From 317590f25790e19b32a586c4af63b43ffd150913 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 15 Nov 2023 13:19:45 +0200 Subject: [PATCH 01/25] SC addition --- ibm/provider/provider.go | 2 + ...ource_ibm_sm_service_credentials_secret.go | 601 ++++++++++++ ...ource_ibm_sm_service_credentilas_secret.go | 868 ++++++++++++++++++ ...m_service_credentials_secret.html.markdown | 166 ++++ 4 files changed, 1637 insertions(+) create mode 100644 ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go create mode 100644 ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go create mode 100644 website/docs/r/sm_service_credentials_secret.html.markdown diff --git a/ibm/provider/provider.go b/ibm/provider/provider.go index bdc22fc9a5..936814aded 100644 --- a/ibm/provider/provider.go +++ b/ibm/provider/provider.go @@ -710,6 +710,7 @@ func Provider() *schema.Provider { "ibm_sm_iam_credentials_secret": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmIamCredentialsSecret()), "ibm_sm_kv_secret": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmKvSecret()), "ibm_sm_username_password_secret": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmUsernamePasswordSecret()), + "ibm_sm_service_credentials_secret": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmServiceCredentialsSecret()), "ibm_sm_en_registration": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmEnRegistration()), // //Added for Satellite @@ -1234,6 +1235,7 @@ func Provider() *schema.Provider { "ibm_sm_public_certificate": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmPublicCertificate()), "ibm_sm_private_certificate": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmPrivateCertificate()), "ibm_sm_iam_credentials_secret": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmIamCredentialsSecret()), + "ibm_sm_service_credentials_secret": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmServiceCredentialsSecret()), "ibm_sm_username_password_secret": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmUsernamePasswordSecret()), "ibm_sm_kv_secret": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmKvSecret()), "ibm_sm_public_certificate_configuration_ca_lets_encrypt": secretsmanager.AddInstanceFields(secretsmanager.ResourceIbmSmPublicCertificateConfigurationCALetsEncrypt()), diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go new file mode 100644 index 0000000000..8e23da6863 --- /dev/null +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go @@ -0,0 +1,601 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager + +import ( + "context" + "fmt" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" + "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +func DataSourceIbmSmServiceCredentialsSecret() *schema.Resource { + return &schema.Resource{ + ReadContext: dataSourceIbmSmServiceCredentialsSecretRead, + + Schema: map[string]*schema.Schema{ + "secret_id": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + ExactlyOneOf: []string{"secret_id", "name"}, + Description: "The ID of the secret.", + }, + "created_by": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The unique identifier that is associated with the entity that created the secret.", + }, + "created_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was created. The date format follows RFC 3339.", + }, + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A CRN that uniquely identifies an IBM Cloud resource.", + }, + "custom_metadata": &schema.Schema{ + Type: schema.TypeMap, + Computed: true, + Description: "The secret metadata that a user can customize.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group.", + }, + "downloaded": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API.", + }, + "labels": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "Labels that you can use to search for secrets in your instance.Up to 30 labels can be created.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "locks_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of locks of the secret.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + ExactlyOneOf: []string{"secret_id", "name"}, + RequiredWith: []string{"secret_group_name"}, + Description: "The human-readable name of your secret.", + }, + + "secret_group_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + ForceNew: true, + Description: "A v4 UUID identifier, or `default` secret group.", + }, + "secret_group_name": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + RequiredWith: []string{"name"}, + Description: "The human-readable name of your secret group.", + }, + "secret_type": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials.", + }, + "state": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values.", + }, + "state_description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A text representation of the secret state.", + }, + "updated_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was recently modified. The date format follows RFC 3339.", + }, + "versions_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of versions of the secret.", + }, + "ttl": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", + }, + "rotation": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secrets automatically.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auto_rotate": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.", + }, + "interval": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The length of the secret rotation time interval.", + }, + "unit": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The units for the secret rotation time interval.", + }, + }, + }, + }, + "next_rotation_date": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date that the secret is scheduled for automatic rotation. The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy.", + }, + "credentials": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The properties of the service credentials secret payload.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "apikey": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Sensitive: true, + Description: "The API key that is generated for this secret.", + }, + "cos_hmac_keys": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "access_key_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The access key ID for Cloud Object Storage HMAC credentials.", + }, + "secret_access_key": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The secret access key ID for Cloud Object Storage HMAC credentials.", + }, + }, + }, + }, + "endpoints": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The endpoints that are returned after you create a service credentials secret.", + }, + "iam_apikey_description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The description of the generated IAM API key.", + }, + "iam_apikey_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The name of the generated IAM API key.", + }, + "iam_role_crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM role CRN that is returned after you create a service credentials secret.", + }, + "iam_serviceid_crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM serviceId CRN that is returned after you create a service credentials secret.", + }, + "resource_instance_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource instance CRN that is returned after you create a service credentials secret.", + }, + }, + }, + }, + "source_service": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The properties required for creating the service credentials for the specified source service instance.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "instance": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service instance identifier.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A CRN that uniquely identifies a service credentials target.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The CRN role identifier for creating a service-id.", + }, + }, + }, + }, + "iam": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service IAM data is returned in case IAM credentials where created for this secret.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "apikey": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM apikey metadata for the IAM credentials that were generated.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key name for the generated service credentials.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key description for the generated service credentials.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM role for the generate service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM role CRN assigned to the generated service credentials.", + }, + }, + }, + }, + "serviceid": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM serviceid for the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM Service ID CRN.", + }, + }, + }, + }, + }, + }, + }, + "resource_key": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service resource key data of the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key CRN of the generated service credentials.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key name of the generated service credentials.", + }, + }, + }, + }, + "parameters": &schema.Schema{ + Type: schema.TypeMap, + Computed: true, + Description: "The collection of parameters for the service credentials target.", + }, + }, + }, + }, + }, + } +} + +func dataSourceIbmSmServiceCredentialsSecretRead(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + ServiceCredentialsSecretIntf, region, instanceId, diagError := getSecretByIdOrByName(context, d, meta, ServiceCredentialsSecretType) + if diagError != nil { + return diagError + } + + ServiceCredentialsSecret := ServiceCredentialsSecretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) + d.SetId(fmt.Sprintf("%s/%s/%s", region, instanceId, *ServiceCredentialsSecret.ID)) + + var err error + if err = d.Set("region", region); err != nil { + return diag.FromErr(fmt.Errorf("Error setting region: %s", err)) + } + if err = d.Set("created_by", ServiceCredentialsSecret.CreatedBy); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_by: %s", err)) + } + + if err = d.Set("created_at", DateTimeToRFC3339(ServiceCredentialsSecret.CreatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_at: %s", err)) + } + + if err = d.Set("crn", ServiceCredentialsSecret.Crn); err != nil { + return diag.FromErr(fmt.Errorf("Error setting crn: %s", err)) + } + + if ServiceCredentialsSecret.CustomMetadata != nil { + convertedMap := make(map[string]interface{}, len(ServiceCredentialsSecret.CustomMetadata)) + for k, v := range ServiceCredentialsSecret.CustomMetadata { + convertedMap[k] = v + } + + if err = d.Set("custom_metadata", flex.Flatten(convertedMap)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting custom_metadata: %s", err)) + } + if err != nil { + return diag.FromErr(fmt.Errorf("Error setting custom_metadata %s", err)) + } + } + + if err = d.Set("description", ServiceCredentialsSecret.Description); err != nil { + return diag.FromErr(fmt.Errorf("Error setting description: %s", err)) + } + + if err = d.Set("downloaded", ServiceCredentialsSecret.Downloaded); err != nil { + return diag.FromErr(fmt.Errorf("Error setting downloaded: %s", err)) + } + + if ServiceCredentialsSecret.Labels != nil { + if err = d.Set("labels", ServiceCredentialsSecret.Labels); err != nil { + return diag.FromErr(fmt.Errorf("Error setting labels: %s", err)) + } + } + + if err = d.Set("locks_total", flex.IntValue(ServiceCredentialsSecret.LocksTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting locks_total: %s", err)) + } + + if err = d.Set("name", ServiceCredentialsSecret.Name); err != nil { + return diag.FromErr(fmt.Errorf("Error setting name: %s", err)) + } + + if err = d.Set("secret_group_id", ServiceCredentialsSecret.SecretGroupID); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_group_id: %s", err)) + } + + if err = d.Set("secret_type", ServiceCredentialsSecret.SecretType); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_type: %s", err)) + } + + if err = d.Set("state", flex.IntValue(ServiceCredentialsSecret.State)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state: %s", err)) + } + + if err = d.Set("state_description", ServiceCredentialsSecret.StateDescription); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state_description: %s", err)) + } + + if err = d.Set("updated_at", DateTimeToRFC3339(ServiceCredentialsSecret.UpdatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting updated_at: %s", err)) + } + + if err = d.Set("versions_total", flex.IntValue(ServiceCredentialsSecret.VersionsTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting versions_total: %s", err)) + } + + if err = d.Set("ttl", ServiceCredentialsSecret.TTL); err != nil { + return diag.FromErr(fmt.Errorf("Error setting ttl: %s", err)) + } + + rotation := []map[string]interface{}{} + if ServiceCredentialsSecret.Rotation != nil { + modelMap, err := dataSourceIbmSmServiceCredentialsSecretRotationPolicyToMap(ServiceCredentialsSecret.Rotation.(*secretsmanagerv2.RotationPolicy)) + if err != nil { + return diag.FromErr(err) + } + rotation = append(rotation, modelMap) + } + if err = d.Set("rotation", rotation); err != nil { + return diag.FromErr(fmt.Errorf("Error setting rotation %s", err)) + } + + if err = d.Set("next_rotation_date", DateTimeToRFC3339(ServiceCredentialsSecret.NextRotationDate)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting next_rotation_date: %s", err)) + } + + if ServiceCredentialsSecret.Credentials != nil { + credentialsMap, err := dataSourceIbmSmServiceCredentialsSecretCredentialsToMap(ServiceCredentialsSecret.Credentials) + if err != nil { + return diag.FromErr(err) + } + if len(credentialsMap) > 0 { + if err = d.Set("credentials", []map[string]interface{}{credentialsMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting credentialsMap: %s", err)) + } + } + } + + sourceServiceMap, err := dataSourceIbmSmServiceCredentialsSecretSourceServiceToMap(ServiceCredentialsSecret.SourceService) + if err != nil { + return diag.FromErr(err) + } + if len(sourceServiceMap) > 0 { + if err = d.Set("source_service", []map[string]interface{}{sourceServiceMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting source_service: %s", err)) + } + } + + return nil +} + +func dataSourceIbmSmServiceCredentialsSecretRotationPolicyToMap(model *secretsmanagerv2.RotationPolicy) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if model.AutoRotate != nil { + modelMap["auto_rotate"] = *model.AutoRotate + } + if model.Interval != nil { + modelMap["interval"] = *model.Interval + } + if model.Unit != nil { + modelMap["unit"] = *model.Unit + } + return modelMap, nil +} + +func dataSourceIbmSmServiceCredentialsSecretCredentialsToMap(credentials *secretsmanagerv2.ServiceCredentialsSecretCredentials) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if credentials.IamApikeyDescription != nil { + modelMap["iam_apikey_description"] = credentials.IamApikeyDescription + } + if credentials.Apikey != nil { + modelMap["apikey"] = credentials.Apikey + } + if credentials.Endpoints != nil { + modelMap["endpoints"] = credentials.Endpoints + } + if credentials.IamApikeyName != nil { + modelMap["iam_apikey_name"] = credentials.IamApikeyName + } + if credentials.IamRoleCrn != nil { + modelMap["iam_role_crn"] = credentials.IamRoleCrn + } + if credentials.IamServiceidCrn != nil { + modelMap["iam_serviceid_crn"] = credentials.IamServiceidCrn + } + if credentials.ResourceInstanceID != nil { + modelMap["resource_instance_id"] = credentials.ResourceInstanceID + } + if credentials.CosHmacKeys != nil { + cosHmacKeys := [1]map[string]interface{}{} + m := map[string]interface{}{} + if credentials.CosHmacKeys.AccessKeyID != nil { + m["access_key_id"] = credentials.CosHmacKeys.AccessKeyID + } + if credentials.CosHmacKeys.SecretAccessKey != nil { + m["secret_access_key"] = credentials.CosHmacKeys.SecretAccessKey + } + cosHmacKeys[0] = m + modelMap["cos_hmac_keys"] = cosHmacKeys + } + return modelMap, nil +} + +func dataSourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secretsmanagerv2.ServiceCredentialsSecretSourceService) (map[string]interface{}, error) { + mainModelMap := make(map[string]interface{}) + if sourceService.Instance != nil { + instanceMap := make(map[string]interface{}) + instanceModel := sourceService.Instance + if instanceModel.Crn != nil { + instanceMap["crn"] = instanceModel.Crn + } + mainModelMap["instance"] = []map[string]interface{}{instanceMap} + } + + if sourceService.Role != nil { + roleMap := make(map[string]interface{}) + roleModel := sourceService.Role + if roleModel.Crn != nil { + roleMap["crn"] = roleModel.Crn + } + mainModelMap["role"] = []map[string]interface{}{roleMap} + } + + if sourceService.Iam != nil { + iamMap := make(map[string]interface{}) + iamModel := sourceService.Iam + + // apikey + if iamModel.Apikey != nil { + iamApikeyMap := make(map[string]interface{}) + iamApikeyModel := iamModel.Apikey + if iamApikeyModel.Name != nil { + iamApikeyMap["name"] = iamApikeyModel.Name + } + if iamApikeyModel.Description != nil { + iamApikeyMap["description"] = iamApikeyModel.Description + } + iamMap["apikey"] = []map[string]interface{}{iamApikeyMap} + } + + // role + if iamModel.Role != nil { + iamRoleMap := make(map[string]interface{}) + iamRoleModel := iamModel.Role + if iamRoleModel.Crn != nil { + iamRoleMap["crn"] = iamRoleModel.Crn + } + iamMap["role"] = []map[string]interface{}{iamRoleMap} + } + + // service id + if iamModel.Serviceid != nil { + iamServiceidMap := make(map[string]interface{}) + iamServiceidModel := iamModel.Serviceid + if iamServiceidModel.Crn != nil { + iamServiceidMap["crn"] = iamServiceidModel.Crn + } + iamMap["serviceid"] = []map[string]interface{}{iamServiceidMap} + } + + mainModelMap["iam"] = []map[string]interface{}{iamMap} + + } + + if sourceService.ResourceKey != nil { + resourceKeyMap := make(map[string]interface{}) + resourceKeyModel := sourceService.ResourceKey + if resourceKeyModel.Crn != nil { + resourceKeyMap["crn"] = resourceKeyModel.Crn + } + if resourceKeyModel.Name != nil { + resourceKeyMap["name"] = resourceKeyModel.Name + } + mainModelMap["resource_key"] = []map[string]interface{}{resourceKeyMap} + } + + if sourceService.Parameters != nil { + parametersMap := sourceService.Parameters.GetProperties() + for k, v := range parametersMap { + parametersMap[k] = fmt.Sprint(v) + } + if sourceService.Parameters.ServiceidCrn != nil { + parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn + } + mainModelMap["parameters"] = parametersMap + } + + return mainModelMap, nil +} diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go new file mode 100644 index 0000000000..1f1f813e83 --- /dev/null +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -0,0 +1,868 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager + +import ( + "context" + "fmt" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" + "github.com/IBM/go-sdk-core/v5/core" + "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "log" + "strconv" + "strings" +) + +func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { + return &schema.Resource{ + CreateContext: resourceIbmSmServiceCredentialsSecretCreate, + ReadContext: resourceIbmSmServiceCredentialsSecretRead, + UpdateContext: resourceIbmSmServiceCredentialsSecretUpdate, + DeleteContext: resourceIbmSmServiceCredentialsSecretDelete, + Importer: &schema.ResourceImporter{}, + + Schema: map[string]*schema.Schema{ + "secret_type": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Required: true, + Description: "A human-readable name to assign to your secret.To protect your privacy, do not use personal data, such as your name or location, as a name for your secret.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Description: "An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group.", + }, + "secret_group_id": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + Description: "A v4 UUID identifier, or `default` secret group.", + }, + "labels": &schema.Schema{ + Type: schema.TypeList, + Optional: true, + Computed: true, + Description: "Labels that you can use to search for secrets in your instance.Up to 30 labels can be created.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "custom_metadata": &schema.Schema{ + Type: schema.TypeMap, + Optional: true, + Computed: true, + Description: "The secret metadata that a user can customize.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "version_custom_metadata": &schema.Schema{ + Type: schema.TypeMap, + Optional: true, + Computed: true, + Description: "The secret version metadata that a user can customize.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "created_by": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The unique identifier that is associated with the entity that created the secret.", + }, + "created_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was created. The date format follows RFC 3339.", + }, + "credentials": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The properties of the service credentials secret payload.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "apikey": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Sensitive: true, + Description: "The API key that is generated for this secret.", + }, + "cos_hmac_keys": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "access_key_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The access key ID for Cloud Object Storage HMAC credentials.", + }, + "secret_access_key": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The secret access key ID for Cloud Object Storage HMAC credentials.", + }, + }, + }, + }, + "endpoints": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The endpoints that are returned after you create a service credentials secret.", + }, + "iam_apikey_description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The description of the generated IAM API key.", + }, + "iam_apikey_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The name of the generated IAM API key.", + }, + "iam_role_crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM role CRN that is returned after you create a service credentials secret.", + }, + "iam_serviceid_crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM serviceId CRN that is returned after you create a service credentials secret.", + }, + "resource_instance_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource instance CRN that is returned after you create a service credentials secret.", + }, + }, + }, + }, + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A CRN that uniquely identifies an IBM Cloud resource.", + }, + "downloaded": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API.", + }, + "locks_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of locks of the secret.", + }, + "next_rotation_date": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date that the secret is scheduled for automatic rotation. The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy.", + }, + "rotation": &schema.Schema{ + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secrets automatically.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auto_rotate": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.", + }, + "interval": &schema.Schema{ + Type: schema.TypeInt, + Optional: true, + Computed: true, + Description: "The length of the secret rotation time interval.", + DiffSuppressFunc: rotationAttributesDiffSuppress, + }, + "unit": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + Description: "The units for the secret rotation time interval.", + DiffSuppressFunc: rotationAttributesDiffSuppress, + }, + }, + }, + }, + "source_service": &schema.Schema{ + Type: schema.TypeList, + MaxItems: 1, + Required: true, + ForceNew: true, + Description: "The properties required for creating the service credentials for the specified source service instance.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "instance": &schema.Schema{ + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Description: "The source service instance identifier.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Required: true, + Description: "A CRN that uniquely identifies a service credentials target.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Optional: true, + Computed: true, + MaxItems: 1, + Description: "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + Description: "The CRN role identifier for creating a service-id.", + }, + }, + }, + }, + "iam": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service IAM data is returned in case IAM credentials where created for this secret.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "apikey": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM apikey metadata for the IAM credentials that were generated.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key name for the generated service credentials.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key description for the generated service credentials.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM role for the generate service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM role CRN assigned to the generated service credentials.", + }, + }, + }, + }, + "serviceid": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM serviceid for the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM Service ID CRN.", + }, + }, + }, + }, + }, + }, + }, + "resource_key": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service resource key data of the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key CRN of the generated service credentials.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key name of the generated service credentials.", + }, + }, + }, + }, + "parameters": &schema.Schema{ + Type: schema.TypeMap, + Optional: true, + Description: "The collection of parameters for the service credentials target.", + }, + }, + }, + }, + "state": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values.", + }, + "state_description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A text representation of the secret state.", + }, + "ttl": &schema.Schema{ + Type: schema.TypeString, + Required: true, + ValidateFunc: StringIsIntBetween(60, 7776000), + Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", + }, + "updated_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was recently modified. The date format follows RFC 3339.", + }, + "versions_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of versions of the secret.", + }, + "secret_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A v4 UUID identifier.", + }, + }, + } +} + +func resourceIbmSmServiceCredentialsSecretCreate(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() + if err != nil { + return diag.FromErr(err) + } + + region := getRegion(secretsManagerClient, d) + instanceId := d.Get("instance_id").