feat: automate api key and secret key creation (#31)

Author: rajatagarwal-ibm

cra-config.yaml

@@ -19,3 +19,6 @@ CRA_TARGETS:
       TF_VAR_watson_machine_learning_instance_guid: "4e621b22-5802-4013-896a-777fc345f424"
       TF_VAR_watson_machine_learning_instance_resource_name: "test-machine-learning-instance"
       TF_VAR_inventory_repo_url: "https://us-south.git.cloud.ibm.com/yada.yada/04181-inventory-repo.git"
+      TF_VAR_signing_key: "dummy value"
+      TF_VAR_secrets_manager_crn: "dummy crn"
+      TF_VAR_secrets_manager_guid: "dummy guid"

solutions/banking/main.tf

@@ -8,6 +8,9 @@ data "ibm_iam_auth_token" "tokendata" {}
 
 # Resource group - create if it doesn't exist
 module "resource_group" {
+  providers = {
+    ibm = ibm.ibm_resources
+  }
   source                       = "terraform-ibm-modules/resource-group/ibm"
   version                      = "1.1.5"
   resource_group_name          = var.use_existing_resource_group == false ? var.resource_group_name : null
@@ -16,19 +19,54 @@ module "resource_group" {
 
 # create COS instance for WatsonX.AI project
 module "cos" {
+  providers = {
+    ibm = ibm.ibm_resources
+  }
   source            = "terraform-ibm-modules/cos/ibm//modules/fscloud"
   version           = "8.1.7"
   resource_group_id = module.resource_group.resource_group_id
   cos_instance_name = "${var.prefix}-rag-sample-app-cos"
   cos_plan          = "standard"
 }
 
+# secrets manager secrets - IBM IAM API KEY
+module "secrets_manager_secret_ibm_iam" {
+  providers = {
+    ibm = ibm.ibm_resources
+  }
+  source                  = "terraform-ibm-modules/secrets-manager-secret/ibm"
+  version                 = "1.3.0"
+  region                  = var.toolchain_region
+  secrets_manager_guid    = var.secrets_manager_guid
+  secret_name             = "${var.prefix}-secret-api-key"
+  secret_description      = "IBM IAM Api key"
+  secret_type             = "arbitrary" #checkov:skip=CKV_SECRET_6
+  secret_payload_password = var.ibmcloud_api_key
+}
+
+# secrets manager secrets - IBM signing key
+module "secrets_manager_secret_signing_key" {
+  providers = {
+    ibm = ibm.ibm_resources
+  }
+  source                  = "terraform-ibm-modules/secrets-manager-secret/ibm"
+  version                 = "1.3.0"
+  region                  = var.toolchain_region
+  secrets_manager_guid    = var.secrets_manager_guid
+  secret_name             = "${var.prefix}-secret-signing-key"
+  secret_description      = "IBM Signing GPG key"
+  secret_type             = "arbitrary" #checkov:skip=CKV_SECRET_6
+  secret_payload_password = var.signing_key
+}
+
 data "ibm_resource_group" "toolchain_resource_group_id" {
-  name = var.toolchain_resource_group
+  provider = ibm.ibm_resources
+  name     = var.toolchain_resource_group
 }
 
 # create CD service for toolchain use if variable is set
 resource "ibm_resource_instance" "cd_instance" {
+  provider          = ibm.ibm_resources
   count             = var.create_continuous_delivery_service_instance ? 1 : 0
   name              = "${var.prefix}-cd-instance"
   service           = "continuous-delivery"
@@ -45,7 +83,8 @@ resource "ibm_resource_instance" "cd_instance" {
 
 # create watsonx.AI project
 module "configure_project" {
-  source                = "github.com/terraform-ibm-modules/terraform-ibm-watsonx-saas-da.git//configure_project?ref=v0.2.0"
+  watsonx_admin_api_key = var.watsonx_admin_api_key != null ? var.watsonx_admin_api_key : var.ibmcloud_api_key
+  source                = "github.com/terraform-ibm-modules/terraform-ibm-watsonx-saas-da.git//configure_project?ref=v0.4.1"
   project_name          = "${var.prefix}-RAG-sample-project"
   project_description   = "WatsonX AI project for RAG pattern sample app"
   project_tags          = ["watsonx-ai-SaaS", "RAG-sample-project"]
@@ -164,6 +203,7 @@ data "external" "discovery_project_id" {
 
