terraform-ibm-modules · ocofaigh · Nov 13, 2025 · Sep 23, 2025 · Sep 29, 2025 · Sep 29, 2025
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-10-07T09:32:06Z",
+  "generated_at": "2025-10-27T07:44:08Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

@@ -154,9 +154,9 @@ You need the following permissions to run this module.
 | <a name="input_quotas"></a> [quotas](#input\_quotas) | Quotas to be applied to the Event Streams instance. Entity may be 'default' to apply to all users, or an IAM ServiceID for a specific user. Rates are bytes/second, with -1 meaning no quota. | <pre>list(object({<br/>    entity             = string<br/>    producer_byte_rate = optional(number, -1)<br/>    consumer_byte_rate = optional(number, -1)<br/>  }))</pre> | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region where the Event Streams instance is created. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes |
+| <a name="input_resource_keys"></a> [resource\_keys](#input\_resource\_keys) | A list of service credential resource keys to be created for the Event Streams instance. | <pre>list(object({<br/>    name     = string<br/>    key_name = optional(string, null)<br/>    role     = optional(string, "Manager")<br/>    endpoint = optional(string, "public")<br/>  }))</pre> | `[]` | no |
 | <a name="input_schema_global_rule"></a> [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no |
 | <a name="input_schemas"></a> [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. | <pre>list(object(<br/>    {<br/>      schema_id = string<br/>      schema = object({<br/>        type = string<br/>        name = string<br/>        fields = optional(list(object({<br/>          name = string<br/>          type = string<br/>        })))<br/>      })<br/>    }<br/>  ))</pre> | `[]` | no |
-| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of service endpoints. Possible values: 'public', 'private', 'public-and-private'. | `string` | `"public"` | no |
 | <a name="input_skip_es_s2s_iam_authorization_policy"></a> [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that will allow all Event Streams instances in the given resource group access to read from the mirror source instance. This policy is required when creating a mirroring instance, and will only be created if a value is passed in the mirroring input. | `bool` | `false` | no |
 | <a name="input_skip_kms_iam_authorization_policy"></a> [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `kms_key_crn` variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no |
@@ -178,8 +178,7 @@ You need the following permissions to run this module.
 | <a name="output_kafka_http_url"></a> [kafka\_http\_url](#output\_kafka\_http\_url) | The API endpoint to interact with Event Streams REST API |
 | <a name="output_mirroring_config_id"></a> [mirroring\_config\_id](#output\_mirroring\_config\_id) | The ID of the mirroring config in CRN format |
 | <a name="output_mirroring_topic_patterns"></a> [mirroring\_topic\_patterns](#output\_mirroring\_topic\_patterns) | Mirroring topic patterns |
-| <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | The service credentials JSON map. |
-| <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | The service credentials object. |
+| <a name="output_resource_keys"></a> [resource\_keys](#output\_resource\_keys) | List of resource keys |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- BEGIN CONTRIBUTING HOOK -->
 

@@ -60,9 +60,19 @@ module "event_streams" {
   ]
   metrics = []
   quotas  = []
-  service_credential_names = {
-    "es_writer" : "Writer",
-    "es_reader" : "Reader",
-    "es_manager" : "Manager"
-  }
+
+  resource_keys = [
+    {
+      name = "${var.prefix}-writer-key"
+      role = "Writer"
+    },
+    {
+      name = "${var.prefix}-reader-key"
+      role = "Reader"
+    },
+    {
+      name = "${var.prefix}-manager-key"
+      role = "Manager"
+    }
+  ]
 }
@@ -36,14 +36,8 @@ output "kafka_broker_version" {
   value       = module.event_streams.kafka_broker_version
 }
 
