feat: Add support to DA to provision IAM engine (#89)

jor2 · web-flow · commit 9db51ed33add · 2024-04-11T18:13:44.000+01:00
diff --git a/common-dev-assets b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 2285d9993a4141de3b08b18358acae41d5bc0be1
+Subproject commit 71609c4126de4499ab1132b241908c5fa995eb95
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -29,6 +29,10 @@
           "title": "Creates a Secrets Manager instance.",
           "description": "Creates an IBM Secrets Manager instance."
         },
+        {
+          "title": "Optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Secrets Manager instance.",
+          "description": "Optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Secrets Manager instance."
+        },
         {
           "title": "Sets up authorization policy.",
           "description": "Sets up IBM IAM authorization policy between IBM Secrets Manager instance and IBM Key Management Service (KMS) instance. It also supports Event Notification authorization policy."
@@ -60,6 +64,10 @@
                 "title": "Creates a Secrets Manager instance.",
                 "description": "Creates and configures an IBM Secrets Manager instance."
               },
+              {
+                "title": "Optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Secrets Manager instance.",
+                "description": "Optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Secrets Manager instance."
+              },
               {
                 "title": "Sets up authorization policy.",
                 "description": "Sets up IBM IAM authorization policy between IBM Secrets Manager instance and IBM Key Management Service (KMS) instance. It also supports Event Notification authorization policy."
diff --git a/reference-architecture/secrets_manager.svg b/reference-architecture/secrets_manager.svg
diff --git a/solutions/standard/README.md b/solutions/standard/README.md
@@ -3,6 +3,7 @@
 This solution supports the following:
 - Creating a new resource group, or taking in an existing one.
 - Provisioning and configuring of a Secrets Manager instance.
+- Optionally configure an IBM Secrets Manager IAM credentials engine to an IBM Secrets Manager instance.
 - Configuring KMS encryption using a newly created key, or passing an existing key.
 
 **NB:** This solution is not intended to be called by one or more other modules since it contains a provider configurations, meaning it is not compatible with the `for_each`, `count`, and `depends_on` arguments. For more information see [Providers Within Modules](https://developer.hashicorp.com/terraform/language/modules/develop/providers)
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
@@ -69,3 +69,14 @@ module "secrets_manager" {
   skip_en_iam_authorization_policy = var.skip_en_iam_authorization_policy
   endpoint_type                    = var.allowed_network == "private-only" ? "private" : "public"
 }
+
+# Configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.
+module "iam_secrets_engine" {
+  count                = var.iam_engine_enabled ? 1 : 0
+  source               = "terraform-ibm-modules/secrets-manager-iam-engine/ibm"
+  version              = "1.1.0"
+  region               = var.region
+  iam_engine_name      = var.iam_engine_name
+  secrets_manager_guid = module.secrets_manager.secrets_manager_guid
+  endpoint_type        = var.allowed_network == "private-only" ? "private" : "public"
+}
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
@@ -61,6 +61,18 @@ variable "secret_manager_tags" {
   default     = []
 }
 
+variable "iam_engine_enabled" {
+  type        = bool
+  description = "Set this to true to to configure an IBM Secrets Manager IAM credentials engine. If set to false, no iam engine will be configured for your secrets manager instance. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-configure-iam-engine."
+  default     = false
+}
+
+variable "iam_engine_name" {
+  type        = string
+  description = "The name of the IAM Engine used to configure an IBM Secrets Manager IAM credentials engine."
+  default     = "base-sm-iam-engine"
+}
+
 ########################################################################################################################
 # Key Protect
 ########################################################################################################################
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -134,6 +134,7 @@ func TestRunDASolutionSchematics(t *testing.T) {
 		{Name: "allowed_network", Value: "private-only", DataType: "string"},
 		{Name: "existing_kms_guid", Value: permanentResources["hpcs_south"], DataType: "string"},
 		{Name: "kms_region", Value: "us-south", DataType: "string"}, // KMS instance is in us-south
+		{Name: "iam_engine_enabled", Value: true, DataType: "bool"},
 	}
 
 	err := options.RunSchematicTest()

Original file line number	Diff line number	Diff line change
`@@ -134,6 +134,7 @@ func TestRunDASolutionSchematics(t *testing.T) {`
`134`	`134`	`{Name: "allowed_network", Value: "private-only", DataType: "string"},`
`135`	`135`	`{Name: "existing_kms_guid", Value: permanentResources["hpcs_south"], DataType: "string"},`
`136`	`136`	`{Name: "kms_region", Value: "us-south", DataType: "string"}, // KMS instance is in us-south`
	`137`	`+ {Name: "iam_engine_enabled", Value: true, DataType: "bool"},`
`137`	`138`	`}`
`138`	`139`
`139`	`140`	`err := options.RunSchematicTest()`