(string) + secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) + + createSecretOptions := &secretsmanagerv2.CreateSecretOptions{} + + secretPrototypeModel, err := resourceIbmSmServiceCredentialsSecretMapToSecretPrototype(d) + if err != nil { + return diag.FromErr(err) + } + createSecretOptions.SetSecretPrototype(secretPrototypeModel) + + secretIntf, response, err := secretsManagerClient.CreateSecretWithContext(context, createSecretOptions) + if err != nil { + log.Printf("[DEBUG] CreateSecretWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("CreateSecretWithContext failed %s\n%s", err, response)) + } + + secret := secretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) + d.SetId(fmt.Sprintf("%s/%s/%s", region, instanceId, *secret.ID)) + d.Set("secret_id", *secret.ID) + + return resourceIbmSmServiceCredentialsSecretRead(context, d, meta) +} + +func resourceIbmSmServiceCredentialsSecretRead(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() + if err != nil { + return diag.FromErr(err) + } + + id := strings.Split(d.Id(), "/") + if len(id) != 3 { + return diag.Errorf("Wrong format of resource ID. To import a secret use the format `//`") + } + region := id[0] + instanceId := id[1] + secretId := id[2] + secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) + + getSecretOptions := &secretsmanagerv2.GetSecretOptions{} + + getSecretOptions.SetID(secretId) + + secretIntf, response, err := secretsManagerClient.GetSecretWithContext(context, getSecretOptions) + if err != nil { + if response != nil && response.StatusCode == 404 { + d.SetId("") + return nil + } + log.Printf("[DEBUG] GetSecretWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("GetSecretWithContext failed %s\n%s", err, response)) + } + + secret := secretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) + + if err = d.Set("secret_id", secretId); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_id: %s", err)) + } + if err = d.Set("instance_id", instanceId); err != nil { + return diag.FromErr(fmt.Errorf("Error setting instance_id: %s", err)) + } + if err = d.Set("region", region); err != nil { + return diag.FromErr(fmt.Errorf("Error setting region: %s", err)) + } + if err = d.Set("created_by", secret.CreatedBy); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_by: %s", err)) + } + if err = d.Set("created_at", DateTimeToRFC3339(secret.CreatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_at: %s", err)) + } + if err = d.Set("crn", secret.Crn); err != nil { + return diag.FromErr(fmt.Errorf("Error setting crn: %s", err)) + } + if err = d.Set("downloaded", secret.Downloaded); err != nil { + return diag.FromErr(fmt.Errorf("Error setting downloaded: %s", err)) + } + if err = d.Set("locks_total", flex.IntValue(secret.LocksTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting locks_total: %s", err)) + } + if err = d.Set("name", secret.Name); err != nil { + return diag.FromErr(fmt.Errorf("Error setting name: %s", err)) + } + if err = d.Set("secret_group_id", secret.SecretGroupID); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_group_id: %s", err)) + } + if err = d.Set("secret_type", secret.SecretType); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_type: %s", err)) + } + if err = d.Set("state", flex.IntValue(secret.State)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state: %s", err)) + } + if err = d.Set("state_description", secret.StateDescription); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state_description: %s", err)) + } + if err = d.Set("updated_at", DateTimeToRFC3339(secret.UpdatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting updated_at: %s", err)) + } + if err = d.Set("versions_total", flex.IntValue(secret.VersionsTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting versions_total: %s", err)) + } + if secret.CustomMetadata != nil { + d.Set("custom_metadata", secret.CustomMetadata) + } + if err = d.Set("description", secret.Description); err != nil { + return diag.FromErr(fmt.Errorf("Error setting description: %s", err)) + } + if secret.Labels != nil { + if err = d.Set("labels", secret.Labels); err != nil { + return diag.FromErr(fmt.Errorf("Error setting labels: %s", err)) + } + } + rotationMap, err := resourceIbmSmServiceCredentialsSecretRotationPolicyToMap(secret.Rotation) + if err != nil { + return diag.FromErr(err) + } + if len(rotationMap) > 0 { + if err = d.Set("rotation", []map[string]interface{}{rotationMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting rotation: %s", err)) + } + } + sourceServiceMap, err := resourceIbmSmServiceCredentialsSecretSourceServiceToMap(secret.SourceService) + if err != nil { + return diag.FromErr(err) + } + if len(sourceServiceMap) > 0 { + if err = d.Set("source_service", []map[string]interface{}{sourceServiceMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting source_service: %s", err)) + } + } + if secret.Credentials != nil { + credentialsMap, err := resourceIbmSmServiceCredentialsSecretCredentialsToMap(secret.Credentials) + if err != nil { + return diag.FromErr(err) + } + if len(credentialsMap) > 0 { + if err = d.Set("credentials", []map[string]interface{}{credentialsMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting credentialsMap: %s", err)) + } + } + } + if err = d.Set("next_rotation_date", DateTimeToRFC3339(secret.NextRotationDate)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting next_rotation_date: %s", err)) + } + + // Call get version metadata API to get the current version_custom_metadata + getVersionMetdataOptions := &secretsmanagerv2.GetSecretVersionMetadataOptions{} + getVersionMetdataOptions.SetSecretID(secretId) + getVersionMetdataOptions.SetID("current") + + versionMetadataIntf, response, err := secretsManagerClient.GetSecretVersionMetadataWithContext(context, getVersionMetdataOptions) + if err != nil { + log.Printf("[DEBUG] GetSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("GetSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + + versionMetadata := versionMetadataIntf.(*secretsmanagerv2.ServiceCredentialsSecretVersionMetadata) + if versionMetadata.VersionCustomMetadata != nil { + if err = d.Set("version_custom_metadata", versionMetadata.VersionCustomMetadata); err != nil { + return diag.FromErr(fmt.Errorf("Error setting version_custom_metadata: %s", err)) + } + } + + return nil +} + +func resourceIbmSmServiceCredentialsSecretUpdate(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() + if err != nil { + return diag.FromErr(err) + } + + id := strings.Split(d.Id(), "/") + region := id[0] + instanceId := id[1] + secretId := id[2] + secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) + + updateSecretMetadataOptions := &secretsmanagerv2.UpdateSecretMetadataOptions{} + + updateSecretMetadataOptions.SetID(secretId) + + hasChange := false + + patchVals := &secretsmanagerv2.SecretMetadataPatch{} + + if d.HasChange("name") { + patchVals.Name = core.StringPtr(d.Get("name").(string)) + hasChange = true + } + if d.HasChange("description") { + patchVals.Description = core.StringPtr(d.Get("description").(string)) + hasChange = true + } + if d.HasChange("labels") { + labels := d.Get("labels").([]interface{}) + labelsParsed := make([]string, len(labels)) + for i, v := range labels { + labelsParsed[i] = fmt.Sprint(v) + } + patchVals.Labels = labelsParsed + hasChange = true + } + if d.HasChange("custom_metadata") { + patchVals.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) + hasChange = true + } + + // Apply change in metadata (if changed) + if hasChange { + updateSecretMetadataOptions.SecretMetadataPatch, _ = patchVals.AsPatch() + _, response, err := secretsManagerClient.UpdateSecretMetadataWithContext(context, updateSecretMetadataOptions) + if err != nil { + log.Printf("[DEBUG] UpdateSecretMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("UpdateSecretMetadataWithContext failed %s\n%s", err, response)) + } + } + + if d.HasChange("version_custom_metadata") { + // Apply change to version_custom_metadata in current version + secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) + secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + + updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} + updateSecretVersionOptions.SetSecretID(secretId) + updateSecretVersionOptions.SetID("current") + updateSecretVersionOptions.SetSecretVersionMetadataPatch(secretVersionMetadataPatchModelAsPatch) + _, response, err := secretsManagerClient.UpdateSecretVersionMetadataWithContext(context, updateSecretVersionOptions) + if err != nil { + if hasChange { + // Call the read function to update the Terraform state with the change already applied to the metadata + resourceIbmSmServiceCredentialsSecretRead(context, d, meta) + } + log.Printf("[DEBUG] UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + } + + return resourceIbmSmServiceCredentialsSecretRead(context, d, meta) +} + +func resourceIbmSmServiceCredentialsSecretDelete(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() + if err != nil { + return diag.FromErr(err) + } + + id := strings.Split(d.Id(), "/") + region := id[0] + instanceId := id[1] + secretId := id[2] + secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) + + deleteSecretOptions := &secretsmanagerv2.DeleteSecretOptions{} + + deleteSecretOptions.SetID(secretId) + + response, err := secretsManagerClient.DeleteSecretWithContext(context, deleteSecretOptions) + if err != nil { + log.Printf("[DEBUG] DeleteSecretWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("DeleteSecretWithContext failed %s\n%s", err, response)) + } + + d.SetId("") + + return nil +} + +func resourceIbmSmServiceCredentialsSecretMapToSecretPrototype(d *schema.ResourceData) (*secretsmanagerv2.ServiceCredentialsSecretPrototype, error) { + model := &secretsmanagerv2.ServiceCredentialsSecretPrototype{} + model.SecretType = core.StringPtr("service_credentials") + + if _, ok := d.GetOk("name"); ok { + model.Name = core.StringPtr(d.Get("name").(string)) + } + if _, ok := d.GetOk("description"); ok { + model.Description = core.StringPtr(d.Get("description").(string)) + } + if _, ok := d.GetOk("secret_group_id"); ok { + model.SecretGroupID = core.StringPtr(d.Get("secret_group_id").(string)) + } + if _, ok := d.GetOk("labels"); ok { + labels := d.Get("labels").([]interface{}) + labelsParsed := make([]string, len(labels)) + for i, v := range labels { + labelsParsed[i] = fmt.Sprint(v) + } + model.Labels = labelsParsed + } + if _, ok := d.GetOk("ttl"); ok { + model.TTL = core.StringPtr(d.Get("ttl").(string)) + } + if _, ok := d.GetOk("rotation"); ok { + RotationModel, err := resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(d.Get("rotation").([]interface{})[0].(map[string]interface{})) + if err != nil { + return model, err + } + model.Rotation = RotationModel + } + if _, ok := d.GetOk("source_service"); ok { + SourceServiceModel, err := resourceIbmSmServiceCredentialsSecretMapToSourceService(d.Get("source_service").([]interface{})[0].(map[string]interface{})) + if err != nil { + return model, err + } + model.SourceService = SourceServiceModel + } + if _, ok := d.GetOk("custom_metadata"); ok { + model.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) + } + if _, ok := d.GetOk("version_custom_metadata"); ok { + model.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) + } + return model, nil +} + +func resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(modelMap map[string]interface{}) (secretsmanagerv2.RotationPolicyIntf, error) { + model := &secretsmanagerv2.RotationPolicy{} + if modelMap["auto_rotate"] != nil { + model.AutoRotate = core.BoolPtr(modelMap["auto_rotate"].(bool)) + } + if modelMap["interval"].(int) == 0 { + model.Interval = nil + } else { + model.Interval = core.Int64Ptr(int64(modelMap["interval"].(int))) + } + if modelMap["unit"] != nil && modelMap["unit"].(string) != "" { + model.Unit = core.StringPtr(modelMap["unit"].(string)) + } + return model, nil +} + +func resourceIbmSmServiceCredentialsSecretMapToSourceService(modelMap map[string]interface{}) (*secretsmanagerv2.ServiceCredentialsSecretSourceService, error) { + mainModel := &secretsmanagerv2.ServiceCredentialsSecretSourceService{} + + if modelMap["instance"] != nil && len(modelMap["instance"].([]interface{})) > 0 { + instanceModel := &secretsmanagerv2.ServiceCredentialsSourceServiceInstance{} + if modelMap["instance"].([]interface{})[0].(map[string]interface{})["crn"].(string) != "" { + instanceModel.Crn = core.StringPtr(modelMap["instance"].([]interface{})[0].(map[string]interface{})["crn"].(string)) + mainModel.Instance = instanceModel + } + } + + if modelMap["role"] != nil && len(modelMap["role"].([]interface{})) > 0 { + roleModel := &secretsmanagerv2.ServiceCredentialsSourceServiceRole{} + if modelMap["role"].([]interface{})[0].(map[string]interface{})["crn"].(string) != "" { + roleModel.Crn = core.StringPtr(modelMap["role"].([]interface{})[0].(map[string]interface{})["crn"].(string)) + mainModel.Role = roleModel + } + } + + if modelMap["parameters"] != nil { + mainModel.Parameters = &secretsmanagerv2.ServiceCredentialsSourceServiceParameters{} + parametersMap := modelMap["parameters"].(map[string]interface{}) + for k, v := range parametersMap { + if k == "serviceid_crn" { + serviceIdCrn := v.(string) + mainModel.Parameters.ServiceidCrn = &serviceIdCrn + } else if v == "true" || v == "false" { + b, _ := strconv.ParseBool(v.(string)) + mainModel.Parameters.SetProperty(k, b) + } else { + mainModel.Parameters.SetProperty(k, v) + } + } + } + return mainModel, nil +} + +func resourceIbmSmServiceCredentialsSecretRotationPolicyToMap(modelIntf secretsmanagerv2.RotationPolicyIntf) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + model := modelIntf.(*secretsmanagerv2.RotationPolicy) + if model.AutoRotate != nil { + modelMap["auto_rotate"] = model.AutoRotate + } + if model.Interval != nil { + modelMap["interval"] = flex.IntValue(model.Interval) + } + if model.Unit != nil { + modelMap["unit"] = model.Unit + } + return modelMap, nil +} + +func resourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secretsmanagerv2.ServiceCredentialsSecretSourceService) (map[string]interface{}, error) { + mainModelMap := make(map[string]interface{}) + if sourceService.Instance != nil { + instanceMap := make(map[string]interface{}) + instanceModel := sourceService.Instance + if instanceModel.Crn != nil { + instanceMap["crn"] = instanceModel.Crn + } + mainModelMap["instance"] = []map[string]interface{}{instanceMap} + } + + if sourceService.Role != nil { + roleMap := make(map[string]interface{}) + roleModel := sourceService.Role + if roleModel.Crn != nil { + roleMap["crn"] = roleModel.Crn + } + mainModelMap["role"] = []map[string]interface{}{roleMap} + } + + if sourceService.Iam != nil { + iamMap := make(map[string]interface{}) + iamModel := sourceService.Iam + + // apikey + if iamModel.Apikey != nil { + iamApikeyMap := make(map[string]interface{}) + iamApikeyModel := iamModel.Apikey + if iamApikeyModel.Name != nil { + iamApikeyMap["name"] = iamApikeyModel.Name + } + if iamApikeyModel.Description != nil { + iamApikeyMap["description"] = iamApikeyModel.Description + } + iamMap["apikey"] = []map[string]interface{}{iamApikeyMap} + } + + // role + if iamModel.Role != nil { + iamRoleMap := make(map[string]interface{}) + iamRoleModel := iamModel.Role + if iamRoleModel.Crn != nil { + iamRoleMap["crn"] = iamRoleModel.Crn + } + iamMap["role"] = []map[string]interface{}{iamRoleMap} + } + + // service id + if iamModel.Serviceid != nil { + iamServiceidMap := make(map[string]interface{}) + iamServiceidModel := iamModel.Serviceid + if iamServiceidModel.Crn != nil { + iamServiceidMap["crn"] = iamServiceidModel.Crn + } + iamMap["serviceid"] = []map[string]interface{}{iamServiceidMap} + } + + mainModelMap["iam"] = []map[string]interface{}{iamMap} + + } + + if sourceService.ResourceKey != nil { + resourceKeyMap := make(map[string]interface{}) + resourceKeyModel := sourceService.ResourceKey + if resourceKeyModel.Crn != nil { + resourceKeyMap["crn"] = resourceKeyModel.Crn + } + if resourceKeyModel.Name != nil { + resourceKeyMap["name"] = resourceKeyModel.Name + } + mainModelMap["resource_key"] = []map[string]interface{}{resourceKeyMap} + } + + if sourceService.Parameters != nil { + parametersMap := sourceService.Parameters.GetProperties() + for k, v := range parametersMap { + parametersMap[k] = fmt.Sprint(v) + } + if sourceService.Parameters.ServiceidCrn != nil { + parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn + } + mainModelMap["parameters"] = parametersMap + } + + return mainModelMap, nil +} + +func resourceIbmSmServiceCredentialsSecretCredentialsToMap(credentials *secretsmanagerv2.ServiceCredentialsSecretCredentials) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if credentials.IamApikeyDescription != nil { + modelMap["iam_apikey_description"] = credentials.IamApikeyDescription + } + if credentials.Apikey != nil { + modelMap["apikey"] = credentials.Apikey + } + if credentials.Endpoints != nil { + modelMap["endpoints"] = credentials.Endpoints + } + if credentials.IamApikeyName != nil { + modelMap["iam_apikey_name"] = credentials.IamApikeyName + } + if credentials.IamRoleCrn != nil { + modelMap["iam_role_crn"] = credentials.IamRoleCrn + } + if credentials.IamServiceidCrn != nil { + modelMap["iam_serviceid_crn"] = credentials.IamServiceidCrn + } + if credentials.ResourceInstanceID != nil { + modelMap["resource_instance_id"] = credentials.ResourceInstanceID + } + if credentials.CosHmacKeys != nil { + cosHmacKeys := [1]map[string]interface{}{} + m := map[string]interface{}{} + if credentials.CosHmacKeys.AccessKeyID != nil { + m["access_key_id"] = credentials.CosHmacKeys.AccessKeyID + } + if credentials.CosHmacKeys.SecretAccessKey != nil { + m["secret_access_key"] = credentials.CosHmacKeys.SecretAccessKey + } + cosHmacKeys[0] = m + modelMap["cos_hmac_keys"] = cosHmacKeys + } + return modelMap, nil +} diff --git a/website/docs/r/sm_service_credentials_secret.html.markdown b/website/docs/r/sm_service_credentials_secret.html.markdown new file mode 100644 index 0000000000..b86d6093a6 --- /dev/null +++ b/website/docs/r/sm_service_credentials_secret.html.markdown @@ -0,0 +1,166 @@ +--- +layout: "ibm" +page_title: "IBM : ibm_sm_service_credentials_secret" +description: |- + Manages ServiceCredentialsSecret. +subcategory: "Secrets Manager" +--- + +# ibm_sm_service_credentials_secret + +Provides a resource for ServiceCredentialsSecret. This allows ServiceCredentialsSecret to be created, updated and deleted. + +## Example Usage + +```hcl +resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = ibm_resource_instance.sm_instance.guid + region = "us-south" + name = "secret-name" + custom_metadata = {"key":"value"} + description = "Extended description for this secret." + labels = ["my-label"] + rotation { + auto_rotate = true + interval = 1 + unit = "day" + } + secret_group_id = ibm_sm_secret_group.sm_secret_group.secret_group_id + ttl = "1800" +} +``` + +## Argument Reference + +Review the argument reference that you can specify for your resource. + +* `instance_id` - (Required, Forces new resource, String) The GUID of the Secrets Manager instance. +* `region` - (Optional, Forces new resource, String) The region of the Secrets Manager instance. If not provided defaults to the region defined in the IBM provider configuration. +* `endpoint_type` - (Optional, String) - The endpoint type. If not provided the endpoint type is determined by the `visibility` argument provided in the provider configuration. + * Constraints: Allowable values are: `private`, `public`. +* `custom_metadata` - (Optional, Map) The secret metadata that a user can customize. +* `description` - (Optional, String) An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. + * Constraints: The maximum length is `1024` characters. The minimum length is `0` characters. The value must match regular expression `/(.*?)/`. +* `labels` - (Optional, List) Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. + * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `30` items. The minimum length is `0` items. +* `name` - (Required, String) The human-readable name of your secret. + * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `^[A-Za-z0-9][A-Za-z0-9]*(?:_*-*\\.*[A-Za-z0-9]+)*$`. +* `rotation` - (Optional, List) Determines whether Secrets Manager rotates your secrets automatically. +Nested scheme for **rotation**: + * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. + * `interval` - (Optional, Integer) The length of the secret rotation time interval. + * Constraints: The minimum value is `1`. + * `rotate_keys` - (Optional, Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. + * `unit` - (Optional, String) The units for the secret rotation time interval. + * Constraints: Allowable values are: `day`, `month`. +* `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. + * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`. +* `source_service` - (Optional, List) The properties required for creating the service credentials for the specified source service instance. +Nested scheme for **source_service**: + * `instance` - (Optional, List) The source service instance identifier. + Nested scheme for **instance**: + * `crn` - (Optional, String) A CRN that uniquely identifies a service credentials source. + * `parameters` - (Optional, List) Configuration options represented as key-value pairs. Service-defined options are used in the generation of credentials for some services. For example, Cloud Object Storage accepts the optional boolean parameter HMAC for creating specific kind of credentials. + * `role` - (Optional, List) The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles. + Nested scheme for **role**: + * `crn` - (Optional, String) The service role CRN. + * `iam` - (Optional, List) The source service IAM data is returned in case IAM credentials where created for this secret. + Nested scheme for **iam**: + * `apikey` - (Optional, String) The IAM apikey metadata for the IAM credentials that were generated. + * `role` - (Optional, String) The IAM role for the generate service credentials. + * `serviceid` - (Optional, String) The IAM serviceid for the generated service credentials. + * `resource_key` - (Optional, List) The source service resource key data of the generated service credentials. + Nested scheme for **resource_key**: + * `crn` - (Optional, String) The resource key CRN of the generated service credentials. + * `name` - (Optional, String) The resource key name of the generated service credentials. +* `ttl` - (Required, String) The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long each generated API key remains valid. The value should be an integer that specifies the number of seconds. Minimum duration is 60 seconds. Maximum is 7776000 seconds (90 days). + * Constraints: The maximum length is `7` characters. The minimum length is `2` characters. + +## Attribute Reference + +In addition to all argument references listed, you can access the following attribute references after your resource is created. + +* `secret_id` - The unique identifier of the ServiceCredentialsSecret. +* `created_at` - (String) The date when a resource was created. The date format follows RFC 3339. +* `created_by` - (String) The unique identifier that is associated with the entity that created the secret. + * Constraints: The maximum length is `128` characters. The minimum length is `4` characters. +* `crn` - (String) A CRN that uniquely identifies an IBM Cloud resource. + * Constraints: The maximum length is `512` characters. The minimum length is `9` characters. The value must match regular expression `/^crn:v[0-9](:([A-Za-z0-9-._~!$&'()*+,;=@\/]|%[0-9A-Z]{2})*){8}$/`. +* `downloaded` - (Boolean) Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API. +* `locks_total` - (Integer) The number of locks of the secret. + * Constraints: The maximum value is `1000`. The minimum value is `0`. +* `next_rotation_date` - (String) The date that the secret is scheduled for automatic rotation.The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy. +* `state` - (Integer) The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values. + * Constraints: Allowable values are: `0`, `1`, `2`, `3`, `5`. +* `state_description` - (String) A text representation of the secret state. + * Constraints: Allowable values are: `pre_activation`, `active`, `suspended`, `deactivated`, `destroyed`. +* `secret_type` - (String) The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. + * Constraints: Allowable values are: `arbitrary`, `imported_cert`, `public_cert`, `iam_credentials`, `kv`, `username_password`, `private_cert`. +* `updated_at` - (String) The date when a resource was recently modified. The date format follows RFC 3339. +* `versions_total` - (Integer) The number of versions of the secret. + * Constraints: The maximum value is `50`. The minimum value is `0`. + +## Provider Configuration + +The IBM Cloud provider offers a flexible means of providing credentials for authentication. The following methods are supported, in this order, and explained below: + +- Static credentials +- Environment variables + +To find which credentials are required for this resource, see the service table [here](https://cloud.ibm.com/docs/ibm-cloud-provider-for-terraform?topic=ibm-cloud-provider-for-terraform-provider-reference#required-parameters). + +### Static credentials + +You can provide your static credentials by adding the `ibmcloud_api_key`, `iaas_classic_username`, and `iaas_classic_api_key` arguments in the IBM Cloud provider block. + +Usage: +``` +provider "ibm" { + ibmcloud_api_key = "" + iaas_classic_username = "" + iaas_classic_api_key = "" +} +``` + +### Environment variables + +You can provide your credentials by exporting the `IC_API_KEY`, `IAAS_CLASSIC_USERNAME`, and `IAAS_CLASSIC_API_KEY` environment variables, representing your IBM Cloud platform API key, IBM Cloud Classic Infrastructure (SoftLayer) user name, and IBM Cloud infrastructure API key, respectively. + +``` +provider "ibm" {} +``` + +Usage: +``` +export IC_API_KEY="ibmcloud_api_key" +export IAAS_CLASSIC_USERNAME="iaas_classic_username" +export IAAS_CLASSIC_API_KEY="iaas_classic_api_key" +terraform plan +``` + +Note: + +1. Create or find your `ibmcloud_api_key` and `iaas_classic_api_key` [here](https://cloud.ibm.com/iam/apikeys). + - Select `My IBM Cloud API Keys` option from view dropdown for `ibmcloud_api_key` + - Select `Classic Infrastructure API Keys` option from view dropdown for `iaas_classic_api_key` +2. For iaas_classic_username + - Go to [Users](https://cloud.ibm.com/iam/users) + - Click on user. + - Find user name in the `VPN password` section under `User Details` tab + +For more informaton, see [here](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs#authentication). + +## Import + +You can import the `ibm_sm_service_credentials_secret` resource by using `region`, `instance_id`, and `secret_id`. +For more information, see [the documentation](https://cloud.ibm.com/docs/secrets-manager) + +# Syntax +```bash +$ terraform import ibm_sm_service_credentials_secret.sm_service_credentials_secret // +``` + +# Example +```bash +$ terraform import ibm_sm_service_credentials_secret.sm_service_credentials_secret us-east/6ebc4224-e983-496a-8a54-f40a0bfa9175/b49ad24d-81d4-5ebc-b9b9-b0937d1c84d5 +``` From babc0f9a9e52c3255d433975f8458067e699e52b Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 15 Nov 2023 14:31:44 +0200 Subject: [PATCH 02/25] SC addition --- ibm/service/secretsmanager/utils.go | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/ibm/service/secretsmanager/utils.go b/ibm/service/secretsmanager/utils.go index a00f44c9af..07a23380be 100644 --- a/ibm/service/secretsmanager/utils.go +++ b/ibm/service/secretsmanager/utils.go @@ -17,13 +17,14 @@ import ( ) const ( - ArbitrarySecretType = "arbitrary" - UsernamePasswordSecretType = "username_password" - IAMCredentialsSecretType = "iam_credentials" - KvSecretType = "kv" - ImportedCertSecretType = "imported_cert" - PublicCertSecretType = "public_cert" - PrivateCertSecretType = "private_cert" + ArbitrarySecretType = "arbitrary" + UsernamePasswordSecretType = "username_password" + IAMCredentialsSecretType = "iam_credentials" + ServiceCredentialsSecretType = "service_credentials" + KvSecretType = "kv" + ImportedCertSecretType = "imported_cert" + PublicCertSecretType = "public_cert" + PrivateCertSecretType = "private_cert" ) func getRegion(originalClient *secretsmanagerv2.SecretsManagerV2, d *schema.ResourceData) string { From 80716674288963e6e64f30ba91de967a9465249c Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 15 Nov 2023 18:23:34 +0200 Subject: [PATCH 03/25] SC addition --- examples/ibm-secrets-manager/README.md | 238 +++++---- examples/ibm-secrets-manager/main.tf | 43 ++ examples/ibm-secrets-manager/outputs.tf | 6 + examples/ibm-secrets-manager/variables.tf | 63 +++ ibm/provider/provider.go | 1 + ..._sm_service_credentials_secret_metadata.go | 491 ++++++++++++++++++ ...ource_ibm_sm_service_credentilas_secret.go | 2 +- ...m_service_credentials_secret.html.markdown | 140 +++++ ..._credentials_secret_metadata.html.markdown | 113 ++++ ...m_service_credentials_secret.html.markdown | 62 ++- 10 files changed, 1046 insertions(+), 113 deletions(-) create mode 100644 ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go create mode 100644 website/docs/d/sm_service_credentials_secret.html.markdown create mode 100644 website/docs/d/sm_service_credentials_secret_metadata.html.markdown diff --git a/examples/ibm-secrets-manager/README.md b/examples/ibm-secrets-manager/README.md index 04a144758a..f68677dec5 100644 --- a/examples/ibm-secrets-manager/README.md +++ b/examples/ibm-secrets-manager/README.md @@ -131,6 +131,31 @@ resource "sm_iam_credentials_secret" "sm_iam_credentials_secret_instance" { rotation = var.sm_iam_credentials_secret_rotation } ``` +sm_service_credentials_secret resource: + +```hcl +resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = var.secrets_manager_instance_id + region = var.region + endpoint_type = var.endpoint_type + name = var.sm_service_credentials_secret_name + custom_metadata = { my_key = jsonencode(var.sm_service_credentials_secret_custom_metadata) } + description = var.sm_service_credentials_secret_description + labels = var.sm_service_credentials_secret_labels + rotation = var.sm_service_credentials_secret_rotation + secret_group_id = var.sm_service_credentials_secret_secret_group_id + source_service { + instance { + crn = var.sm_service_credentials_secret_source_service_instance_crn + } + role { + crn = var.sm_service_credentials_secret_source_service_role_crn + } + parameters = var.sm_service_credentials_secret_source_service_parameters + } + ttl = var.sm_service_credentials_secret_ttl +} +``` sm_arbitrary_secret resource: ```hcl @@ -349,6 +374,15 @@ data "sm_iam_credentials_secret_metadata" "sm_iam_credentials_secret_metadata_in secret_id = var.sm_iam_credentials_secret_metadata_id } ``` +sm_service_credentials_secret_metadata data source: + +```hcl +data "sm_service_credentials_secret_metadata" "sm_service_credentials_secret_metadata_instance" { + instance_id = var.secrets_manager_instance_id + region = var.region + secret_id = var.sm_service_credentials_secret_metadata_id +} +``` sm_arbitrary_secret_metadata data source: ```hcl @@ -403,6 +437,15 @@ data "sm_iam_credentials_secret" "sm_iam_credentials_secret_instance" { secret_id = var.sm_iam_credentials_secret_id } ``` +sm_service_credentials_secret data source: + +```hcl +data "sm_service_credentials_secret" "sm_service_credentials_secret_instance" { + instance_id = var.secrets_manager_instance_id + region = var.region + secret_id = var.sm_service_credentials_secret_id +} +``` sm_arbitrary_secret data source: ```hcl @@ -524,103 +567,106 @@ data "sm_en_registration" "sm_en_registration_instance" { ## Inputs -| Name | Description | Type | Default | Required | -|----------------------------------------|-------------|------|---------|----------| -| ibmcloud\_api\_key | IBM Cloud API key | `string` | | true | -| region | Secrets Manager Instance region | `string` | us-south | false | -| secrets\_manager\_instance\_id | Secrets Manager Instance GUID | `string` | | true | -| instance\_id | Secrets Manager Instance GUID | `string` | | true | -| endpoint\_type | Secrets manager endpoint type | `string` | `private` | false | -| description | An extended description of your secret group.