-output "service_credentials_json" {
-  description = "Service credentials json map"
-  value       = module.event_streams.service_credentials_json
-  sensitive   = true
-}
-
-output "service_credentials_object" {
-  description = "Service credentials object"
-  value       = module.event_streams.service_credentials_object
+output "resource_keys" {
+  description = "List of resource keys"
+  value       = module.event_streams.resource_keys
   sensitive   = true
 }
@@ -117,11 +117,25 @@ module "event_streams" {
     }
   ]
   schema_global_rule = "FORWARD"
-  service_credential_names = {
-    "es_writer" : "Writer",
-    "es_reader" : "Reader",
-    "es_manager" : "Manager"
-  }
+
+  resource_keys = [
+    {
+      name     = "${var.prefix}-writer-key"
+      role     = "Writer"
+      endpoint = "private"
+    },
+    {
+      name     = "${var.prefix}-reader-key"
+      role     = "Reader"
+      endpoint = "private"
+    },
+    {
+      name     = "${var.prefix}-manager-key"
+      role     = "Manager"
+      endpoint = "private"
+    }
+  ]
+
   cbr_rules = [
     {
       description      = "${var.prefix}-event streams access from vpc and schematics"

@@ -32,18 +32,11 @@ output "kafka_http_url" {
   value       = module.event_streams.kafka_http_url
 }
 
-output "service_credentials_json" {
-  description = "Service credentials json map"
-  value       = module.event_streams.service_credentials_json
+output "resource_keys" {
+  description = "List of resource keys"
+  value       = module.event_streams.resource_keys
   sensitive   = true
 }
-
-output "service_credentials_object" {
-  description = "Service credentials object"
-  value       = module.event_streams.service_credentials_object
-  sensitive   = true
-}
-
 output "mirroring_config_id" {
   description = "The ID of the mirroring config in CRN format"
   value       = module.event_streams.mirroring_config_id

@@ -245,7 +245,18 @@
               "key": "skip_event_streams_secrets_manager_auth_policy"
             },
             {
-              "key": "service_credential_names"
+              "key": "resource_keys",
+              "type": "array",
+              "custom_config": {
+                "type": "code_editor",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "supportedLanguages": [
+                    "hcl"
+                  ]
+                }
+              }
             },
             {
               "key": "existing_secrets_manager_endpoint_type",
@@ -739,7 +750,18 @@
               "key": "skip_event_streams_secrets_manager_auth_policy"
             },
             {
-              "key": "service_credential_names"
+              "key": "resource_keys",
+              "type": "array",
+              "custom_config": {
+                "type": "code_editor",
+                "grouping": "deployment",
+                "original_grouping": "deployment",
+                "config_constraints": {
+                  "supportedLanguages": [
+                    "hcl"
+                  ]
+                }
+              }
             },
             {
               "key": "existing_secrets_manager_endpoint_type",

@@ -226,24 +226,13 @@ module "cbr_rule" {
 }
 
 resource "ibm_resource_key" "service_credentials" {
-  for_each             = var.service_credential_names
-  name                 = each.key
-  role                 = each.value
+  for_each             = { for key in var.resource_keys : key.name => key }
+  name                 = each.value.key_name == null ? each.key : each.value.key_name
+  role                 = each.value.role
   resource_instance_id = ibm_resource_instance.es_instance.id
-}
-
-locals {
-  service_credentials_json = length(var.service_credential_names) > 0 ? {
-    for service_credential in ibm_resource_key.service_credentials :
-    service_credential["name"] => service_credential["credentials_json"]
-  } : null
-
-  service_credentials_object = length(var.service_credential_names) > 0 ? {
-    credentials = {
-      for service_credential in ibm_resource_key.service_credentials :
-      service_credential["name"] => service_credential["credentials"]
-    }
-  } : null
+  parameters = {
+    service-endpoints = each.value.endpoint
+  }
 }
 
