
Orders a public certificate secret in a Secrets Manager instance that has the public certificates engine configured


terraform-ibm-modules/terraform-ibm-secrets-manager-public-cert


Secrets manager public cert module


This module orders a public certificate in an IBM Secrets Manager secrets group from an existing Secrets Manager instance that has a public certificate engine configured.

The module supports the following secret types:


Usage

module "public_certificate" {
  source                = "terraform-ibm-modules/secrets-manager-public-cert/ibm"
  version               = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  cert_common_name      = "<common_name_for_domain>"
  cert_description      = "Certificate for example domain"
  cert_name             = "example-public-certificate"
  cert_secrets_group_id = "<secrets_manager_secret_group_id>" # pragma: allowlist secret

  secrets_manager_ca_name           = "My CA Config"
  secrets_manager_dns_provider_name = "My DNS Provider Config"

  secrets_manager_guid   = "<secrets_manager_instance_id>" # pragma: allowlist secret
  secrets_manager_region = "us-south"
}

##############################################################################
# Example for CA with two DNS domains
##############################################################################
# Engine CA and first DNS config
##############################################################################
module "secrets_manager_public_cert_engine" {
  # The engine (CA and DNS configs) is created by the separate public cert engine module,
  # not by this module; the inputs below are engine-module inputs.
  source                       = "terraform-ibm-modules/secrets-manager-public-cert-engine/ibm"
  version                      = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  secrets_manager_guid         = "<secrets_manager_guid>"
  region                       = "us-south"
  internet_services_crn        = ibm_cis.cis_instance.id
  ibmcloud_cis_api_key         = var.ibmcloud_api_key
  dns_config_name              = "DNS Provider Config"
  ca_config_name               = "CA Config"
  acme_letsencrypt_private_key = var.acme_letsencrypt_private_key
}
##############################################################################
# Engine second DNS config
##############################################################################
module "secrets_manager_public_cert_engine_second_dns" {
  # Second DNS config on the same engine; the CA config already exists, so only the DNS config name is given.
  source                = "terraform-ibm-modules/secrets-manager-public-cert-engine/ibm"
  version               = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  secrets_manager_guid  = "<secrets_manager_guid>"
  region                = "us-south"
  internet_services_crn = ibm_cis.cis_instance.id
  ibmcloud_cis_api_key  = var.ibmcloud_api_key
  dns_config_name       = "Second DNS Provider Config"
}
##############################################################################
# Certificate in two DNS configuration
##############################################################################
module "secrets_manager_public_certificate" {
  source                = "terraform-ibm-modules/secrets-manager-public-cert/ibm"
  version               = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  cert_common_name      = var.cert_common_name
  cert_description      = "Certificate for ${var.cert_common_name} domain"
  cert_name             = "goldeneye-instance-sm-public-cert"
  cert_secrets_group_id = "<secret_group_id>"

  secrets_manager_ca_name           = "CA Config"
  secrets_manager_dns_provider_name = "Second DNS Provider Config"

  secrets_manager_guid   = "<secrets_manager_guid>"
  secrets_manager_region = "us-south"

}

Required IAM access policies

  • Account Management
    • Resource Group service
    • Viewer platform access
  • IAM Services
    • Secrets Manager service
      • Editor platform access
      • Manager service access

Requirements

  • terraform: >= 1.3.0
  • ibm: >= 1.62.0, < 2.0.0

Modules

No modules.

Resources

  • ibm_sm_public_certificate.secrets_manager_public_certificate (resource)

Inputs

Each input is listed as: name (type, default, required or optional): description.

  • bundle_certs (bool, default true, optional): Indicates whether the issued certificate is bundled with intermediate certificates.
  • cert_alt_names (list(string), default null, optional): Alternate names (SANs) for the certificate to be created.
  • cert_common_name (string, no default, required): Fully qualified domain name or host domain name for the certificate to be created.
  • cert_description (string, default null, optional): Extended description of the certificate to be created. To protect privacy, do not use personal data, such as a name or location, as the description.
  • cert_name (string, no default, required): The name of the certificate to be created in Secrets Manager.
  • cert_rotation (object({ auto_rotate = optional(bool), rotate_keys = optional(bool) }), default { auto_rotate = true, rotate_keys = false }, optional): Rotation policy for the certificate to be created.
  • cert_secrets_group_id (string, default "default", optional): ID of the Secrets Manager secret group to store the certificate in.
  • key_algorithm (string, default "RSA2048", optional): The identifier for the cryptographic algorithm used to generate the public key that is associated with the certificate.
  • secrets_manager_ca_name (string, no default, required): The name of the Secrets Manager certificate authority configuration.
  • secrets_manager_dns_provider_name (string, no default, required): The name of the Secrets Manager DNS provider configuration.
  • secrets_manager_guid (string, no default, required): Secrets Manager instance GUID.
  • secrets_manager_region (string, no default, required): Region the Secrets Manager instance is in.
  • service_endpoints (string, default "public", optional): Service endpoint type used to communicate with the Secrets Manager instance. Possible values are public or private.
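After the secret has been issued, it is worth checking that the PEM Secrets Manager returned actually matches what was requested through the inputs above (cert_common_name, cert_alt_names, key_algorithm and bundle_certs). The following shell function is an added example and not part of this module; it assumes openssl is installed and that the certificate payload has already been saved to a local PEM file (how it is retrieved is outside this page).

```shell
#!/bin/sh
# Added example, not part of the module: sanity-check a certificate bundle that was
# retrieved from Secrets Manager against the values requested through the module inputs.
# Assumes openssl (1.1.1 or newer, for -ext) is on PATH.
set -e

# check_public_cert <pem-file> <expected-cn> <comma-separated-expected-sans> <min-rsa-bits>
# Returns 0 when every expectation holds, 1 otherwise, printing each failed check.
check_public_cert() {
  pem=$1; want_cn=$2; want_sans=$3; min_bits=$4; rc=0

  # With bundle_certs = true the leaf certificate is the first PEM block; openssl x509
  # reads only the first block of its input, which isolates the leaf for the checks below.
  leaf=$(openssl x509 -in "$pem" 2>/dev/null)

  # 1. The subject CN must be the cert_common_name that was ordered.
  cn=$(printf '%s\n' "$leaf" | openssl x509 -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$want_cn" ] || { echo "CN mismatch: got '$cn', want '$want_cn'"; rc=1; }

  # 2. Every requested DNS name (common name plus cert_alt_names) must appear as a SAN.
  sans=$(printf '%s\n' "$leaf" | openssl x509 -noout -ext subjectAltName \
         | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
  for name in $(printf '%s' "$want_sans" | tr ',' ' '); do
    printf '%s\n' "$sans" | grep -qx "$name" || { echo "missing SAN: $name"; rc=1; }
  done

  # 3. The key size must be at least what key_algorithm promised (RSA2048 -> 2048 bits).
  bits=$(printf '%s\n' "$leaf" | openssl x509 -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge "$min_bits" ] || { echo "key too small: ${bits:-?} bits"; rc=1; }

  # 4. bundle_certs = true means intermediates are included, so expect more than one block.
  count=$(grep -c 'BEGIN CERTIFICATE' "$pem")
  [ "$count" -ge 2 ] || { echo "no intermediate certificates bundled ($count block)"; rc=1; }

  return $rc
}
```

Example call: `check_public_cert bundle.pem app.example.com app.example.com,www.app.example.com 2048`, with the SAN list matching the cert_common_name and cert_alt_names given to the module.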

Outputs

  • secret_crn: CRN of the public certificate secret in Secrets Manager
  • secret_id: ID of the public certificate secret in Secrets Manager

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.