 # Update CI pipeline with Assistant instance ID
 resource "ibm_cd_tekton_pipeline_property" "watsonx_assistant_id_pipeline_property_ci" {
+  provider    = ibm.ibm_resources
   name        = "watsonx_assistant_id"
   pipeline_id = var.ci_pipeline_id
   type        = "text"
@@ -172,6 +212,7 @@ resource "ibm_cd_tekton_pipeline_property" "watsonx_assistant_id_pipeline_proper
 
 # Update CD pipeline with Assistant instance ID
 resource "ibm_cd_tekton_pipeline_property" "watsonx_assistant_id_pipeline_property_cd" {
+  provider    = ibm.ibm_resources
   name        = "watsonx_assistant_id"
   pipeline_id = var.cd_pipeline_id
   type        = "text"
@@ -180,6 +221,7 @@ resource "ibm_cd_tekton_pipeline_property" "watsonx_assistant_id_pipeline_proper
 
 # Update CI pipeline with app flavor
 resource "ibm_cd_tekton_pipeline_property" "application_flavor_pipeline_property_ci" {
+  provider    = ibm.ibm_resources
   name        = "app-flavor"
   pipeline_id = var.ci_pipeline_id
   type        = "text"
@@ -188,6 +230,7 @@ resource "ibm_cd_tekton_pipeline_property" "application_flavor_pipeline_property
 
 # Update CD pipeline with app flavor
 resource "ibm_cd_tekton_pipeline_property" "application_flavor_pipeline_property_cd" {
+  provider    = ibm.ibm_resources
   name        = "app-flavor"
   pipeline_id = var.cd_pipeline_id
   type        = "text"
@@ -196,6 +239,7 @@ resource "ibm_cd_tekton_pipeline_property" "application_flavor_pipeline_property
 
 # Update CI pipeline with Assistant integration ID
 resource "ibm_cd_tekton_pipeline_property" "watsonx_assistant_integration_id_pipeline_property_ci" {
+  provider    = ibm.ibm_resources
   depends_on  = [data.external.assistant_get_integration_id]
   name        = "watsonx_assistant_integration_id"
   pipeline_id = var.ci_pipeline_id
@@ -205,6 +249,7 @@ resource "ibm_cd_tekton_pipeline_property" "watsonx_assistant_integration_id_pip
 
 # Update CD pipeline with Assistant integration ID
 resource "ibm_cd_tekton_pipeline_property" "watsonx_assistant_integration_id_pipeline_property_cd" {
+  provider    = ibm.ibm_resources
   depends_on  = [data.external.assistant_get_integration_id]
   name        = "watsonx_assistant_integration_id"
   pipeline_id = var.cd_pipeline_id
@@ -221,6 +266,7 @@ resource "random_string" "webhook_secret" {
 
 # Create webhook for CI pipeline
 resource "ibm_cd_tekton_pipeline_trigger" "ci_pipeline_webhook" {
+  provider       = ibm.ibm_resources
   depends_on     = [random_string.webhook_secret]
   type           = "generic"
   pipeline_id    = var.ci_pipeline_id
@@ -236,6 +282,7 @@ resource "ibm_cd_tekton_pipeline_trigger" "ci_pipeline_webhook" {
 
