromErr(fmt.Errorf("Error setting secret_group_id: %s", err)) - } - if err = d.Set("secret_type", secret.SecretType); err != nil { - return diag.FromErr(fmt.Errorf("Error setting secret_type: %s", err)) - } - if err = d.Set("state", flex.IntValue(secret.State)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting state: %s", err)) - } - if err = d.Set("state_description", secret.StateDescription); err != nil { - return diag.FromErr(fmt.Errorf("Error setting state_description: %s", err)) - } - if err = d.Set("updated_at", DateTimeToRFC3339(secret.UpdatedAt)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting updated_at: %s", err)) - } - if err = d.Set("versions_total", flex.IntValue(secret.VersionsTotal)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting versions_total: %s", err)) - } - if secret.CustomMetadata != nil { - d.Set("custom_metadata", secret.CustomMetadata) - } - if err = d.Set("description", secret.Description); err != nil { - return diag.FromErr(fmt.Errorf("Error setting description: %s", err)) - } - if secret.Labels != nil { - if err = d.Set("labels", secret.Labels); err != nil { - return diag.FromErr(fmt.Errorf("Error setting labels: %s", err)) - } - } - rotationMap, err := resourceIbmSmServiceCredentialsSecretRotationPolicyToMap(secret.Rotation) - if err != nil { - return diag.FromErr(err) - } - if len(rotationMap) > 0 { - if err = d.Set("rotation", []map[string]interface{}{rotationMap}); err != nil { - return diag.FromErr(fmt.Errorf("Error setting rotation: %s", err)) - } - } - sourceServiceMap, err := resourceIbmSmServiceCredentialsSecretSourceServiceToMap(secret.SourceService) - if err != nil { - return diag.FromErr(err) - } - if len(sourceServiceMap) > 0 { - if err = d.Set("source_service", []map[string]interface{}{sourceServiceMap}); err != nil { - return diag.FromErr(fmt.Errorf("Error setting source_service: %s", err)) - } - } - if secret.Credentials != nil { - var credInterface map[string]interface{} - cred, _ := json.Marshal(secret.Credentials) - json.Unmarshal(cred, &credInterface) - if err = d.Set("credentials", flex.Flatten(credInterface)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting credentials: %s", err)) - } - } - if err = d.Set("next_rotation_date", DateTimeToRFC3339(secret.NextRotationDate)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting next_rotation_date: %s", err)) - } - - // Call get version metadata API to get the current version_custom_metadata - getVersionMetdataOptions := &secretsmanagerv2.GetSecretVersionMetadataOptions{} - getVersionMetdataOptions.SetSecretID(secretId) - getVersionMetdataOptions.SetID("current") - - versionMetadataIntf, response, err := secretsManagerClient.GetSecretVersionMetadataWithContext(context, getVersionMetdataOptions) - if err != nil { - log.Printf("[DEBUG] GetSecretVersionMetadataWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("GetSecretVersionMetadataWithContext failed %s\n%s", err, response)) - } - - versionMetadata := versionMetadataIntf.(*secretsmanagerv2.ServiceCredentialsSecretVersionMetadata) - if versionMetadata.VersionCustomMetadata != nil { - if err = d.Set("version_custom_metadata", versionMetadata.VersionCustomMetadata); err != nil { - return diag.FromErr(fmt.Errorf("Error setting version_custom_metadata: %s", err)) - } - } - - return nil -} - -func resourceIbmSmServiceCredentialsSecretUpdate(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() - if err != nil { - return diag.FromErr(err) - } - - id := strings.Split(d.Id(), "/") - region := id[0] - instanceId := id[1] - secretId := id[2] - secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) - - updateSecretMetadataOptions := &secretsmanagerv2.UpdateSecretMetadataOptions{} - - updateSecretMetadataOptions.SetID(secretId) - - hasChange := false - - patchVals := &secretsmanagerv2.SecretMetadataPatch{} - - if d.HasChange("name") { - patchVals.Name = core.StringPtr(d.Get("name").(string)) - hasChange = true - } - if d.HasChange("description") { - patchVals.Description = core.StringPtr(d.Get("description").