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. | `string` | false | -| custom_metadata | The secret metadata that a user can customize. | `map()` | false | -| description | An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. | `string` | false | -| expiration_date | The date a secret is expired. The date format follows RFC 3339. | `` | false | -| labels | Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. | `list(string)` | false | -| secret_group_id | A v4 UUID identifier, or `default` secret group. | `string` | false | -| secret_type | The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. | `string` | false | -| certificate | The PEM-encoded contents of your certificate. | `string` | false | -| intermediate | (Optional) The PEM-encoded intermediate certificate to associate with the root certificate. | `string` | false | -| private_key | (Optional) The PEM-encoded private key to associate with the certificate. | `string` | false | -| custom_metadata | The secret metadata that a user can customize. | `map()` | false | -| rotation | Determines whether Secrets Manager rotates your secrets automatically. | `` | false | -| data | The payload data of a key-value secret. | `map()` | false | -| ttl | The time-to-live (TTL) or lease duration to assign to generated credentials.For `iam_credentials` secrets, the TTL defines for how long each generated API key remains valid. The value can be either an integer that specifies the number of seconds, or the string representation of a duration, such as `120m` or `24h`.Minimum duration is 1 minute. Maximum is 90 days. | `string` | false | -| access_groups | Access Groups that you can use for an `iam_credentials` secret.Up to 10 Access Groups can be used for each secret. | `list(string)` | false | -| service_id | The service ID under which the API key (see the `api_key` field) is created.If you omit this parameter, Secrets Manager generates a new service ID for your secret at its creation and adds it to the access groups that you assign.Optionally, you can use this field to provide your own service ID if you prefer to manage its access directly or retain the service ID after your secret expires, is rotated, or deleted. If you provide a service ID, do not include the `access_groups` parameter. | `string` | false | -| reuse_api_key | Determines whether to use the same service ID and API key for future read operations on an`iam_credentials` secret.If it is set to `true`, the service reuses the current credentials. If it is set to `false`, a new service ID and API key are generated each time that the secret is read or accessed. | `bool` | false | -| payload | The arbitrary secret's data payload. | `string` | false | -| username | The username that is assigned to the secret. | `string` | false | -| password | The password that is assigned to the secret. | `string` | false | -| secret_id | The ID of the secret. | `string` | true | -| certificate_template | The name of the certificate template. | `string` | false | -| config_type | Th configuration type. | `string` | false | -| crl_disable | Disables or enables certificate revocation list (CRL) building.If CRL building is disabled, a signed but zero-length CRL is returned when downloading the CRL. If CRL building is enabled, it will rebuild the CRL. | `bool` | false | -| crl_distribution_points_encoded | Determines whether to encode the certificate revocation list (CRL) distribution points in the certificates that are issued by this certificate authority. | `bool` | false | -| issuing_certificates_urls_encoded | Determines whether to encode the URL of the issuing certificate in the certificates that are issued by this certificate authority. | `bool` | false | -| ttl | The requested time-to-live (TTL) for certificates that are created by this CA. This field's value cannot be longer than the `max_ttl` limit.The value can be supplied as a string representation of a duration in hours, for example '8760h'. In the API response, this value is returned in seconds (integer). | `string` | false | -| signing_method | The signing method to use with this certificate authority to generate private certificates.You can choose between internal or externally signed options. For more information, see the [docs](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-intermediate-certificate-authorities). | `string` | false | -| certificate_authority | The name of the intermediate certificate authority. | `string` | false | -| allowed_secret_groups | Scopes the creation of private certificates to only the secret groups that you specify.This field can be supplied as a comma-delimited list of secret group IDs. | `string` | false | -| allow_localhost | Determines whether to allow `localhost` to be included as one of the requested common names. | `bool` | false | -| allowed_domains | The domains to define for the certificate template. This property is used along with the `allow_bare_domains` and `allow_subdomains` options. | `list(string)` | false | -| allowed_domains_template | Determines whether to allow the domains that are supplied in the `allowed_domains` field to contain access control list (ACL) templates. | `bool` | false | -| allow_bare_domains | Determines whether to allow clients to request private certificates that match the value of the actual domains on the final certificate.For example, if you specify `example.com` in the `allowed_domains` field, you grant clients the ability to request a certificate that contains the name `example.com` as one of the DNS values on the final certificate.**Important:** In some scenarios, allowing bare domains can be considered a security risk. | `bool` | false | -| allow_subdomains | Determines whether to allow clients to request private certificates with common names (CN) that are subdomains of the CNs that are allowed by the other certificate template options. This includes wildcard subdomains.For example, if `allowed_domains` has a value of `example.com` and `allow_subdomains`is set to `true`, then the following subdomains are allowed: `foo.example.com`, `bar.example.com`, `*.example.com`.**Note:** This field is redundant if you use the `allow_any_name` option. | `bool` | false | -| allow_glob_domains | Determines whether to allow glob patterns, for example, `ftp*.example.com`, in the names that are specified in the `allowed_domains` field.If set to `true`, clients are allowed to request private certificates with names that match the glob patterns. | `bool` | false | -| allow_any_name | Determines whether to allow clients to request a private certificate that matches any common name. | `bool` | false | -| enforce_hostnames | Determines whether to enforce only valid host names for common names, DNS Subject Alternative Names, and the host section of email addresses. | `bool` | false | -| allow_ip_sans | Determines whether to allow clients to request a private certificate with IP Subject Alternative Names. | `bool` | false | -| allowed_uri_sans | The URI Subject Alternative Names to allow for private certificates.Values can contain glob patterns, for example `spiffe://hostname/_*`. | `list(string)` | false | -| allowed_other_sans | The custom Object Identifier (OID) or UTF8-string Subject Alternative Names (SANs) to allow for private certificates.The format for each element in the list is the same as OpenSSL: `::` where the current valid type is `UTF8`. To allow any value for an OID, use `*` as its value. Alternatively, specify a single `*` to allow any `other_sans` input. | `list(string)` | false | -| server_flag | Determines whether private certificates are flagged for server use. | `bool` | false | -| client_flag | Determines whether private certificates are flagged for client use. | `bool` | false | -| code_signing_flag | Determines whether private certificates are flagged for code signing use. | `bool` | false | -| email_protection_flag | Determines whether private certificates are flagged for email protection use. | `bool` | false | -| key_usage | The allowed key usage constraint to define for private certificates.You can find valid values in the [Go x509 package documentation](https://pkg.go.dev/crypto/x509#KeyUsage). Omit the `KeyUsage` part of the value. Values are not case-sensitive. To specify no key usage constraints, set this field to an empty list. | `list(string)` | false | -| ext_key_usage | The allowed extended key usage constraint on private certificates.You can find valid values in the [Go x509 package documentation](https://golang.org/pkg/crypto/x509/#ExtKeyUsage). Omit the `ExtKeyUsage` part of the value. Values are not case-sensitive. To specify no key usage constraints, set this field to an empty list. | `list(string)` | false | -| ext_key_usage_oids | A list of extended key usage Object Identifiers (OIDs). | `list(string)` | false | -| use_csr_common_name | When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the common name (CN) from a certificate signing request (CSR) instead of the CN that's included in the data of the certificate.Does not include any requested Subject Alternative Names (SANs) in the CSR. To use the alternative names, include the `use_csr_sans` property. | `bool` | false | -| use_csr_sans | When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the Subject Alternative Names(SANs) from a certificate signing request (CSR) instead of the SANs that are included in the data of the certificate.Does not include the common name in the CSR. To use the common name, include the `use_csr_common_name` property. | `bool` | false | -| require_cn | Determines whether to require a common name to create a private certificate.By default, a common name is required to generate a certificate. To make the `common_name` field optional, set the `require_cn` option to `false`. | `bool` | false | -| policy_identifiers | A list of policy Object Identifiers (OIDs). | `list(string)` | false | -| basic_constraints_valid_for_non_ca | Determines whether to mark the Basic Constraints extension of an issued private certificate as valid for non-CA certificates. | `bool` | false | -| lets_encrypt_environment | The configuration of the Let's Encrypt CA environment. | `string` | false | -| lets_encrypt_private_key | The PEM encoded private key of your Lets Encrypt account. | `string` | false | -| lets_encrypt_preferred_chain | Prefer the chain with an issuer matching this Subject Common Name. | `string` | false | -| event_notifications_instance_crn | A CRN that uniquely identifies an IBM Cloud resource. | `string` | true | -| event_notifications_source_name | The name that is displayed as a source that is in your Event Notifications instance. | `string` | true | -| event_notifications_source_description | An optional description for the source that is in your Event Notifications instance. | `string` | false | -| secret_group_id | The ID of the secret group. | `string` | true | -| secret_id | The ID of the secret. | `string` | true | -| name | The name of the configuration. | `string` | true | +| Name | Description | Type | Default | Required | +|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|-----------|----------| +| ibmcloud\_api\_key | IBM Cloud API key | `string` | | true | +| region | Secrets Manager Instance region | `string` | us-south | false | +| secrets\_manager\_instance\_id | Secrets Manager Instance GUID | `string` | | true | +| instance\_id | Secrets Manager Instance GUID | `string` | | true | +| endpoint\_type | Secrets manager endpoint type | `string` | `private` | false | +| description | An extended description of your secret group.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. | `string` | false | +| custom_metadata | The secret metadata that a user can customize. | `map()` | false | +| description | An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. | `string` | false | +| expiration_date | The date a secret is expired. The date format follows RFC 3339. | `` | false | +| labels | Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. | `list(string)` | false | +| secret_group_id | A v4 UUID identifier, or `default` secret group. | `string` | false | +| secret_type | The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. | `string` | false | +| certificate | The PEM-encoded contents of your certificate. | `string` | false | +| intermediate | (Optional) The PEM-encoded intermediate certificate to associate with the root certificate. | `string` | false | +| private_key | (Optional) The PEM-encoded private key to associate with the certificate. | `string` | false | +| custom_metadata | The secret metadata that a user can customize. | `map()` | false | +| rotation | Determines whether Secrets Manager rotates your secrets automatically. | `` | false | +| source_service | The properties required for creating the service credentials for the specified source service instance. | `` | false | +| data | The payload data of a key-value secret. | `map()` | false | +| ttl | The time-to-live (TTL) or lease duration to assign to generated credentials.The TTL defines for how long generated credentials remain valid. For iam_credentials secret TTL is mandatory. The minimum duration is 1 minute. The maximum is 90 days. For service_credentials secret TTL is optional, if set the minimum duration is 1 day. The maximum is 90 days. The TTL defaults to 0 which means no TTL. | `string` | false | +| access_groups | Access Groups that you can use for an `iam_credentials` secret.Up to 10 Access Groups can be used for each secret. | `list(string)` | false | +| service_id | The service ID under which the API key (see the `api_key` field) is created.If you omit this parameter, Secrets Manager generates a new service ID for your secret at its creation and adds it to the access groups that you assign.Optionally, you can use this field to provide your own service ID if you prefer to manage its access directly or retain the service ID after your secret expires, is rotated, or deleted. If you provide a service ID, do not include the `access_groups` parameter. | `string` | false | +| reuse_api_key | Determines whether to use the same service ID and API key for future read operations on an`iam_credentials` secret.If it is set to `true`, the service reuses the current credentials. If it is set to `false`, a new service ID and API key are generated each time that the secret is read or accessed. | `bool` | false | +| payload | The arbitrary secret's data payload. | `string` | false | +| username | The username that is assigned to the secret. | `string` | false | +| password | The password that is assigned to the secret. | `string` | false | +| secret_id | The ID of the secret. | `string` | true | +| certificate_template | The name of the certificate template. | `string` | false | +| config_type | Th configuration type. | `string` | false | +| crl_disable | Disables or enables certificate revocation list (CRL) building.If CRL building is disabled, a signed but zero-length CRL is returned when downloading the CRL. If CRL building is enabled, it will rebuild the CRL. | `bool` | false | +| crl_distribution_points_encoded | Determines whether to encode the certificate revocation list (CRL) distribution points in the certificates that are issued by this certificate authority. | `bool` | false | +| issuing_certificates_urls_encoded | Determines whether to encode the URL of the issuing certificate in the certificates that are issued by this certificate authority. | `bool` | false | +| ttl | The requested time-to-live (TTL) for certificates that are created by this CA. This field's value cannot be longer than the `max_ttl` limit.The value can be supplied as a string representation of a duration in hours, for example '8760h'. In the API response, this value is returned in seconds (integer). | `string` | false | +| signing_method | The signing method to use with this certificate authority to generate private certificates.You can choose between internal or externally signed options. For more information, see the [docs](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-intermediate-certificate-authorities). | `string` | false | +| certificate_authority | The name of the intermediate certificate authority. | `string` | false | +| allowed_secret_groups | Scopes the creation of private certificates to only the secret groups that you specify.This field can be supplied as a comma-delimited list of secret group IDs. | `string` | false | +| allow_localhost | Determines whether to allow `localhost` to be included as one of the requested common names. | `bool` | false | +| allowed_domains | The domains to define for the certificate template. This property is used along with the `allow_bare_domains` and `allow_subdomains` options. | `list(string)` | false | +| allowed_domains_template | Determines whether to allow the domains that are supplied in the `allowed_domains` field to contain access control list (ACL) templates. | `bool` | false | +| allow_bare_domains | Determines whether to allow clients to request private certificates that match the value of the actual domains on the final certificate.For example, if you specify `example.com` in the `allowed_domains` field, you grant clients the ability to request a certificate that contains the name `example.com` as one of the DNS values on the final certificate.**Important:** In some scenarios, allowing bare domains can be considered a security risk. | `bool` | false | +| allow_subdomains | Determines whether to allow clients to request private certificates with common names (CN) that are subdomains of the CNs that are allowed by the other certificate template options. This includes wildcard subdomains.For example, if `allowed_domains` has a value of `example.com` and `allow_subdomains`is set to `true`, then the following subdomains are allowed: `foo.example.com`, `bar.example.com`, `*.example.com`.**Note:** This field is redundant if you use the `allow_any_name` option. | `bool` | false | +| allow_glob_domains | Determines whether to allow glob patterns, for example, `ftp*.example.com`, in the names that are specified in the `allowed_domains` field.If set to `true`, clients are allowed to request private certificates with names that match the glob patterns. | `bool` | false | +| allow_any_name | Determines whether to allow clients to request a private certificate that matches any common name. | `bool` | false | +| enforce_hostnames | Determines whether to enforce only valid host names for common names, DNS Subject Alternative Names, and the host section of email addresses. | `bool` | false | +| allow_ip_sans | Determines whether to allow clients to request a private certificate with IP Subject Alternative Names. | `bool` | false | +| allowed_uri_sans | The URI Subject Alternative Names to allow for private certificates.Values can contain glob patterns, for example `spiffe://hostname/_*`. | `list(string)` | false | +| allowed_other_sans | The custom Object Identifier (OID) or UTF8-string Subject Alternative Names (SANs) to allow for private certificates.The format for each element in the list is the same as OpenSSL: `::` where the current valid type is `UTF8`. To allow any value for an OID, use `*` as its value. Alternatively, specify a single `*` to allow any `other_sans` input. | `list(string)` | false | +| server_flag | Determines whether private certificates are flagged for server use. | `bool` | false | +| client_flag | Determines whether private certificates are flagged for client use. | `bool` | false | +| code_signing_flag | Determines whether private certificates are flagged for code signing use. | `bool` | false | +| email_protection_flag | Determines whether private certificates are flagged for email protection use. | `bool` | false | +| key_usage | The allowed key usage constraint to define for private certificates.You can find valid values in the [Go x509 package documentation](https://pkg.go.dev/crypto/x509#KeyUsage). Omit the `KeyUsage` part of the value. Values are not case-sensitive. To specify no key usage constraints, set this field to an empty list. | `list(string)` | false | +| ext_key_usage | The allowed extended key usage constraint on private certificates.You can find valid values in the [Go x509 package documentation](https://golang.org/pkg/crypto/x509/#ExtKeyUsage). Omit the `ExtKeyUsage` part of the value. Values are not case-sensitive. To specify no key usage constraints, set this field to an empty list. | `list(string)` | false | +| ext_key_usage_oids | A list of extended key usage Object Identifiers (OIDs). | `list(string)` | false | +| use_csr_common_name | When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the common name (CN) from a certificate signing request (CSR) instead of the CN that's included in the data of the certificate.Does not include any requested Subject Alternative Names (SANs) in the CSR. To use the alternative names, include the `use_csr_sans` property. | `bool` | false | +| use_csr_sans | When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the Subject Alternative Names(SANs) from a certificate signing request (CSR) instead of the SANs that are included in the data of the certificate.Does not include the common name in the CSR. To use the common name, include the `use_csr_common_name` property. | `bool` | false | +| require_cn | Determines whether to require a common name to create a private certificate.By default, a common name is required to generate a certificate. To make the `common_name` field optional, set the `require_cn` option to `false`. | `bool` | false | +| policy_identifiers | A list of policy Object Identifiers (OIDs). | `list(string)` | false | +| basic_constraints_valid_for_non_ca | Determines whether to mark the Basic Constraints extension of an issued private certificate as valid for non-CA certificates. | `bool` | false | +| lets_encrypt_environment | The configuration of the Let's Encrypt CA environment. | `string` | false | +| lets_encrypt_private_key | The PEM encoded private key of your Lets Encrypt account. | `string` | false | +| lets_encrypt_preferred_chain | Prefer the chain with an issuer matching this Subject Common Name. | `string` | false | +| event_notifications_instance_crn | A CRN that uniquely identifies an IBM Cloud resource. | `string` | true | +| event_notifications_source_name | The name that is displayed as a source that is in your Event Notifications instance. | `string` | true | +| event_notifications_source_description | An optional description for the source that is in your Event Notifications instance. | `string` | false | +| secret_group_id | The ID of the secret group. | `string` | true | +| secret_id | The ID of the secret. | `string` | true | +| name | The name of the configuration. | `string` | true | ## Outputs -| Name | Description | -|------|-------------| -| secrets\_manager\_secrets | secrets\_manager\_secrets object | -| secrets\_manager\_secret | secrets\_manager\_secret object | -| sm_secret_group | sm_secret_group object | -| sm_imported_certificate | sm_imported_certificate object | -| sm_public_certificate | sm_public_certificate object | -| sm_kv_secret | sm_kv_secret object | -| sm_iam_credentials_secret | sm_iam_credentials_secret object | -| sm_arbitrary_secret | sm_arbitrary_secret object | -| sm_username_password_secret | sm_username_password_secret object | -| sm_private_certificate | sm_private_certificate object | -| sm_private_certificate_configuration_root_ca | sm_private_certificate_configuration_root_ca object | +| Name | Description | +|------------------------------------------------------|-------------------------------------------------------------| +| secrets\_manager\_secrets | secrets\_manager\_secrets object | +| secrets\_manager\_secret | secrets\_manager\_secret object | +| sm_secret_group | sm_secret_group object | +| sm_imported_certificate | sm_imported_certificate object | +| sm_public_certificate | sm_public_certificate object | +| sm_kv_secret | sm_kv_secret object | +| sm_iam_credentials_secret | sm_iam_credentials_secret object | +| sm_service_credentials_secret | sm_service_credentials_secret object | +| sm_arbitrary_secret | sm_arbitrary_secret object | +| sm_username_password_secret | sm_username_password_secret object | +| sm_private_certificate | sm_private_certificate object | +| sm_private_certificate_configuration_root_ca | sm_private_certificate_configuration_root_ca object | | sm_private_certificate_configuration_intermediate_ca | sm_private_certificate_configuration_intermediate_ca object | -| sm_private_certificate_configuration_template | sm_private_certificate_configuration_template object | -| sm_public_certificate_configuration_ca_lets_encrypt | sm_public_certificate_configuration_ca_lets_encrypt object | -| sm_en_registration | sm_en_registration object | -| sm_secret_group | sm_secret_group object | -| sm_secret_groups | sm_secret_groups object | -| sm_secrets | sm_secrets object | -| sm_imported_certificate_metadata | sm_imported_certificate_metadata object | -| sm_public_certificate_metadata | sm_public_certificate_metadata object | -| sm_kv_secret_metadata | sm_kv_secret_metadata object | -| sm_iam_credentials_secret_metadata | sm_iam_credentials_secret_metadata object | -| sm_arbitrary_secret_metadata | sm_arbitrary_secret_metadata object | -| sm_username_password_secret_metadata | sm_username_password_secret_metadata object | -| sm_private_certificate_metadata | sm_private_certificate_metadata object | -| sm_configurations | sm_configurations object | +| sm_private_certificate_configuration_template | sm_private_certificate_configuration_template object | +| sm_public_certificate_configuration_ca_lets_encrypt | sm_public_certificate_configuration_ca_lets_encrypt object | +| sm_en_registration | sm_en_registration object | +| sm_secret_group | sm_secret_group object | +| sm_secret_groups | sm_secret_groups object | +| sm_secrets | sm_secrets object | +| sm_imported_certificate_metadata | sm_imported_certificate_metadata object | +| sm_public_certificate_metadata | sm_public_certificate_metadata object | +| sm_kv_secret_metadata | sm_kv_secret_metadata object | +| sm_iam_credentials_secret_metadata | sm_iam_credentials_secret_metadata object | +| sm_service_credentials_secret_metadata | sm_service_credentials_secret_metadata object | +| sm_arbitrary_secret_metadata | sm_arbitrary_secret_metadata object | +| sm_username_password_secret_metadata | sm_username_password_secret_metadata object | +| sm_private_certificate_metadata | sm_private_certificate_metadata object | +| sm_configurations | sm_configurations object | diff --git a/examples/ibm-secrets-manager/main.tf b/examples/ibm-secrets-manager/main.tf index 1e1a89fccb..5823fb3fa6 100644 --- a/examples/ibm-secrets-manager/main.tf +++ b/examples/ibm-secrets-manager/main.tf @@ -81,6 +81,33 @@ resource "ibm_sm_iam_credentials_secret" "sm_iam_credentials_secret_instance" { } } +// Provision sm_service_credentials_secret resource instance +resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = var.secrets_manager_instance_id + region = var.region + endpoint_type = var.endpoint_type + name = var.sm_service_credentials_secret_name + custom_metadata = { my_key = jsonencode(var.sm_service_credentials_secret_custom_metadata) } + description = var.sm_service_credentials_secret_description + labels = var.sm_service_credentials_secret_labels + rotation { + auto_rotate = true + interval = 1 + unit = "day" + } + secret_group_id = var.sm_service_credentials_secret_secret_group_id + source_service { + instance { + crn = var.sm_service_credentials_secret_source_service_instance_crn + } + role { + crn = var.sm_service_credentials_secret_source_service_role_crn + } + parameters = var.sm_service_credentials_secret_source_service_parameters + } + ttl = var.sm_service_credentials_secret_ttl +} + // Provision sm_arbitrary_secret resource instance resource "ibm_sm_arbitrary_secret" "sm_arbitrary_secret_instance" { instance_id = var.secrets_manager_instance_id @@ -304,6 +331,14 @@ data "ibm_sm_iam_credentials_secret_metadata" "sm_iam_credentials_secret_metadat secret_id = var.sm_iam_credentials_secret_metadata_id } +// Create sm_service_credentials_secret_metadata data source +data "ibm_sm_service_credentials_secret_metadata" "sm_service_credentials_secret_metadata_instance" { + instance_id = var.secrets_manager_instance_id + region = var.region + endpoint_type = var.endpoint_type + secret_id = var.sm_service_credentials_secret_metadata_id +} + // Create sm_arbitrary_secret_metadata data source data "ibm_sm_arbitrary_secret_metadata" "sm_arbitrary_secret_metadata_instance" { instance_id = var.secrets_manager_instance_id @@ -352,6 +387,14 @@ data "ibm_sm_iam_credentials_secret" "sm_iam_credentials_secret_instance" { secret_id = var.sm_iam_credentials_secret_id } +// Create sm_service_credentials_secret data source +data "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_instance" { + instance_id = var.secrets_manager_instance_id + region = var.region + endpoint_type = var.endpoint_type + secret_id = var.sm_service_credentials_secret_id +} + // Create sm_arbitrary_secret data source data "ibm_sm_arbitrary_secret" "sm_arbitrary_secret_instance" { instance_id = var.secrets_manager_instance_id diff --git a/examples/ibm-secrets-manager/outputs.tf b/examples/ibm-secrets-manager/outputs.tf index 9ea26978eb..9684c8c1eb 100644 --- a/examples/ibm-secrets-manager/outputs.tf +++ b/examples/ibm-secrets-manager/outputs.tf @@ -45,6 +45,12 @@ output "ibm_sm_iam_credentials_secret" { value = ibm_sm_iam_credentials_secret.sm_iam_credentials_secret_instance description = "sm_iam_credentials_secret resource instance" } +// This allows sm_service_credentials_secret data to be referenced by other resources and the terraform CLI +// Modify this if only certain data should be exposed +output "ibm_sm_service_credentials_secret" { + value = ibm_sm_service_credentials_secret.sm_service_credentials_secret_instance + description = "sm_service_credentials_secret resource instance" +} // This allows sm_arbitrary_secret data to be referenced by other resources and the terraform CLI // Modify this if only certain data should be exposed output "ibm_sm_arbitrary_secret" { diff --git a/examples/ibm-secrets-manager/variables.tf b/examples/ibm-secrets-manager/variables.tf index 6c713285b8..fba28a2af8 100644 --- a/examples/ibm-secrets-manager/variables.tf +++ b/examples/ibm-secrets-manager/variables.tf @@ -210,6 +210,54 @@ variable "sm_iam_credentials_secret_reuse_api_key" { default = true } +// Resource arguments for sm_service_credentials_secret +variable "sm_service_credentials_name" { + description = "The human-readable name of your secret." + type = string + default = "my-service-credentials-secret" +} +variable "sm_service_credentials_secret_custom_metadata" { + description = "The secret metadata that a user can customize." + type = any + default = "anything as a string" +} +variable "sm_service_credentials_secret_description" { + description = "An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group." + type = string + default = "Extended description for this secret." +} +variable "sm_service_credentials_secret_labels" { + description = "Labels that you can use to search for secrets in your instance.Up to 30 labels can be created." + type = list(string) + default = [ "my-label" ] +} +variable "sm_service_credentials_secret_secret_group_id" { + description = "A v4 UUID identifier, or `default` secret group." + type = string + default = "default" +} +variable "sm_service_credentials_secret_source_service_instance_crn" { + description = "A CRN that uniquely identifies a service credentials source" + type = string + default = "crn:v1:staging:public:cloud-object-storage:global:a/111f5fb10986423e9saa8512f1db7e65:111133c8-49ea-41xe-8c40-122038246f5b::" +} +variable "sm_service_credentials_secret_source_service_role_crn" { + description = "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles." + type = string + default = "crn:v1:bluemix:public:iam::::serviceRole:Writer" +} +variable "sm_service_credentials_secret_source_service_parameters" { + description = "Configuration options represented as key-value pairs. Service-defined options are used in the generation of credentials for some services." + type = string + default = {} +} +variable "sm_service_credentials_secret_ttl" { + description = "The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long generated credentials remain valid. The value should be a string that specifies the number of seconds. Minimum duration is 86400 (1 day). Maximum is 7776000 seconds (90 days)." + type = string + default = "86401" +} + + // Resource arguments for sm_arbitrary_secret variable "sm_arbitrary_secret_name" { description = "The human-readable name of your secret." @@ -705,6 +753,14 @@ variable "sm_iam_credentials_secret_metadata_id" { default = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" } +// Data source arguments for sm_service_credentials_secret_metadata +variable "sm_service_credentials_secret_metadata_id" { + description = "The ID of the secret." + type = string + default = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" +} + + // Data source arguments for sm_arbitrary_secret_metadata variable "sm_arbitrary_secret_metadata_id" { description = "The ID of the secret." @@ -747,6 +803,13 @@ variable "sm_iam_credentials_secret_id" { default = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" } +// Data source arguments for sm_service_credentials_secret +variable "sm_service_credentials_secret_id" { + description = "The ID of the secret." + type = string + default = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" +} + // Data source arguments for sm_arbitrary_secret variable "sm_arbitrary_secret_id" { description = "The ID of the secret." diff --git a/ibm/provider/provider.go b/ibm/provider/provider.go index 936814aded..92ffcdcc77 100644 --- a/ibm/provider/provider.go +++ b/ibm/provider/provider.go @@ -701,6 +701,7 @@ func Provider() *schema.Provider { "ibm_sm_public_certificate_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmPublicCertificateMetadata()), "ibm_sm_private_certificate_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmPrivateCertificateMetadata()), "ibm_sm_iam_credentials_secret_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmIamCredentialsSecretMetadata()), + "ibm_sm_service_credentials_secret_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmServiceCredentialsSecretMetadata()), "ibm_sm_kv_secret_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmKvSecretMetadata()), "ibm_sm_username_password_secret_metadata": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmUsernamePasswordSecretMetadata()), "ibm_sm_arbitrary_secret": secretsmanager.AddInstanceFields(secretsmanager.DataSourceIbmSmArbitrarySecret()), diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go new file mode 100644 index 0000000000..54ff509c4d --- /dev/null +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go @@ -0,0 +1,491 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager + +import ( + "context" + "fmt" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" + "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "log" +) + +func DataSourceIbmSmServiceCredentialsSecretMetadata() *schema.Resource { + return &schema.Resource{ + ReadContext: dataSourceIbmSmServiceCredentialsSecretMetadataRead, + + Schema: map[string]*schema.Schema{ + "secret_id": &schema.Schema{ + Type: schema.TypeString, + Required: true, + Description: "The ID of the secret.", + }, + "created_by": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The unique identifier that is associated with the entity that created the secret.", + }, + "created_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was created. The date format follows RFC 3339.", + }, + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A CRN that uniquely identifies an IBM Cloud resource.", + }, + "custom_metadata": &schema.Schema{ + Type: schema.TypeMap, + Computed: true, + Description: "The secret metadata that a user can customize.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group.", + }, + "downloaded": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API.", + }, + "labels": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "Labels that you can use to search for secrets in your instance.Up to 30 labels can be created.", + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "locks_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of locks of the secret.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The human-readable name of your secret.", + }, + "secret_group_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + ForceNew: true, + Description: "A v4 UUID identifier, or `default` secret group.", + }, + "secret_type": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials.", + }, + "state": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values.", + }, + "state_description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A text representation of the secret state.", + }, + "updated_at": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date when a resource was recently modified. The date format follows RFC 3339.", + }, + "versions_total": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The number of versions of the secret.", + }, + "ttl": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", + }, + "rotation": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secrets automatically.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auto_rotate": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.", + }, + "interval": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "The length of the secret rotation time interval.", + }, + "unit": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The units for the secret rotation time interval.", + }, + }, + }, + }, + "next_rotation_date": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The date that the secret is scheduled for automatic rotation. The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy.", + }, + "source_service": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The properties required for creating the service credentials for the specified source service instance.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "instance": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service instance identifier.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "A CRN that uniquely identifies a service credentials target.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The CRN role identifier for creating a service-id.", + }, + }, + }, + }, + "iam": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service IAM data is returned in case IAM credentials where created for this secret.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "apikey": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM apikey metadata for the IAM credentials that were generated.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key name for the generated service credentials.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM API key description for the generated service credentials.", + }, + }, + }, + }, + "role": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM role for the generate service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM role CRN assigned to the generated service credentials.", + }, + }, + }, + }, + "serviceid": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The IAM serviceid for the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The IAM Service ID CRN.", + }, + }, + }, + }, + }, + }, + }, + "resource_key": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "The source service resource key data of the generated service credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "crn": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key CRN of the generated service credentials.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The resource key name of the generated service credentials.", + }, + }, + }, + }, + "parameters": &schema.Schema{ + Type: schema.TypeMap, + Computed: true, + Description: "The collection of parameters for the service credentials target.", + }, + }, + }, + }, + }, + } +} + +func dataSourceIbmSmServiceCredentialsSecretMetadataRead(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() + if err != nil { + return diag.FromErr(err) + } + + region := getRegion(secretsManagerClient, d) + instanceId := d.Get("instance_id").(string) + secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) + + getSecretMetadataOptions := &secretsmanagerv2.GetSecretMetadataOptions{} + + secretId := d.Get("secret_id").(string) + getSecretMetadataOptions.SetID(secretId) + + ServiceCredentialsSecretMetadataIntf, response, err := secretsManagerClient.GetSecretMetadataWithContext(context, getSecretMetadataOptions) + if err != nil { + log.Printf("[DEBUG] GetSecretMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("GetSecretMetadataWithContext failed %s\n%s", err, response)) + } + ServiceCredentialsSecretMetadata := ServiceCredentialsSecretMetadataIntf.(*secretsmanagerv2.ServiceCredentialsSecretMetadata) + + d.SetId(fmt.Sprintf("%s/%s/%s", region, instanceId, secretId)) + + if err = d.Set("region", region); err != nil { + return diag.FromErr(fmt.Errorf("Error setting region: %s", err)) + } + if err = d.Set("created_by", ServiceCredentialsSecretMetadata.CreatedBy); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_by: %s", err)) + } + + if err = d.Set("created_at", DateTimeToRFC3339(ServiceCredentialsSecretMetadata.CreatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting created_at: %s", err)) + } + + if err = d.Set("crn", ServiceCredentialsSecretMetadata.Crn); err != nil { + return diag.FromErr(fmt.Errorf("Error setting crn: %s", err)) + } + + if ServiceCredentialsSecretMetadata.CustomMetadata != nil { + convertedMap := make(map[string]interface{}, len(ServiceCredentialsSecretMetadata.CustomMetadata)) + for k, v := range ServiceCredentialsSecretMetadata.CustomMetadata { + convertedMap[k] = v + } + + if err = d.Set("custom_metadata", flex.Flatten(convertedMap)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting custom_metadata: %s", err)) + } + if err != nil { + return diag.FromErr(fmt.Errorf("Error setting custom_metadata %s", err)) + } + } + + if err = d.Set("description", ServiceCredentialsSecretMetadata.Description); err != nil { + return diag.FromErr(fmt.Errorf("Error setting description: %s", err)) + } + + if err = d.Set("downloaded", ServiceCredentialsSecretMetadata.Downloaded); err != nil { + return diag.FromErr(fmt.Errorf("Error setting downloaded: %s", err)) + } + + if ServiceCredentialsSecretMetadata.Labels != nil { + if err = d.Set("labels", ServiceCredentialsSecretMetadata.Labels); err != nil { + return diag.FromErr(fmt.Errorf("Error setting labels: %s", err)) + } + } + + if err = d.Set("locks_total", flex.IntValue(ServiceCredentialsSecretMetadata.LocksTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting locks_total: %s", err)) + } + + if err = d.Set("name", ServiceCredentialsSecretMetadata.Name); err != nil { + return diag.FromErr(fmt.Errorf("Error setting name: %s", err)) + } + + if err = d.Set("secret_group_id", ServiceCredentialsSecretMetadata.SecretGroupID); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_group_id: %s", err)) + } + + if err = d.Set("secret_type", ServiceCredentialsSecretMetadata.SecretType); err != nil { + return diag.FromErr(fmt.Errorf("Error setting secret_type: %s", err)) + } + + if err = d.Set("state", flex.IntValue(ServiceCredentialsSecretMetadata.State)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state: %s", err)) + } + + if err = d.Set("state_description", ServiceCredentialsSecretMetadata.StateDescription); err != nil { + return diag.FromErr(fmt.Errorf("Error setting state_description: %s", err)) + } + + if err = d.Set("updated_at", DateTimeToRFC3339(ServiceCredentialsSecretMetadata.UpdatedAt)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting updated_at: %s", err)) + } + + if err = d.Set("versions_total", flex.IntValue(ServiceCredentialsSecretMetadata.VersionsTotal)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting versions_total: %s", err)) + } + + if err = d.Set("ttl", ServiceCredentialsSecretMetadata.TTL); err != nil { + return diag.FromErr(fmt.Errorf("Error setting ttl: %s", err)) + } + + rotation := []map[string]interface{}{} + if ServiceCredentialsSecretMetadata.Rotation != nil { + modelMap, err := dataSourceIbmSmServiceCredentialsSecretMetadataRotationPolicyToMap(ServiceCredentialsSecretMetadata.Rotation.(*secretsmanagerv2.RotationPolicy)) + if err != nil { + return diag.FromErr(err) + } + rotation = append(rotation, modelMap) + } + if err = d.Set("rotation", rotation); err != nil { + return diag.FromErr(fmt.Errorf("Error setting rotation %s", err)) + } + + if err = d.Set("next_rotation_date", DateTimeToRFC3339(ServiceCredentialsSecretMetadata.NextRotationDate)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting next_rotation_date: %s", err)) + } + + sourceServiceMap, err := dataSourceIbmSmServiceCredentialsSecretMetadataSourceServiceToMap(ServiceCredentialsSecretMetadata.SourceService) + if err != nil { + return diag.FromErr(err) + } + if len(sourceServiceMap) > 0 { + if err = d.Set("source_service", []map[string]interface{}{sourceServiceMap}); err != nil { + return diag.FromErr(fmt.Errorf("Error setting source_service: %s", err)) + } + } + + return nil +} + +func dataSourceIbmSmServiceCredentialsSecretMetadataRotationPolicyToMap(model *secretsmanagerv2.RotationPolicy) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if model.AutoRotate != nil { + modelMap["auto_rotate"] = *model.AutoRotate + } + if model.Interval != nil { + modelMap["interval"] = *model.Interval + } + if model.Unit != nil { + modelMap["unit"] = *model.Unit + } + return modelMap, nil +} + +func dataSourceIbmSmServiceCredentialsSecretMetadataSourceServiceToMap(sourceService *secretsmanagerv2.ServiceCredentialsSecretSourceService) (map[string]interface{}, error) { + mainModelMap := make(map[string]interface{}) + if sourceService.Instance != nil { + instanceMap := make(map[string]interface{}) + instanceModel := sourceService.Instance + if instanceModel.Crn != nil { + instanceMap["crn"] = instanceModel.Crn + } + mainModelMap["instance"] = []map[string]interface{}{instanceMap} + } + + if sourceService.Role != nil { + roleMap := make(map[string]interface{}) + roleModel := sourceService.Role + if roleModel.Crn != nil { + roleMap["crn"] = roleModel.Crn + } + mainModelMap["role"] = []map[string]interface{}{roleMap} + } + + if sourceService.Iam != nil { + iamMap := make(map[string]interface{}) + iamModel := sourceService.Iam + + // apikey + if iamModel.Apikey != nil { + iamApikeyMap := make(map[string]interface{}) + iamApikeyModel := iamModel.Apikey + if iamApikeyModel.Name != nil { + iamApikeyMap["name"] = iamApikeyModel.Name + } + if iamApikeyModel.Description != nil { + iamApikeyMap["description"] = iamApikeyModel.Description + } + iamMap["apikey"] = []map[string]interface{}{iamApikeyMap} + } + + // role + if iamModel.Role != nil { + iamRoleMap := make(map[string]interface{}) + iamRoleModel := iamModel.Role + if iamRoleModel.Crn != nil { + iamRoleMap["crn"] = iamRoleModel.Crn + } + iamMap["role"] = []map[string]interface{}{iamRoleMap} + } + + // service id + if iamModel.Serviceid != nil { + iamServiceidMap := make(map[string]interface{}) + iamServiceidModel := iamModel.Serviceid + if iamServiceidModel.Crn != nil { + iamServiceidMap["crn"] = iamServiceidModel.Crn + } + iamMap["serviceid"] = []map[string]interface{}{iamServiceidMap} + } + + mainModelMap["iam"] = []map[string]interface{}{iamMap} + + } + + if sourceService.ResourceKey != nil { + resourceKeyMap := make(map[string]interface{}) + resourceKeyModel := sourceService.ResourceKey + if resourceKeyModel.Crn != nil { + resourceKeyMap["crn"] = resourceKeyModel.Crn + } + if resourceKeyModel.Name != nil { + resourceKeyMap["name"] = resourceKeyModel.Name + } + mainModelMap["resource_key"] = []map[string]interface{}{resourceKeyMap} + } + + if sourceService.Parameters != nil { + parametersMap := sourceService.Parameters.GetProperties() + for k, v := range parametersMap { + parametersMap[k] = fmt.Sprint(v) + } + if sourceService.Parameters.ServiceidCrn != nil { + parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn + } + mainModelMap["parameters"] = parametersMap + } + + return mainModelMap, nil +} diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go index 1f1f813e83..82232a7cfd 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -330,7 +330,7 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { "ttl": &schema.Schema{ Type: schema.TypeString, Required: true, - ValidateFunc: StringIsIntBetween(60, 7776000), + ValidateFunc: StringIsIntBetween(86400, 7776000), Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", }, "updated_at": &schema.Schema{ diff --git a/website/docs/d/sm_service_credentials_secret.html.markdown b/website/docs/d/sm_service_credentials_secret.html.markdown new file mode 100644 index 0000000000..0bce29f26e --- /dev/null +++ b/website/docs/d/sm_service_credentials_secret.html.markdown @@ -0,0 +1,140 @@ +--- +layout: "ibm" +page_title: "IBM : ibm_sm_service_credentials_secret" +description: |- + Get information about ServiceCredentialsSecret +subcategory: "Secrets Manager" +--- + +# ibm_sm_service_credentials_secret + +Provides a read-only data source for a service credentials secret. You can then reference the fields of the data source in other resources within the same configuration using interpolation syntax. +The data source can be defined by providing the secret ID or the secret and secret group names. + +## Example Usage + +By secret id +```hcl +data "ibm_sm_service_credentials_secret" "service_credentials_secret" { + instance_id = ibm_resource_instance.sm_instance.guid + region = "us-south" + secret_id = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" +} +``` + +By secret name and group name +```hcl +data "ibm_sm_service_credentials_secret" "service_credentials_secret" { + instance_id = ibm_resource_instance.sm_instance.guid + region = "us-south" + name = "secret-name" + secret_group_name = "group-name" +} +``` + +## Argument Reference + +Review the argument reference that you can specify for your data source. + +* `instance_id` - (Required, Forces new resource, String) The GUID of the Secrets Manager instance. +* `region` - (Optional, Forces new resource, String) The region of the Secrets Manager instance. If not provided defaults to the region defined in the IBM provider configuration. +* `endpoint_type` - (Optional, String) - The endpoint type. If not provided the endpoint type is determined by the `visibility` argument provided in the provider configuration. + * Constraints: Allowable values are: `private`, `public`. +* `secret_id` - (Optional, String) The ID of the secret. + * Constraints: The maximum length is `36` characters. The minimum length is `36` characters. The value must match regular expression `/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/`. +* `name` - (Optional, String) The human-readable name of your secret. To be used in combination with `secret_group_name`. + * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `^[A-Za-z0-9][A-Za-z0-9]*(?:_*-*\\.