 # Create git trigger for CD pipeline - to run inventory promotion once CI pipeline is complete
 resource "ibm_cd_tekton_pipeline_trigger" "cd_pipeline_inventory_promotion_trigger" {
+  provider       = ibm.ibm_resources
   count          = var.inventory_repo_url != null ? 1 : 0
   type           = "scm"
   pipeline_id    = var.cd_pipeline_id

solutions/banking/outputs.tf

@@ -32,3 +32,8 @@ output "discovery_project_id" {
   description = "WatsonX Discovery Project ID."
   value       = data.external.discovery_project_id.result.discovery_project_id
 }
+
+output "secrets_manager_crn" {
+  description = "Secrets Manager CRN."
+  value       = var.secrets_manager_crn
+}

solutions/banking/provider.tf

@@ -1,8 +1,14 @@
 provider "ibm" {
+  alias            = "ibm_resources"
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.toolchain_region
 }
 
+provider "ibm" {
+  ibmcloud_api_key = var.watsonx_admin_api_key != null ? var.watsonx_admin_api_key : var.ibmcloud_api_key
+  region           = var.toolchain_region
+}
+
 provider "restapi" {
   uri                  = "https:"
   write_returns_object = true

solutions/banking/variables.tf

@@ -4,6 +4,13 @@ variable "ibmcloud_api_key" {
   sensitive   = true
 }
 
+variable "watsonx_admin_api_key" {
+  default     = null
+  description = "Used to call Watson APIs to configure the user and the project."
+  sensitive   = true
+  type        = string
+}
+
 variable "prefix" {
   description = "Prefix for resources to be created"
   type        = string
@@ -87,3 +94,19 @@ variable "watson_machine_learning_instance_resource_name" {
   description = "Watson Machine Learning instance resource name"
   type        = string
 }
+
+variable "signing_key" {
+  description = "Signing GPG key."
+  type        = string
+  sensitive   = true
+}
+
+variable "secrets_manager_crn" {
+  description = "Secrets Manager CRN where the API key and signing key will be stored."
+  type        = string
+}
+
+variable "secrets_manager_guid" {
+  description = "Secrets Manager GUID where the API key and signing key will be stored."
+  type        = string
+}

tests/pr_test.go

@@ -81,6 +81,9 @@ func TestRunBankingSolutions(t *testing.T) {
 				"watson_machine_learning_instance_crn":           terraform.Output(t, existingTerraformOptions, "watson_machine_learning_instance_crn"),
 				"watson_machine_learning_instance_guid":          terraform.Output(t, existingTerraformOptions, "watson_machine_learning_instance_guid"),
 				"watson_machine_learning_instance_resource_name": terraform.Output(t, existingTerraformOptions, "watson_machine_learning_instance_resource_name"),
+				"secrets_manager_guid":                           terraform.Output(t, existingTerraformOptions, "secrets_manager_guid"),
+				"secrets_manager_crn":                            terraform.Output(t, existingTerraformOptions, "secrets_manager_crn"),
+				"signing_key":                                    terraform.Output(t, existingTerraformOptions, "signing_key_payload"),
 			},
 		})
 

tests/resources/existing-resources/main.tf

@@ -1,3 +1,7 @@
+locals {
+  signing_key_payload = sensitive("secret-signing-key-payload")
+}
+
 ########################################################################################################################
 # Resource Group
 ########################################################################################################################
@@ -10,6 +14,19 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
+########################################################################################################################
+# Secrets Manager
+########################################################################################################################
+
+module "secrets_manager" {
+  source               = "terraform-ibm-modules/secrets-manager/ibm"
+  version              = "v1.9.0"
+  resource_group_id    = module.resource_group.resource_group_id
+  region               = var.region
+  secrets_manager_name = "${var.prefix}-secrets-manager" #tfsec:ignore:general-secrets-no-plaintext-exposure
+  sm_service_plan      = var.sm_service_plan
+}
+
 ########################################################################################################################
 # Watson resources
 ########################################################################################################################

tests/resources/existing-resources/outputs.tf

@@ -47,3 +47,19 @@ output "resource_group_name" {
   value       = module.resource_group.resource_group_name
   description = "Resource group name."
 }
+
+output "secrets_manager_guid" {
+  value       = module.secrets_manager.secrets_manager_guid
+  description = "GUID of Secrets Manager instance."
+}
+
+output "secrets_manager_crn" {
+  value       = module.secrets_manager.secrets_manager_crn
+  description = "CRN of the Secrets Manager instance."
+}
+
+output "signing_key_payload" {
+  value       = local.signing_key_payload
+  sensitive   = true
+  description = "Signing key payload."
+}