(string)) - hasChange = true - } - if d.HasChange("ttl") { - patchVals.TTL = core.StringPtr(d.Get("ttl").(string)) - hasChange = true - } - if d.HasChange("labels") { - labels := d.Get("labels").([]interface{}) - labelsParsed := make([]string, len(labels)) - for i, v := range labels { - labelsParsed[i] = fmt.Sprint(v) - } - patchVals.Labels = labelsParsed - hasChange = true - } - if d.HasChange("custom_metadata") { - patchVals.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) - hasChange = true - } - if d.HasChange("rotation") { - RotationModel, err := resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(d.Get("rotation").([]interface{})[0].(map[string]interface{})) - if err != nil { - log.Printf("[DEBUG] UpdateSecretMetadataWithContext failed: Reading Rotation parameter failed: %s", err) - return diag.FromErr(fmt.Errorf("UpdateSecretMetadataWithContext failed: Reading Rotation parameter failed: %s", err)) - } - patchVals.Rotation = RotationModel - hasChange = true - } - - // Apply change in metadata (if changed) - if hasChange { - updateSecretMetadataOptions.SecretMetadataPatch, _ = patchVals.AsPatch() - _, response, err := secretsManagerClient.UpdateSecretMetadataWithContext(context, updateSecretMetadataOptions) - if err != nil { - log.Printf("[DEBUG] UpdateSecretMetadataWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("UpdateSecretMetadataWithContext failed %s\n%s", err, response)) - } - } - - if d.HasChange("version_custom_metadata") { - // Apply change to version_custom_metadata in current version - secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) - secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() - - updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} - updateSecretVersionOptions.SetSecretID(secretId) - updateSecretVersionOptions.SetID("current") - updateSecretVersionOptions.SetSecretVersionMetadataPatch(secretVersionMetadataPatchModelAsPatch) - _, response, err := secretsManagerClient.UpdateSecretVersionMetadataWithContext(context, updateSecretVersionOptions) - if err != nil { - if hasChange { - // Call the read function to update the Terraform state with the change already applied to the metadata - resourceIbmSmServiceCredentialsSecretRead(context, d, meta) - } - log.Printf("[DEBUG] UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response)) - } - } - - return resourceIbmSmServiceCredentialsSecretRead(context, d, meta) -} - -func resourceIbmSmServiceCredentialsSecretDelete(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() - if err != nil { - return diag.FromErr(err) - } - - id := strings.Split(d.Id(), "/") - region := id[0] - instanceId := id[1] - secretId := id[2] - secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) - - deleteSecretOptions := &secretsmanagerv2.DeleteSecretOptions{} - - deleteSecretOptions.SetID(secretId) - - response, err := secretsManagerClient.DeleteSecretWithContext(context, deleteSecretOptions) - if err != nil { - log.Printf("[DEBUG] DeleteSecretWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("DeleteSecretWithContext failed %s\n%s", err, response)) - } - - d.SetId("") - - return nil -} - -func resourceIbmSmServiceCredentialsSecretMapToSecretPrototype(d *schema.ResourceData) (*secretsmanagerv2.ServiceCredentialsSecretPrototype, error) { - model := &secretsmanagerv2.ServiceCredentialsSecretPrototype{} - model.SecretType = core.StringPtr("service_credentials") - - if _, ok := d.GetOk("name"); ok { - model.Name = core.StringPtr(d.Get("name").(string)) - } - if _, ok := d.GetOk("description"); ok { - model.Description = core.StringPtr(d.Get("description").(string)) - } - if _, ok := d.GetOk("secret_group_id"); ok { - model.SecretGroupID = core.StringPtr(d.Get("secret_group_id").(string)) - } - if _, ok := d.GetOk("labels"); ok { - labels := d.Get("labels").([]interface{}) - labelsParsed := make([]string, len(labels)) - for i, v := range labels { - labelsParsed[i] = fmt.Sprint(v) - } - model.Labels = labelsParsed - } - if _, ok := d.GetOk("ttl"); ok { - model.TTL = core.StringPtr(d.Get("ttl").