*[A-Za-z0-9]+)*$`. +* `secret_group_name` - (Optional, String) The name of your existing secret group. To be used in combination with `name`. + * Constraints: The maximum length is `64` characters. The minimum length is `2` characters. The value must match regular expression `/(.*?)/`. + +## Attribute Reference + +In addition to all argument references listed, you can access the following attribute references after your data source is created. + +* `created_at` - (String) The date when a resource was created. The date format follows RFC 3339. + +* `created_by` - (String) The unique identifier that is associated with the entity that created the secret. + * Constraints: The maximum length is `128` characters. The minimum length is `4` characters. + +* `credentials` - (List) The properties of the service credentials secret payload. + Nested scheme for **credentials**: + * `apikey` - (String) The API key that is generated for this secret. + * `cos_hmac_keys` - (String) The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret. + Nested scheme for **cos_hmac_keys**: + * `access_key_id` - (String) The access key ID for Cloud Object Storage HMAC credentials. + * `secret_access_key` - (String) The secret access key ID for Cloud Object Storage HMAC credentials. + * `endpoints` - (String) The endpoints that are returned after you create a service credentials secret. + * `iam_apikey_description` - (String) The description of the generated IAM API key. + * `iam_apikey_name` - (String) The name of the generated IAM API key. + * `iam_role_crn` - (String) The IAM role CRN that is returned after you create a service credentials secret. + * `iam_serviceid_crn` - (String) The IAM serviceId CRN that is returned after you create a service credentials secret. + * `resource_instance_id` - (String) The resource instance CRN that is returned after you create a service credentials secret. + +* `crn` - (String) A CRN that uniquely identifies an IBM Cloud resource. + * Constraints: The maximum length is `512` characters. The minimum length is `9` characters. The value must match regular expression `/^crn:v[0-9](:([A-Za-z0-9-._~!$&'()*+,;=@\/]|%[0-9A-Z]{2})*){8}$/`. + +* `custom_metadata` - (Map) The secret metadata that a user can customize. + +* `description` - (String) An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. + * Constraints: The maximum length is `1024` characters. The minimum length is `0` characters. The value must match regular expression `/(.*?)/`. + +* `downloaded` - (Boolean) Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API. + +* `labels` - (List) Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. + * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `30` items. The minimum length is `0` items. + +* `locks_total` - (Integer) The number of locks of the secret. + * Constraints: The maximum value is `1000`. The minimum value is `0`. + +* `name` - (String) The human-readable name of your secret. + * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. + +* `next_rotation_date` - (String) The date that the secret is scheduled for automatic rotation.The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy. + +* `rotation` - (List) Determines whether Secrets Manager rotates your secrets automatically. + Nested scheme for **rotation**: + * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. + * `interval` - (Integer) The length of the secret rotation time interval. + * Constraints: The minimum value is `1`. + * `unit` - (String) The units for the secret rotation time interval. + * Constraints: Allowable values are: `day`, `month`. + +* `secret_group_id` - (String) A v4 UUID identifier, or `default` secret group. + * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`. + +* `secret_type` - (String) The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. + * Constraints: Allowable values are: `arbitrary`, `imported_cert`, `public_cert`, `iam_credentials`, `kv`, `username_password`, `private_cert`. + +* `source_service` - (List) The properties required for creating the service credentials for the specified source service instance. + Nested scheme for **source_service**: + * `iam` - (List) The source service IAM data is returned in case IAM credentials where created for this secret. + Nested scheme for **iam**: + * `apikey` - (String) The IAM apikey metadata for the IAM credentials that were generated. + Nested scheme for **apikey**: + * `name` - (String) The IAM API key name for the generated service credentials. + * `description` - (String) The IAM API key description for the generated service credentials. + * `role` - (String) The IAM role for the generate service credentials. + Nested scheme for **role**: + * `crn` - (String) The IAM role CRN assigned to the generated service credentials. + * `serviceid` - (String) The IAM serviceid for the generated service credentials. + Nested scheme for **serviceid**: + * `crn` - (String) The IAM Service ID CRN. + * `resource_key` - (List) The source service resource key data of the generated service credentials. + Nested scheme for **resource_key**: + * `crn` - (String) The resource key CRN of the generated service credentials. + * `name` - (String) The resource key name of the generated service credentials. + +* `state` - (Integer) The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values. + * Constraints: Allowable values are: `0`, `1`, `2`, `3`, `5`. + +* `state_description` - (String) A text representation of the secret state. + * Constraints: Allowable values are: `pre_activation`, `active`, `suspended`, `deactivated`, `destroyed`. + +* `ttl` - (String) The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long generated credentials remain valid. The value should be a string that specifies the number of seconds. Minimum duration is 86400 (1 day). Maximum is 7776000 seconds (90 days). + * Constraints: The maximum length is `7` characters. The minimum length is `2` characters. + +* `updated_at` - (String) The date when a resource was recently modified. The date format follows RFC 3339. + +* `versions_total` - (Integer) The number of versions of the secret. + * Constraints: The maximum value is `50`. The minimum value is `0`. + diff --git a/website/docs/d/sm_service_credentials_secret_metadata.html.markdown b/website/docs/d/sm_service_credentials_secret_metadata.html.markdown new file mode 100644 index 0000000000..0710616c26 --- /dev/null +++ b/website/docs/d/sm_service_credentials_secret_metadata.html.markdown @@ -0,0 +1,113 @@ +--- +layout: "ibm" +page_title: "IBM : ibm_sm_service_credentials_secret_metadata" +description: |- + Get information about ServiceCredentialsSecretMetadata +subcategory: "Secrets Manager" +--- + +# ibm_sm_service_credentials_secret + +Provides a read-only data source for the metadata of an service credentials secret. You can then reference the fields of the data source in other resources within the same configuration using interpolation syntax. + + +## Example Usage + +```hcl +data "ibm_sm_service_credentials_secret_metadata" "service_credentials_secret_metadata" { + instance_id = ibm_resource_instance.sm_instance.guid + region = "us-south" + secret_id = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" +} +``` + +## Argument Reference + +Review the argument reference that you can specify for your data source. + +* `instance_id` - (Required, Forces new resource, String) The GUID of the Secrets Manager instance. +* `region` - (Optional, Forces new resource, String) The region of the Secrets Manager instance. If not provided defaults to the region defined in the IBM provider configuration. +* `endpoint_type` - (Optional, String) - The endpoint type. If not provided the endpoint type is determined by the `visibility` argument provided in the provider configuration. + * Constraints: Allowable values are: `private`, `public`. +* `secret_id` - (Optional, String) The ID of the secret. + * Constraints: The maximum length is `36` characters. The minimum length is `36` characters. The value must match regular expression `/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/`. + +## Attribute Reference + +In addition to all argument references listed, you can access the following attribute references after your data source is created. + +* `id` - The unique identifier of the data source. + +* `created_at` - (String) The date when a resource was created. The date format follows RFC 3339. + +* `created_by` - (String) The unique identifier that is associated with the entity that created the secret. + * Constraints: The maximum length is `128` characters. The minimum length is `4` characters. + +* `crn` - (String) A CRN that uniquely identifies an IBM Cloud resource. + * Constraints: The maximum length is `512` characters. The minimum length is `9` characters. The value must match regular expression `/^crn:v[0-9](:([A-Za-z0-9-._~!$&'()*+,;=@\/]|%[0-9A-Z]{2})*){8}$/`. + +* `custom_metadata` - (Map) The secret metadata that a user can customize. + +* `description` - (String) An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. + * Constraints: The maximum length is `1024` characters. The minimum length is `0` characters. The value must match regular expression `/(.*?)/`. + +* `downloaded` - (Boolean) Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API. + +* `labels` - (List) Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. + * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `30` items. The minimum length is `0` items. + +* `locks_total` - (Integer) The number of locks of the secret. + * Constraints: The maximum value is `1000`. The minimum value is `0`. + +* `name` - (String) The human-readable name of your secret. + * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. + +* `next_rotation_date` - (String) The date that the secret is scheduled for automatic rotation.The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy. + +* `rotation` - (List) Determines whether Secrets Manager rotates your secrets automatically. + Nested scheme for **rotation**: + * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. + * `interval` - (Integer) The length of the secret rotation time interval. + * Constraints: The minimum value is `1`. + * `unit` - (String) The units for the secret rotation time interval. + * Constraints: Allowable values are: `day`, `month`. + +* `secret_group_id` - (String) A v4 UUID identifier, or `default` secret group. + * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`. + +* `secret_type` - (String) The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. + * Constraints: Allowable values are: `arbitrary`, `imported_cert`, `public_cert`, `iam_credentials`, `kv`, `username_password`, `private_cert`. + +* `source_service` - (List) The properties required for creating the service credentials for the specified source service instance. + Nested scheme for **source_service**: + * `iam` - (List) The source service IAM data is returned in case IAM credentials where created for this secret. + Nested scheme for **iam**: + * `apikey` - (String) The IAM apikey metadata for the IAM credentials that were generated. + Nested scheme for **apikey**: + * `name` - (String) The IAM API key name for the generated service credentials. + * `description` - (String) The IAM API key description for the generated service credentials. + * `role` - (String) The IAM role for the generate service credentials. + Nested scheme for **role**: + * `crn` - (String) The IAM role CRN assigned to the generated service credentials. + * `serviceid` - (String) The IAM serviceid for the generated service credentials. + Nested scheme for **serviceid**: + * `crn` - (String) The IAM Service ID CRN. + * `resource_key` - (List) The source service resource key data of the generated service credentials. + Nested scheme for **resource_key**: + * `crn` - (String) The resource key CRN of the generated service credentials. + * `name` - (String) The resource key name of the generated service credentials. + +* `state` - (Integer) The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values. + * Constraints: Allowable values are: `0`, `1`, `2`, `3`, `5`. + +* `state_description` - (String) A text representation of the secret state. + * Constraints: Allowable values are: `pre_activation`, `active`, `suspended`, `deactivated`, `destroyed`. + +* `ttl` - (String) The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long generated credentials remain valid. The value should be a string that specifies the number of seconds. Minimum duration is 86400 (1 day). Maximum is 7776000 seconds (90 days). + * Constraints: The maximum length is `7` characters. The minimum length is `2` characters. + +* `updated_at` - (String) The date when a resource was recently modified. The date format follows RFC 3339. + +* `versions_total` - (Integer) The number of versions of the secret. + * Constraints: The maximum value is `50`. The minimum value is `0`. + diff --git a/website/docs/r/sm_service_credentials_secret.html.markdown b/website/docs/r/sm_service_credentials_secret.html.markdown index b86d6093a6..fdeb388008 100644 --- a/website/docs/r/sm_service_credentials_secret.html.markdown +++ b/website/docs/r/sm_service_credentials_secret.html.markdown @@ -26,6 +26,15 @@ resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { unit = "day" } secret_group_id = ibm_sm_secret_group.sm_secret_group.secret_group_id + source_service { + instance { + crn = "crn:v1:staging:public:cloud-object-storage:global:a/111f5fb10986423e9saa8512f1db7e65:111133c8-49ea-41xe-8c40-122038246f5b::" + } + role { + crn = "crn:v1:bluemix:public:iam::::serviceRole:Writer" + } + parameters = {"HMAC": true} + } ttl = "1800" } ``` @@ -38,19 +47,18 @@ Review the argument reference that you can specify for your resource. * `region` - (Optional, Forces new resource, String) The region of the Secrets Manager instance. If not provided defaults to the region defined in the IBM provider configuration. * `endpoint_type` - (Optional, String) - The endpoint type. If not provided the endpoint type is determined by the `visibility` argument provided in the provider configuration. * Constraints: Allowable values are: `private`, `public`. +* `name` - (Required, String) The human-readable name of your secret. + * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `^[A-Za-z0-9][A-Za-z0-9]*(?:_*-*\\.*[A-Za-z0-9]+)*$`. * `custom_metadata` - (Optional, Map) The secret metadata that a user can customize. * `description` - (Optional, String) An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. * Constraints: The maximum length is `1024` characters. The minimum length is `0` characters. The value must match regular expression `/(.*?)/`. * `labels` - (Optional, List) Labels that you can use to search for secrets in your instance.Up to 30 labels can be created. * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `30` items. The minimum length is `0` items. -* `name` - (Required, String) The human-readable name of your secret. - * Constraints: The maximum length is `256` characters. The minimum length is `2` characters. The value must match regular expression `^[A-Za-z0-9][A-Za-z0-9]*(?:_*-*\\.*[A-Za-z0-9]+)*$`. * `rotation` - (Optional, List) Determines whether Secrets Manager rotates your secrets automatically. Nested scheme for **rotation**: * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Optional, Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Optional, Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (Optional, String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. @@ -59,21 +67,12 @@ Nested scheme for **rotation**: Nested scheme for **source_service**: * `instance` - (Optional, List) The source service instance identifier. Nested scheme for **instance**: - * `crn` - (Optional, String) A CRN that uniquely identifies a service credentials source. - * `parameters` - (Optional, List) Configuration options represented as key-value pairs. Service-defined options are used in the generation of credentials for some services. For example, Cloud Object Storage accepts the optional boolean parameter HMAC for creating specific kind of credentials. + * `crn` - (Optional, String) A CRN that uniquely identifies a service credentials source. * `role` - (Optional, List) The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles. Nested scheme for **role**: - * `crn` - (Optional, String) The service role CRN. - * `iam` - (Optional, List) The source service IAM data is returned in case IAM credentials where created for this secret. - Nested scheme for **iam**: - * `apikey` - (Optional, String) The IAM apikey metadata for the IAM credentials that were generated. - * `role` - (Optional, String) The IAM role for the generate service credentials. - * `serviceid` - (Optional, String) The IAM serviceid for the generated service credentials. - * `resource_key` - (Optional, List) The source service resource key data of the generated service credentials. - Nested scheme for **resource_key**: - * `crn` - (Optional, String) The resource key CRN of the generated service credentials. - * `name` - (Optional, String) The resource key name of the generated service credentials. -* `ttl` - (Required, String) The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long each generated API key remains valid. The value should be an integer that specifies the number of seconds. Minimum duration is 60 seconds. Maximum is 7776000 seconds (90 days). + * `crn` - (Optional, String) The service role CRN. + * `parameters` - (Optional, List) Configuration options represented as key-value pairs. Service-defined options are used in the generation of credentials for some services. For example, Cloud Object Storage accepts the optional boolean parameter HMAC for creating specific kind of credentials. +* `ttl` - (Required, String) The time-to-live (TTL) or lease duration to assign to generated credentials. The TTL defines for how long generated credentials remain valid. The value should be a string that specifies the number of seconds. Minimum duration is 86400 (1 day). Maximum is 7776000 seconds (90 days). * Constraints: The maximum length is `7` characters. The minimum length is `2` characters. ## Attribute Reference @@ -84,12 +83,43 @@ In addition to all argument references listed, you can access the following attr * `created_at` - (String) The date when a resource was created. The date format follows RFC 3339. * `created_by` - (String) The unique identifier that is associated with the entity that created the secret. * Constraints: The maximum length is `128` characters. The minimum length is `4` characters. +* `credentials` - (List) The properties of the service credentials secret payload. + Nested scheme for **credentials**: + * `apikey` - (String) The API key that is generated for this secret. + * `cos_hmac_keys` - (String) The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret. + Nested scheme for **cos_hmac_keys**: + * `access_key_id` - (String) The access key ID for Cloud Object Storage HMAC credentials. + * `secret_access_key` - (String) The secret access key ID for Cloud Object Storage HMAC credentials. + * `endpoints` - (String) The endpoints that are returned after you create a service credentials secret. + * `iam_apikey_description` - (String) The description of the generated IAM API key. + * `iam_apikey_name` - (String) The name of the generated IAM API key. + * `iam_role_crn` - (String) The IAM role CRN that is returned after you create a service credentials secret. + * `iam_serviceid_crn` - (String) The IAM serviceId CRN that is returned after you create a service credentials secret. + * `resource_instance_id` - (String) The resource instance CRN that is returned after you create a service credentials secret. * `crn` - (String) A CRN that uniquely identifies an IBM Cloud resource. * Constraints: The maximum length is `512` characters. The minimum length is `9` characters. The value must match regular expression `/^crn:v[0-9](:([A-Za-z0-9-._~!$&'()*+,;=@\/]|%[0-9A-Z]{2})*){8}$/`. * `downloaded` - (Boolean) Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API. * `locks_total` - (Integer) The number of locks of the secret. * Constraints: The maximum value is `1000`. The minimum value is `0`. * `next_rotation_date` - (String) The date that the secret is scheduled for automatic rotation.The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy. +* `source_service` - (List) The properties required for creating the service credentials for the specified source service instance. + Nested scheme for **source_service**: + * `iam` - (List) The source service IAM data is returned in case IAM credentials where created for this secret. + Nested scheme for **iam**: + * `apikey` - (String) The IAM apikey metadata for the IAM credentials that were generated. + Nested scheme for **apikey**: + * `name` - (String) The IAM API key name for the generated service credentials. + * `description` - (String) The IAM API key description for the generated service credentials. + * `role` - (String) The IAM role for the generate service credentials. + Nested scheme for **role**: + * `crn` - (String) The IAM role CRN assigned to the generated service credentials. + * `serviceid` - (String) The IAM serviceid for the generated service credentials. + Nested scheme for **serviceid**: + * `crn` - (String) The IAM Service ID CRN. + * `resource_key` - (List) The source service resource key data of the generated service credentials. + Nested scheme for **resource_key**: + * `crn` - (String) The resource key CRN of the generated service credentials. + * `name` - (String) The resource key name of the generated service credentials. * `state` - (Integer) The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values. * Constraints: Allowable values are: `0`, `1`, `2`, `3`, `5`. * `state_description` - (String) A text representation of the secret state. From 60abaf9338a777d728270769409e861a7e09105a Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Sun, 19 Nov 2023 14:10:52 +0200 Subject: [PATCH 04/25] update function updated --- .../resource_ibm_sm_service_credentilas_secret.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go index 82232a7cfd..013921c17e 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -552,6 +552,10 @@ func resourceIbmSmServiceCredentialsSecretUpdate(context context.Context, d *sch patchVals.Description = core.StringPtr(d.Get("description").(string)) hasChange = true } + if d.HasChange("ttl") { + patchVals.TTL = core.StringPtr(d.Get("ttl").(string)) + hasChange = true + } if d.HasChange("labels") { labels := d.Get("labels").([]interface{}) labelsParsed := make([]string, len(labels)) @@ -565,6 +569,15 @@ func resourceIbmSmServiceCredentialsSecretUpdate(context context.Context, d *sch patchVals.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) hasChange = true } + if d.HasChange("rotation") { + RotationModel, err := resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(d.Get("rotation").([]interface{})[0].(map[string]interface{})) + if err != nil { + log.Printf("[DEBUG] UpdateSecretMetadataWithContext failed: Reading Rotation parameter failed: %s", err) + return diag.FromErr(fmt.Errorf("UpdateSecretMetadataWithContext failed: Reading Rotation parameter failed: %s", err)) + } + patchVals.Rotation = RotationModel + hasChange = true + } // Apply change in metadata (if changed) if hasChange { From 8477dde3ca0db972dd5e6c8a6aa3c9915e4c4582 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 22 Nov 2023 10:36:24 +0200 Subject: [PATCH 05/25] SC unit tests added --- ibm/acctest/acctest.go | 6 + ...ource_ibm_sm_service_credentials_secret.go | 3 + ..._sm_service_credentials_secret_metadata.go | 3 + ...ervice_credentials_secret_metadata_test.go | 74 ++++ ..._ibm_sm_service_credentials_secret_test.go | 84 +++++ ...ource_ibm_sm_service_credentilas_secret.go | 3 + ..._ibm_sm_service_credentilas_secret_test.go | 335 ++++++++++++++++++ 7 files changed, 508 insertions(+) create mode 100644 ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata_test.go create mode 100644 ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go create mode 100644 ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go diff --git a/ibm/acctest/acctest.go b/ibm/acctest/acctest.go index 65e4440b75..68cb246eac 100644 --- a/ibm/acctest/acctest.go +++ b/ibm/acctest/acctest.go @@ -139,6 +139,7 @@ var ( SecretsManagerPublicCertificateCommonName string SecretsManagerValidateManualDnsCisZoneId string SecretsManagerImportedCertificatePathToCertificate string + SecretsManagerServiceCredentialsCosCrn string SecretsManagerSecretType string SecretsManagerSecretID string ) @@ -1205,6 +1206,11 @@ func init() { fmt.Println("[INFO] Set the environment variable SECRETS_MANAGER_IMPORTED_CERTIFICATE_PATH_TO_CERTIFICATE for testing imported certificate's tests, else tests fail if not set correctly") } + SecretsManagerServiceCredentialsCosCrn = os.Getenv("SECRETS_MANAGER_SERVICE_CREDENTIALS_COS_CRN") + if SecretsManagerServiceCredentialsCosCrn == "" { + fmt.Println("[INFO] Set the environment variable SECRETS_MANAGER_SERVICE_CREDENTIALS_COS_CRN for testing service credentials' tests, else tests fail if not set correctly") + } + SecretsManagerSecretType = os.Getenv("SECRETS_MANAGER_SECRET_TYPE") if SecretsManagerSecretType == "" { SecretsManagerSecretType = "username_password" diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go index 8e23da6863..686a553ae7 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go @@ -592,6 +592,9 @@ func dataSourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *se parametersMap[k] = fmt.Sprint(v) } if sourceService.Parameters.ServiceidCrn != nil { + if len(parametersMap) == 0 { + parametersMap = make(map[string]interface{}) + } parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn } mainModelMap["parameters"] = parametersMap diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go index 54ff509c4d..141e0f9e6d 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go @@ -482,6 +482,9 @@ func dataSourceIbmSmServiceCredentialsSecretMetadataSourceServiceToMap(sourceSer parametersMap[k] = fmt.Sprint(v) } if sourceService.Parameters.ServiceidCrn != nil { + if len(parametersMap) == 0 { + parametersMap = make(map[string]interface{}) + } parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn } mainModelMap["parameters"] = parametersMap diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata_test.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata_test.go new file mode 100644 index 0000000000..91ad1c0491 --- /dev/null +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata_test.go @@ -0,0 +1,74 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager_test + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + + acc "github.com/IBM-Cloud/terraform-provider-ibm/ibm/acctest" +) + +func TestAccIbmSmServiceCredentialsSecretMetadataDataSourceBasic(t *testing.T) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccCheckIbmSmServiceCredentialsSecretMetadataDataSourceConfigBasic(), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "secret_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "instance_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "created_by"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "created_at"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "crn"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "secret_group_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "secret_type"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "updated_at"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "versions_total"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "rotation.#"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "ttl"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret_metadata.sm_service_credentials_secret_metadata", "source_service.