terraform-ibm-modules/terraform-ibm-secrets-manager-secret

Secrets Manager Secret module


This module creates a secret in an IBM Secrets Manager secrets group.

The module supports the following secret types: arbitrary, username_password, imported_cert, and service_credentials.

The following attributes and parameters are supported for all secret types:

  • secret_group_id: When null, the default secret-group is used.
  • secret_name: The name of the secret that is created.
  • secret_description: The description of the secret.
  • secret_type: The type of the secret.
  • secret_labels: Any labels to attach to the secret.

The following attributes and parameters are supported when storing arbitrary secrets:

  • secret_payload_password: The payload (for arbitrary secrets) or password (for username and password credentials) of the secret.

The following attributes and parameters are supported when storing user credentials:

  • secret_payload_password: The payload (for arbitrary secrets) or password (for username and password credentials) of the secret.
  • secret_username: The username of the secret that is created. Applicable only to the username_password secret type. When the parameter is null, an arbitrary secret is created.
  • secret_auto_rotation: Configures automatic rotation. Default is true.
  • secret_auto_rotation_unit: Specifies the unit type for the secret rotation. Accepted values are day or month. Default is day.
  • secret_auto_rotation_interval: Specifies the rotation interval for the rotation unit. Default is 89.

The following attributes and parameters are supported when creating imported certificates:

  • imported_cert_certificate: The TLS certificate to be imported. Defaults to null.
  • imported_cert_private_key: Optional private key for the TLS certificate to be imported. Defaults to null.
  • imported_cert_intermediate: Optional intermediate certificate for the TLS certificate to be imported. Defaults to null.

The following attributes and parameters are supported when creating service credentials:

  • service_credentials_source_service_crn: The CRN of the target service instance to create the service credentials.
  • service_credentials_source_service_role: The service specific role to give the service credentials.
  • secret_auto_rotation: Configures automatic rotation. Default is true.
  • secret_auto_rotation_unit: Specifies the unit type for the secret rotation. Accepted values are day or month. Default is day.
  • secret_auto_rotation_interval: Specifies the rotation interval for the rotation unit. Default is 89.

Usage

##############################################################################
# Create Arbitrary Secret
##############################################################################

module "secrets_manager_arbitrary_secret" {
  source                  = "terraform-ibm-modules/secrets-manager-secret/ibm"
  version                 = "latest" # Replace "latest" with a release version to lock into a specific release
  region                  = "us-south"
  secrets_manager_guid    = "42454b3b-5b06-407b-a4b3-34d9ef323901"
  secret_group_id         = "432b91f1-ff6d-4b47-9f06-82debc236d90"
  secret_name             = "example-arbitrary-secret"
  secret_description      = "Extended description for the arbitrary secret."
  secret_type             = "arbitrary"
  secret_payload_password = "secret-data" #pragma: allowlist secret
}
##############################################################################
# Create UserPass Secret
##############################################################################

module "secrets_manager_user_pass_secret" {
  source                  = "terraform-ibm-modules/secrets-manager-secret/ibm"
  version                 = "latest" # Replace "latest" with a release version to lock into a specific release
  region                  = "us-south"
  secrets_manager_guid    = "42454b3b-5b06-407b-a4b3-34d9ef323901"
  secret_group_id         = "432b91f1-ff6d-4b47-9f06-82debc236d90"
  secret_name             = "example-user-pass-secret"
  secret_description      = "Extended description for the user pass secret."
  secret_type             = "username_password"
  secret_payload_password = "secret-data" #pragma: allowlist secret
  secret_username         = "terraform-user"
}
##############################################################################
# Create Imported Cert
##############################################################################

module "secret_manager_imported_cert_secret" {
  source                     = "terraform-ibm-modules/secrets-manager-secret/ibm"
  version                    = "latest" # Replace "latest" with a release version to lock into a specific release
  region                     = "us-south"
  secrets_manager_guid       = "42454b3b-5b06-407b-a4b3-34d9ef323901"
  secret_group_id            = "432b91f1-ff6d-4b47-9f06-82debc236d90"
  secret_name                = "example-imported-cert-secret"
  secret_description         = "Extended description for the imported cert secret."
  secret_type                = "imported_cert"
  imported_cert_certificate  = module.certificate.cert_pem
  imported_cert_private_key  = module.certificate.private_key #pragma: allowlist secret
  imported_cert_intermediate = module.certificate.ca_cert_pem
}
##############################################################################
# Create Service Credentials
##############################################################################

# A service authorization between Secrets Manager and the target service is required. The "complete" example includes a sample service authorization.

module "secret_manager_service_credential" {
  source                                  = "terraform-ibm-modules/secrets-manager-secret/ibm"
  version                                 = "latest" # Replace "latest" with a release version to lock into a specific release
  region                                  = "us-south"
  secrets_manager_guid                    = "42454b3b-5b06-407b-a4b3-34d9ef323901"
  secret_group_id                         = "432b91f1-ff6d-4b47-9f06-82debc236d90"
  secret_name                             = "example-service-credential"
  secret_description                      = "Extended description for the service credentials secret."
  secret_type                             = "service_credentials"
  service_credentials_source_service_crn  = module.cloud_object_storage.cos_instance_id
  service_credentials_source_service_role = "Writer"
}
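The note above says a service authorization is required before service credentials can be generated. As an added example (not code from the module's README or its "complete" example), the authorization is created in front of the module call and the secret is rotated every 30 days instead of the 89-day default. The two input variables, the GUID/CRN split between the policy and the module, and the "Key Manager" role on Cloud Object Storage are assumptions, not values taken from this page.

```hcl
# Assumed inputs (not on the page): the Secrets Manager instance GUID and the
# target COS instance identifiers are supplied as variables rather than hard-coded.
variable "secrets_manager_guid" { type = string }
variable "cos_instance_guid"    { type = string } # GUID for the IAM policy
variable "cos_instance_crn"     { type = string } # CRN passed to the module

# Service-to-service authorization: Secrets Manager must be allowed to manage
# credentials on the target instance. The "Key Manager" role is an assumption
# taken from IBM Cloud documentation, not from this README.
resource "ibm_iam_authorization_policy" "sm_to_cos" {
  source_service_name         = "secrets-manager"
  source_resource_instance_id = var.secrets_manager_guid
  target_service_name         = "cloud-object-storage"
  target_resource_instance_id = var.cos_instance_guid
  roles                       = ["Key Manager"]
}

module "cos_service_credential" {
  source  = "terraform-ibm-modules/secrets-manager-secret/ibm"
  version = "latest" # Replace "latest" with a release version to lock into a specific release

  region               = "us-south"
  secrets_manager_guid = var.secrets_manager_guid
  secret_group_id      = null # null selects the default secret group
  secret_name          = "cos-writer-credential"
  secret_description   = "Auto-rotated Writer credential for the COS instance."
  secret_type          = "service_credentials"
  endpoint_type        = "private" # keep Secrets Manager API traffic off the public endpoint

  service_credentials_source_service_crn  = var.cos_instance_crn
  service_credentials_source_service_role = "Writer"
  service_credentials_ttl                 = 2592000 # 30 days in seconds, matching the rotation cadence

  # Rotate every 30 days; the module defaults are day / 89.
  secret_auto_rotation          = true
  secret_auto_rotation_unit     = "day"
  secret_auto_rotation_interval = 30

  # Ensure the authorization exists before Secrets Manager generates the
  # credential, and is not destroyed while the secret still depends on it.
  depends_on = [ibm_iam_authorization_policy.sm_to_cos]
}

# Surface the next rotation date so it can be checked after apply.
output "cos_credential_next_rotation" {
  value = module.cos_service_credential.secret_next_rotation_date
}
```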

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • Resource Group service
      • Viewer platform access
  • IAM Services
    • Secrets Manager service
      • Editor platform access
      • Manager service access

Requirements

  • terraform >= 1.3.0
  • ibm >= 1.51.0, <2.0.0

Modules

No modules.

Resources

  • ibm_sm_arbitrary_secret.arbitrary_secret (resource)
  • ibm_sm_imported_certificate.imported_cert (resource)
  • ibm_sm_service_credentials_secret.service_credentials_secret (resource)
  • ibm_sm_username_password_secret.username_password_secret (resource)

Inputs

Each input is listed as name (type, default, required or optional): description.

  • endpoint_type (string, default "public", optional): The endpoint type used to communicate with the Secrets Manager instance. Possible values are public or private.
  • imported_cert_certificate (string, default null, optional): The TLS certificate to import.
  • imported_cert_intermediate (string, default null, optional): The intermediate certificate for the TLS certificate to import.
  • imported_cert_private_key (string, default null, optional): The private key for the TLS certificate to import.
  • region (string, required): The region where the Secrets Manager instance is deployed.
  • secret_auto_rotation (bool, default true, optional): Whether to configure automatic rotation. Applies only to the username_password and service_credentials secret types.
  • secret_auto_rotation_interval (number, default 89, optional): The rotation interval for the rotation unit.
  • secret_auto_rotation_unit (string, default "day", optional): The unit of time for rotation of a username_password secret. Acceptable values are day or month.
  • secret_description (string, required): Description of the secret to create.
  • secret_group_id (string, default "default", optional): The ID of the secret group for the secret. If null, the default secret group is used.
  • secret_labels (list(string), default [], optional): Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|).
  • secret_name (string, required): Name of the secret to create.
  • secret_payload_password (string, default "", optional): The payload (for arbitrary secrets) or password (for username and password credentials) of the secret.
  • secret_type (string, required): Type of secret to create; must be one of arbitrary, username_password, imported_cert, service_credentials.
  • secret_username (string, default null, optional): Username of the secret to create. Applies only to username_password secret types. When null, an arbitrary secret is created.
  • secrets_manager_guid (string, required): The instance ID of the Secrets Manager instance where the secret will be added.
  • service_credentials_source_service_crn (string, default null, optional): The CRN of the source service instance to create the service credential.
  • service_credentials_source_service_role (string, default null, optional): The role to give the service credential in the source service.
  • service_credentials_ttl (number, default "7776000", optional): The time-to-live (TTL) to assign to generated service credentials (in seconds).

Outputs

  • secret_crn: CRN of the created secret
  • secret_id: ID of the created secret
  • secret_next_rotation_date: Next rotation date for the secret (if applicable)
  • secret_rotation: Status of auto-rotation for the secret
  • secret_rotation_interval: Rotation frequency for the secret (if applicable)

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.