(string)) - } - if _, ok := d.GetOk("rotation"); ok { - RotationModel, err := resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(d.Get("rotation").([]interface{})[0].(map[string]interface{})) - if err != nil { - return model, err - } - model.Rotation = RotationModel - } - if _, ok := d.GetOk("source_service"); ok { - SourceServiceModel, err := resourceIbmSmServiceCredentialsSecretMapToSourceService(d.Get("source_service").([]interface{})[0].(map[string]interface{})) - if err != nil { - return model, err - } - model.SourceService = SourceServiceModel - } - if _, ok := d.GetOk("custom_metadata"); ok { - model.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) - } - if _, ok := d.GetOk("version_custom_metadata"); ok { - model.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - } - return model, nil -} - -func resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(modelMap map[string]interface{}) (secretsmanagerv2.RotationPolicyIntf, error) { - model := &secretsmanagerv2.RotationPolicy{} - if modelMap["auto_rotate"] != nil { - model.AutoRotate = core.BoolPtr(modelMap["auto_rotate"].(bool)) - } - if modelMap["interval"].(int) == 0 { - model.Interval = nil - } else { - model.Interval = core.Int64Ptr(int64(modelMap["interval"].(int))) - } - if modelMap["unit"] != nil && modelMap["unit"].(string) != "" { - model.Unit = core.StringPtr(modelMap["unit"].(string)) - } - return model, nil -} - -func resourceIbmSmServiceCredentialsSecretMapToSourceService(modelMap map[string]interface{}) (*secretsmanagerv2.ServiceCredentialsSecretSourceService, error) { - mainModel := &secretsmanagerv2.ServiceCredentialsSecretSourceService{} - - if modelMap["instance"] != nil && len(modelMap["instance"].([]interface{})) > 0 { - instanceModel := &secretsmanagerv2.ServiceCredentialsSourceServiceInstance{} - if modelMap["instance"].([]interface{})[0].(map[string]interface{})["crn"].(string) != "" { - instanceModel.Crn = core.StringPtr(modelMap["instance"].([]interface{})[0].(map[string]interface{})["crn"].(string)) - mainModel.Instance = instanceModel - } - } - - if modelMap["role"] != nil && len(modelMap["role"].([]interface{})) > 0 { - roleModel := &secretsmanagerv2.ServiceCredentialsSourceServiceRole{} - if modelMap["role"].([]interface{})[0].(map[string]interface{})["crn"].(string) != "" { - roleModel.Crn = core.StringPtr(modelMap["role"].([]interface{})[0].(map[string]interface{})["crn"].(string)) - mainModel.Role = roleModel - } - } - - if modelMap["parameters"] != nil { - mainModel.Parameters = &secretsmanagerv2.ServiceCredentialsSourceServiceParameters{} - parametersMap := modelMap["parameters"].(map[string]interface{}) - for k, v := range parametersMap { - if k == "serviceid_crn" { - serviceIdCrn := v.(string) - mainModel.Parameters.ServiceidCrn = &serviceIdCrn - } else if v == "true" || v == "false" { - b, _ := strconv.ParseBool(v.(string)) - mainModel.Parameters.SetProperty(k, b) - } else { - mainModel.Parameters.SetProperty(k, v) - } - } - } - return mainModel, nil -} - -func resourceIbmSmServiceCredentialsSecretRotationPolicyToMap(modelIntf secretsmanagerv2.RotationPolicyIntf) (map[string]interface{}, error) { - modelMap := make(map[string]interface{}) - model := modelIntf.(*secretsmanagerv2.RotationPolicy) - if model.AutoRotate != nil { - modelMap["auto_rotate"] = model.AutoRotate - } - if model.Interval != nil { - modelMap["interval"] = flex.IntValue(model.Interval) - } - if model.Unit != nil { - modelMap["unit"] = model.Unit - } - return modelMap, nil -} - -func resourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secretsmanagerv2.ServiceCredentialsSecretSourceService) (map[string]interface{}, error) { - mainModelMap := make(map[string]interface{}) - if sourceService.Instance != nil { - instanceMap := make(map[string]interface{}) - instanceModel := sourceService.Instance - if instanceModel.Crn != nil { - instanceMap["crn"] = instanceModel.Crn - } - mainModelMap["instance"] = []map[string]interface{}{instanceMap} - } - - if sourceService.Role != nil { - roleMap := make(map[string]interface{}) - roleModel := sourceService.Role - if roleModel.Crn != nil { - roleMap["crn"] = roleModel.Crn - } - mainModelMap["role"] = []map[string]interface{}{roleMap} - } - - if sourceService.Iam != nil { - iamMap := make(map[string]interface{}) - iamModel := sourceService.Iam - - // apikey - if iamModel.Apikey != nil { - iamApikeyMap := make(map[string]interface{}) - iamApikeyModel := iamModel.Apikey - if iamApikeyModel.Name != nil { - iamApikeyMap["name"] = iamApikeyModel.Name - } - if iamApikeyModel.Description != nil { - iamApikeyMap["description"] = iamApikeyModel.Description - } - iamMap["apikey"] = []map[string]interface{}{iamApikeyMap} - } - - // role - if iamModel.Role != nil { - iamRoleMap := make(map[string]interface{}) - iamRoleModel := iamModel.Role - if iamRoleModel.Crn != nil { - iamRoleMap["crn"] = iamRoleModel.Crn - } - iamMap["role"] = []map[string]interface{}{iamRoleMap} - } - - // service id - if iamModel.Serviceid != nil { - iamServiceidMap := make(map[string]interface{}) - iamServiceidModel := iamModel.Serviceid - if iamServiceidModel.Crn != nil { - iamServiceidMap["crn"] = iamServiceidModel.Crn - } - iamMap["serviceid"] = []map[string]interface{}{iamServiceidMap} - } - - mainModelMap["iam"] = []map[string]interface{}{iamMap} - - } - - if sourceService.ResourceKey != nil { - resourceKeyMap := make(map[string]interface{}) - resourceKeyModel := sourceService.ResourceKey - if resourceKeyModel.Crn != nil { - resourceKeyMap["crn"] = resourceKeyModel.Crn - } - if resourceKeyModel.Name != nil { - resourceKeyMap["name"] = resourceKeyModel.Name - } - mainModelMap["resource_key"] = []map[string]interface{}{resourceKeyMap} - } - - if sourceService.Parameters != nil { - parametersMap := sourceService.Parameters.GetProperties() - for k, v := range parametersMap { - parametersMap[k] = fmt.Sprint(v) - } - if sourceService.Parameters.ServiceidCrn != nil { - if len(parametersMap) == 0 { - parametersMap = make(map[string]interface{}) - } - parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn - } - mainModelMap["parameters"] = parametersMap - } - - return mainModelMap, nil -} diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go deleted file mode 100644 index 7de340208c7..00000000000 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go +++ /dev/null @@ -1,335 +0,0 @@ -// Copyright IBM Corp. 2023 All Rights Reserved. -// Licensed under the Mozilla Public License v2.0 - -package secretsmanager_test - -import ( - "fmt" - "strings" - "testing" - - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" - - acc "github.com/IBM-Cloud/terraform-provider-ibm/ibm/acctest" - "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" - "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" -) - -var serviceCredentialsSecretName = "terraform-test-sc-secret" -var modifiedServiceCredentialsSecretName = "modified-terraform-test-sc-secret" -var serviceCredentialsParameters = `{"HMAC":"true"}` -var serviceCredentialsParametersWithServiceId = `{"serviceid_crn": ibm_iam_service_id.ibm_iam_service_id_instance.crn}` -var serviceCredentialsTtl = "172800" -var modifiedServiceCredentialsTtl = "6048000" -var serviceCredentialsRoleCrn = "crn:v1:bluemix:public:iam::::serviceRole:Writer" - -func TestAccIbmSmServiceCredentialsSecretBasic(t *testing.T) { - resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret_basic" - - resource.Test(t, resource.TestCase{ - PreCheck: func() { acc.TestAccPreCheck(t) }, - Providers: acc.TestAccProviders, - CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, - Steps: []resource.TestStep{ - resource.TestStep{ - Config: serviceCredentialsSecretConfigBasic(), - Check: resource.ComposeAggregateTestCheckFunc( - resource.TestCheckResourceAttrSet(resourceName, "secret_id"), - resource.TestCheckResourceAttrSet(resourceName, "created_by"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), - resource.TestCheckResourceAttrSet(resourceName, "crn"), - resource.TestCheckResourceAttrSet(resourceName, "downloaded"), - resource.TestCheckResourceAttr(resourceName, "state", "1"), - resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), - ), - }, - resource.TestStep{ - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"ttl"}, - }, - }, - }) -} - -func TestAccIbmSmServiceCredentialsSecretAllArgs(t *testing.T) { - resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret" - - resource.Test(t, resource.TestCase{ - PreCheck: func() { acc.TestAccPreCheck(t) }, - Providers: acc.TestAccProviders, - CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, - Steps: []resource.TestStep{ - resource.TestStep{ - Config: serviceCredentialsSecretConfigAllArgs(), - Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckIbmSmServiceCredentialsSecretCreated(resourceName), - resource.TestCheckResourceAttrSet(resourceName, "secret_id"), - resource.TestCheckResourceAttrSet(resourceName, "created_by"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), - resource.TestCheckResourceAttrSet(resourceName, "crn"), - resource.TestCheckResourceAttrSet(resourceName, "downloaded"), - resource.TestCheckResourceAttrSet(resourceName, "next_rotation_date"), - resource.TestCheckResourceAttr(resourceName, "state", "1"), - resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), - ), - }, - resource.TestStep{ - Config: serviceCredentialsSecretConfigUpdated(), - Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckIbmSmServiceCredentialsSecretUpdated(resourceName), - ), - }, - resource.TestStep{ - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"ttl"}, - }, - }, - }) -} - -func TestAccIbmSmServiceCredentialsSecretAllArgsWithExistingServiceId(t *testing.T) { - resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret_service_id" - - resource.Test(t, resource.TestCase{ - PreCheck: func() { acc.TestAccPreCheck(t) }, - Providers: acc.TestAccProviders, - CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, - Steps: []resource.TestStep{ - resource.TestStep{ - Config: serviceCredentialsSecretConfigAllArgsWithExistingServiceId(), - Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckIbmSmServiceCredentialsSecretCreated(resourceName), - resource.TestCheckResourceAttrSet(resourceName, "secret_id"), - resource.TestCheckResourceAttrSet(resourceName, "created_by"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), - resource.TestCheckResourceAttrSet(resourceName, "crn"), - resource.TestCheckResourceAttrSet(resourceName, "downloaded"), - resource.TestCheckResourceAttrSet(resourceName, "next_rotation_date"), - resource.TestCheckResourceAttr(resourceName, "state", "1"), - resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), - ), - }, - resource.TestStep{ - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"ttl"}, - }, - }, - }) -} - -var serviceCredentialsSecretBasicConfigFormat = ` - resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_basic" { - instance_id = "%s" - region = "%s" - name = "%s" - source_service { - instance { - crn = "%s" - } - role { - crn = "%s" - } - } - ttl = "%s" - }` - -var serviceCredentialsSecretFullConfigFormat = ` - resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { - instance_id = "%s" - region = "%s" - name = "%s" - description = "%s" - labels = ["%s"] - source_service { - instance { - crn = "%s" - } - parameters = %s - role { - crn = "%s" - } - } - ttl = "%s" - custom_metadata = %s - secret_group_id = "default" - rotation %s - }` - -var serviceCredentialsSecretFullConfigFormatWithExistingServiceId = ` - resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_service_id" { - instance_id = "%s" - region = "%s" - name = "%s" - description = "%s" - labels = ["%s"] - source_service { - instance { - crn = "%s" - } - parameters = %s - role { - crn = "%s" - } - } - ttl = "%s" - custom_metadata = %s - secret_group_id = "default" - rotation %s - }` - -func iamServiceIdConfig() string { - return fmt.Sprintf(` - resource "ibm_iam_service_id" "ibm_iam_service_id_instance" { - name = "service-id-terraform-tests-sc" - }`) -} - -func serviceCredentialsSecretConfigBasic() string { - return