From f65bba607d9eeb36db573037cb0702c4a4c17ce1 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Tue, 23 Sep 2025 11:09:23 +0530 Subject: [PATCH 01/21] feat: added support for creating service credentials with private endpoint --- README.md | 1 + main.tf | 3 +++ variables.tf | 6 ++++++ 3 files changed, 10 insertions(+) diff --git a/README.md b/README.md index 32f6ada7..090af3f8 100644 --- a/README.md +++ b/README.md @@ -157,6 +157,7 @@ You need the following permissions to run this module. | [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no | | [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. |
list(object(
{
schema_id = string
schema = object({
type = string
name = string
fields = optional(list(object({
name = string
type = string
})))
})
}
))
| `[]` | no | | [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no | +| [service\_credentials\_endpoints](#input\_service\_credentials\_endpoints) | Map of service credential names to endpoint type (public or private). If not specified, defaults to public. | `map(string)` | `{}` | no | | [service\_endpoints](#input\_service\_endpoints) | The type of service endpoints. Possible values: 'public', 'private', 'public-and-private'. | `string` | `"public"` | no | | [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that will allow all Event Streams instances in the given resource group access to read from the mirror source instance. This policy is required when creating a mirroring instance, and will only be created if a value is passed in the mirroring input. | `bool` | `false` | no | | [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `kms_key_crn` variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no | diff --git a/main.tf b/main.tf index a8b59079..57dcf22d 100644 --- a/main.tf +++ b/main.tf @@ -230,6 +230,9 @@ resource "ibm_resource_key" "service_credentials" { name = each.key role = each.value resource_instance_id = ibm_resource_instance.es_instance.id + parameters = lookup(var.service_credentials_endpoints, each.key, null) != null ? { + service-endpoints = var.service_credentials_endpoints[each.key] + } : null } locals { 
diff --git a/variables.tf b/variables.tf index da359829..fbc741ea 100644 --- a/variables.tf +++ b/variables.tf @@ -350,3 +350,9 @@ variable "iam_token_only" { error_message = "iam_token_only is only supported for enterprise plan." } } + +variable "service_credentials_endpoints" { + description = "Map of service credential names to endpoint type (public or private). If not specified, defaults to public." + type = map(string) + default = {} +} From eb3e79a0086a2a086356852ed13d4217315025cf Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Mon, 29 Sep 2025 11:34:59 +0530 Subject: [PATCH 02/21] updated fscloud example --- examples/fscloud/main.tf | 7 +++++++ modules/fscloud/README.md | 1 + modules/fscloud/main.tf | 1 + modules/fscloud/variables.tf | 6 ++++++ 4 files changed, 15 insertions(+) diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index 1cec1b4a..750a63f5 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf @@ -120,6 +120,13 @@ module "event_streams" { "es_reader" : "Reader", "es_manager" : "Manager" } + service_credentials_endpoints = { + "es_writer" : "private" + "es_reader" : "private" + "es_manager" : "private" + } + + cbr_rules = [ { description = "${var.prefix}-event streams access from vpc and schematics" diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index c134b436..717a0fd5 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md @@ -42,6 +42,7 @@ No resources. | [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no | | [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. |
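Review bot: The new `service_credentials_endpoints` variable accepts any string, yet main.tf forwards each value verbatim as the `service-endpoints` key parameter, so a misspelled value is only rejected by the provider at apply time instead of at plan time. The neighbouring `iam_token_only` variable already uses a `validation` block with an `error_message`, so this variable should follow that pattern with `condition = alltrue([for v in values(var.service_credentials_endpoints) : contains(["public", "private"], v)])` and an error message naming the two allowed values. The same omission is in the copy of this variable added to modules/fscloud/variables.tf in PATCH 02, and in the `service_credential_endpoint` string variables introduced in PATCH 03 (variables.tf, modules/fscloud/variables.tf, solutions/quickstart/variables.tf), where the condition reduces to `contains(["public", "private"], var.service_credential_endpoint)`.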
list(object(
{
schema_id = string
schema = object({
type = string
name = string
fields = optional(list(object({
name = string
type = string
})))
})
}
))
| `[]` | no | | [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no | +| [service\_credentials\_endpoints](#input\_service\_credentials\_endpoints) | Map of service credential names to endpoint type (public or private). If not specified, defaults to public. | `map(string)` | `{}` | no | | [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an Event Streams s2s IAM authorization policy to provision an Event Streams mirroring instance. This is required to read from the source cluster. This policy is required when creating mirroring instance. | `bool` | `false` | no | | [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the kms\_key\_crn variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no | | [tags](#input\_tags) | The list of tags associated with the Event Streams instance. | `list(string)` | `[]` | no | diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf index 77ea999c..76e91756 100644 --- a/modules/fscloud/main.tf +++ b/modules/fscloud/main.tf @@ -24,4 +24,5 @@ module "event_streams" { create_timeout = var.create_timeout update_timeout = var.update_timeout delete_timeout = var.delete_timeout + service_credentials_endpoints = var.service_credentials_endpoints } diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf index a1f8c83c..69f9ec66 100644 --- a/modules/fscloud/variables.tf +++ b/modules/fscloud/variables.tf 
@@ -107,6 +107,12 @@ variable "service_credential_names" { default = {} } +variable "service_credentials_endpoints" { + description = "Map of service credential names to endpoint type (public or private). If not specified, defaults to public." + type = map(string) + default = {} +} + variable "metrics" { type = list(string) description = "Enhanced metrics to activate, as list of strings. Allowed values: 'topic', 'partition', 'consumers'." From 746f6447990b2b1d806931eea09e0f8e741ea488 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Tue, 30 Sep 2025 18:57:21 +0530 Subject: [PATCH 03/21] resolve review comments --- README.md | 2 +- examples/fscloud/main.tf | 7 +------ ibm_catalog.json | 13 +++++++++++++ main.tf | 6 +++--- modules/fscloud/README.md | 2 +- modules/fscloud/main.tf | 2 +- modules/fscloud/variables.tf | 8 ++++---- solutions/quickstart/main.tf | 25 +++++++++++++------------ solutions/quickstart/variables.tf | 6 ++++++ solutions/security-enforced/main.tf | 1 + variables.tf | 8 ++++---- 11 files changed, 48 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index 090af3f8..d5e5184f 100644 --- a/README.md +++ b/README.md @@ -156,8 +156,8 @@ You need the following permissions to run this module. | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes | | [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no | | [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. |
list(object(
{
schema_id = string
schema = object({
type = string
name = string
fields = optional(list(object({
name = string
type = string
})))
})
}
))
| `[]` | no | +| [service\_credential\_endpoint](#input\_service\_credential\_endpoint) | Service credential endpoint type (public or private). If not specified, defaults to public. | `string` | `"public"` | no | | [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no | -| [service\_credentials\_endpoints](#input\_service\_credentials\_endpoints) | Map of service credential names to endpoint type (public or private). If not specified, defaults to public. | `map(string)` | `{}` | no | | [service\_endpoints](#input\_service\_endpoints) | The type of service endpoints. Possible values: 'public', 'private', 'public-and-private'. | `string` | `"public"` | no | | [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that will allow all Event Streams instances in the given resource group access to read from the mirror source instance. This policy is required when creating a mirroring instance, and will only be created if a value is passed in the mirroring input. | `bool` | `false` | no | | [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `kms_key_crn` variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no | diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index 750a63f5..9bfe5efc 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf 
@@ -120,12 +120,7 @@ module "event_streams" { "es_reader" : "Reader", "es_manager" : "Manager" } - service_credentials_endpoints = { - "es_writer" : "private" - "es_reader" : "private" - "es_manager" : "private" - } - + service_credential_endpoint = "private" cbr_rules = [ { diff --git a/ibm_catalog.json b/ibm_catalog.json index d0921228..809d8ba5 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -236,6 +236,19 @@ { "key": "service_credential_names" }, + { + "key": "service_credential_endpoint", + "options": [ + { + "displayname": "private", + "value": "private" + }, + { + "displayname": "public", + "value": "public" + } + ] + }, { "key": "existing_secrets_manager_endpoint_type", "hidden": true diff --git a/main.tf b/main.tf index 57dcf22d..d0eadd9e 100644 --- a/main.tf +++ b/main.tf @@ -230,9 +230,9 @@ resource "ibm_resource_key" "service_credentials" { name = each.key role = each.value resource_instance_id = ibm_resource_instance.es_instance.id - parameters = lookup(var.service_credentials_endpoints, each.key, null) != null ? { - service-endpoints = var.service_credentials_endpoints[each.key] - } : null + parameters = { + "service-endpoints" = var.service_credential_endpoint + } } locals { diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index 717a0fd5..09bf5659 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md @@ -41,8 +41,8 @@ No resources. | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes | | [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no | | [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. |
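Review bot: Setting `parameters` unconditionally means every key created by earlier module versions, which had no `parameters` at all (PATCH 01 is where the attribute was first added), now gets `service-endpoints = "public"` written into its configuration on the next apply. If the provider treats `parameters` on `ibm_resource_key` as a replacement-forcing attribute — I believe it does, but confirm against the provider schema — upgrading the module would recreate every existing service credential and silently rotate the secrets that consumers hold. Consider keeping the previous null when the default is chosen, `parameters = var.service_credential_endpoint == "private" ? { service-endpoints = "private" } : null`, or state the one-time replacement explicitly in the upgrade notes. The resource block continues outside the hunk.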
list(object(
{
schema_id = string
schema = object({
type = string
name = string
fields = optional(list(object({
name = string
type = string
})))
})
}
))
| `[]` | no | +| [service\_credential\_endpoint](#input\_service\_credential\_endpoint) | Service credential endpoint type (public or private). If not specified, defaults to public. | `string` | `"public"` | no | | [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no | -| [service\_credentials\_endpoints](#input\_service\_credentials\_endpoints) | Map of service credential names to endpoint type (public or private). If not specified, defaults to public. | `map(string)` | `{}` | no | | [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an Event Streams s2s IAM authorization policy to provision an Event Streams mirroring instance. This is required to read from the source cluster. This policy is required when creating mirroring instance. | `bool` | `false` | no | | [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the kms\_key\_crn variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no | | [tags](#input\_tags) | The list of tags associated with the Event Streams instance. | `list(string)` | `[]` | no | diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf index 76e91756..c8b233fc 100644 --- a/modules/fscloud/main.tf +++ b/modules/fscloud/main.tf 
@@ -15,6 +15,7 @@ module "event_streams" { service_endpoints = "private" cbr_rules = var.cbr_rules service_credential_names = var.service_credential_names + service_credential_endpoint = var.service_credential_endpoint metrics = var.metrics quotas = var.quotas kms_encryption_enabled = true @@ -24,5 +25,4 @@ module "event_streams" { create_timeout = var.create_timeout update_timeout = var.update_timeout delete_timeout = var.delete_timeout - service_credentials_endpoints = var.service_credentials_endpoints } diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf index 69f9ec66..38aeab1f 100644 --- a/modules/fscloud/variables.tf +++ b/modules/fscloud/variables.tf @@ -107,10 +107,10 @@ variable "service_credential_names" { default = {} } -variable "service_credentials_endpoints" { - description = "Map of service credential names to endpoint type (public or private). If not specified, defaults to public." - type = map(string) - default = {} +variable "service_credential_endpoint" { + description = "Service credential endpoint type (public or private). If not specified, defaults to public." + type = string + default = "public" } variable "metrics" { diff --git a/solutions/quickstart/main.tf b/solutions/quickstart/main.tf index a2f4060d..b3daa055 100644 --- a/solutions/quickstart/main.tf +++ b/solutions/quickstart/main.tf 
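Review bot: `service_credential_endpoint = var.service_credential_endpoint` lets a caller of the fscloud wrapper leave the default `"public"` in place on an instance whose `service_endpoints` is hard-coded to `"private"` a few lines above in the same hunk, so the compliance profile can hand out credentials that reference a public endpoint the instance presumably does not expose. The security-enforced solution changed in this same commit hard-codes `service_credential_endpoint = "private"`; the fscloud module should do the same, `service_credential_endpoint = "private"`, and drop the pass-through variable so the two hardened entry points behave consistently. The module block continues outside the hunk.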
@@ -16,18 +16,19 @@ module "resource_group" { ####################################################################################################################### module "event_streams" { - source = "../../" - resource_group_id = module.resource_group.resource_group_id - es_name = "${local.prefix}${var.event_streams_name}" - plan = var.plan - region = var.region - topics = var.topics - tags = var.resource_tags - access_tags = var.access_tags - service_credential_names = var.service_credential_names - create_timeout = var.create_timeout - update_timeout = var.update_timeout - delete_timeout = var.delete_timeout + source = "../../" + resource_group_id = module.resource_group.resource_group_id + es_name = "${local.prefix}${var.event_streams_name}" + plan = var.plan + region = var.region + topics = var.topics + tags = var.resource_tags + access_tags = var.access_tags + service_credential_names = var.service_credential_names + service_credential_endpoint = var.service_credential_endpoint + create_timeout = var.create_timeout + update_timeout = var.update_timeout + delete_timeout = var.delete_timeout } ######################################################################################################################## diff --git a/solutions/quickstart/variables.tf b/solutions/quickstart/variables.tf index 55cc58fe..995d5c2d 100644 --- a/solutions/quickstart/variables.tf +++ b/solutions/quickstart/variables.tf 
@@ -178,3 +178,9 @@ variable "skip_event_streams_secrets_manager_auth_policy" { nullable = false description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Event Streams.If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the Event Streams instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_instance_crn' is not passed." } + +variable "service_credential_endpoint" { + description = "Service credential endpoint type (public or private). If not specified, defaults to public." + type = string + default = "public" +} diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf index 7c325625..163e8a58 100644 --- a/solutions/security-enforced/main.tf +++ b/solutions/security-enforced/main.tf @@ -154,6 +154,7 @@ module "event_streams" { access_tags = var.access_tags service_endpoints = "private" service_credential_names = var.service_credential_names + service_credential_endpoint = "private" cbr_rules = var.cbr_rules schema_global_rule = var.schema_global_rule iam_token_only = var.iam_token_only diff --git a/variables.tf b/variables.tf index 8d0acfd2..55412c58 100644 --- a/variables.tf +++ b/variables.tf @@ -351,8 +351,8 @@ variable "iam_token_only" { } } -variable "service_credentials_endpoints" { - description = "Map of service credential names to endpoint type (public or private). If not specified, defaults to public." - type = map(string) - default = {} +variable "service_credential_endpoint" { + description = "Service credential endpoint type (public or private). If not specified, defaults to public." + type = string + default = "public" } From 17e665b2475c6045ddc6fdef445aa0a62c2e2ca2 Mon Sep 17 00:00:00 2001 
From: Khuzaima-Shakeel Date: Tue, 30 Sep 2025 19:16:13 +0530 Subject: [PATCH 04/21] minor fix --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index d0eadd9e..22db3485 100644 --- a/main.tf +++ b/main.tf @@ -231,7 +231,7 @@ resource "ibm_resource_key" "service_credentials" { role = each.value resource_instance_id = ibm_resource_instance.es_instance.id parameters = { - "service-endpoints" = var.service_credential_endpoint + service-endpoints = var.service_credential_endpoint } } From 1dbb86d2d199adb279e91ad5c30a19cf386421c0 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Mon, 27 Oct 2025 13:22:06 +0530 Subject: [PATCH 05/21] updated PR --- .secrets.baseline | 2 +- examples/fscloud/main.tf | 1 - modules/fscloud/README.md | 1 - modules/fscloud/main.tf | 2 +- modules/fscloud/variables.tf | 7 ------- 5 files changed, 2 insertions(+), 11 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index de91ae34..e1c979ab 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-10-07T09:32:06Z", + "generated_at": "2025-10-27T07:44:08Z", "plugins_used": [ { "name": "AWSKeyDetector" diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index daf42d05..3c564d23 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf @@ -120,7 +120,6 @@ module "event_streams" { "es_reader" : "Reader", "es_manager" : "Manager" } - service_credential_endpoint = "private" cbr_rules = [ { diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index 09bf5659..c134b436 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md 
@@ -41,7 +41,6 @@ No resources. | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes | | [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no | | [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. |
list(object(
{
schema_id = string
schema = object({
type = string
name = string
fields = optional(list(object({
name = string
type = string
})))
})
}
))
| `[]` | no | -| [service\_credential\_endpoint](#input\_service\_credential\_endpoint) | Service credential endpoint type (public or private). If not specified, defaults to public. | `string` | `"public"` | no | | [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no | | [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an Event Streams s2s IAM authorization policy to provision an Event Streams mirroring instance. This is required to read from the source cluster. This policy is required when creating mirroring instance. | `bool` | `false` | no | | [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the kms\_key\_crn variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no | diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf index c8b233fc..6f5fc9fb 100644 --- a/modules/fscloud/main.tf +++ b/modules/fscloud/main.tf @@ -15,7 +15,7 @@ module "event_streams" { service_endpoints = "private" cbr_rules = var.cbr_rules service_credential_names = var.service_credential_names - service_credential_endpoint = var.service_credential_endpoint + service_credential_endpoint = "private" metrics = var.metrics quotas = var.quotas kms_encryption_enabled = true diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf index 38aeab1f..e5400223 100644 --- a/modules/fscloud/variables.tf +++ b/modules/fscloud/variables.tf 
@@ -106,13 +106,6 @@ variable "service_credential_names" { type = map(string) default = {} } - -variable "service_credential_endpoint" { - description = "Service credential endpoint type (public or private). If not specified, defaults to public." - type = string - default = "public" -} - variable "metrics" { type = list(string) description = "Enhanced metrics to activate, as list of strings. Allowed values: 'topic', 'partition', 'consumers'." From 52c7d7bfccb34144ce51a7ba018c48693276af62 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Mon, 27 Oct 2025 13:26:39 +0530 Subject: [PATCH 06/21] minor fix --- examples/fscloud/main.tf | 1 - modules/fscloud/variables.tf | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index 3c564d23..67c91e0c 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf @@ -120,7 +120,6 @@ module "event_streams" { "es_reader" : "Reader", "es_manager" : "Manager" } - cbr_rules = [ { description = "${var.prefix}-event streams access from vpc and schematics" diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf index e5400223..a1f8c83c 100644 --- a/modules/fscloud/variables.tf +++ b/modules/fscloud/variables.tf @@ -106,6 +106,7 @@ variable "service_credential_names" { type = map(string) default = {} } + variable "metrics" { type = list(string) description = "Enhanced metrics to activate, as list of strings. Allowed values: 'topic', 'partition', 'consumers'." From 0af001d1dab187a9a94d336a280e9fa7acfe02b1 Mon Sep 17 00:00:00 2001 From: Khuzaima Shakeel <56439894+Khuzaima05@users.noreply.github.com> Date: Tue, 28 Oct 2025 09:57:40 +0530 Subject: [PATCH 07/21] Update ibm_catalog.json Co-authored-by: Akash Kumar --- ibm_catalog.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 0b9b723f..198ca1db 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json 
@@ -251,7 +251,7 @@ "key": "service_credential_endpoint", "options": [ { - "displayname": "private", + "displayname": "Private", "value": "private" }, { From 507779c38b8e36d09030134c31652b523c98719e Mon Sep 17 00:00:00 2001 From: Khuzaima Shakeel <56439894+Khuzaima05@users.noreply.github.com> Date: Tue, 28 Oct 2025 09:57:48 +0530 Subject: [PATCH 08/21] Update ibm_catalog.json Co-authored-by: Akash Kumar --- ibm_catalog.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 198ca1db..bbcfc79e 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -255,7 +255,7 @@ "value": "private" }, { - "displayname": "public", + "displayname": "Public", "value": "public" } ] From bd81578a0f30496e91c93cf125af90cbc32d37a1 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Mon, 3 Nov 2025 21:15:18 +0530 Subject: [PATCH 09/21] resolve review comments --- README.md | 8 ++--- examples/complete/main.tf | 20 +++++++++--- examples/complete/outputs.tf | 12 ++----- examples/fscloud/main.tf | 6 +--- examples/fscloud/outputs.tf | 13 ++------ ibm_catalog.json | 17 ++-------- main.tf | 22 +++---------- modules/fscloud/README.md | 5 ++- modules/fscloud/main.tf | 3 +- modules/fscloud/outputs.tf | 12 ++----- modules/fscloud/variables.tf | 12 ++++--- outputs.tf | 12 ++----- solutions/quickstart/DA-types.md | 41 +++++++++++++++--------- solutions/quickstart/main.tf | 25 +++++++-------- solutions/quickstart/outputs.tf | 12 ++----- solutions/quickstart/variables.tf | 18 +++++------ solutions/security-enforced/DA-types.md | 41 +++++++++++++++--------- solutions/security-enforced/main.tf | 3 +- solutions/security-enforced/outputs.tf | 12 ++----- solutions/security-enforced/variables.tf | 12 ++++--- tests/other_test.go | 1 - tests/pr_test.go | 1 - variables.tf | 31 +++++++++++------- 23 files changed, 152 insertions(+), 187 deletions(-) diff --git a/README.md b/README.md index dd64a90a..637bdb4c 100644 --- a/README.md +++ b/README.md 
@@ -129,7 +129,7 @@ You need the following permissions to run this module. | [ibm_iam_authorization_policy.es_s2s_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_resource_instance.es_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource | -| [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource | +| [ibm_resource_key.resource_keys](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource | | [ibm_resource_tag.es_access_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource | | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [time_sleep.wait_for_es_s2s_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | @@ -154,10 +154,9 @@ You need the following permissions to run this module. | [quotas](#input\_quotas) | Quotas to be applied to the Event Streams instance. Entity may be 'default' to apply to all users, or an IAM ServiceID for a specific user. Rates are bytes/second, with -1 meaning no quota. |
list(object({
entity = string
producer_byte_rate = optional(number, -1)
consumer_byte_rate = optional(number, -1)
}))
| `[]` | no | | [region](#input\_region) | The region where the Event Streams instance is created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes | +| [resource\_keys](#input\_resource\_keys) | The mapping of names and roles for service credentials that you want to create for the Event streams. |
list(object({
name = string
key_name = optional(string, null)
role = optional(string, "Manager")
endpoint = optional(string, "public")
}))
| `[]` | no | | [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no | | [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. |
list(object(
{
schema_id = string
schema = object({
type = string
name = string
fields = optional(list(object({
name = string
type = string
})))
})
}
))
| `[]` | no | -| [service\_credential\_endpoint](#input\_service\_credential\_endpoint) | Service credential endpoint type (public or private). If not specified, defaults to public. | `string` | `"public"` | no | -| [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no | | [service\_endpoints](#input\_service\_endpoints) | The type of service endpoints. Possible values: 'public', 'private', 'public-and-private'. | `string` | `"public"` | no | | [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that will allow all Event Streams instances in the given resource group access to read from the mirror source instance. This policy is required when creating a mirroring instance, and will only be created if a value is passed in the mirroring input. | `bool` | `false` | no | | [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `kms_key_crn` variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no | 
@@ -179,8 +178,7 @@ You need the following permissions to run this module. | [kafka\_http\_url](#output\_kafka\_http\_url) | The API endpoint to interact with Event Streams REST API | | [mirroring\_config\_id](#output\_mirroring\_config\_id) | The ID of the mirroring config in CRN format | | [mirroring\_topic\_patterns](#output\_mirroring\_topic\_patterns) | Mirroring topic patterns | -| [service\_credentials\_json](#output\_service\_credentials\_json) | The service credentials JSON map. | -| [service\_credentials\_object](#output\_service\_credentials\_object) | The service credentials object. | +| [resource\_keys](#output\_resource\_keys) | List of resource keys | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index afc78c17..64f767b3 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -60,9 +60,19 @@ module "event_streams" { ] metrics = [] quotas = [] - service_credential_names = { - "es_writer" : "Writer", - "es_reader" : "Reader", - "es_manager" : "Manager" - } + + resource_keys = [ + { + name = "${var.prefix}-writer-key" + role = "Writer" + }, + { + name = "${var.prefix}-reader-key" + role = "Reader" + }, + { + name = "${var.prefix}-manager-key" + role = "Manager" + } + ] } diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index 6656c847..5e303acf 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf @@ -36,14 +36,8 @@ output "kafka_broker_version" { value = module.event_streams.kafka_broker_version } -output "service_credentials_json" { - description = "Service credentials json map" - value = module.event_streams.service_credentials_json - sensitive = true -} - -output "service_credentials_object" { - description = "Service credentials object" - value = module.event_streams.service_credentials_object +output "resource_keys" { + description = "List of resource keys" + value = module.event_streams.resource_keys sensitive = true } 
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index 6caff247..f5f8326f 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf @@ -117,11 +117,7 @@ module "event_streams" { } ] schema_global_rule = "FORWARD" - service_credential_names = { - "es_writer" : "Writer", - "es_reader" : "Reader", - "es_manager" : "Manager" - } + cbr_rules = [ { description = "${var.prefix}-event streams access from vpc and schematics" diff --git a/examples/fscloud/outputs.tf b/examples/fscloud/outputs.tf index 8e53bdba..9c65f8d9 100644 --- a/examples/fscloud/outputs.tf +++ b/examples/fscloud/outputs.tf @@ -32,18 +32,11 @@ output "kafka_http_url" { value = module.event_streams.kafka_http_url } -output "service_credentials_json" { - description = "Service credentials json map" - value = module.event_streams.service_credentials_json +output "resource_keys" { + description = "List of resource keys" + value = module.event_streams.resource_keys sensitive = true } - -output "service_credentials_object" { - description = "Service credentials object" - value = module.event_streams.service_credentials_object - sensitive = true -} - output "mirroring_config_id" { description = "The ID of the mirroring config in CRN format" value = module.event_streams.mirroring_config_id diff --git a/ibm_catalog.json b/ibm_catalog.json index 62e0f272..7202a762 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -245,20 +245,7 @@ "key": "skip_event_streams_secrets_manager_auth_policy" }, { - "key": "service_credential_names" - }, - { - "key": "service_credential_endpoint", - "options": [ - { - "displayname": "Private", - "value": "private" - }, - { - "displayname": "Public", - "value": "public" - } - ] + "key": "resource_keys" }, { "key": "existing_secrets_manager_endpoint_type", @@ -752,7 +739,7 @@ "key": "skip_event_streams_secrets_manager_auth_policy" }, { - "key": "service_credential_names" + "key": "resource_keys" }, { "key": "existing_secrets_manager_endpoint_type", 
diff --git a/main.tf b/main.tf index b09757c2..33fa7971 100644 --- a/main.tf +++ b/main.tf @@ -225,30 +225,16 @@ module "cbr_rule" { }] } -resource "ibm_resource_key" "service_credentials" { - for_each = var.service_credential_names - name = each.key +resource "ibm_resource_key" "resource_keys" { + for_each = { for key in var.resource_keys : key.name => key } + name = each.value.key_name == null ? each.key : each.value.key_name role = each.value resource_instance_id = ibm_resource_instance.es_instance.id parameters = { - service-endpoints = var.service_credential_endpoint + service-endpoints = each.value.endpoint } } -locals { - service_credentials_json = length(var.service_credential_names) > 0 ? { - for service_credential in ibm_resource_key.service_credentials : - service_credential["name"] => service_credential["credentials_json"] - } : null - - service_credentials_object = length(var.service_credential_names) > 0 ? { - credentials = { - for service_credential in ibm_resource_key.service_credentials : - service_credential["name"] => service_credential["credentials"] - } - } : null -} - resource "ibm_event_streams_mirroring_config" "es_mirroring_config" { count = var.mirroring != null ? 1 : 0 resource_instance_id = ibm_resource_instance.es_instance.id diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index c0c399bd..a5e77703 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md @@ -39,9 +39,9 @@ No resources. | [quotas](#input\_quotas) | Quotas to be applied to the Event Streams instance. Entity may be 'default' to apply to all users, or an IAM ServiceID for a specific user. Rates are bytes/second, with -1 meaning no quota. |
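Review bot: The instance key is `key.name`, but the name sent to the provider is `key_name` whenever that field is set, so two entries with different `name` values and the same `key_name` would request two resource keys with the same name on the instance; whether the provider rejects that is not visible here. A uniqueness check on the effective name in the `resource_keys` variable would make the rule explicit: `condition = length(distinct([for k in var.resource_keys : coalesce(k.key_name, k.name)])) == length(var.resource_keys)`. Separately, `role = each.value` passes the whole object where the provider expects the role string; a later patch in this series (PATCH 10) changes it to `each.value.role`.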
list(object({
entity = string
producer_byte_rate = optional(number, -1)
consumer_byte_rate = optional(number, -1)
}))
| `[]` | no | | [region](#input\_region) | The region where the Event Streams are created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes | +| [resource\_keys](#input\_resource\_keys) | The definition of any resource keys to generate. |
list(object({
name = string
role = optional(string, "Reader")
endpoint = optional(string, "private")
}))
| `[]` | no | | [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no | | [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. |
list(object(
{
schema_id = string
schema = object({
type = string
name = string
fields = optional(list(object({
name = string
type = string
})))
})
}
))
| `[]` | no | -| [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no | | [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an Event Streams s2s IAM authorization policy to provision an Event Streams mirroring instance. This is required to read from the source cluster. This policy is required when creating mirroring instance. | `bool` | `false` | no | | [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the kms\_key\_crn variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no | | [tags](#input\_tags) | The list of tags associated with the Event Streams instance. | `list(string)` | `[]` | no | @@ -60,6 +60,5 @@ No resources. | [kafka\_http\_url](#output\_kafka\_http\_url) | The API endpoint to interact with Event Streams REST API | | [mirroring\_config\_id](#output\_mirroring\_config\_id) | The ID of the mirroring config in CRN format | | [mirroring\_topic\_patterns](#output\_mirroring\_topic\_patterns) | Mirroring topic patterns | -| [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map | -| [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object | +| [resource\_keys](#output\_resource\_keys) | List of resource keys | diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf index 6f5fc9fb..ab9fa121 100644 --- a/modules/fscloud/main.tf +++ b/modules/fscloud/main.tf 
@@ -14,8 +14,7 @@ module "event_streams" { topics = var.topics service_endpoints = "private" cbr_rules = var.cbr_rules - service_credential_names = var.service_credential_names - service_credential_endpoint = "private" + resource_keys = var.resource_keys metrics = var.metrics quotas = var.quotas kms_encryption_enabled = true diff --git a/modules/fscloud/outputs.tf b/modules/fscloud/outputs.tf index 0367f115..4ff327b8 100644 --- a/modules/fscloud/outputs.tf +++ b/modules/fscloud/outputs.tf @@ -32,15 +32,9 @@ output "kafka_broker_version" { value = module.event_streams.kafka_broker_version } -output "service_credentials_json" { - description = "Service credentials json map" - value = module.event_streams.service_credentials_json - sensitive = true -} - -output "service_credentials_object" { - description = "Service credentials object" - value = module.event_streams.service_credentials_object +output "resource_keys" { + description = "List of resource keys" + value = module.event_streams.resource_keys sensitive = true } diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf index 58302544..bb2b8607 100644 --- a/modules/fscloud/variables.tf +++ b/modules/fscloud/variables.tf @@ -101,10 +101,14 @@ variable "cbr_rules" { # Validation happens in the rule module } -variable "service_credential_names" { - description = "The mapping of names and roles for service credentials that you want to create for the Event streams." - type = map(string) - default = {} +variable "resource_keys" { + description = "The definition of any resource keys to generate." + type = list(object({ + name = string + role = optional(string, "Reader") + endpoint = optional(string, "private") + })) + default = [] } variable "metrics" { diff --git a/outputs.tf b/outputs.tf index 96113a81..a6738ff1 100644 --- a/outputs.tf +++ b/outputs.tf 
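Review bot: The fscloud wrapper previously hard-coded `service_credential_endpoint = "private"`; it now forwards `var.resource_keys`, whose `endpoint` defaults to `private` in modules/fscloud/variables.tf but can be overridden per entry, so the private-only guarantee now rests on the root variable's validation against `service_endpoints = "private"` rather than on this module. A validation on the fscloud `resource_keys` variable keeps the guarantee local and gives a clearer error: `condition = alltrue([for key in var.resource_keys : key.endpoint == "private"])` with `error_message = "The fscloud module only creates resource keys with a private endpoint."`. The same applies to solutions/security-enforced/main.tf and solutions/security-enforced/variables.tf, which drop the same hard-coded value.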
@@ -35,15 +35,9 @@ output "kafka_broker_version" { value = ibm_resource_instance.es_instance.extensions.kafka_broker_version } -output "service_credentials_json" { - description = "The service credentials JSON map." - value = local.service_credentials_json - sensitive = true -} - -output "service_credentials_object" { - description = "The service credentials object." - value = local.service_credentials_object +output "resource_keys" { + description = "List of resource keys" + value = ibm_resource_key.resource_keys sensitive = true } diff --git a/solutions/quickstart/DA-types.md b/solutions/quickstart/DA-types.md index 0c306c4b..336016c4 100644 --- a/solutions/quickstart/DA-types.md +++ b/solutions/quickstart/DA-types.md 
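Review bot: The description `List of resource keys` does not match the value: `ibm_resource_key.resource_keys` is created with `for_each`, so the output is a map keyed by each entry's `name`, and each element is the full resource including the `credentials` and `credentials_json` attributes the removed locals used to read, which is why `sensitive = true` has to stay. Suggest `description = "Map of resource keys keyed by name; each value is the full ibm_resource_key resource, including its credentials (sensitive)."`. Dropping `service_credentials_json` and `service_credentials_object` is a breaking change for callers of this module and is worth stating in the commit message. The same `List of resource keys` description is used by the wrapper outputs in examples/complete/outputs.tf, examples/fscloud/outputs.tf, modules/fscloud/outputs.tf, solutions/quickstart/outputs.tf and solutions/security-enforced/outputs.tf.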
@@ -2,32 +2,41 @@ Several optional input variables in the IBM Cloud [Event Streams deployable architecture](https://cloud.ibm.com/catalog/7df1e4ca-d54c-4fd0-82ce-3d13247308cd/architecture/deploy-arch-ibm-event-streams-8272d54f-b54f-46a6-8dd6-772c6db82e87) use complex object types. You specify these inputs when you configure you deployable architecture. -- [Service credentials](#svc-credential-name) (`service_credential_names`) +- [Resource keys](#resource-keys) (`resource_keys`) - [Service credential secrets](#service-credential-secrets) (`service_credential_secrets`) -## Service credentials +## Resource keys +When you add an IBM Cloud Object Storage service from the IBM Cloud catalog to an IBM Cloud Projects service, you can configure resource keys. In the edit mode for the projects configuration, select the Configure panel and then click the optional tab. -You can specify a set of IAM credentials to connect to the instance with the `service_credential_names` input variable. Include a credential name and IAM service role for each key-value pair. Each role provides a specific level of access to the instance. For more information, see [Adding and viewing credentials](https://cloud.ibm.com/docs/account?topic=account-service_credentials&interface=ui). +In the configuration, specify the name of the resource key, , the Role of the key and an optional endpoint. -If you want to add service credentials to secret manager and to allow secret manager to manage it, you should use `service_credential_secrets` , see [Service credential secrets](#service-credential-secrets) +To enter a custom value, use the edit action to open the "Edit Array" panel. Add the resource key configurations to the array here. -- Variable name: `service_credential_names`. -- Type: A map. The key is the name of the service credential. The value is the role that is assigned to that credential. -- Default value: An empty map (`{}`). 
+ [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) about resource keys. -### Options for service_credential_names +- Variable name: `resource_keys`. +- Type: A list of objects that represent a resource key +- Default value: An empty list (`[]`) -- Key (required): The name of the service credential. -- Value (required): The IAM service role that is assigned to the credential. The following values are valid for service credential roles: 'Manager', 'Writer', 'Reader'. For more information, see [IBM Cloud IAM roles](https://cloud.ibm.com/docs/account?topic=account-userroles). +### Options for resource_key -### Example service credentials +- `name` (required): A unique human-readable name that identifies this resource key. +- `role` (optional, default = `Reader`): The name of the user role. +- `endpoint` (optional, default = `public`): The endpoint of resource key. +The following example includes all the configuration options for two resource keys. One is with a `Reader` role with `Public` endpoint, the other with an IAM key with `Writer` role. ```hcl -{ - "es_writer" : "Writer", - "es_reader" : "Reader", - "es_manager" : "Manager" -} +[ + { + "name": "cos-reader-resource-key", + "role": "Reader", + "endpoint": "public" + }, + { + "name": "cos-writer-resource-key", + "role": "Writer" + } +] ``` ## Service credential secrets diff --git a/solutions/quickstart/main.tf b/solutions/quickstart/main.tf index 9e8c24a4..2bdc4cdd 100644 --- a/solutions/quickstart/main.tf +++ b/solutions/quickstart/main.tf 
@@ -16,19 +16,18 @@ module "resource_group" { ####################################################################################################################### module "event_streams" { - source = "../../" - resource_group_id = module.resource_group.resource_group_id - es_name = "${local.prefix}${var.event_streams_name}" - plan = var.plan - region = var.region - topics = var.topics - tags = var.resource_tags - access_tags = var.access_tags - service_credential_names = var.service_credential_names - service_credential_endpoint = var.service_credential_endpoint - create_timeout = var.create_timeout - update_timeout = var.update_timeout - delete_timeout = var.delete_timeout + source = "../../" + resource_group_id = module.resource_group.resource_group_id + es_name = "${local.prefix}${var.event_streams_name}" + plan = var.plan + region = var.region + topics = var.topics + tags = var.resource_tags + access_tags = var.access_tags + resource_keys = var.resource_keys + create_timeout = var.create_timeout + update_timeout = var.update_timeout + delete_timeout = var.delete_timeout } ######################################################################################################################## diff --git a/solutions/quickstart/outputs.tf b/solutions/quickstart/outputs.tf index c698d2ec..e66f852d 100644 --- a/solutions/quickstart/outputs.tf +++ b/solutions/quickstart/outputs.tf @@ -41,15 +41,9 @@ output "kafka_broker_version" { value = module.event_streams.kafka_broker_version } -output "service_credentials_json" { - description = "Service credentials json map" - value = module.event_streams.service_credentials_json - sensitive = true -} - -output "service_credentials_object" { - description = "Service credentials object" - value = module.event_streams.service_credentials_object +output "resource_keys" { + description = "List of resource keys" + value = module.event_streams.resource_keys sensitive = true } 
diff --git a/solutions/quickstart/variables.tf b/solutions/quickstart/variables.tf index 1b886cae..b05ea1b5 100644 --- a/solutions/quickstart/variables.tf +++ b/solutions/quickstart/variables.tf @@ -96,10 +96,14 @@ variable "topics" { } -variable "service_credential_names" { - description = "The mapping of names and roles for service credentials that you want to create for the Event streams.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/security-enforced/DA-types.md#svc-credential-name)" - type = map(string) - default = {} +variable "resource_keys" { + description = "The definition of the resource keys to generate. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/quickstart/DA-types.md#resource-keys)." + type = list(object({ + name = string + role = optional(string, "Reader") + endpoint = optional(string, "public") + })) + default = [] } variable "create_timeout" { @@ -179,9 +183,3 @@ variable "skip_event_streams_secrets_manager_auth_policy" { nullable = false description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Event Streams.If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the Event Streams instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_instance_crn' is not passed." } - -variable "service_credential_endpoint" { - description = "Service credential endpoint type (public or private). If not specified, defaults to public." - type = string - default = "public" -} diff --git a/solutions/security-enforced/DA-types.md b/solutions/security-enforced/DA-types.md index 0d33d809..f2afacb9 100644 --- a/solutions/security-enforced/DA-types.md +++ b/solutions/security-enforced/DA-types.md 
@@ -2,34 +2,43 @@ Several optional input variables in the IBM Cloud Event Streams deployable architecture use complex object types. You specify these inputs when you configure you deployable architecture. -- [Service credentials](#svc-credential-name) (`service_credential_names`) +- [Resource keys](#resource-keys) (`resource_keys`) - [Service credential secrets](#service-credential-secrets) (`service_credential_secrets`) - [Quotas](#quotas) (`quotas`) - [Mirroring](#mirroring) (`quotas`) -## Service credentials +## Resource keys +When you add an IBM Cloud Object Storage service from the IBM Cloud catalog to an IBM Cloud Projects service, you can configure resource keys. In the edit mode for the projects configuration, select the Configure panel and then click the optional tab. -You can specify a set of IAM credentials to connect to the instance with the `service_credential_names` input variable. Include a credential name and IAM service role for each key-value pair. Each role provides a specific level of access to the instance. For more information, see [Adding and viewing credentials](https://cloud.ibm.com/docs/account?topic=account-service_credentials&interface=ui). +In the configuration, specify the name of the resource key, , the Role of the key and an optional endpoint. -If you want to add service credentials to secret manager and to allow secret manager to manage it, you should use `service_credential_secrets` , see [Service credential secrets](#service-credential-secrets). +To enter a custom value, use the edit action to open the "Edit Array" panel. Add the resource key configurations to the array here. -- Variable name: `service_credential_names`. -- Type: A map. The key is the name of the service credential. The value is the role that is assigned to that credential. -- Default value: An empty map (`{}`). + [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) about resource keys. 
-### Options for service_credential_names +- Variable name: `resource_keys`. +- Type: A list of objects that represent a resource key +- Default value: An empty list (`[]`) -- Key (required): The name of the service credential. -- Value (required): The IAM service role that is assigned to the credential. The following values are valid for service credential roles: 'Manager', 'Writer', 'Reader'. For more information, see [IBM Cloud IAM roles](https://cloud.ibm.com/docs/account?topic=account-userroles). +### Options for resource_key -### Example service credentials +- `name` (required): A unique human-readable name that identifies this resource key. +- `role` (optional, default = `Reader`): The name of the user role. +- `endpoint` (optional, default = `public`): The endpoint of resource key. +The following example includes all the configuration options for two resource keys. One is with a `Reader` role with `Private` endpoint, the other with an IAM key with `Writer` role. ```hcl -{ - "es_writer" : "Writer", - "es_reader" : "Reader", - "es_manager" : "Manager" -} +[ + { + "name": "cos-reader-resource-key", + "role": "Reader", + "endpoint": "private" + }, + { + "name": "cos-writer-resource-key", + "role": "Writer" + } +] ``` ## Service credential secrets diff --git a/solutions/security-enforced/main.tf b/solutions/security-enforced/main.tf index ec41f1b0..c3b8bcf3 100644 --- a/solutions/security-enforced/main.tf +++ b/solutions/security-enforced/main.tf @@ -153,8 +153,7 @@ module "event_streams" { tags = var.resource_tags access_tags = var.access_tags service_endpoints = "private" - service_credential_names = var.service_credential_names - service_credential_endpoint = "private" + resource_keys = var.resource_keys cbr_rules = var.cbr_rules schema_global_rule = var.schema_global_rule iam_token_only = var.iam_token_only diff --git a/solutions/security-enforced/outputs.tf b/solutions/security-enforced/outputs.tf index 2db4b458..5327b858 100644 
--- a/solutions/security-enforced/outputs.tf +++ b/solutions/security-enforced/outputs.tf @@ -41,15 +41,9 @@ output "kafka_broker_version" { value = module.event_streams.kafka_broker_version } -output "service_credentials_json" { - description = "Service credentials json map" - value = module.event_streams.service_credentials_json - sensitive = true -} - -output "service_credentials_object" { - description = "Service credentials object" - value = module.event_streams.service_credentials_object +output "resource_keys" { + description = "List of resource keys" + value = module.event_streams.resource_keys sensitive = true } diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index 4d6095ba..61be2d05 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf @@ -123,10 +123,14 @@ variable "quotas" { default = [] } -variable "service_credential_names" { - description = "The mapping of names and roles for service credentials that you want to create for the Event streams.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/security-enforced/DA-types.md#svc-credential-name)" - type = map(string) - default = {} +variable "resource_keys" { + description = "The definition of the resource keys to generate. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/security-enforced/DA-types.md#resource-keys)." + type = list(object({ + name = string + role = optional(string, "Reader") + endpoint = optional(string, "private") + })) + default = [] } variable "iam_token_only" { diff --git a/tests/other_test.go b/tests/other_test.go index 6d628705..b78b9325 100644 --- a/tests/other_test.go +++ b/tests/other_test.go 
@@ -150,7 +150,6 @@ func setupSecurityEnforcedOptions(t *testing.T, prefix string) *testschematic.Te {Name: "create_timeout", Value: "6h", DataType: "string"}, {Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"}, {Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"}, - {Name: "service_credential_names", Value: "{\"es_writer\": \"Writer\", \"es_reader\": \"Reader\"}", DataType: "map(string)"}, {Name: "metrics", Value: []string{"topic", "partition", "consumers"}, DataType: "list(string)"}, {Name: "quotas", Value: quotas, DataType: "list(object)"}, {Name: "schema_global_rule", Value: "FORWARD", DataType: "string"}, diff --git a/tests/pr_test.go b/tests/pr_test.go index b3f6792e..eb88eee4 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -101,7 +101,6 @@ func setupQuickstartOptions(t *testing.T, prefix string) *testschematic.TestSche {Name: "create_timeout", Value: "6h", DataType: "string"}, {Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"}, {Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"}, - {Name: "service_credential_names", Value: "{\"es_writer\": \"Writer\", \"es_reader\": \"Reader\"}", DataType: "map(string)"}, } return options } diff --git a/variables.tf b/variables.tf index 1623389d..aa76b04c 100644 --- a/variables.tf +++ b/variables.tf 
@@ -249,14 +249,27 @@ variable "cbr_rules" { } } -variable "service_credential_names" { +variable "resource_keys" { description = "The mapping of names and roles for service credentials that you want to create for the Event streams." - type = map(string) - default = {} - + type = list(object({ + name = string + key_name = optional(string, null) + role = optional(string, "Manager") + endpoint = optional(string, "public") + })) + default = [] validation { - condition = alltrue([for name, role in var.service_credential_names : contains(["Writer", "Reader", "Manager"], role)]) - error_message = "The specified service credential role is not valid. The following values are valid for service credential roles: 'Writer', 'Reader', 'Manager'" + condition = alltrue([ + for key in var.resource_keys : contains(["Writer", "Reader", "Manager"], key.role) + ]) + error_message = "`resource_keys` role must be one of the following: `Writer', `Reader` or `Manager`." + } + validation { + condition = !( + var.service_endpoints == "private" && + anytrue([for key in var.resource_keys : key.endpoint == "public"]) + ) + error_message = "When service_endpoints is set to 'private', resource key endpoints cannot be 'public'." } } @@ -375,9 +388,3 @@ variable "iam_token_only" { error_message = "iam_token_only is only supported for enterprise plan." } } - -variable "service_credential_endpoint" { - description = "Service credential endpoint type (public or private). If not specified, defaults to public." - type = string - default = "public" -} From 306b3b7e81b30396051bc8513b46c787b28a935a Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Mon, 10 Nov 2025 15:04:03 +0530 Subject: [PATCH 10/21] added moved block --- main.tf | 7 ++++++- tests/pr_test.go | 11 +++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 86be3a74..7f8bb1cd 100644 --- a/main.tf +++ b/main.tf 
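Review bot: The default `role = optional(string, "Manager")` grants the most privileged role to any entry that omits `role`, while the wrapper variables in modules/fscloud, solutions/quickstart and solutions/security-enforced default to `Reader`; for least privilege and consistency the root default should be `role = optional(string, "Reader")`. The accepted values of `endpoint` are never checked, only the private/public conflict, so a misspelt value passes straight to the provider now that the catalog entry no longer offers a fixed Private/Public choice (ibm_catalog.json hunk); add a third validation with `condition = alltrue([for key in var.resource_keys : contains(["public", "private"], key.endpoint)])`. The description still reads as the old `map(string)` input ("mapping of names and roles") and does not mention `key_name` or `endpoint`. The second validation references `var.service_endpoints` from inside another variable's block, which Terraform only accepts from 1.9 onward; confirm the module's `required_version` floor allows it.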
@@ -225,10 +225,15 @@ module "cbr_rule" { }] } +moved { + from = ibm_resource_key.service_credentials + to = ibm_resource_key.resource_keys +} + resource "ibm_resource_key" "resource_keys" { for_each = { for key in var.resource_keys : key.name => key } name = each.value.key_name == null ? each.key : each.value.key_name - role = each.value + role = each.value.role resource_instance_id = ibm_resource_instance.es_instance.id parameters = { service-endpoints = each.value.endpoint diff --git a/tests/pr_test.go b/tests/pr_test.go index eb88eee4..88dc7560 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -88,6 +88,16 @@ func setupQuickstartOptions(t *testing.T, prefix string) *testschematic.TestSche }, }, } + resourceKeys := []map[string]interface{}{ + { + "name": "es_writer", + "role": "Writer", + }, + { + "name": "es_reader", + "role": "Reader", + }, +} options.TerraformVars = []testschematic.TestSchematicTerraformVar{ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, @@ -101,6 +111,7 @@ func setupQuickstartOptions(t *testing.T, prefix string) *testschematic.TestSche {Name: "create_timeout", Value: "6h", DataType: "string"}, {Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"}, {Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"}, + {Name: "resource_keys", Value: resourceKeys, DataType: "list(object)"}, } return options } From e9dd681661659746416b73308a6632da140b816e Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Mon, 10 Nov 2025 15:09:46 +0530 Subject: [PATCH 11/21] fix pre-commit --- tests/pr_test.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/pr_test.go b/tests/pr_test.go index 88dc7560..136f4644 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go 
@@ -89,15 +89,15 @@ func setupQuickstartOptions(t *testing.T, prefix string) *testschematic.TestSche }, } resourceKeys := []map[string]interface{}{ - { - "name": "es_writer", - "role": "Writer", - }, - { - "name": "es_reader", - "role": "Reader", - }, -} + { + "name": "es_writer", + "role": "Writer", + }, + { + "name": "es_reader", + "role": "Reader", + }, + } options.TerraformVars = []testschematic.TestSchematicTerraformVar{ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, From 88383bad05316bf6b0102890fc332471a0dc1b99 Mon Sep 17 00:00:00 2001 From: Khuzaima Shakeel <56439894+Khuzaima05@users.noreply.github.com> Date: Mon, 10 Nov 2025 18:22:17 +0530 Subject: [PATCH 12/21] Update variables.tf Co-authored-by: Akash Kumar --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index aa76b04c..6a64f407 100644 --- a/variables.tf +++ b/variables.tf @@ -269,7 +269,7 @@ variable "resource_keys" { var.service_endpoints == "private" && anytrue([for key in var.resource_keys : key.endpoint == "public"]) ) - error_message = "When service_endpoints is set to 'private', resource key endpoints cannot be 'public'." + error_message = "When `service_endpoints` variable is set to `private`, `resource_key.endpoint` value cannot be set as `public`." } } From b0cd0e4a088607260351ca89d233385f7fb23241 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Mon, 10 Nov 2025 18:32:21 +0530 Subject: [PATCH 13/21] resolve review comments --- examples/fscloud/main.tf | 15 +++++++++++++++ main.tf | 5 ----- moved.tf | 4 ++++ tests/other_test.go | 12 ++++++++++++ 4 files changed, 31 insertions(+), 5 deletions(-) create mode 100644 moved.tf diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index bbdf9cad..55544c06 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf 
@@ -118,6 +118,21 @@ module "event_streams" { ] schema_global_rule = "FORWARD" + resource_keys = [ + { + name = "${var.prefix}-writer-key" + role = "Writer" + }, + { + name = "${var.prefix}-reader-key" + role = "Reader" + }, + { + name = "${var.prefix}-manager-key" + role = "Manager" + } + ] + cbr_rules = [ { description = "${var.prefix}-event streams access from vpc and schematics" diff --git a/main.tf b/main.tf index 7f8bb1cd..29fe19c6 100644 --- a/main.tf +++ b/main.tf @@ -225,11 +225,6 @@ module "cbr_rule" { }] } -moved { - from = ibm_resource_key.service_credentials - to = ibm_resource_key.resource_keys -} - resource "ibm_resource_key" "resource_keys" { for_each = { for key in var.resource_keys : key.name => key } name = each.value.key_name == null ? each.key : each.value.key_name diff --git a/moved.tf b/moved.tf new file mode 100644 index 00000000..bc89101f --- /dev/null +++ b/moved.tf @@ -0,0 +1,4 @@ +moved { + from = ibm_resource_key.service_credentials + to = ibm_resource_key.resource_keys +} \ No newline at end of file diff --git a/tests/other_test.go b/tests/other_test.go index b78b9325..803ecb8d 100644 --- a/tests/other_test.go +++ b/tests/other_test.go @@ -139,6 +139,17 @@ func setupSecurityEnforcedOptions(t *testing.T, prefix string) *testschematic.Te }, } + resourceKeys := []map[string]interface{}{ + { + "name": "es_writer", + "role": "Writer", + }, + { + "name": "es_reader", + "role": "Reader", + }, + } + options.TerraformVars = []testschematic.TestSchematicTerraformVar{ {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, {Name: "prefix", Value: options.Prefix, DataType: "string"}, 
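Review bot: The `moved` block matches instances by key, and the keys changed from the map keys of `service_credential_names` to `key.name` in `var.resource_keys`, so an existing credential is carried over only when the new entry's `name` equals its old map key; every other entry is planned as destroy-and-create, which issues new credentials and invalidates the old ones. A comment on the block would save operators from an unplanned credential rotation, e.g. `# Instances are matched by key: reuse the previous service_credential_names key as the entry's name, otherwise the key is recreated.` The block was introduced in main.tf in PATCH 10 and is moved here unchanged.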
@@ -150,6 +161,7 @@ func setupSecurityEnforcedOptions(t *testing.T, prefix string) *testschematic.Te {Name: "create_timeout", Value: "6h", DataType: "string"}, {Name: "existing_secrets_manager_instance_crn", Value: permanentResources["secretsManagerCRN"], DataType: "string"}, {Name: "service_credential_secrets", Value: serviceCredentialSecrets, DataType: "list(object)"}, + {Name: "resource_keys", Value: resourceKeys, DataType: "list(object)"}, {Name: "metrics", Value: []string{"topic", "partition", "consumers"}, DataType: "list(string)"}, {Name: "quotas", Value: quotas, DataType: "list(object)"}, {Name: "schema_global_rule", Value: "FORWARD", DataType: "string"}, From 815df4c6f9e97e415e7ad7980a53a209028b1f4e Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Mon, 10 Nov 2025 18:43:37 +0530 Subject: [PATCH 14/21] fix pre-commit --- moved.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/moved.tf b/moved.tf index bc89101f..01bd55a2 100644 --- a/moved.tf +++ b/moved.tf @@ -1,4 +1,4 @@ moved { from = ibm_resource_key.service_credentials to = ibm_resource_key.resource_keys -} \ No newline at end of file +} From ec9f3f00df43a5bdb0a195a4245bad0dd405808f Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Tue, 11 Nov 2025 13:54:55 +0530 Subject: [PATCH 15/21] minor fix --- solutions/quickstart/variables.tf | 2 +- solutions/security-enforced/variables.tf | 2 +- variables.tf | 10 +++++++++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/solutions/quickstart/variables.tf b/solutions/quickstart/variables.tf index b05ea1b5..b90c4ce9 100644 --- a/solutions/quickstart/variables.tf +++ b/solutions/quickstart/variables.tf 
@@ -97,7 +97,7 @@ variable "topics" { variable "resource_keys" { - description = "The definition of the resource keys to generate. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/quickstart/DA-types.md#resource-keys)." + description = "The mapping of names and roles for service credentials that you want to create for the Event streams. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/quickstart/DA-types.md#resource-keys)." type = list(object({ name = string role = optional(string, "Reader") diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index 61be2d05..3c8e65fb 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf @@ -124,7 +124,7 @@ variable "quotas" { } variable "resource_keys" { - description = "The definition of the resource keys to generate. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/security-enforced/DA-types.md#resource-keys)." + description = "The mapping of names and roles for service credentials that you want to create for the Event streams. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/security-enforced/DA-types.md#resource-keys)." type = list(object({ name = string role = optional(string, "Reader") diff --git a/variables.tf b/variables.tf index 6a64f407..357a94b8 100644 --- a/variables.tf +++ b/variables.tf 
@@ -269,7 +269,15 @@ variable "resource_keys" { var.service_endpoints == "private" && anytrue([for key in var.resource_keys : key.endpoint == "public"]) ) - error_message = "When `service_endpoints` variable is set to `private`, `resource_key.endpoint` value cannot be set as `public`." + error_message = "When `service_endpoints` is set to `private`, `resource_key.endpoint` value cannot be `public`." + } + + validation { + condition = !( + var.service_endpoints == "public" && + anytrue([for key in var.resource_keys : key.endpoint == "private"]) + ) + error_message = "When `service_endpoints` is set to `public`, `resource_key.endpoint` value cannot be `private`." } } From 9d3480a341b104e53e90a5b9c2d5b64886f5f538 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Tue, 11 Nov 2025 21:34:52 +0530 Subject: [PATCH 16/21] resolve review comments --- README.md | 2 +- examples/fscloud/main.tf | 15 ++-- solutions/quickstart/DA-types.md | 107 ----------------------- solutions/quickstart/variables.tf | 2 +- solutions/security-enforced/DA-types.md | 7 +- solutions/security-enforced/variables.tf | 2 +- tests/other_test.go | 10 ++- variables.tf | 6 +- 8 files changed, 25 insertions(+), 126 deletions(-) delete mode 100644 solutions/quickstart/DA-types.md diff --git a/README.md b/README.md index 613538c6..8141afb8 100644 --- a/README.md +++ b/README.md @@ -154,7 +154,7 @@ You need the following permissions to run this module. | [quotas](#input\_quotas) | Quotas to be applied to the Event Streams instance. Entity may be 'default' to apply to all users, or an IAM ServiceID for a specific user. Rates are bytes/second, with -1 meaning no quota. |
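Review bot: The added validation only rejects `private` keys on a `public` instance; nothing checks that `endpoint` is one of the two supported values, so a typo such as `privte` passes both validations and is handed to the `ibm_resource_key` resource unchanged, where the failure surfaces late and with a provider error instead of a clear message. Add a third block with `condition = alltrue([for key in var.resource_keys : contains(["public", "private"], key.endpoint)])` and `error_message = "`resource_keys` endpoint must be `public` or `private`."` so it fails at plan time. Both existing conditions also accept any key endpoint when `service_endpoints` is `public-and-private`, which looks intended but is worth stating in the variable description. The enclosing `variable "resource_keys"` block starts before this hunk.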
list(object({
entity = string
producer_byte_rate = optional(number, -1)
consumer_byte_rate = optional(number, -1)
}))
| `[]` | no | | [region](#input\_region) | The region where the Event Streams instance is created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes | -| [resource\_keys](#input\_resource\_keys) | The mapping of names and roles for service credentials that you want to create for the Event streams. |
list(object({
name = string
key_name = optional(string, null)
role = optional(string, "Manager")
endpoint = optional(string, "public")
}))
| `[]` | no | +| [resource\_keys](#input\_resource\_keys) | A list of service credential resource keys to be created for the Event Streams instance. |
list(object({
name = string
key_name = optional(string, null)
role = optional(string, "Manager")
endpoint = optional(string, "public")
}))
| `[]` | no | | [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no | | [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. |
list(object(
{
schema_id = string
schema = object({
type = string
name = string
fields = optional(list(object({
name = string
type = string
})))
})
}
))
| `[]` | no | | [service\_endpoints](#input\_service\_endpoints) | The type of service endpoints. Possible values: 'public', 'private', 'public-and-private'. | `string` | `"public"` | no | diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index 55544c06..e165c546 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf @@ -120,16 +120,19 @@ module "event_streams" { resource_keys = [ { - name = "${var.prefix}-writer-key" - role = "Writer" + name = "${var.prefix}-writer-key" + role = "Writer" + endpoint = "private" }, { - name = "${var.prefix}-reader-key" - role = "Reader" + name = "${var.prefix}-reader-key" + role = "Reader" + endpoint = "private" }, { - name = "${var.prefix}-manager-key" - role = "Manager" + name = "${var.prefix}-manager-key" + role = "Manager" + endpoint = "private" } ] diff --git a/solutions/quickstart/DA-types.md b/solutions/quickstart/DA-types.md deleted file mode 100644 index 336016c4..00000000 --- a/solutions/quickstart/DA-types.md +++ /dev/null 
@@ -1,107 +0,0 @@ -# Configuring complex inputs in Event Streams - -Several optional input variables in the IBM Cloud [Event Streams deployable architecture](https://cloud.ibm.com/catalog/7df1e4ca-d54c-4fd0-82ce-3d13247308cd/architecture/deploy-arch-ibm-event-streams-8272d54f-b54f-46a6-8dd6-772c6db82e87) use complex object types. You specify these inputs when you configure you deployable architecture. - -- [Resource keys](#resource-keys) (`resource_keys`) -- [Service credential secrets](#service-credential-secrets) (`service_credential_secrets`) - -## Resource keys -When you add an IBM Cloud Object Storage service from the IBM Cloud catalog to an IBM Cloud Projects service, you can configure resource keys. In the edit mode for the projects configuration, select the Configure panel and then click the optional tab. - -In the configuration, specify the name of the resource key, , the Role of the key and an optional endpoint. - -To enter a custom value, use the edit action to open the "Edit Array" panel. Add the resource key configurations to the array here. - - [Learn more](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) about resource keys. - -- Variable name: `resource_keys`. -- Type: A list of objects that represent a resource key -- Default value: An empty list (`[]`) - -### Options for resource_key - -- `name` (required): A unique human-readable name that identifies this resource key. -- `role` (optional, default = `Reader`): The name of the user role. -- `endpoint` (optional, default = `public`): The endpoint of resource key. - -The following example includes all the configuration options for two resource keys. One is with a `Reader` role with `Public` endpoint, the other with an IAM key with `Writer` role. 
-```hcl -[ - { - "name": "cos-reader-resource-key", - "role": "Reader", - "endpoint": "public" - }, - { - "name": "cos-writer-resource-key", - "role": "Writer" - } -] -``` - -## Service credential secrets - -When you add an IBM Event Streams deployable architecture from the IBM Cloud catalog to IBM Cloud Project, you can configure service credentials. In edit mode for the projects configuration, from the configure panel click the optional tab. - -To enter a custom value, use the edit action to open the "Edit Array" panel. Add the service credential secrets configurations to the array here. - -In the configuration, specify the secret group name, whether it already exists or will be created and include all the necessary service credential secrets that need to be created within that secret group. - - [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-getting-started#getting-started) about service credential secrets. - -- Variable name: `service_credential_secrets`. -- Type: A list of objects that represent service credential secret groups and secrets -- Default value: An empty list (`[]`) - -### Options for service_credential_secrets - -- `secret_group_name` (required): A unique human-readable name that identifies this service credential secret group. -- `secret_group_description` (optional, default = `null`): A human-readable description for this secret group. -- `existing_secret_group`: (optional, default = `false`): Set to true, if secret group name provided in the variable `secret_group_name` already exists. -- `service_credentials`: (required): A list of object that represents a service credential secret. - -#### Options for service_credentials - -- `secret_name`: (required): A unique human-readable name of the secret to create. -- `service_credentials_source_service_role_crn`: (required): The CRN of the role to give the service credential in the IBM Cloud Database service. 
Service credentials role CRNs can be found at https://cloud.ibm.com/iam/roles, select the IBM Cloud Database and select the role. -- `secret_labels`: (optional, default = `[]`): Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|). -- `secret_auto_rotation`: (optional, default = `true`): Whether to configure automatic rotation of service credential. -- `secret_auto_rotation_unit`: (optional, default = `day`): Specifies the unit of time for rotation of a secret. Acceptable values are `day` or `month`. -- `secret_auto_rotation_interval`: (optional, default = `89`): Specifies the rotation interval for the rotation unit. -- `service_credentials_ttl`: (optional, default = `7776000`): The time-to-live (TTL) to assign to generated service credentials (in seconds). -- `service_credential_secret_description`: (optional, default = `null`): Description of the secret to create. - -The following example includes all the configuration options for four service credentials and two secret groups. 
-```hcl -[ -{ - "secret_group_name": "sg-1" - "existing_secret_group": true - "service_credentials": [ #pragma: allowlist secret - { - "secret_name": "cred-1" - "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Writer" - "secret_labels": ["test-writer-1", "test-writer-2"] - "secret_auto_rotation": true - "secret_auto_rotation_unit": "day" - "secret_auto_rotation_interval": 89 - "service_credentials_ttl": 7776000 - "service_credential_secret_description": "sample description" - }, - { - "secret_name": "cred-2" - "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Reader" - } - ] -}, -{ - "secret_group_name": "sg-2" - "service_credentials": [ #pragma: allowlist secret - { - "secret_name": "cred-3" - "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor" - } - ] -} -] -``` diff --git a/solutions/quickstart/variables.tf b/solutions/quickstart/variables.tf index b90c4ce9..af37f7dd 100644 --- a/solutions/quickstart/variables.tf +++ b/solutions/quickstart/variables.tf @@ -97,7 +97,7 @@ variable "topics" { variable "resource_keys" { - description = "The mapping of names and roles for service credentials that you want to create for the Event streams. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/quickstart/DA-types.md#resource-keys)." + description = "A list of service credential resource keys to be created for the Event Streams instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/security-enforced/DA-types.md#resource-keys)." type = list(object({ name = string role = optional(string, "Reader") diff --git a/solutions/security-enforced/DA-types.md b/solutions/security-enforced/DA-types.md index f2afacb9..c91790aa 100644 --- a/solutions/security-enforced/DA-types.md +++ b/solutions/security-enforced/DA-types.md 
@@ -1,14 +1,14 @@ # Configuring complex inputs in Event Streams -Several optional input variables in the IBM Cloud Event Streams deployable architecture use complex object types. You specify these inputs when you configure you deployable architecture. +Several optional input variables in the IBM Cloud Event Streams deployable architecture use complex object types. You specify these inputs when you configure your deployable architecture. - [Resource keys](#resource-keys) (`resource_keys`) - [Service credential secrets](#service-credential-secrets) (`service_credential_secrets`) - [Quotas](#quotas) (`quotas`) -- [Mirroring](#mirroring) (`quotas`) +- [Mirroring](#mirroring) (`mirroring`) ## Resource keys -When you add an IBM Cloud Object Storage service from the IBM Cloud catalog to an IBM Cloud Projects service, you can configure resource keys. In the edit mode for the projects configuration, select the Configure panel and then click the optional tab. +When you add an IBM Event Streams deployable architecture from the IBM Cloud catalog to an IBM Cloud Projects service, you can configure resource keys. In the edit mode for the projects configuration, select the Configure panel and then click the optional tab. In the configuration, specify the name of the resource key, , the Role of the key and an optional endpoint. @@ -37,6 +37,7 @@ The following example includes all the configuration options for two resource ke { "name": "cos-writer-resource-key", "role": "Writer" + "endpoint": "public" } ] ``` diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf index 3c8e65fb..e79640d2 100644 --- a/solutions/security-enforced/variables.tf +++ b/solutions/security-enforced/variables.tf 
@@ -124,7 +124,7 @@ variable "quotas" { } variable "resource_keys" { - description = "The mapping of names and roles for service credentials that you want to create for the Event streams. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/security-enforced/DA-types.md#resource-keys)." + description = "A list of service credential resource keys to be created for the Event Streams instance. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/security-enforced/DA-types.md#resource-keys)." type = list(object({ name = string role = optional(string, "Reader") diff --git a/tests/other_test.go b/tests/other_test.go index 803ecb8d..7a338bbe 100644 --- a/tests/other_test.go +++ b/tests/other_test.go @@ -141,12 +141,14 @@ func setupSecurityEnforcedOptions(t *testing.T, prefix string) *testschematic.Te resourceKeys := []map[string]interface{}{ { - "name": "es_writer", - "role": "Writer", + "name": "es_writer", + "role": "Writer", + "endpoint": "private", }, { - "name": "es_reader", - "role": "Reader", + "name": "es_reader", + "role": "Reader", + "endpoint": "private", }, } diff --git a/variables.tf b/variables.tf index 357a94b8..501a1601 100644 --- a/variables.tf +++ b/variables.tf @@ -250,7 +250,7 @@ variable "cbr_rules" { } variable "resource_keys" { - description = "The mapping of names and roles for service credentials that you want to create for the Event streams." + description = "A list of service credential resource keys to be created for the Event Streams instance." type = list(object({ name = string key_name = optional(string, null) 
@@ -260,9 +260,9 @@ variable "resource_keys" { default = [] validation { condition = alltrue([ - for key in var.resource_keys : contains(["Writer", "Reader", "Manager"], key.role) + for key in var.resource_keys : contains(["Writer", "Reader", "Manager", "NONE"], key.role) ]) - error_message = "`resource_keys` role must be one of the following: `Writer', `Reader` or `Manager`." + error_message = "`resource_keys` role must be one of the following: `Writer', `Reader`, `Manager` or `NONE`." } validation { condition = !( From 3f6bb4e36681ffbee94ecab4b525b72983d1132d Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Wed, 12 Nov 2025 17:29:28 +0530 Subject: [PATCH 17/21] remove moved block --- README.md | 2 +- main.tf | 2 +- moved.tf | 4 ---- outputs.tf | 2 +- 4 files changed, 3 insertions(+), 7 deletions(-) delete mode 100644 moved.tf diff --git a/README.md b/README.md index 8141afb8..5242a29e 100644 --- a/README.md +++ b/README.md 
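Review bot: The rewritten error message keeps the unbalanced quoting of the first role from the original line, a backtick opened and an apostrophe closed (`Writer'`); it should read `Writer`, `Reader`, `Manager` or `NONE` with matching backticks. The newly accepted `NONE` role is not explained anywhere in the variable description; one sentence on what a key with role `NONE` is permitted to do, and when a caller would want it, would let reviewers judge whether enabling it is safe. Separately, the README rows for this variable document a `Manager` default for `role` in the root module while the `solutions/*` and `modules/fscloud` variables default to `Reader`; if the root default really is `Manager`, the least-privilege choice is to align it with `Reader`. The `role` default line is outside this hunk, so that last point is inferred from the README.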
@@ -129,7 +129,7 @@ You need the following permissions to run this module. | [ibm_iam_authorization_policy.es_s2s_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_resource_instance.es_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource | -| [ibm_resource_key.resource_keys](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource | +| [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource | | [ibm_resource_tag.es_access_tag](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_tag) | resource | | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [time_sleep.wait_for_es_s2s_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | diff --git a/main.tf b/main.tf index 29fe19c6..c4c1f5d5 100644 --- a/main.tf +++ b/main.tf @@ -225,7 +225,7 @@ module "cbr_rule" { }] } -resource "ibm_resource_key" "resource_keys" { +resource "ibm_resource_key" "service_credentials" { for_each = { for key in var.resource_keys : key.name => key } name = each.value.key_name == null ? each.key : each.value.key_name role = each.value.role diff --git a/moved.tf b/moved.tf deleted file mode 100644 index 01bd55a2..00000000 --- a/moved.tf +++ /dev/null @@ -1,4 +0,0 @@ -moved { - from = ibm_resource_key.service_credentials - to = ibm_resource_key.resource_keys -} diff --git a/outputs.tf b/outputs.tf index a6738ff1..492a0d7f 100644 --- a/outputs.tf +++ b/outputs.tf 
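Review bot: `for_each` deduplicates on `key.name`, but the credential's actual name is `key_name` whenever that is set, so two entries with different `name` values and the same `key_name` produce two credentials that cannot be told apart by display name; a validation such as `length(distinct([for k in var.resource_keys : k.key_name == null ? k.name : k.key_name])) == length(var.resource_keys)` on the variable would reject that. Reverting the address to `ibm_resource_key.service_credentials` and deleting `moved.tf` is only safe if the `resource_keys` address never shipped in a release; if it did, users on that release would see a destroy and recreate of every credential, which is a forced rotation — presumably it only ever existed on this branch. The resource body continues past the hunk.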
@@ -37,7 +37,7 @@ output "kafka_broker_version" { output "resource_keys" { description = "List of resource keys" - value = ibm_resource_key.resource_keys + value = ibm_resource_key.service_credentials sensitive = true } From b6a40a07d2a42df6b36776bd8c165e708c039f2a Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Wed, 12 Nov 2025 17:45:22 +0530 Subject: [PATCH 18/21] updated description --- modules/fscloud/README.md | 2 +- modules/fscloud/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md index a5e77703..02a66415 100644 --- a/modules/fscloud/README.md +++ b/modules/fscloud/README.md @@ -39,7 +39,7 @@ No resources. | [quotas](#input\_quotas) | Quotas to be applied to the Event Streams instance. Entity may be 'default' to apply to all users, or an IAM ServiceID for a specific user. Rates are bytes/second, with -1 meaning no quota. |
list(object({
entity = string
producer_byte_rate = optional(number, -1)
consumer_byte_rate = optional(number, -1)
}))
| `[]` | no | | [region](#input\_region) | The region where the Event Streams are created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes | -| [resource\_keys](#input\_resource\_keys) | The definition of any resource keys to generate. |
list(object({
name = string
role = optional(string, "Reader")
endpoint = optional(string, "private")
}))
| `[]` | no | +| [resource\_keys](#input\_resource\_keys) | A list of service credential resource keys to be created for the Event Streams instance. |
list(object({
name = string
role = optional(string, "Reader")
endpoint = optional(string, "private")
}))
| `[]` | no | | [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no | | [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. |
list(object(
{
schema_id = string
schema = object({
type = string
name = string
fields = optional(list(object({
name = string
type = string
})))
})
}
))
| `[]` | no | | [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an Event Streams s2s IAM authorization policy to provision an Event Streams mirroring instance. This is required to read from the source cluster. This policy is required when creating mirroring instance. | `bool` | `false` | no | diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf index bb2b8607..68bdda65 100644 --- a/modules/fscloud/variables.tf +++ b/modules/fscloud/variables.tf @@ -102,7 +102,7 @@ variable "cbr_rules" { } variable "resource_keys" { - description = "The definition of any resource keys to generate." + description = "A list of service credential resource keys to be created for the Event Streams instance." type = list(object({ name = string role = optional(string, "Reader") From 355eab1399b44ac5dc0b7f7702df72a4e257b3ee Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Thu, 13 Nov 2025 15:56:20 +0530 Subject: [PATCH 19/21] resolve review comments --- ibm_catalog.json | 16 ++++++++++++++-- solutions/security-enforced/DA-types.md | 10 +++++----- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index 7202a762..27fa1b99 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -245,7 +245,13 @@ "key": "skip_event_streams_secrets_manager_auth_policy" }, { - "key": "resource_keys" + "key": "resource_keys", + "type": "array", + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "existing_secrets_manager_endpoint_type", @@ -739,7 +745,13 @@ "key": "skip_event_streams_secrets_manager_auth_policy" }, { - "key": "resource_keys" + "key": "resource_keys", + "type": "array", + "custom_config": { + "type": "code_editor", + "grouping": "deployment", + "original_grouping": "deployment" + } }, { "key": "existing_secrets_manager_endpoint_type", 
diff --git a/solutions/security-enforced/DA-types.md b/solutions/security-enforced/DA-types.md index c91790aa..869c31a7 100644 --- a/solutions/security-enforced/DA-types.md +++ b/solutions/security-enforced/DA-types.md @@ -23,21 +23,21 @@ To enter a custom value, use the edit action to open the "Edit Array" panel. Add ### Options for resource_key - `name` (required): A unique human-readable name that identifies this resource key. -- `role` (optional, default = `Reader`): The name of the user role. -- `endpoint` (optional, default = `public`): The endpoint of resource key. +- `role` (optional, default = `Reader`): The name of the user role. These are the supported roles : `Writer`, `Reader`, `Manager`, `NONE` . +- `endpoint` (optional, default = `private`): The endpoint of resource key. The following example includes all the configuration options for two resource keys. One is with a `Reader` role with `Private` endpoint, the other with an IAM key with `Writer` role. ```hcl [ { - "name": "cos-reader-resource-key", + "name": "es-reader-resource-key", "role": "Reader", "endpoint": "private" }, { - "name": "cos-writer-resource-key", + "name": "es-writer-resource-key", "role": "Writer" - "endpoint": "public" + "endpoint": "private" } ] ``` From a1c84adbf0c51da47d0413a0e739d549dd68e356 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Thu, 13 Nov 2025 16:55:05 +0530 Subject: [PATCH 20/21] resolve comments --- ibm_catalog.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/ibm_catalog.json b/ibm_catalog.json index 27fa1b99..f8c87413 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -251,6 +251,11 @@ "type": "code_editor", "grouping": "deployment", "original_grouping": "deployment" + }, + "config_constraints": { + "supportedLanguages": [ + "hcl" + ] } }, { @@ -751,6 +756,11 @@ "type": "code_editor", "grouping": "deployment", "original_grouping": "deployment" + }, + "config_constraints": { + "supportedLanguages": [ + "hcl" + ] } }, { 
From f8eb3b7aafd84e780209a48e17a2529eec3484d0 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Thu, 13 Nov 2025 17:24:50 +0530 Subject: [PATCH 21/21] updated custom_config --- ibm_catalog.json | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/ibm_catalog.json b/ibm_catalog.json index f8c87413..b2d562a2 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -250,12 +250,12 @@ "custom_config": { "type": "code_editor", "grouping": "deployment", - "original_grouping": "deployment" - }, - "config_constraints": { - "supportedLanguages": [ - "hcl" - ] + "original_grouping": "deployment", + "config_constraints": { + "supportedLanguages": [ + "hcl" + ] + } } }, { @@ -755,12 +755,12 @@ "custom_config": { "type": "code_editor", "grouping": "deployment", - "original_grouping": "deployment" - }, - "config_constraints": { - "supportedLanguages": [ - "hcl" - ] + "original_grouping": "deployment", + "config_constraints": { + "supportedLanguages": [ + "hcl" + ] + } } }, {