#"), + ), + }, + }, + }) +} + +func testAccCheckIbmSmServiceCredentialsSecretMetadataDataSourceConfigBasic() string { + return fmt.Sprintf(` + resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_instance" { + instance_id = "%s" + region = "%s" + custom_metadata = {"key":"value"} + description = "Extended description for this secret." + labels = ["my-label"] + rotation { + auto_rotate = true + interval = 1 + unit = "day" + } + secret_group_id = "default" + name = "service_credentials-datasource-terraform-test" + ttl = "%s" + source_service { + instance { + crn = "%s" + } + parameters = %s + role { + crn = "%s" + } + } + } + + data "ibm_sm_service_credentials_secret_metadata" "sm_service_credentials_secret_metadata" { + instance_id = "%s" + region = "%s" + secret_id = ibm_sm_service_credentials_secret.sm_service_credentials_secret_instance.secret_id + } + `, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, serviceCredentialsTtl, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion) +} diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go new file mode 100644 index 0000000000..ff445e0778 --- /dev/null +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go @@ -0,0 +1,84 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager_test + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + + acc "github.com/IBM-Cloud/terraform-provider-ibm/ibm/acctest" +) + +func TestAccIbmSmServiceCredentialsSecretDataSourceBasic(t *testing.T) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccCheckIbmSmServiceCredentialsSecretDataSourceConfigBasic(), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "secret_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "instance_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "created_by"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "created_at"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "crn"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "secret_group_id"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "secret_type"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "updated_at"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "versions_total"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "rotation.#"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "ttl"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "source_service.#"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "credentials.#"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret_by_name", "name"), + resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret_by_name", "secret_group_name"), + ), + }, + }, + }) +} + +func testAccCheckIbmSmServiceCredentialsSecretDataSourceConfigBasic() string { + return fmt.Sprintf(` + resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_instance" { + instance_id = "%s" + region = "%s" + custom_metadata = {"key":"value"} + description = "Extended description for this secret." + labels = ["my-label"] + rotation { + auto_rotate = true + interval = 1 + unit = "day" + } + secret_group_id = "default" + name = "service_credentials-datasource-terraform-test" + ttl = "%s" + source_service { + instance { + crn = "%s" + } + parameters = %s + role { + crn = "%s" + } + } + } + + data "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = "%s" + region = "%s" + secret_id = ibm_sm_service_credentials_secret.sm_service_credentials_secret_instance.secret_id + } + + data "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_by_name" { + instance_id = "%s" + region = "%s" + name = ibm_sm_service_credentials_secret.sm_service_credentials_secret_instance.name + secret_group_name = "default" + } + `, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, serviceCredentialsTtl, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion) +} diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go index 013921c17e..5795d0ec0a 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -834,6 +834,9 @@ func resourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secr parametersMap[k] = fmt.Sprint(v) } if sourceService.Parameters.ServiceidCrn != nil { + if len(parametersMap) == 0 { + parametersMap = make(map[string]interface{}) + } parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn } mainModelMap["parameters"] = parametersMap diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go new file mode 100644 index 0000000000..85e9c37795 --- /dev/null +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go @@ -0,0 +1,335 @@ +// Copyright IBM Corp. 2023 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +package secretsmanager_test + +import ( + "fmt" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + + acc "github.com/IBM-Cloud/terraform-provider-ibm/ibm/acctest" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" + "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" +) + +var serviceCredentialsSecretName = "terraform-test-sc-secret" +var modifiedServiceCredentialsSecretName = "modified-terraform-test-sc-secret" +var serviceCredentialsParameters = `{"HMAC":"true"}` +var serviceCredentialsParametersWithServiceId = `{"serviceid_crn": ibm_iam_service_id.ibm_iam_service_id_instance.crn}` +var serviceCredentialsTtl = "86400" +var modifiedServiceCredentialsTtl = "96400" +var serviceCredentialsRoleCrn = "crn:v1:bluemix:public:iam::::serviceRole:Writer" + +func TestAccIbmSmServiceCredentialsSecretBasic(t *testing.T) { + resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret_basic" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: serviceCredentialsSecretConfigBasic(), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttrSet(resourceName, "secret_id"), + resource.TestCheckResourceAttrSet(resourceName, "created_by"), + resource.TestCheckResourceAttrSet(resourceName, "created_at"), + resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttrSet(resourceName, "crn"), + resource.TestCheckResourceAttrSet(resourceName, "downloaded"), + resource.TestCheckResourceAttr(resourceName, "state", "1"), + resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), + ), + }, + resource.TestStep{ + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl"}, + }, + }, + }) +} + +func TestAccIbmSmServiceCredentialsSecretAllArgs(t *testing.T) { + resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: serviceCredentialsSecretConfigAllArgs(), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckIbmSmServiceCredentialsSecretCreated(resourceName), + resource.TestCheckResourceAttrSet(resourceName, "secret_id"), + resource.TestCheckResourceAttrSet(resourceName, "created_by"), + resource.TestCheckResourceAttrSet(resourceName, "created_at"), + resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttrSet(resourceName, "crn"), + resource.TestCheckResourceAttrSet(resourceName, "downloaded"), + resource.TestCheckResourceAttrSet(resourceName, "next_rotation_date"), + resource.TestCheckResourceAttr(resourceName, "state", "1"), + resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), + ), + }, + resource.TestStep{ + Config: serviceCredentialsSecretConfigUpdated(), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckIbmSmServiceCredentialsSecretUpdated(resourceName), + ), + }, + resource.TestStep{ + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl"}, + }, + }, + }) +} + +func TestAccIbmSmServiceCredentialsSecretAllArgsWithExistingServiceId(t *testing.T) { + resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret_service_id" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: serviceCredentialsSecretConfigAllArgsWithExistingServiceId(), + Check: resource.ComposeAggregateTestCheckFunc( + testAccCheckIbmSmServiceCredentialsSecretCreated(resourceName), + resource.TestCheckResourceAttrSet(resourceName, "secret_id"), + resource.TestCheckResourceAttrSet(resourceName, "created_by"), + resource.TestCheckResourceAttrSet(resourceName, "created_at"), + resource.TestCheckResourceAttrSet(resourceName, "updated_at"), + resource.TestCheckResourceAttrSet(resourceName, "crn"), + resource.TestCheckResourceAttrSet(resourceName, "downloaded"), + resource.TestCheckResourceAttrSet(resourceName, "next_rotation_date"), + resource.TestCheckResourceAttr(resourceName, "state", "1"), + resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), + ), + }, + resource.TestStep{ + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"ttl"}, + }, + }, + }) +} + +var serviceCredentialsSecretBasicConfigFormat = ` + resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_basic" { + instance_id = "%s" + region = "%s" + name = "%s" + source_service { + instance { + crn = "%s" + } + role { + crn = "%s" + } + } + ttl = "%s" + }` + +var serviceCredentialsSecretFullConfigFormat = ` + resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = "%s" + region = "%s" + name = "%s-serviceid" + description = "%s" + labels = ["%s"] + source_service { + instance { + crn = "%s" + } + parameters = %s + role { + crn = "%s" + } + } + ttl = "%s" + custom_metadata = %s + secret_group_id = "default" + rotation %s + }` + +var serviceCredentialsSecretFullConfigFormatWithExistingServiceId = ` + resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_service_id" { + instance_id = "%s" + region = "%s" + name = "%s" + description = "%s" + labels = ["%s"] + source_service { + instance { + crn = "%s" + } + parameters = %s + role { + crn = "%s" + } + } + ttl = "%s" + custom_metadata = %s + secret_group_id = "default" + rotation %s + }` + +func iamServiceIdConfig() string { + return fmt.Sprintf(` + resource "ibm_iam_service_id" "ibm_iam_service_id_instance" { + name = "service-id-terraform-tests-sc" + }`) +} + +func serviceCredentialsSecretConfigBasic() string { + return fmt.Sprintf(serviceCredentialsSecretBasicConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, + serviceCredentialsSecretName, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsRoleCrn, serviceCredentialsTtl) +} + +func serviceCredentialsSecretConfigAllArgs() string { + return fmt.Sprintf(serviceCredentialsSecretFullConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, + serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParametersWithServiceId, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) +} + +func serviceCredentialsSecretConfigAllArgsWithExistingServiceId() string { + return iamServiceIdConfig() + fmt.Sprintf(serviceCredentialsSecretFullConfigFormatWithExistingServiceId, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, + serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParametersWithServiceId, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) +} + +func serviceCredentialsSecretConfigUpdated() string { + return fmt.Sprintf(serviceCredentialsSecretFullConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, + modifiedServiceCredentialsSecretName, modifiedDescription, modifiedLabel, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, + modifiedServiceCredentialsTtl, modifiedCustomMetadata, modifiedRotationPolicy) +} + +func testAccCheckIbmSmServiceCredentialsSecretCreated(n string) resource.TestCheckFunc { + return func(s *terraform.State) error { + serviceCredentialsSecretIntf, err := getSecret(s, n) + if err != nil { + return err + } + secret := serviceCredentialsSecretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) + + if err := verifyAttr(*secret.Name, serviceCredentialsSecretName, "secret name"); err != nil { + return err + } + if err := verifyAttr(*secret.Description, description, "secret description"); err != nil { + return err + } + if len(secret.Labels) != 1 { + return fmt.Errorf("Wrong number of labels: %d", len(secret.Labels)) + } + if err := verifyAttr(secret.Labels[0], label, "label"); err != nil { + return err + } + if err := verifyJsonAttr(secret.CustomMetadata, customMetadata, "custom metadata"); err != nil { + return err + } + if err := verifyAttr(getAutoRotate(secret.Rotation), "true", "auto_rotate"); err != nil { + return err + } + if err := verifyAttr(getRotationUnit(secret.Rotation), "day", "rotation unit"); err != nil { + return err + } + if err := verifyAttr(getRotationInterval(secret.Rotation), "1", "rotation interval"); err != nil { + return err + } + if err := verifyAttr(*secret.TTL, serviceCredentialsTtl, "ttl"); err != nil { + return err + } + if err := verifyAttr(*secret.SourceService.Instance.Crn, acc.SecretsManagerServiceCredentialsCosCrn, "source_service.Instance.Crn"); err != nil { + return err + } + if err := verifyAttr(*secret.SourceService.Role.Crn, serviceCredentialsRoleCrn, "source_service.Role.Crn"); err != nil { + return err + } + if err := verifyAttr(*secret.Credentials.IamRoleCrn, serviceCredentialsRoleCrn, "credentials.IamRoleCrn"); err != nil { + return err + } + return nil + } +} + +func testAccCheckIbmSmServiceCredentialsSecretUpdated(n string) resource.TestCheckFunc { + return func(s *terraform.State) error { + serviceCredentialsSecretIntf, err := getSecret(s, n) + if err != nil { + return err + } + secret := serviceCredentialsSecretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) + + if err := verifyAttr(*secret.Name, modifiedServiceCredentialsSecretName, "secret name"); err != nil { + return err + } + if err := verifyAttr(*secret.Description, modifiedDescription, "secret description after update"); err != nil { + return err + } + if len(secret.Labels) != 1 { + return fmt.Errorf("Wrong number of labels after update: %d", len(secret.Labels)) + } + if err := verifyAttr(secret.Labels[0], modifiedLabel, "label after update"); err != nil { + return err + } + if err := verifyJsonAttr(secret.CustomMetadata, modifiedCustomMetadata, "custom metadata after update"); err != nil { + return err + } + if err := verifyAttr(*secret.TTL, modifiedServiceCredentialsTtl, "ttl after update"); err != nil { + return err + } + if err := verifyAttr(getAutoRotate(secret.Rotation), "true", "auto_rotate after update"); err != nil { + return err + } + if err := verifyAttr(getRotationUnit(secret.Rotation), "month", "rotation unit after update"); err != nil { + return err + } + if err := verifyAttr(getRotationInterval(secret.Rotation), "2", "rotation interval after update"); err != nil { + return err + } + return nil + } +} + +func testAccCheckIbmSmServiceCredentialsSecretDestroy(s *terraform.State) error { + secretsManagerClient, err := acc.TestAccProvider.Meta().(conns.ClientSession).SecretsManagerV2() + if err != nil { + return err + } + + secretsManagerClient = getClientWithInstanceEndpointTest(secretsManagerClient) + + for _, rs := range s.RootModule().Resources { + if rs.Type != "ibm_sm_service_credentials_secret" { + continue + } + + getSecretOptions := &secretsmanagerv2.GetSecretOptions{} + + id := strings.Split(rs.Primary.ID, "/") + secretId := id[2] + getSecretOptions.SetID(secretId) + + // Try to find the key + _, response, err := secretsManagerClient.GetSecret(getSecretOptions) + + if err == nil { + return fmt.Errorf("ServiceCredentialsSecret still exists: %s", rs.Primary.ID) + } else if response.StatusCode != 404 { + return fmt.Errorf("Error checking for ServiceCredentialsSecret (%s) has been destroyed: %s", rs.Primary.ID, err) + } + } + + return nil +} From 972a9b986bd75f778d14726e6ab8bf77cdb201bb Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Tue, 28 Nov 2023 13:01:11 +0200 Subject: [PATCH 06/25] SC unit tests added --- ...ource_ibm_sm_service_credentials_secret.go | 114 ++-------------- ...ource_ibm_sm_service_credentilas_secret.go | 126 +++--------------- ...m_service_credentials_secret.html.markdown | 16 +++ ...m_service_credentials_secret.html.markdown | 26 ++++ 4 files changed, 66 insertions(+), 216 deletions(-) diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go index 686a553ae7..bc5c17a8c9 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go @@ -5,6 +5,7 @@ package secretsmanager import ( "context" + "encoding/json" "fmt" "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" @@ -147,68 +148,10 @@ func DataSourceIbmSmServiceCredentialsSecret() *schema.Resource { Description: "The date that the secret is scheduled for automatic rotation. The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy.", }, "credentials": &schema.Schema{ - Type: schema.TypeList, + Type: schema.TypeMap, Computed: true, + Sensitive: true, Description: "The properties of the service credentials secret payload.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "apikey": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Sensitive: true, - Description: "The API key that is generated for this secret.", - }, - "cos_hmac_keys": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "access_key_id": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The access key ID for Cloud Object Storage HMAC credentials.", - }, - "secret_access_key": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The secret access key ID for Cloud Object Storage HMAC credentials.", - }, - }, - }, - }, - "endpoints": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The endpoints that are returned after you create a service credentials secret.", - }, - "iam_apikey_description": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The description of the generated IAM API key.", - }, - "iam_apikey_name": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The name of the generated IAM API key.", - }, - "iam_role_crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM role CRN that is returned after you create a service credentials secret.", - }, - "iam_serviceid_crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM serviceId CRN that is returned after you create a service credentials secret.", - }, - "resource_instance_id": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The resource instance CRN that is returned after you create a service credentials secret.", - }, - }, - }, }, "source_service": &schema.Schema{ Type: schema.TypeList, @@ -437,14 +380,11 @@ func dataSourceIbmSmServiceCredentialsSecretRead(context context.Context, d *sch } if ServiceCredentialsSecret.Credentials != nil { - credentialsMap, err := dataSourceIbmSmServiceCredentialsSecretCredentialsToMap(ServiceCredentialsSecret.Credentials) - if err != nil { - return diag.FromErr(err) - } - if len(credentialsMap) > 0 { - if err = d.Set("credentials", []map[string]interface{}{credentialsMap}); err != nil { - return diag.FromErr(fmt.Errorf("Error setting credentialsMap: %s", err)) - } + var credInterface map[string]interface{} + cred, _ := json.Marshal(ServiceCredentialsSecret.Credentials) + json.Unmarshal(cred, &credInterface) + if err = d.Set("credentials", flex.Flatten(credInterface)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting credentials: %s", err)) } } @@ -475,44 +415,6 @@ func dataSourceIbmSmServiceCredentialsSecretRotationPolicyToMap(model *secretsma return modelMap, nil } -func dataSourceIbmSmServiceCredentialsSecretCredentialsToMap(credentials *secretsmanagerv2.ServiceCredentialsSecretCredentials) (map[string]interface{}, error) { - modelMap := make(map[string]interface{}) - if credentials.IamApikeyDescription != nil { - modelMap["iam_apikey_description"] = credentials.IamApikeyDescription - } - if credentials.Apikey != nil { - modelMap["apikey"] = credentials.Apikey - } - if credentials.Endpoints != nil { - modelMap["endpoints"] = credentials.Endpoints - } - if credentials.IamApikeyName != nil { - modelMap["iam_apikey_name"] = credentials.IamApikeyName - } - if credentials.IamRoleCrn != nil { - modelMap["iam_role_crn"] = credentials.IamRoleCrn - } - if credentials.IamServiceidCrn != nil { - modelMap["iam_serviceid_crn"] = credentials.IamServiceidCrn - } - if credentials.ResourceInstanceID != nil { - modelMap["resource_instance_id"] = credentials.ResourceInstanceID - } - if credentials.CosHmacKeys != nil { - cosHmacKeys := [1]map[string]interface{}{} - m := map[string]interface{}{} - if credentials.CosHmacKeys.AccessKeyID != nil { - m["access_key_id"] = credentials.CosHmacKeys.AccessKeyID - } - if credentials.CosHmacKeys.SecretAccessKey != nil { - m["secret_access_key"] = credentials.CosHmacKeys.SecretAccessKey - } - cosHmacKeys[0] = m - modelMap["cos_hmac_keys"] = cosHmacKeys - } - return modelMap, nil -} - func dataSourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secretsmanagerv2.ServiceCredentialsSecretSourceService) (map[string]interface{}, error) { mainModelMap := make(map[string]interface{}) if sourceService.Instance != nil { diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go index 5795d0ec0a..10d8494813 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -5,6 +5,7 @@ package secretsmanager import ( "context" + "encoding/json" "fmt" "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" @@ -80,68 +81,10 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { Description: "The date when a resource was created. The date format follows RFC 3339.", }, "credentials": &schema.Schema{ - Type: schema.TypeList, + Type: schema.TypeMap, Computed: true, + Sensitive: true, Description: "The properties of the service credentials secret payload.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "apikey": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Sensitive: true, - Description: "The API key that is generated for this secret.", - }, - "cos_hmac_keys": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The Cloud Object Storage HMAC keys that are returned after you create a service credentials secret.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "access_key_id": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The access key ID for Cloud Object Storage HMAC credentials.", - }, - "secret_access_key": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The secret access key ID for Cloud Object Storage HMAC credentials.", - }, - }, - }, - }, - "endpoints": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The endpoints that are returned after you create a service credentials secret.", - }, - "iam_apikey_description": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The description of the generated IAM API key.", - }, - "iam_apikey_name": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The name of the generated IAM API key.", - }, - "iam_role_crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM role CRN that is returned after you create a service credentials secret.", - }, - "iam_serviceid_crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM serviceId CRN that is returned after you create a service credentials secret.", - }, - "resource_instance_id": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The resource instance CRN that is returned after you create a service credentials secret.", - }, - }, - }, }, "crn": &schema.Schema{ Type: schema.TypeString, @@ -206,12 +149,14 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { Type: schema.TypeList, Required: true, MaxItems: 1, + ForceNew: true, Description: "The source service instance identifier.", Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "crn": &schema.Schema{ Type: schema.TypeString, Required: true, + ForceNew: true, Description: "A CRN that uniquely identifies a service credentials target.", }, }, @@ -221,6 +166,7 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { Type: schema.TypeList, Optional: true, Computed: true, + ForceNew: true, MaxItems: 1, Description: "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles.", Elem: &schema.Resource{ @@ -229,6 +175,7 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { Type: schema.TypeString, Optional: true, Computed: true, + ForceNew: true, Description: "The CRN role identifier for creating a service-id.", }, }, @@ -312,6 +259,7 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { "parameters": &schema.Schema{ Type: schema.TypeMap, Optional: true, + ForceNew: true, Description: "The collection of parameters for the service credentials target.", }, }, @@ -328,10 +276,9 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { Description: "A text representation of the secret state.", }, "ttl": &schema.Schema{ - Type: schema.TypeString, - Required: true, - ValidateFunc: StringIsIntBetween(86400, 7776000), - Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", + Type: schema.TypeString, + Required: true, + Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", }, "updated_at": &schema.Schema{ Type: schema.TypeString, @@ -489,14 +436,11 @@ func resourceIbmSmServiceCredentialsSecretRead(context context.Context, d *schem } } if secret.Credentials != nil { - credentialsMap, err := resourceIbmSmServiceCredentialsSecretCredentialsToMap(secret.Credentials) - if err != nil { - return diag.FromErr(err) - } - if len(credentialsMap) > 0 { - if err = d.Set("credentials", []map[string]interface{}{credentialsMap}); err != nil { - return diag.FromErr(fmt.Errorf("Error setting credentialsMap: %s", err)) - } + var credInterface map[string]interface{} + cred, _ := json.Marshal(secret.Credentials) + json.Unmarshal(cred, &credInterface) + if err = d.Set("credentials", flex.Flatten(credInterface)); err != nil { + return diag.FromErr(fmt.Errorf("Error setting credentials: %s", err)) } } if err = d.Set("next_rotation_date", DateTimeToRFC3339(secret.NextRotationDate)); err != nil { @@ -844,41 +788,3 @@ func resourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secr return mainModelMap, nil } - -func resourceIbmSmServiceCredentialsSecretCredentialsToMap(credentials *secretsmanagerv2.ServiceCredentialsSecretCredentials) (map[string]interface{}, error) { - modelMap := make(map[string]interface{}) - if credentials.IamApikeyDescription != nil { - modelMap["iam_apikey_description"] = credentials.IamApikeyDescription - } - if credentials.Apikey != nil { - modelMap["apikey"] = credentials.Apikey - } - if credentials.Endpoints != nil { - modelMap["endpoints"] = credentials.Endpoints - } - if credentials.IamApikeyName != nil { - modelMap["iam_apikey_name"] = credentials.IamApikeyName - } - if credentials.IamRoleCrn != nil { - modelMap["iam_role_crn"] = credentials.IamRoleCrn - } - if credentials.IamServiceidCrn != nil { - modelMap["iam_serviceid_crn"] = credentials.IamServiceidCrn - } - if credentials.ResourceInstanceID != nil { - modelMap["resource_instance_id"] = credentials.ResourceInstanceID - } - if credentials.CosHmacKeys != nil { - cosHmacKeys := [1]map[string]interface{}{} - m := map[string]interface{}{} - if credentials.CosHmacKeys.AccessKeyID != nil { - m["access_key_id"] = credentials.CosHmacKeys.AccessKeyID - } - if credentials.CosHmacKeys.SecretAccessKey != nil { - m["secret_access_key"] = credentials.CosHmacKeys.SecretAccessKey - } - cosHmacKeys[0] = m - modelMap["cos_hmac_keys"] = cosHmacKeys - } - return modelMap, nil -} diff --git a/website/docs/d/sm_service_credentials_secret.html.markdown b/website/docs/d/sm_service_credentials_secret.html.markdown index 0bce29f26e..bef56d1469 100644 --- a/website/docs/d/sm_service_credentials_secret.html.markdown +++ b/website/docs/d/sm_service_credentials_secret.html.markdown @@ -32,6 +32,22 @@ data "ibm_sm_service_credentials_secret" "service_credentials_secret" { } ``` +### Example to access resource credentials using credentials attribute: + +```terraform +data "ibm_sm_service_credentials_secret" "service_credentials_secret" { + instance_id = ibm_resource_instance.sm_instance.guid + region = "us-south" + secret_id = "0b5571f7-21e6-42b7-91c5-3f5ac9793a46" +} +output "access_key_id" { + value = data.ibm_sm_service_credentials_secret.service_credentials_secret.credentials["cos_hmac_keys.access_key_id"] +} +output "secret_access_key" { + value = data.ibm_sm_service_credentials_secret.service_credentials_secret.credentials["cos_hmac_keys.secret_access_key"] +} +``` + ## Argument Reference Review the argument reference that you can specify for your data source. diff --git a/website/docs/r/sm_service_credentials_secret.html.markdown b/website/docs/r/sm_service_credentials_secret.html.markdown index fdeb388008..cdf60c3e9f 100644 --- a/website/docs/r/sm_service_credentials_secret.html.markdown +++ b/website/docs/r/sm_service_credentials_secret.html.markdown @@ -39,6 +39,32 @@ resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { } ``` +### Example to access resource credentials using credentials attribute: + +```terraform +resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + region = "us-south" + name = "secret-name" + source_service { + instance { + crn = "crn:v1:staging:public:cloud-object-storage:global:a/111f5fb10986423e9saa8512f1db7e65:111133c8-49ea-41xe-8c40-122038246f5b::" + } + role { + crn = "crn:v1:bluemix:public:iam::::serviceRole:Writer" + } + parameters = {"HMAC": true} + } + ttl = "1800" +} + +output "access_key_id" { + value = ibm_sm_service_credentials_secret.sm_service_credentials_secret.credentials["cos_hmac_keys.access_key_id"] +} +output "secret_access_key" { + value = ibm_sm_service_credentials_secret.sm_service_credentials_secret.credentials["cos_hmac_keys.secret_access_key"] +} +``` + ## Argument Reference Review the argument reference that you can specify for your resource. From 59c5e72bbb9381d46965d10a34f1fe5b29c7bc20 Mon Sep 17 00:00:00 2001 From: Avi Ribchinsky Date: Wed, 6 Dec 2023 11:38:29 +0200 Subject: [PATCH 07/25] d --- .../resource_ibm_sm_service_credentilas_secret.