-brightgreen){kind=icon}
Use this module to configure an IBM Secrets Manager IAM credentials engine for an existing IBM Secrets Manager instance.
The module supports the following operations:
- Creates a new Service ID.
- Assigns the new Service ID "Editor" role access for
iam-groups. - Assigns the new Service ID "Operator" and "Service ID creator" role access for
iam-identity. - Creates a new API key for the Service ID.
- Optionally creates a secrets group, if an existing one is not passed in.
- Creates a new arbitrary secret in the Secret Group with the generated Service ID API key value. Because it is an arbitrary secret, the IAM engine does not create the key or manage its rotation.
- Configures the Secret Manager instance with the IAM credentials engine using the Service ID API key.
provider "ibm" {
ibmcloud_api_key = "XXXXXXXXXXXXX"
region = "us-south" # secrets manager instance region
}
module "iam_secrets_engine" {
source = "terraform-ibm-modules/secrets-manager-iam-engine/ibm"
version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
region = "us-south" # secrets manager instance region
iam_engine_name = "iam-engine"
secrets_manager_guid = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}You need the following permissions to run this module.
- Account Management
- IAM Access Groups service
Editorplatform access
- IAM Identity service
Operatorplatform accessService ID creatorservice access if the service id creation is disabled in the iam settings
- Resource Group service
Viewerplatform access
- IAM Access Groups service
- IAM Services
- Secrets Manager service
Administratorplatform accessManagerservice access
- Secrets Manager service
| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| ibm | >= 1.62.0, <2.0.0 |
| Name | Source | Version |
|---|---|---|
| secrets_manager_group_acct | terraform-ibm-modules/secrets-manager-secret-group/ibm | 1.2.2 |
| secrets_manager_secret_iam_secret_generator_apikey | terraform-ibm-modules/secrets-manager-secret/ibm | 1.3.2 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| display_iam_secret_generator_apikey | Set to true to display the iam_secret_generator_apikey serviceID API Key in output. Should only be used by account admins. | bool |
false |
no |
| endpoint_type | The endpoint type to communicate with the provided secrets manager instance. Possible values are public or private |
string |
"public" |
no |
| existing_secret_group_id | The ID of an existing secret group that the Service ID (used to configure IAM secret engine) apikey secret will be added to. If null, a new group is created using the value in var.new_secret_group_name. | string |
null |
no |
| iam_engine_name | The name of the IAM Engine to create. | string |
n/a | yes |
| iam_secret_generator_apikey_description | Description of ServiceID API Key to be created for Secrets Manager IAM Secret engine | string |
"ServiceID API Key to be created for Secrets Manager IAM Secret engine" |
no |
| iam_secret_generator_apikey_name | Name of ServiceID API Key to be created for Secrets Manager IAM Secret engine | string |
"iam-secret-generator-apikey" |
no |
| iam_secret_generator_apikey_secret_labels | Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|). | list(string) |
[] |
no |
| iam_secret_generator_apikey_secret_name | Name of the secret to add to secrets-manager which contains the ServiceID API Key | string |
"iam-secret-generator-apikey-secret" |
no |
| iam_secret_generator_service_id_name | Optionally override the name of the Service ID that will be created to configure the secrets-manager IAM secret engine. If null, the default value will be "sid:0.0.1:${secrets_manager_name}-iam-secret-generator:automated:simple-service:secret-manager:" | string |
null |
no |
| new_secret_group_name | The name of a new secret group to create. This is the group that the Service ID (used to configure IAM secret engine) apikey secret will be added to. Ignored if value passed for var.existing_secret_group_id. | string |
"account-secret-group" |
no |
| region | The region in which the secrets-manager instance exists. | string |
n/a | yes |
| secrets_manager_guid | The GUID of the secrets-manager instance. | string |
n/a | yes |
| Name | Description |
|---|---|
| acct_secret_group_id | ID of created group_acct secret-group |
| iam_secret_generator_apikey | API Key value of ServiceID used to configure the Secrets-Manager IAM engine |
| iam_secret_generator_apikey_secret_id | Secret ID containing IAM secret generator serviceID API key |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.