fmt.Sprintf(serviceCredentialsSecretBasicConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, - serviceCredentialsSecretName, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsRoleCrn, serviceCredentialsTtl) -} - -func serviceCredentialsSecretConfigAllArgs() string { - return fmt.Sprintf(serviceCredentialsSecretFullConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, - serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) -} - -func serviceCredentialsSecretConfigAllArgsWithExistingServiceId() string { - return iamServiceIdConfig() + fmt.Sprintf(serviceCredentialsSecretFullConfigFormatWithExistingServiceId, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, - serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParametersWithServiceId, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) -} - -func serviceCredentialsSecretConfigUpdated() string { - return fmt.Sprintf(serviceCredentialsSecretFullConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, - modifiedServiceCredentialsSecretName, modifiedDescription, modifiedLabel, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, - modifiedServiceCredentialsTtl, modifiedCustomMetadata, modifiedRotationPolicy) -} - -func testAccCheckIbmSmServiceCredentialsSecretCreated(n string) resource.TestCheckFunc { - return func(s *terraform.State) error { - serviceCredentialsSecretIntf, err := getSecret(s, n) - if err != nil { - return err - } - secret := serviceCredentialsSecretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) - - if err := verifyAttr(*secret.Name, serviceCredentialsSecretName, "secret name"); err != nil { - return err - } - if err := verifyAttr(*secret.Description, description, "secret description"); err != nil { - return err - } - if len(secret.Labels) != 1 { - return fmt.Errorf("Wrong number of labels: %d", len(secret.Labels)) - } - if err := verifyAttr(secret.Labels[0], label, "label"); err != nil { - return err - } - if err := verifyJsonAttr(secret.CustomMetadata, customMetadata, "custom metadata"); err != nil { - return err - } - if err := verifyAttr(getAutoRotate(secret.Rotation), "true", "auto_rotate"); err != nil { - return err - } - if err := verifyAttr(getRotationUnit(secret.Rotation), "day", "rotation unit"); err != nil { - return err - } - if err := verifyAttr(getRotationInterval(secret.Rotation), "1", "rotation interval"); err != nil { - return err - } - if err := verifyAttr(*secret.TTL, serviceCredentialsTtl, "ttl"); err != nil { - return err - } - if err := verifyAttr(*secret.SourceService.Instance.Crn, acc.SecretsManagerServiceCredentialsCosCrn, "source_service.Instance.Crn"); err != nil { - return err - } - if err := verifyAttr(*secret.SourceService.Role.Crn, serviceCredentialsRoleCrn, "source_service.Role.Crn"); err != nil { - return err - } - if err := verifyAttr(*secret.Credentials.IamRoleCrn, serviceCredentialsRoleCrn, "credentials.IamRoleCrn"); err != nil { - return err - } - return nil - } -} - -func testAccCheckIbmSmServiceCredentialsSecretUpdated(n string) resource.TestCheckFunc { - return func(s *terraform.State) error { - serviceCredentialsSecretIntf, err := getSecret(s, n) - if err != nil { - return err - } - secret := serviceCredentialsSecretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) - - if err := verifyAttr(*secret.Name, modifiedServiceCredentialsSecretName, "secret name"); err != nil { - return err - } - if err := verifyAttr(*secret.Description, modifiedDescription, "secret description after update"); err != nil { - return err - } - if len(secret.Labels) != 1 { - return fmt.Errorf("Wrong number of labels after update: %d", len(secret.Labels)) - } - if err := verifyAttr(secret.Labels[0], modifiedLabel, "label after update"); err != nil { - return err - } - if err := verifyJsonAttr(secret.CustomMetadata, modifiedCustomMetadata, "custom metadata after update"); err != nil { - return err - } - if err := verifyAttr(*secret.TTL, modifiedServiceCredentialsTtl, "ttl after update"); err != nil { - return err - } - if err := verifyAttr(getAutoRotate(secret.Rotation), "true", "auto_rotate after update"); err != nil { - return err - } - if err := verifyAttr(getRotationUnit(secret.Rotation), "month", "rotation unit after update"); err != nil { - return err - } - if err := verifyAttr(getRotationInterval(secret.Rotation), "2", "rotation interval after update"); err != nil { - return err - } - return nil - } -} - -func testAccCheckIbmSmServiceCredentialsSecretDestroy(s *terraform.State) error { - secretsManagerClient, err := acc.TestAccProvider.Meta().