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go index 10d8494813..7d5e211b0d 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go @@ -1,6 +1,6 @@ // Copyright IBM Corp. 2023 All Rights Reserved. // Licensed under the Mozilla Public License v2.0 - +// . package secretsmanager import ( From 2ff98ad7a2917ea3837552fa4c7f6d554999d906 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 6 Dec 2023 12:36:44 +0200 Subject: [PATCH 08/25] tests fixes --- .../data_source_ibm_sm_service_credentials_secret_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go index ff445e0778..eadf2f92c8 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_test.go @@ -32,7 +32,6 @@ func TestAccIbmSmServiceCredentialsSecretDataSourceBasic(t *testing.T) { resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "rotation.#"), resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "ttl"), resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "source_service.#"), - resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret", "credentials.#"), resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret_by_name", "name"), resource.TestCheckResourceAttrSet("data.ibm_sm_service_credentials_secret.sm_service_credentials_secret_by_name", "secret_group_name"), ), From 40ea122d32b0339fc9314b400f2ebde941952c80 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 6 Dec 2023 12:37:25 +0200 Subject: [PATCH 09/25] tests fixes --- .../resource_ibm_sm_service_credentilas_secret_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go index 85e9c37795..7de340208c 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go @@ -20,8 +20,8 @@ var serviceCredentialsSecretName = "terraform-test-sc-secret" var modifiedServiceCredentialsSecretName = "modified-terraform-test-sc-secret" var serviceCredentialsParameters = `{"HMAC":"true"}` var serviceCredentialsParametersWithServiceId = `{"serviceid_crn": ibm_iam_service_id.ibm_iam_service_id_instance.crn}` -var serviceCredentialsTtl = "86400" -var modifiedServiceCredentialsTtl = "96400" +var serviceCredentialsTtl = "172800" +var modifiedServiceCredentialsTtl = "6048000" var serviceCredentialsRoleCrn = "crn:v1:bluemix:public:iam::::serviceRole:Writer" func TestAccIbmSmServiceCredentialsSecretBasic(t *testing.T) { @@ -147,7 +147,7 @@ var serviceCredentialsSecretFullConfigFormat = ` resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { instance_id = "%s" region = "%s" - name = "%s-serviceid" + name = "%s" description = "%s" labels = ["%s"] source_service { @@ -201,7 +201,7 @@ func serviceCredentialsSecretConfigBasic() string { func serviceCredentialsSecretConfigAllArgs() string { return fmt.Sprintf(serviceCredentialsSecretFullConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, - serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParametersWithServiceId, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) + serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) } func serviceCredentialsSecretConfigAllArgsWithExistingServiceId() string { From f3a195f69c96fd8c80b4a59d57922b64d35d8e7b Mon Sep 17 00:00:00 2001 From: Tatyana Date: Mon, 11 Dec 2023 11:32:05 +0200 Subject: [PATCH 10/25] update sdk --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index ddb9fcf327..8a622f0227 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5 github.com/IBM/scc-go-sdk/v5 v5.1.3 github.com/IBM/schematics-go-sdk v0.2.2 - github.com/IBM/secrets-manager-go-sdk/v2 v2.0.1 + github.com/IBM/secrets-manager-go-sdk/v2 v2.0.2 github.com/IBM/vpc-beta-go-sdk v0.6.0 github.com/IBM/vpc-go-sdk v0.43.0 github.com/ScaleFT/sshkeys v0.0.0-20200327173127-6142f742bca5 diff --git a/go.sum b/go.sum index abd13996b4..2507c980b0 100644 --- a/go.sum +++ b/go.sum @@ -167,8 +167,8 @@ github.com/IBM/scc-go-sdk/v5 v5.1.3 h1:8zqJx/HgChTlMaC21HzthIR4HbFkuJ3dR/D68254j github.com/IBM/scc-go-sdk/v5 v5.1.3/go.mod h1:YtAVlzq10bwR82QX4ZavhDIwa1s85RuVO9N/KmXVcuk= github.com/IBM/schematics-go-sdk v0.2.2 h1:8S3hoVLzF/ZRgWDaLqwHnLmZvlEBHCKgHszmMh7yD2E= github.com/IBM/schematics-go-sdk v0.2.2/go.mod h1:Tw2OSAPdpC69AxcwoyqcYYaGTTW6YpERF9uNEU+BFRQ= -github.com/IBM/secrets-manager-go-sdk/v2 v2.0.1 h1:0Ouu31RsuOLdH26oNsnPErEjctWTplLEIXxwExnTZT0= -github.com/IBM/secrets-manager-go-sdk/v2 v2.0.1/go.mod h1:jagqWmjZ0zUEqh5jdGB42ApSQS40fu2LWw6pdg8JJko= +github.com/IBM/secrets-manager-go-sdk/v2 v2.0.2 h1:+Svh1OmoFxMBnZQSOUtp2UUzrOGFsSQlE5TFL/ptJco= +github.com/IBM/secrets-manager-go-sdk/v2 v2.0.2/go.mod h1:WII+LS4VkQYykmq65NWSuPb5xGNvsqkcK1aCWZoU2x4= github.com/IBM/vpc-beta-go-sdk v0.6.0 h1:wfM3AcW3zOM3xsRtZ+EA6+sESlGUjQ6Yf4n5QQyz4uc= github.com/IBM/vpc-beta-go-sdk v0.6.0/go.mod h1:fzHDAQIqH/5yJmYsKodKHLcqxMDT+yfH6vZjdiw8CQA= github.com/IBM/vpc-go-sdk v0.43.0 h1:uy/qWIqETCXraUG2cq5sjScr6pZ79ZteY1v5iLUVQ3Q= From 8fa09ae490bb853ea384b68858adac0e41df4257 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Mon, 11 Dec 2023 18:24:21 +0200 Subject: [PATCH 11/25] .secrets.baseline update --- .secrets.baseline | 130 ++++++++++++++++++++++++++++------------------ 1 file changed, 80 insertions(+), 50 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index c90644602f..f9d2be69de 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,11 +3,8 @@ "files": "go.mod|go.sum|.*.map|^.secrets.baseline$", "lines": null }, - "generated_at": "2023-11-10T20:51:53Z", + "generated_at": "2023-12-11T16:20:36Z", "plugins_used": [ - { - "name": "AWSKeyDetector" - }, { "name": "ArtifactoryDetector" }, @@ -21,12 +18,6 @@ { "name": "BasicAuthDetector" }, - { - "name": "BoxDetector" - }, - { - "name": "CloudantDetector" - }, { "ghe_instance": "github.ibm.com", "name": "GheDetector" @@ -51,9 +42,6 @@ "keyword_exclude": null, "name": "KeywordDetector" }, - { - "name": "MailchimpDetector" - }, { "name": "NpmDetector" }, @@ -68,12 +56,6 @@ }, { "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" } ], "results": { @@ -696,7 +678,7 @@ "hashed_secret": "912accc17209bb36cb22d76d430ef9e9ec99dd4c", "is_secret": false, "is_verified": false, - "line_number": 163, + "line_number": 188, "type": "Secret Keyword", "verified_result": null }, @@ -704,7 +686,7 @@ "hashed_secret": "514edd121688f936809a62aecd24419c7eaa772b", "is_secret": false, "is_verified": false, - "line_number": 250, + "line_number": 275, "type": "Secret Keyword", "verified_result": null }, @@ -712,7 +694,7 @@ "hashed_secret": "fa33d07da58b52eee9f13b88e9cda8b98f1c19b6", "is_secret": false, "is_verified": false, - "line_number": 261, + "line_number": 286, "type": "Secret Keyword", "verified_result": null }, @@ -720,7 +702,7 @@ "hashed_secret": "5926151b9a84e25fbc262e88ef6c1d58f0c95548", "is_secret": false, "is_verified": false, - "line_number": 273, + "line_number": 298, "type": "Secret Keyword", "verified_result": null } @@ -760,7 +742,7 @@ "hashed_secret": "731438016c5ab94431f61820f35e3ae5f8ad6004", "is_secret": false, "is_verified": false, - "line_number": 412, + "line_number": 417, "type": "Secret Keyword", "verified_result": null }, @@ -768,7 +750,7 @@ "hashed_secret": "12da2e35d6b50c902c014f1ab9e3032650368df7", "is_secret": false, "is_verified": false, - "line_number": 418, + "line_number": 423, "type": "Secret Keyword", "verified_result": null }, @@ -776,7 +758,7 @@ "hashed_secret": "813274ccae5b6b509379ab56982d862f7b5969b6", "is_secret": false, "is_verified": false, - "line_number": 1123, + "line_number": 1128, "type": "Base64 High Entropy String", "verified_result": null } @@ -846,7 +828,7 @@ "hashed_secret": "da8cae6284528565678de15e03d461e23fe22538", "is_secret": false, "is_verified": false, - "line_number": 1845, + "line_number": 1858, "type": "Secret Keyword", "verified_result": null }, @@ -854,7 +836,7 @@ "hashed_secret": "1a0334cfa65f4be58b9d914b8e96e9d9478bfbac", "is_secret": false, "is_verified": false, - "line_number": 3226, + "line_number": 3239, "type": "Secret Keyword", "verified_result": null } @@ -864,7 +846,7 @@ "hashed_secret": "c8b6f5ef11b9223ac35a5663975a466ebe7ebba9", "is_secret": false, "is_verified": false, - "line_number": 1803, + "line_number": 1806, "type": "Secret Keyword", "verified_result": null }, @@ -872,7 +854,7 @@ "hashed_secret": "8abf4899c01104241510ba87685ad4de76b0c437", "is_secret": false, "is_verified": false, - "line_number": 1809, + "line_number": 1812, "type": "Secret Keyword", "verified_result": null } @@ -1268,15 +1250,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 129, - "type": "Secret Keyword", - "verified_result": null - }, - { - "hashed_secret": "505032eaf8a3acf9b094a326dfb1cd0537c75a0d", - "is_secret": false, - "is_verified": false, - "line_number": 235, + "line_number": 104, "type": "Secret Keyword", "verified_result": null } @@ -1364,15 +1338,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 94, - "type": "Secret Keyword", - "verified_result": null - }, - { - "hashed_secret": "505032eaf8a3acf9b094a326dfb1cd0537c75a0d", - "is_secret": false, - "is_verified": false, - "line_number": 364, + "line_number": 68, "type": "Secret Keyword", "verified_result": null } @@ -2014,7 +1980,7 @@ "hashed_secret": "884a58e4c2c5d195d3876787bdc63af6c5af2924", "is_secret": false, "is_verified": false, - "line_number": 1589, + "line_number": 1595, "type": "Secret Keyword", "verified_result": null } @@ -2940,7 +2906,7 @@ "hashed_secret": "3c2ecad9b250fd6d99893e4d05ec02ca19aa95d0", "is_secret": false, "is_verified": false, - "line_number": 383, + "line_number": 389, "type": "Secret Keyword", "verified_result": null } @@ -3355,6 +3321,34 @@ "verified_result": null } ], + "ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret.go": [ + { + "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", + "is_secret": false, + "is_verified": false, + "line_number": 196, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", + "is_secret": false, + "is_verified": false, + "line_number": 387, + "type": "Secret Keyword", + "verified_result": null + } + ], + "ibm/service/secretsmanager/data_source_ibm_sm_service_credentials_secret_metadata.go": [ + { + "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", + "is_secret": false, + "is_verified": false, + "line_number": 179, + "type": "Secret Keyword", + "verified_result": null + } + ], "ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret.go": [ { "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", @@ -3663,6 +3657,24 @@ "verified_result": null } ], + "ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go": [ + { + "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", + "is_secret": false, + "is_verified": false, + "line_number": 190, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", + "is_secret": false, + "is_verified": false, + "line_number": 443, + "type": "Secret Keyword", + "verified_result": null + } + ], "ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go": [ { "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", @@ -4801,6 +4813,24 @@ "verified_result": null } ], + "website/docs/r/sm_service_credentials_secret.html.markdown": [ + { + "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", + "is_secret": false, + "is_verified": false, + "line_number": 191, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", + "is_secret": false, + "is_verified": false, + "line_number": 193, + "type": "Secret Keyword", + "verified_result": null + } + ], "website/docs/r/sm_username_password_secret.html.markdown": [ { "hashed_secret": "e3efaa78f2f6ca38f70ded91b232d8dac947315d", From a6b779c726db1c91c7619003fc79c05360f37945 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Mon, 11 Dec 2023 18:26:37 +0200 Subject: [PATCH 12/25] .secrets.baseline update --- .secrets.baseline | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.secrets.baseline b/.secrets.baseline index f9d2be69de..2f29990cf4 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.mod|go.sum|.*.map|^.secrets.baseline$", "lines": null }, - "generated_at": "2023-12-11T16:20:36Z", + "generated_at": "2023-12-11T16:26:19Z", "plugins_used": [ { "name": "ArtifactoryDetector" From cea9bd43196031714d31657113996522d9912054 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Mon, 11 Dec 2023 18:30:51 +0200 Subject: [PATCH 13/25] .secrets.baseline update --- .secrets.baseline | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.secrets.baseline b/.secrets.baseline index 2f29990cf4..9d2216f283 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -5,6 +5,9 @@ }, "generated_at": "2023-12-11T16:26:19Z", "plugins_used": [ + { + "name": "AWSKeyDetector" + }, { "name": "ArtifactoryDetector" }, @@ -18,6 +21,12 @@ { "name": "BasicAuthDetector" }, + { + "name": "BoxDetector" + }, + { + "name": "CloudantDetector" + }, { "ghe_instance": "github.ibm.com", "name": "GheDetector" @@ -42,6 +51,9 @@ "keyword_exclude": null, "name": "KeywordDetector" }, + { + "name": "MailchimpDetector" + }, { "name": "NpmDetector" }, @@ -56,6 +68,12 @@ }, { "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" } ], "results": { From ad75820af0514073951748edea910de9268c5872 Mon Sep 17 00:00:00 2001 From: Idan Adar Date: Wed, 13 Dec 2023 06:40:12 +0200 Subject: [PATCH 14/25] Update sm_service_credentials_secret_metadata.html.markdown --- .../docs/d/sm_service_credentials_secret_metadata.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/d/sm_service_credentials_secret_metadata.html.markdown b/website/docs/d/sm_service_credentials_secret_metadata.html.markdown index 0710616c26..94b9d8d648 100644 --- a/website/docs/d/sm_service_credentials_secret_metadata.html.markdown +++ b/website/docs/d/sm_service_credentials_secret_metadata.html.markdown @@ -6,7 +6,7 @@ description: |- subcategory: "Secrets Manager" --- -# ibm_sm_service_credentials_secret +# ibm_sm_service_credentials_secret_metadata Provides a read-only data source for the metadata of an service credentials secret. You can then reference the fields of the data source in other resources within the same configuration using interpolation syntax. From e91f4292c7615ada18f0ffa33922afa1cbeccadf Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Tue, 26 Dec 2023 14:37:47 +0200 Subject: [PATCH 15/25] bugs fixes --- .secrets.baseline | 2 +- .../data_source_ibm_sm_iam_credentials_secret.go | 8 -------- ..._source_ibm_sm_iam_credentials_secret_metadata.go | 8 -------- .../data_source_ibm_sm_private_certificate.go | 8 -------- ...ata_source_ibm_sm_private_certificate_metadata.go | 8 -------- .../data_source_ibm_sm_username_password_secret.go | 8 -------- ...ource_ibm_sm_username_password_secret_metadata.go | 8 -------- .../resource_ibm_sm_iam_credentials_secret.go | 12 ------------ .../resource_ibm_sm_private_certificate.go | 3 +-- .../docs/d/sm_iam_credentials_secret.html.markdown | 1 - .../sm_iam_credentials_secret_metadata.html.markdown | 1 - website/docs/d/sm_private_certificate.html.markdown | 1 - .../d/sm_private_certificate_metadata.html.markdown | 1 - .../docs/d/sm_username_password_secret.html.markdown | 1 - ...m_username_password_secret_metadata.html.markdown | 1 - .../docs/r/sm_iam_credentials_secret.html.markdown | 1 - website/docs/r/sm_private_certificate.html.markdown | 1 - ..._certificate_configuration_template.html.markdown | 2 ++ .../docs/r/sm_username_password_secret.html.markdown | 1 - 19 files changed, 4 insertions(+), 72 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index cb30966a3b..75ebe186bb 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.mod|go.sum|.*.map|^.secrets.baseline$", "lines": null }, - "generated_at": "2023-12-14T01:01:48Z", + "generated_at": "2023-12-26T12:35:45Z", "plugins_used": [ { "name": "AWSKeyDetector" diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go index 75ad6a8306..bce495303b 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go @@ -169,11 +169,6 @@ func DataSourceIbmSmIamCredentialsSecret() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -330,9 +325,6 @@ func dataSourceIbmSmIamCredentialsSecretRotationPolicyToMap(model secretsmanager if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go index d1124752b9..f58be6333d 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go @@ -161,11 +161,6 @@ func DataSourceIbmSmIamCredentialsSecretMetadata() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -325,9 +320,6 @@ func dataSourceIbmSmIamCredentialsSecretMetadataRotationPolicyToMap(model secret if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate.go b/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate.go index 31043b4a78..59ce4a1fa8 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate.go @@ -184,11 +184,6 @@ func DataSourceIbmSmPrivateCertificate() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -436,9 +431,6 @@ func dataSourceIbmSmPrivateCertificateRotationPolicyToMap(model secretsmanagerv2 if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate_metadata.go index 1585e1a831..a1afb4a638 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate_metadata.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_private_certificate_metadata.go @@ -176,11 +176,6 @@ func DataSourceIbmSmPrivateCertificateMetadata() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -403,9 +398,6 @@ func dataSourceIbmSmPrivateCertificateMetadataRotationPolicyToMap(model secretsm if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret.go index 5a9fa84aff..a1119f17e0 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret.go @@ -136,11 +136,6 @@ func DataSourceIbmSmUsernamePasswordSecret() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -296,9 +291,6 @@ func dataSourceIbmSmUsernamePasswordSecretRotationPolicyToMap(model secretsmanag if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret_metadata.go index 35d24ef67b..6eada6eb8b 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret_metadata.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_username_password_secret_metadata.go @@ -128,11 +128,6 @@ func DataSourceIbmSmUsernamePasswordSecretMetadata() *schema.Resource { Computed: true, Description: "The units for the secret rotation time interval.", }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -282,9 +277,6 @@ func dataSourceIbmSmUsernamePasswordSecretMetadataRotationPolicyToMap(model secr if model.Unit != nil { modelMap["unit"] = *model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = *model.RotateKeys - } return modelMap, nil } else { return nil, fmt.Errorf("Unrecognized secretsmanagerv2.RotationPolicyIntf subtype encountered") diff --git a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go index e47da2cee7..542275b142 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go @@ -113,12 +113,6 @@ func ResourceIbmSmIamCredentialsSecret() *schema.Resource { Description: "The units for the secret rotation time interval.", DiffSuppressFunc: rotationAttributesDiffSuppress, }, - "rotate_keys": &schema.Schema{ - Type: schema.TypeBool, - Optional: true, - Computed: true, - Description: "Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate.", - }, }, }, }, @@ -576,9 +570,6 @@ func resourceIbmSmIamCredentialsSecretMapToRotationPolicy(modelMap map[string]in if modelMap["unit"] != nil && modelMap["unit"].(string) != "" { model.Unit = core.StringPtr(modelMap["unit"].(string)) } - if modelMap["rotate_keys"] != nil { - model.RotateKeys = core.BoolPtr(modelMap["rotate_keys"].(bool)) - } return model, nil } @@ -594,8 +585,5 @@ func resourceIbmSmIamCredentialsSecretRotationPolicyToMap(modelIntf secretsmanag if model.Unit != nil { modelMap["unit"] = model.Unit } - if model.RotateKeys != nil { - modelMap["rotate_keys"] = model.RotateKeys - } return modelMap, nil } diff --git a/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go b/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go index dfbbc39e69..7fe6c10bd6 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go @@ -245,9 +245,8 @@ func ResourceIbmSmPrivateCertificate() *schema.Resource { }, "key_algorithm": &schema.Schema{ Type: schema.TypeString, - Optional: true, + Computed: true, ForceNew: true, - Default: "RSA2048", Description: "The identifier for the cryptographic algorithm to be used to generate the public key that is associated with the certificate.The algorithm that you select determines the encryption algorithm (`RSA` or `ECDSA`) and key size to be used to generate keys and sign certificates. For longer living certificates, it is recommended to use longer keys to provide more encryption protection. Allowed values: RSA2048, RSA4096, EC256, EC384.", }, "next_rotation_date": &schema.Schema{ diff --git a/website/docs/d/sm_iam_credentials_secret.html.markdown b/website/docs/d/sm_iam_credentials_secret.html.markdown index 8355a081f0..79fe4ce3c0 100644 --- a/website/docs/d/sm_iam_credentials_secret.html.markdown +++ b/website/docs/d/sm_iam_credentials_secret.html.markdown @@ -93,7 +93,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown b/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown index e429c1892f..1db8123221 100644 --- a/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown +++ b/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown @@ -74,7 +74,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/d/sm_private_certificate.html.markdown b/website/docs/d/sm_private_certificate.html.markdown index 22bc586770..abecd98dc0 100644 --- a/website/docs/d/sm_private_certificate.html.markdown +++ b/website/docs/d/sm_private_certificate.html.markdown @@ -119,7 +119,6 @@ In addition to all argument references listed, you can access the following attr * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/d/sm_private_certificate_metadata.html.markdown b/website/docs/d/sm_private_certificate_metadata.html.markdown index caf491c86c..4d16d2b1a8 100644 --- a/website/docs/d/sm_private_certificate_metadata.html.markdown +++ b/website/docs/d/sm_private_certificate_metadata.html.markdown @@ -90,7 +90,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/d/sm_username_password_secret.html.markdown b/website/docs/d/sm_username_password_secret.html.markdown index c18a55df9c..64768e067f 100644 --- a/website/docs/d/sm_username_password_secret.html.markdown +++ b/website/docs/d/sm_username_password_secret.html.markdown @@ -88,7 +88,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/d/sm_username_password_secret_metadata.html.markdown b/website/docs/d/sm_username_password_secret_metadata.html.markdown index e4a10d832b..781f524f1a 100644 --- a/website/docs/d/sm_username_password_secret_metadata.html.markdown +++ b/website/docs/d/sm_username_password_secret_metadata.html.markdown @@ -69,7 +69,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. diff --git a/website/docs/r/sm_iam_credentials_secret.html.markdown b/website/docs/r/sm_iam_credentials_secret.html.markdown index 2f3e78f8f6..3c108eb82c 100644 --- a/website/docs/r/sm_iam_credentials_secret.html.markdown +++ b/website/docs/r/sm_iam_credentials_secret.html.markdown @@ -55,7 +55,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Optional, Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Optional, Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (Optional, String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. diff --git a/website/docs/r/sm_private_certificate.html.markdown b/website/docs/r/sm_private_certificate.html.markdown index 64f1bb83b7..98c1d2c122 100644 --- a/website/docs/r/sm_private_certificate.html.markdown +++ b/website/docs/r/sm_private_certificate.html.markdown @@ -56,7 +56,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Optional, Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Optional, Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (Optional, String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. diff --git a/website/docs/r/sm_private_certificate_configuration_template.html.markdown b/website/docs/r/sm_private_certificate_configuration_template.html.markdown index d34b20e904..00f6d033fd 100644 --- a/website/docs/r/sm_private_certificate_configuration_template.html.markdown +++ b/website/docs/r/sm_private_certificate_configuration_template.html.markdown @@ -67,6 +67,7 @@ Review the argument reference that you can specify for your resource. * Constraints: The list items must match regular expression `/^[a-zA-Z]+$/`. The maximum length is `100` items. The minimum length is `0` items. * `locality` - (Optional, Forces new resource, List) The Locality (L) values to define in the subject field of the resulting certificate. * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `10` items. The minimum length is `0` items. +* `max_ttl` - (Optional, String) The maximum time-to-live (TTL) for certificates that are created by this template. * `name` - (Required, String) A human-readable unique name to assign to your configuration. * `organization` - (Optional, Forces new resource, List) The Organization (O) values to define in the subject field of the resulting certificate. * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `10` items. The minimum length is `0` items. @@ -84,6 +85,7 @@ Review the argument reference that you can specify for your resource. * Constraints: The maximum length is `64` characters. The minimum length is `32` characters. The value must match regular expression `/[^a-fA-F0-9]/`. * `street_address` - (Optional, Forces new resource, List) The street address values to define in the subject field of the resulting certificate. * Constraints: The list items must match regular expression `/(.*?)