 resource "ibm_event_streams_mirroring_config" "es_mirroring_config" {

@@ -39,9 +39,9 @@ No resources.
 | <a name="input_quotas"></a> [quotas](#input\_quotas) | Quotas to be applied to the Event Streams instance. Entity may be 'default' to apply to all users, or an IAM ServiceID for a specific user. Rates are bytes/second, with -1 meaning no quota. | <pre>list(object({<br/>    entity             = string<br/>    producer_byte_rate = optional(number, -1)<br/>    consumer_byte_rate = optional(number, -1)<br/>  }))</pre> | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region where the Event Streams are created. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes |
+| <a name="input_resource_keys"></a> [resource\_keys](#input\_resource\_keys) | A list of service credential resource keys to be created for the Event Streams instance. | <pre>list(object({<br/>    name     = string<br/>    role     = optional(string, "Reader")<br/>    endpoint = optional(string, "private")<br/>  }))</pre> | `[]` | no |
 | <a name="input_schema_global_rule"></a> [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no |
 | <a name="input_schemas"></a> [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. | <pre>list(object(<br/>    {<br/>      schema_id = string<br/>      schema = object({<br/>        type = string<br/>        name = string<br/>        fields = optional(list(object({<br/>          name = string<br/>          type = string<br/>        })))<br/>      })<br/>    }<br/>  ))</pre> | `[]` | no |
-| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no |
 | <a name="input_skip_es_s2s_iam_authorization_policy"></a> [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an Event Streams s2s IAM authorization policy to provision an Event Streams mirroring instance. This is required to read from the source cluster. This policy is required when creating mirroring instance. | `bool` | `false` | no |
 | <a name="input_skip_kms_iam_authorization_policy"></a> [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the kms\_key\_crn variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | The list of tags associated with the Event Streams instance. | `list(string)` | `[]` | no |
@@ -60,6 +60,5 @@ No resources.
 | <a name="output_kafka_http_url"></a> [kafka\_http\_url](#output\_kafka\_http\_url) | The API endpoint to interact with Event Streams REST API |
 | <a name="output_mirroring_config_id"></a> [mirroring\_config\_id](#output\_mirroring\_config\_id) | The ID of the mirroring config in CRN format |
 | <a name="output_mirroring_topic_patterns"></a> [mirroring\_topic\_patterns](#output\_mirroring\_topic\_patterns) | Mirroring topic patterns |
-| <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map |
-| <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object |
+| <a name="output_resource_keys"></a> [resource\_keys](#output\_resource\_keys) | List of resource keys |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -14,7 +14,7 @@ module "event_streams" {
   topics                               = var.topics
   service_endpoints                    = "private"
   cbr_rules                            = var.cbr_rules
-  service_credential_names             = var.service_credential_names
+  resource_keys                        = var.resource_keys
   metrics                              = var.metrics
   quotas                               = var.quotas
   kms_encryption_enabled               = true

@@ -32,15 +32,9 @@ output "kafka_broker_version" {
   value       = module.event_streams.kafka_broker_version
 }
 
-output "service_credentials_json" {
-  description = "Service credentials json map"
-  value       = module.event_streams.service_credentials_json
-  sensitive   = true
-}
-
-output "service_credentials_object" {
-  description = "Service credentials object"
-  value       = module.event_streams.service_credentials_object
+output "resource_keys" {
+  description = "List of resource keys"
+  value       = module.event_streams.resource_keys
   sensitive   = true
 }
 

@@ -101,10 +101,14 @@ variable "cbr_rules" {
   # Validation happens in the rule module
 }
 
-variable "service_credential_names" {
-  description = "The mapping of names and roles for service credentials that you want to create for the Event streams."
-  type        = map(string)
-  default     = {}
+variable "resource_keys" {
+  description = "A list of service credential resource keys to be created for the Event Streams instance."
+  type = list(object({
+    name     = string
+    role     = optional(string, "Reader")
+    endpoint = optional(string, "private")
+  }))
+  default = []
 }
 
 variable "metrics" {

@@ -35,15 +35,9 @@ output "kafka_broker_version" {
   value       = ibm_resource_instance.es_instance.extensions.kafka_broker_version
 }
 
-output "service_credentials_json" {
-  description = "The service credentials JSON map."
-  value       = local.service_credentials_json
-  sensitive   = true
-}
-
-output "service_credentials_object" {
-  description = "The service credentials object."
-  value       = local.service_credentials_object
+output "resource_keys" {
+  description = "List of resource keys"
+  value       = ibm_resource_key.service_credentials
   sensitive   = true
 }