(conns.ClientSession).SecretsManagerV2() - if err != nil { - return err - } - - secretsManagerClient = getClientWithInstanceEndpointTest(secretsManagerClient) - - for _, rs := range s.RootModule().Resources { - if rs.Type != "ibm_sm_service_credentials_secret" { - continue - } - - getSecretOptions := &secretsmanagerv2.GetSecretOptions{} - - id := strings.Split(rs.Primary.ID, "/") - secretId := id[2] - getSecretOptions.SetID(secretId) - - // Try to find the key - _, response, err := secretsManagerClient.GetSecret(getSecretOptions) - - if err == nil { - return fmt.Errorf("ServiceCredentialsSecret still exists: %s", rs.Primary.ID) - } else if response.StatusCode != 404 { - return fmt.Errorf("Error checking for ServiceCredentialsSecret (%s) has been destroyed: %s", rs.Primary.ID, err) - } - } - - return nil -} From 74626d8d3cd1bb23260726096022032b1cd74688 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Tue, 26 Dec 2023 14:45:19 +0200 Subject: [PATCH 17/18] bugs fixes --- ...as_secret.go => resource_ibm_sm_service_credentials_secret.go} | 0 ...test.go => resource_ibm_sm_service_credentials_secret_test.go} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename ibm/service/secretsmanager/{resource_ibm_sm_service_credentilas_secret.go => resource_ibm_sm_service_credentials_secret.go} (100%) rename ibm/service/secretsmanager/{resource_ibm_sm_service_credentilas_secret_test.go => resource_ibm_sm_service_credentials_secret_test.go} (100%) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go similarity index 100% rename from ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go rename to ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go similarity index 100% rename from ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go rename to ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go From fbf61c65a90dd20c11738ebb683fc09a6790ba05 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 3 Jan 2024 15:55:31 +0200 Subject: [PATCH 18/18] docs bugs fixes --- website/docs/r/sm_service_credentials_secret.html.markdown | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/website/docs/r/sm_service_credentials_secret.html.markdown b/website/docs/r/sm_service_credentials_secret.html.markdown index cdf60c3e9ff..12b43a166ba 100644 --- a/website/docs/r/sm_service_credentials_secret.html.markdown +++ b/website/docs/r/sm_service_credentials_secret.html.markdown @@ -43,6 +43,7 @@ resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { ```terraform resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = ibm_resource_instance.sm_instance.guid region = "us-south" name = "secret-name" source_service { @@ -89,11 +90,11 @@ Nested scheme for **rotation**: * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`. -* `source_service` - (Optional, List) The properties required for creating the service credentials for the specified source service instance. +* `source_service` - (Required, List) The properties required for creating the service credentials for the specified source service instance. Nested scheme for **source_service**: - * `instance` - (Optional, List) The source service instance identifier. + * `instance` - (Required, List) The source service instance identifier. Nested scheme for **instance**: - * `crn` - (Optional, String) A CRN that uniquely identifies a service credentials source. + * `crn` - (Required, String) A CRN that uniquely identifies a service credentials source. * `role` - (Optional, List) The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles. Nested scheme for **role**: * `crn` - (Optional, String) The service role CRN.