tests/resources/existing-resources/variables.tf

@@ -20,3 +20,9 @@ variable "region" {
   description = "Region where resources are deployed"
   type        = string
 }
+
+variable "sm_service_plan" {
+  type        = string
+  description = "The Secrets Manager service plan to provision"
+  default     = "trial"
+}

tests/scripts/pre-validation.sh

@@ -42,6 +42,9 @@ TF_VARS_FILE="terraform.tfvars"
   use_existing_resource_group_var_name="use_existing_resource_group"
   create_continuous_delivery_service_instance_var_name="create_continuous_delivery_service_instance"
   inventory_repo_url_var_name="inventory_repo_url"
+  secrets_manager_guid_var_name="secrets_manager_guid"
+  secrets_manager_crn_var_name="secrets_manager_crn"
+  signing_key_payload_var_name="signing_key_payload"
 
   resource_group_name_value=$(terraform output -state=terraform.tfstate -raw resource_group_name)
   toolchain_resource_group_value=$(terraform output -state=terraform.tfstate -raw resource_group_name)
@@ -55,6 +58,9 @@ TF_VARS_FILE="terraform.tfvars"
   use_existing_resource_group_value=true
   create_continuous_delivery_service_instance_value=false
   inventory_repo_url_value="https://${REGION}.git.cloud.ibm.com/test-inventory-repo"
+  secrets_manager_guid_value=$(terraform output -state=terraform.tfstate -raw secrets_manager_guid)
+  secrets_manager_crn_value=$(terraform output -state=terraform.tfstate -raw secrets_manager_crn)
+  signing_key_payload_value=$(terraform output -state=terraform.tfstate -raw signing_key_payload)
 
   echo "Appending required input variable values to ${JSON_FILE}.."
 
@@ -91,6 +97,12 @@ TF_VARS_FILE="terraform.tfvars"
         --arg create_continuous_delivery_service_instance_value "${create_continuous_delivery_service_instance_value}" \
         --arg inventory_repo_url_var_name "${inventory_repo_url_var_name}" \
         --arg inventory_repo_url_value "${inventory_repo_url_value}" \
+        --arg secrets_manager_crn_var_name "${secrets_manager_crn_var_name}" \
+        --arg secrets_manager_crn_value "${secrets_manager_crn_value}" \
+        --arg secrets_manager_guid_var_name "${secrets_manager_guid_var_name}" \
+        --arg secrets_manager_guid_value "${secrets_manager_guid_value}" \
+        --arg signing_key_payload_var_name "${signing_key_payload_var_name}" \
+        --arg signing_key_payload_value "${signing_key_payload_value}" \
         '. + {($prefix_var_name): $prefix_value,
           ($resource_group_name_var_name): $resource_group_name_value,
           ($toolchain_region_var_name): $toolchain_region_value,
@@ -106,6 +118,10 @@ TF_VARS_FILE="terraform.tfvars"
           ($use_existing_resource_group_var_name): $use_existing_resource_group_value,
           ($create_continuous_delivery_service_instance_var_name): $create_continuous_delivery_service_instance_value,
           ($watson_machine_learning_instance_resource_name_var_name): $watson_machine_learning_instance_resource_name_value,
+          ($secrets_manager_secrets_manager_crn_var_name): $secrets_manager_crn_value,
+          ($secrets_manager_guid_var_name): $secrets_manager_guid_value,
+          ($signing_key_payload_var_name): $signing_key_payload_var_name,
+          ($signing_key_payload_value): signing_key_payload_value,
           ($inventory_repo_url_var_name): $inventory_repo_url_value}' "${JSON_FILE}" > tmpfile && mv tmpfile "${JSON_FILE}" || exit 1
 
   echo "Pre-validation complete successfully"