This code is a version of the parent root module that includes a default configuration that complies with the relevant controls from the IBM Cloud Framework for Financial Services. See the Example for IBM Cloud Framework for Financial Services for logic that uses this module.
The default values in this profile were scanned by IBM Code Risk Analyzer (CRA) for compliance with the IBM Cloud Framework for Financial Services profile that is specified by the IBM Security and Compliance Center.
The IBM Cloud Framework for Financial Services mandates the application of an inbound network-based allowlist in front of the IBM Cloud Secrets Manager instance. You can comply with this requirement by using the cbr_rules variable in the module, which can be used to create a narrow context-based restriction rule that is scoped to the Secrets Manager instance.
provider "ibm" {
ibmcloud_api_key = "XXXXXXXXXXXXXX" # pragma: allowlist secret
region = "us-south"
}
module "secrets_manager" {
source = "terraform-ibm-modules/secrets-manager/ibm//modules/fscloud"
version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
region = "us-south"
secrets_manager_name = "my-secrets-manager"
existing_kms_instance_guid = var.existing_kms_instance_guid
kms_key_crn = var.kms_key_crn
}| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| ibm | >=1.62.0, <2.0.0 |
| Name | Source | Version |
|---|---|---|
| secrets_manager | ../.. | n/a |
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cbr_rules | (list) List of CBR rules to create | list(object({ |
[] |
no |
| enable_event_notification | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for existing_en_instance_crn variable. |
bool |
false |
no |
| existing_en_instance_crn | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | string |
null |
no |
| existing_kms_instance_guid | The GUID of the Hyper Protect Crypto Services instance in which the key specified in kms_key_crn is coming from. |
string |
n/a | yes |
| kms_key_crn | The root key CRN of Hyper Protect Crypto Services (HPCS) that you want to use for encryption. | string |
n/a | yes |
| region | The region to provision the Secrets Manager instance to. | string |
n/a | yes |
| resource_group_id | The ID of the resource group to provision the Secrets Manager instance to. | string |
n/a | yes |
| secrets | Secret Manager secrets configurations. | list(object({ |
[] |
no |
| secrets_manager_name | The name to give the Secrets Manager instance. | string |
n/a | yes |
| service_plan | The Secrets Manager plan to provision. | string |
"standard" |
no |
| skip_en_iam_authorization_policy | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the existing_en_instance_crn input variable. In addition, no policy is created if enable_event_notification is set to false. |
bool |
false |
no |
| sm_tags | The list of resource tags that you want to associate with your Secrets Manager instance. | list(string) |
[] |
no |
| Name | Description |
|---|---|
| secret_groups | IDs of the created Secret Group |
| secrets | List of secret mananger secret config data |
| secrets_manager_crn | CRN of the Secrets Manager instance |
| secrets_manager_guid | GUID of Secrets Manager instance |
| secrets_manager_id | ID of the Secrets Manager instance |
| secrets_manager_name | Name of the Secrets Manager instance |
| secrets_manager_region | Region of the Secrets Manager instance |