
terraform-ibm-modules/terraform-ibm-secrets-manager


Secrets Manager module

Badges: Graduated (Supported) | latest release | pre-commit | Renovate enabled | semantic-release

This module is used to provision and configure an IBM Cloud Secrets Manager instance.

Overview

Reference architectures

terraform-ibm-secrets-manager

Usage

```hcl
provider "ibm" {
  ibmcloud_api_key     = "XXXXXXXXXXXXXX"  # pragma: allowlist secret
  region               = "us-south"
}

module "secrets_manager" {
  source               = "terraform-ibm-modules/secrets-manager/ibm"
  version              = "X.X.X"  # Replace "X.X.X" with a release version to lock into a specific release
  resource_group_id    = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region               = "us-south"
  secrets_manager_name = "my-secrets-manager"
  sm_service_plan      = "trial"
}
```

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • Resource Group service
      • Viewer platform access
    • IAM Services
      • Secrets Manager service
        • Administrator platform access
        • Manager service access

Requirements

| Name | Version |
|------|---------|
| terraform | >= v1.0.0 |
| ibm | >= 1.62.0, < 2.0.0 |
| time | >= 0.9.1, < 1.0.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| cbr_rule | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.22.2 |

Resources

| Name | Type |
|------|------|
| ibm_iam_authorization_policy.en_policy | resource |
| ibm_iam_authorization_policy.kms_policy | resource |
| ibm_resource_instance.secrets_manager_instance | resource |
| ibm_sm_en_registration.sm_en_registration | resource |
| time_sleep.wait_for_authorization_policy | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allowed_network | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
| cbr_rules | (Optional, list) List of CBR rules to create. | `list(object({ description = string, account_id = string, rule_contexts = list(object({ attributes = optional(list(object({ name = string, value = string }))) })), enforcement_mode = string }))` | `[]` | no |
| enable_event_notification | Set this to `true` to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to `true`, a value must be passed for the `existing_en_instance_crn` variable. | `bool` | `false` | no |
| endpoint_type | The type of endpoint (`public` or `private`) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and to configure Event Notifications. | `string` | `"public"` | no |
| existing_en_instance_crn | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |
| existing_kms_instance_guid | The GUID of the Hyper Protect Crypto Services or Key Protect instance that the key specified in `kms_key_crn` belongs to. Required only if `kms_encryption_enabled` is set to `true` and `skip_kms_iam_authorization_policy` is set to `false`. | `string` | `null` | no |
| kms_encryption_enabled | Set this to `true` to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to `false`, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption. | `bool` | `false` | no |
| kms_key_crn | The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to `true`. | `string` | `null` | no |
| region | The region to provision the Secrets Manager instance to. | `string` | n/a | yes |
| resource_group_id | The ID of the resource group to provision the Secrets Manager instance to. | `string` | n/a | yes |
| secrets_manager_name | The name to give the Secrets Manager instance. | `string` | n/a | yes |
| skip_en_iam_authorization_policy | Set to `true` to skip the creation of an IAM authorization policy that grants all Secrets Manager instances in the resource group the 'Event Source Manager' role on the Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to `false`. | `bool` | `false` | no |
| skip_kms_iam_authorization_policy | Set to `true` to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to `false`, pass in a value for the KMS instance in the `existing_kms_instance_guid` variable. In addition, no policy is created if `kms_encryption_enabled` is set to `false`. | `bool` | `false` | no |
| sm_service_plan | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
| sm_tags | The list of resource tags that you want to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |
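The inputs above combine into a hardened invocation: customer-managed keys, private-only endpoints, lifecycle notifications and a context-based restriction. This is an added example, not the module's own documentation; every `<...>` value, the `prod-secrets-manager` name, the `ibmcloud_api_key` variable and the CBR network zone are placeholders or assumptions you replace with your own.

```hcl
# Added example, not the module's own docs: every <...> value is a placeholder.
variable "ibmcloud_api_key" {
  type      = string
  sensitive = true # pass via TF_VAR_ibmcloud_api_key; never hardcode it
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south"
}

module "secrets_manager" {
  source               = "terraform-ibm-modules/secrets-manager/ibm"
  version              = "X.X.X" # pin to a released version
  resource_group_id    = "<resource-group-id>"
  region               = "us-south"
  secrets_manager_name = "prod-secrets-manager"
  sm_service_plan      = "standard"

  # Private service endpoints only; the provider then also has to reach
  # the API over the private endpoint, so the runner needs private connectivity.
  allowed_network = "private-only"
  endpoint_type   = "private"

  # Customer-managed root key. kms_key_crn selects the key; the instance GUID
  # is required because the module creates the reader authorization policy.
  kms_encryption_enabled            = true
  kms_key_crn                       = "<root-key-crn>"
  existing_kms_instance_guid        = "<kms-instance-guid>"
  skip_kms_iam_authorization_policy = false

  # Lifecycle notifications (e.g. expiring secrets) through Event Notifications.
  enable_event_notification = true
  existing_en_instance_crn  = "<event-notifications-crn>"

  # Context-based restriction: only traffic from a pre-existing network zone.
  # Start with enforcement_mode = "report" to audit before enforcing.
  cbr_rules = [{
    description      = "Allow Secrets Manager access only from the trusted zone"
    account_id       = "<account-id>"
    enforcement_mode = "enabled"
    rule_contexts = [{
      attributes = [{
        name  = "networkZoneId"
        value = "<cbr-network-zone-id>"
      }]
    }]
  }]
}
```

Because `allowed_network = "private-only"` disables the public endpoint, `terraform plan` and `apply` must run from a host that can reach IBM Cloud private endpoints; otherwise the provider cannot configure the instance it just created.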

Outputs

| Name | Description |
|------|-------------|
| secrets_manager_crn | CRN of the Secrets Manager instance |
| secrets_manager_guid | GUID of the Secrets Manager instance |
| secrets_manager_id | ID of the Secrets Manager instance |
| secrets_manager_name | Name of the Secrets Manager instance |
| secrets_manager_region | Region of the Secrets Manager instance |

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.