/`. The maximum length is `10` items. The minimum length is `0` items. +* `ttl` - The requested time-to-live (TTL) for certificates that are created by this template. This field's value can't be longer than the max_ttl limit. * `use_csr_common_name` - (Optional, Boolean) When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the common name (CN) from a certificate signing request (CSR) instead of the CN that's included in the data of the certificate.Does not include any requested Subject Alternative Names (SANs) in the CSR. To use the alternative names, include the `use_csr_sans` property. * `use_csr_sans` - (Optional, Boolean) When used with the `private_cert_configuration_action_sign_csr` action, this field determines whether to use the Subject Alternative Names(SANs) from a certificate signing request (CSR) instead of the SANs that are included in the data of the certificate.Does not include the common name in the CSR. To use the common name, include the `use_csr_common_name` property. diff --git a/website/docs/r/sm_username_password_secret.html.markdown b/website/docs/r/sm_username_password_secret.html.markdown index b8a07c3af0..fdb4605f15 100644 --- a/website/docs/r/sm_username_password_secret.html.markdown +++ b/website/docs/r/sm_username_password_secret.html.markdown @@ -55,7 +55,6 @@ Nested scheme for **rotation**: * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. * `interval` - (Optional, Integer) The length of the secret rotation time interval. * Constraints: The minimum value is `1`. - * `rotate_keys` - (Optional, Boolean) Determines whether Secrets Manager rotates the private key for your public certificate automatically.Default is `false`. If it is set to `true`, the service generates and stores a new private key for your rotated certificate. * `unit` - (Optional, String) The units for the secret rotation time interval. * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. From c44ff91d82de43d35366c678af5efc41f0492754 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Tue, 26 Dec 2023 14:43:28 +0200 Subject: [PATCH 16/25] bugs fixes --- .secrets.baseline | 74 +- ...ource_ibm_sm_service_credentials_secret.go | 790 ------------------ ..._ibm_sm_service_credentials_secret_test.go | 335 -------- 3 files changed, 46 insertions(+), 1153 deletions(-) delete mode 100644 ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go delete mode 100644 ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go diff --git a/.secrets.baseline b/.secrets.baseline index 75ebe186bb..c7f19872a8 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -760,7 +760,7 @@ "hashed_secret": "731438016c5ab94431f61820f35e3ae5f8ad6004", "is_secret": false, "is_verified": false, - "line_number": 426, + "line_number": 428, "type": "Secret Keyword", "verified_result": null }, @@ -768,7 +768,7 @@ "hashed_secret": "12da2e35d6b50c902c014f1ab9e3032650368df7", "is_secret": false, "is_verified": false, - "line_number": 432, + "line_number": 434, "type": "Secret Keyword", "verified_result": null }, @@ -776,7 +776,7 @@ "hashed_secret": "813274ccae5b6b509379ab56982d862f7b5969b6", "is_secret": false, "is_verified": false, - "line_number": 1143, + "line_number": 1157, "type": "Base64 High Entropy String", "verified_result": null } @@ -2056,7 +2056,7 @@ "hashed_secret": "deab23f996709b4e3d14e5499d1cc2de677bfaa8", "is_secret": false, "is_verified": false, - "line_number": 1367, + "line_number": 1372, "type": "Secret Keyword", "verified_result": null }, @@ -2064,7 +2064,7 @@ "hashed_secret": "20a25bac21219ffff1904bde871ded4027eca2f8", "is_secret": false, "is_verified": false, - "line_number": 1957, + "line_number": 1962, "type": "Secret Keyword", "verified_result": null }, @@ -2072,7 +2072,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 1976, + "line_number": 1981, "type": "Secret Keyword", "verified_result": null }, @@ -2080,7 +2080,7 @@ "hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c", "is_secret": false, "is_verified": false, - "line_number": 2189, + "line_number": 2194, "type": "Secret Keyword", "verified_result": null } @@ -3224,7 +3224,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 185, + "line_number": 180, "type": "Secret Keyword", "verified_result": null }, @@ -3232,7 +3232,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 312, + "line_number": 307, "type": "Secret Keyword", "verified_result": null } @@ -3250,7 +3250,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 291, + "line_number": 286, "type": "Secret Keyword", "verified_result": null } @@ -3298,7 +3298,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 235, + "line_number": 230, "type": "Secret Keyword", "verified_result": null }, @@ -3306,7 +3306,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 414, + "line_number": 409, "type": "Secret Keyword", "verified_result": null } @@ -3510,7 +3510,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 162, + "line_number": 157, "type": "Secret Keyword", "verified_result": null }, @@ -3518,7 +3518,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 278, + "line_number": 273, "type": "Secret Keyword", "verified_result": null } @@ -3556,7 +3556,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 204, + "line_number": 198, "type": "Secret Keyword", "verified_result": null }, @@ -3564,7 +3564,7 @@ "hashed_secret": "108b310facc1a193833fc2971fd83081f775ea0c", "is_secret": false, "is_verified": false, - "line_number": 395, + "line_number": 389, "type": "Secret Keyword", "verified_result": null }, @@ -3572,7 +3572,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 398, + "line_number": 392, "type": "Secret Keyword", "verified_result": null } @@ -3636,7 +3636,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 298, + "line_number": 297, "type": "Secret Keyword", "verified_result": null }, @@ -3644,7 +3644,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 539, + "line_number": 538, "type": "Secret Keyword", "verified_result": null } @@ -3831,6 +3831,24 @@ "verified_result": null } ], + "ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go": [ + { + "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", + "is_secret": false, + "is_verified": false, + "line_number": 190, + "type": "Secret Keyword", + "verified_result": null + }, + { + "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", + "is_secret": false, + "is_verified": false, + "line_number": 443, + "type": "Secret Keyword", + "verified_result": null + } + ], "ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go": [ { "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", @@ -4736,7 +4754,7 @@ "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", "is_secret": false, "is_verified": false, - "line_number": 128, + "line_number": 127, "type": "Secret Keyword", "verified_result": null }, @@ -4744,7 +4762,7 @@ "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", "is_secret": false, "is_verified": false, - "line_number": 130, + "line_number": 129, "type": "Secret Keyword", "verified_result": null } @@ -4790,7 +4808,7 @@ "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", "is_secret": false, "is_verified": false, - "line_number": 148, + "line_number": 147, "type": "Secret Keyword", "verified_result": null }, @@ -4798,7 +4816,7 @@ "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", "is_secret": false, "is_verified": false, - "line_number": 150, + "line_number": 149, "type": "Secret Keyword", "verified_result": null } @@ -4844,7 +4862,7 @@ "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", "is_secret": false, "is_verified": false, - "line_number": 137, + "line_number": 139, "type": "Secret Keyword", "verified_result": null }, @@ -4852,7 +4870,7 @@ "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", "is_secret": false, "is_verified": false, - "line_number": 139, + "line_number": 141, "type": "Secret Keyword", "verified_result": null } @@ -5010,7 +5028,7 @@ "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", "is_secret": false, "is_verified": false, - "line_number": 122, + "line_number": 121, "type": "Secret Keyword", "verified_result": null }, @@ -5018,7 +5036,7 @@ "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", "is_secret": false, "is_verified": false, - "line_number": 124, + "line_number": 123, "type": "Secret Keyword", "verified_result": null } @@ -5034,7 +5052,7 @@ } ] }, - "version": "0.13.1+ibm.51.dss", + "version": "0.13.1+ibm.61.dss", "word_list": { "file": null, "hash": null diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go deleted file mode 100644 index 7d5e211b0d..0000000000 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go +++ /dev/null @@ -1,790 +0,0 @@ -// Copyright IBM Corp. 2023 All Rights Reserved. -// Licensed under the Mozilla Public License v2.0 -// . -package secretsmanager - -import ( - "context" - "encoding/json" - "fmt" - "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" - "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" - "github.com/IBM/go-sdk-core/v5/core" - "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "log" - "strconv" - "strings" -) - -func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { - return &schema.Resource{ - CreateContext: resourceIbmSmServiceCredentialsSecretCreate, - ReadContext: resourceIbmSmServiceCredentialsSecretRead, - UpdateContext: resourceIbmSmServiceCredentialsSecretUpdate, - DeleteContext: resourceIbmSmServiceCredentialsSecretDelete, - Importer: &schema.ResourceImporter{}, - - Schema: map[string]*schema.Schema{ - "secret_type": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials.", - }, - "name": &schema.Schema{ - Type: schema.TypeString, - Required: true, - Description: "A human-readable name to assign to your secret.To protect your privacy, do not use personal data, such as your name or location, as a name for your secret.", - }, - "description": &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Description: "An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group.", - }, - "secret_group_id": &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Computed: true, - ForceNew: true, - Description: "A v4 UUID identifier, or `default` secret group.", - }, - "labels": &schema.Schema{ - Type: schema.TypeList, - Optional: true, - Computed: true, - Description: "Labels that you can use to search for secrets in your instance.Up to 30 labels can be created.", - Elem: &schema.Schema{Type: schema.TypeString}, - }, - "custom_metadata": &schema.Schema{ - Type: schema.TypeMap, - Optional: true, - Computed: true, - Description: "The secret metadata that a user can customize.", - Elem: &schema.Schema{Type: schema.TypeString}, - }, - "version_custom_metadata": &schema.Schema{ - Type: schema.TypeMap, - Optional: true, - Computed: true, - Description: "The secret version metadata that a user can customize.", - Elem: &schema.Schema{Type: schema.TypeString}, - }, - "created_by": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The unique identifier that is associated with the entity that created the secret.", - }, - "created_at": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The date when a resource was created. The date format follows RFC 3339.", - }, - "credentials": &schema.Schema{ - Type: schema.TypeMap, - Computed: true, - Sensitive: true, - Description: "The properties of the service credentials secret payload.", - }, - "crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "A CRN that uniquely identifies an IBM Cloud resource.", - }, - "downloaded": &schema.Schema{ - Type: schema.TypeBool, - Computed: true, - Description: "Indicates whether the secret data that is associated with a secret version was retrieved in a call to the service API.", - }, - "locks_total": &schema.Schema{ - Type: schema.TypeInt, - Computed: true, - Description: "The number of locks of the secret.", - }, - "next_rotation_date": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The date that the secret is scheduled for automatic rotation. The service automatically creates a new version of the secret on its next rotation date. This field exists only for secrets that have an existing rotation policy.", - }, - "rotation": &schema.Schema{ - Type: schema.TypeList, - MaxItems: 1, - Optional: true, - Computed: true, - Description: "Determines whether Secrets Manager rotates your secrets automatically.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "auto_rotate": &schema.Schema{ - Type: schema.TypeBool, - Optional: true, - Computed: true, - Description: "Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.", - }, - "interval": &schema.Schema{ - Type: schema.TypeInt, - Optional: true, - Computed: true, - Description: "The length of the secret rotation time interval.", - DiffSuppressFunc: rotationAttributesDiffSuppress, - }, - "unit": &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Computed: true, - Description: "The units for the secret rotation time interval.", - DiffSuppressFunc: rotationAttributesDiffSuppress, - }, - }, - }, - }, - "source_service": &schema.Schema{ - Type: schema.TypeList, - MaxItems: 1, - Required: true, - ForceNew: true, - Description: "The properties required for creating the service credentials for the specified source service instance.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "instance": &schema.Schema{ - Type: schema.TypeList, - Required: true, - MaxItems: 1, - ForceNew: true, - Description: "The source service instance identifier.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "crn": &schema.Schema{ - Type: schema.TypeString, - Required: true, - ForceNew: true, - Description: "A CRN that uniquely identifies a service credentials target.", - }, - }, - }, - }, - "role": &schema.Schema{ - Type: schema.TypeList, - Optional: true, - Computed: true, - ForceNew: true, - MaxItems: 1, - Description: "The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "crn": &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Computed: true, - ForceNew: true, - Description: "The CRN role identifier for creating a service-id.", - }, - }, - }, - }, - "iam": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The source service IAM data is returned in case IAM credentials where created for this secret.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "apikey": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The IAM apikey metadata for the IAM credentials that were generated.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "name": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM API key name for the generated service credentials.", - }, - "description": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM API key description for the generated service credentials.", - }, - }, - }, - }, - "role": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The IAM role for the generate service credentials.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM role CRN assigned to the generated service credentials.", - }, - }, - }, - }, - "serviceid": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The IAM serviceid for the generated service credentials.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The IAM Service ID CRN.", - }, - }, - }, - }, - }, - }, - }, - "resource_key": &schema.Schema{ - Type: schema.TypeList, - Computed: true, - Description: "The source service resource key data of the generated service credentials.", - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "crn": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The resource key CRN of the generated service credentials.", - }, - "name": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The resource key name of the generated service credentials.", - }, - }, - }, - }, - "parameters": &schema.Schema{ - Type: schema.TypeMap, - Optional: true, - ForceNew: true, - Description: "The collection of parameters for the service credentials target.", - }, - }, - }, - }, - "state": &schema.Schema{ - Type: schema.TypeInt, - Computed: true, - Description: "The secret state that is based on NIST SP 800-57. States are integers and correspond to the `Pre-activation = 0`, `Active = 1`, `Suspended = 2`, `Deactivated = 3`, and `Destroyed = 5` values.", - }, - "state_description": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "A text representation of the secret state.", - }, - "ttl": &schema.Schema{ - Type: schema.TypeString, - Required: true, - Description: "The time-to-live (TTL) or lease duration to assign to generated credentials.", - }, - "updated_at": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "The date when a resource was recently modified. The date format follows RFC 3339.", - }, - "versions_total": &schema.Schema{ - Type: schema.TypeInt, - Computed: true, - Description: "The number of versions of the secret.", - }, - "secret_id": &schema.Schema{ - Type: schema.TypeString, - Computed: true, - Description: "A v4 UUID identifier.", - }, - }, - } -} - -func resourceIbmSmServiceCredentialsSecretCreate(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() - if err != nil { - return diag.FromErr(err) - } - - region := getRegion(secretsManagerClient, d) - instanceId := d.Get("instance_id").(string) - secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) - - createSecretOptions := &secretsmanagerv2.CreateSecretOptions{} - - secretPrototypeModel, err := resourceIbmSmServiceCredentialsSecretMapToSecretPrototype(d) - if err != nil { - return diag.FromErr(err) - } - createSecretOptions.SetSecretPrototype(secretPrototypeModel) - - secretIntf, response, err := secretsManagerClient.CreateSecretWithContext(context, createSecretOptions) - if err != nil { - log.Printf("[DEBUG] CreateSecretWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("CreateSecretWithContext failed %s\n%s", err, response)) - } - - secret := secretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) - d.SetId(fmt.Sprintf("%s/%s/%s", region, instanceId, *secret.ID)) - d.Set("secret_id", *secret.ID) - - return resourceIbmSmServiceCredentialsSecretRead(context, d, meta) -} - -func resourceIbmSmServiceCredentialsSecretRead(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() - if err != nil { - return diag.FromErr(err) - } - - id := strings.Split(d.Id(), "/") - if len(id) != 3 { - return diag.Errorf("Wrong format of resource ID. To import a secret use the format `//`") - } - region := id[0] - instanceId := id[1] - secretId := id[2] - secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) - - getSecretOptions := &secretsmanagerv2.GetSecretOptions{} - - getSecretOptions.SetID(secretId) - - secretIntf, response, err := secretsManagerClient.GetSecretWithContext(context, getSecretOptions) - if err != nil { - if response != nil && response.StatusCode == 404 { - d.SetId("") - return nil - } - log.Printf("[DEBUG] GetSecretWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("GetSecretWithContext failed %s\n%s", err, response)) - } - - secret := secretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) - - if err = d.Set("secret_id", secretId); err != nil { - return diag.FromErr(fmt.Errorf("Error setting secret_id: %s", err)) - } - if err = d.Set("instance_id", instanceId); err != nil { - return diag.FromErr(fmt.Errorf("Error setting instance_id: %s", err)) - } - if err = d.Set("region", region); err != nil { - return diag.FromErr(fmt.Errorf("Error setting region: %s", err)) - } - if err = d.Set("created_by", secret.CreatedBy); err != nil { - return diag.FromErr(fmt.Errorf("Error setting created_by: %s", err)) - } - if err = d.Set("created_at", DateTimeToRFC3339(secret.CreatedAt)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting created_at: %s", err)) - } - if err = d.Set("crn", secret.Crn); err != nil { - return diag.FromErr(fmt.Errorf("Error setting crn: %s", err)) - } - if err = d.Set("downloaded", secret.Downloaded); err != nil { - return diag.FromErr(fmt.Errorf("Error setting downloaded: %s", err)) - } - if err = d.Set("locks_total", flex.IntValue(secret.LocksTotal)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting locks_total: %s", err)) - } - if err = d.Set("name", secret.Name); err != nil { - return diag.FromErr(fmt.Errorf("Error setting name: %s", err)) - } - if err = d.Set("secret_group_id", secret.SecretGroupID); err != nil { - return diag.FromErr(fmt.Errorf("Error setting secret_group_id: %s", err)) - } - if err = d.Set("secret_type", secret.SecretType); err != nil { - return diag.FromErr(fmt.Errorf("Error setting secret_type: %s", err)) - } - if err = d.Set("state", flex.IntValue(secret.State)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting state: %s", err)) - } - if err = d.Set("state_description", secret.StateDescription); err != nil { - return diag.FromErr(fmt.Errorf("Error setting state_description: %s", err)) - } - if err = d.Set("updated_at", DateTimeToRFC3339(secret.UpdatedAt)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting updated_at: %s", err)) - } - if err = d.Set("versions_total", flex.IntValue(secret.VersionsTotal)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting versions_total: %s", err)) - } - if secret.CustomMetadata != nil { - d.Set("custom_metadata", secret.CustomMetadata) - } - if err = d.Set("description", secret.Description); err != nil { - return diag.FromErr(fmt.Errorf("Error setting description: %s", err)) - } - if secret.Labels != nil { - if err = d.Set("labels", secret.Labels); err != nil { - return diag.FromErr(fmt.Errorf("Error setting labels: %s", err)) - } - } - rotationMap, err := resourceIbmSmServiceCredentialsSecretRotationPolicyToMap(secret.Rotation) - if err != nil { - return diag.FromErr(err) - } - if len(rotationMap) > 0 { - if err = d.Set("rotation", []map[string]interface{}{rotationMap}); err != nil { - return diag.FromErr(fmt.Errorf("Error setting rotation: %s", err)) - } - } - sourceServiceMap, err := resourceIbmSmServiceCredentialsSecretSourceServiceToMap(secret.SourceService) - if err != nil { - return diag.FromErr(err) - } - if len(sourceServiceMap) > 0 { - if err = d.Set("source_service", []map[string]interface{}{sourceServiceMap}); err != nil { - return diag.FromErr(fmt.Errorf("Error setting source_service: %s", err)) - } - } - if secret.Credentials != nil { - var credInterface map[string]interface{} - cred, _ := json.Marshal(secret.Credentials) - json.Unmarshal(cred, &credInterface) - if err = d.Set("credentials", flex.Flatten(credInterface)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting credentials: %s", err)) - } - } - if err = d.Set("next_rotation_date", DateTimeToRFC3339(secret.NextRotationDate)); err != nil { - return diag.FromErr(fmt.Errorf("Error setting next_rotation_date: %s", err)) - } - - // Call get version metadata API to get the current version_custom_metadata - getVersionMetdataOptions := &secretsmanagerv2.GetSecretVersionMetadataOptions{} - getVersionMetdataOptions.SetSecretID(secretId) - getVersionMetdataOptions.SetID("current") - - versionMetadataIntf, response, err := secretsManagerClient.GetSecretVersionMetadataWithContext(context, getVersionMetdataOptions) - if err != nil { - log.Printf("[DEBUG] GetSecretVersionMetadataWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("GetSecretVersionMetadataWithContext failed %s\n%s", err, response)) - } - - versionMetadata := versionMetadataIntf.(*secretsmanagerv2.ServiceCredentialsSecretVersionMetadata) - if versionMetadata.VersionCustomMetadata != nil { - if err = d.Set("version_custom_metadata", versionMetadata.VersionCustomMetadata); err != nil { - return diag.FromErr(fmt.Errorf("Error setting version_custom_metadata: %s", err)) - } - } - - return nil -} - -func resourceIbmSmServiceCredentialsSecretUpdate(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() - if err != nil { - return diag.FromErr(err) - } - - id := strings.Split(d.Id(), "/") - region := id[0] - instanceId := id[1] - secretId := id[2] - secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) - - updateSecretMetadataOptions := &secretsmanagerv2.UpdateSecretMetadataOptions{} - - updateSecretMetadataOptions.SetID(secretId) - - hasChange := false - - patchVals := &secretsmanagerv2.SecretMetadataPatch{} - - if d.HasChange("name") { - patchVals.Name = core.StringPtr(d.Get("name").(string)) - hasChange = true - } - if d.HasChange("description") { - patchVals.Description = core.StringPtr(d.Get("description").(string)) - hasChange = true - } - if d.HasChange("ttl") { - patchVals.TTL = core.StringPtr(d.Get("ttl").(string)) - hasChange = true - } - if d.HasChange("labels") { - labels := d.Get("labels").([]interface{}) - labelsParsed := make([]string, len(labels)) - for i, v := range labels { - labelsParsed[i] = fmt.Sprint(v) - } - patchVals.Labels = labelsParsed - hasChange = true - } - if d.HasChange("custom_metadata") { - patchVals.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) - hasChange = true - } - if d.HasChange("rotation") { - RotationModel, err := resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(d.Get("rotation").([]interface{})[0].(map[string]interface{})) - if err != nil { - log.Printf("[DEBUG] UpdateSecretMetadataWithContext failed: Reading Rotation parameter failed: %s", err) - return diag.FromErr(fmt.Errorf("UpdateSecretMetadataWithContext failed: Reading Rotation parameter failed: %s", err)) - } - patchVals.Rotation = RotationModel - hasChange = true - } - - // Apply change in metadata (if changed) - if hasChange { - updateSecretMetadataOptions.SecretMetadataPatch, _ = patchVals.AsPatch() - _, response, err := secretsManagerClient.UpdateSecretMetadataWithContext(context, updateSecretMetadataOptions) - if err != nil { - log.Printf("[DEBUG] UpdateSecretMetadataWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("UpdateSecretMetadataWithContext failed %s\n%s", err, response)) - } - } - - if d.HasChange("version_custom_metadata") { - // Apply change to version_custom_metadata in current version - secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) - secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() - - updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} - updateSecretVersionOptions.SetSecretID(secretId) - updateSecretVersionOptions.SetID("current") - updateSecretVersionOptions.SetSecretVersionMetadataPatch(secretVersionMetadataPatchModelAsPatch) - _, response, err := secretsManagerClient.UpdateSecretVersionMetadataWithContext(context, updateSecretVersionOptions) - if err != nil { - if hasChange { - // Call the read function to update the Terraform state with the change already applied to the metadata - resourceIbmSmServiceCredentialsSecretRead(context, d, meta) - } - log.Printf("[DEBUG] UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response)) - } - } - - return resourceIbmSmServiceCredentialsSecretRead(context, d, meta) -} - -func resourceIbmSmServiceCredentialsSecretDelete(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - secretsManagerClient, err := meta.(conns.ClientSession).SecretsManagerV2() - if err != nil { - return diag.FromErr(err) - } - - id := strings.Split(d.Id(), "/") - region := id[0] - instanceId := id[1] - secretId := id[2] - secretsManagerClient = getClientWithInstanceEndpoint(secretsManagerClient, instanceId, region, getEndpointType(secretsManagerClient, d)) - - deleteSecretOptions := &secretsmanagerv2.DeleteSecretOptions{} - - deleteSecretOptions.SetID(secretId) - - response, err := secretsManagerClient.DeleteSecretWithContext(context, deleteSecretOptions) - if err != nil { - log.Printf("[DEBUG] DeleteSecretWithContext failed %s\n%s", err, response) - return diag.FromErr(fmt.Errorf("DeleteSecretWithContext failed %s\n%s", err, response)) - } - - d.SetId("") - - return nil -} - -func resourceIbmSmServiceCredentialsSecretMapToSecretPrototype(d *schema.ResourceData) (*secretsmanagerv2.ServiceCredentialsSecretPrototype, error) { - model := &secretsmanagerv2.ServiceCredentialsSecretPrototype{} - model.SecretType = core.StringPtr("service_credentials") - - if _, ok := d.GetOk("name"); ok { - model.Name = core.StringPtr(d.Get("name").(string)) - } - if _, ok := d.GetOk("description"); ok { - model.Description = core.StringPtr(d.Get("description").(string)) - } - if _, ok := d.GetOk("secret_group_id"); ok { - model.SecretGroupID = core.StringPtr(d.Get("secret_group_id").(string)) - } - if _, ok := d.GetOk("labels"); ok { - labels := d.Get("labels").([]interface{}) - labelsParsed := make([]string, len(labels)) - for i, v := range labels { - labelsParsed[i] = fmt.Sprint(v) - } - model.Labels = labelsParsed - } - if _, ok := d.GetOk("ttl"); ok { - model.TTL = core.StringPtr(d.Get("ttl").(string)) - } - if _, ok := d.GetOk("rotation"); ok { - RotationModel, err := resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(d.Get("rotation").([]interface{})[0].(map[string]interface{})) - if err != nil { - return model, err - } - model.Rotation = RotationModel - } - if _, ok := d.GetOk("source_service"); ok { - SourceServiceModel, err := resourceIbmSmServiceCredentialsSecretMapToSourceService(d.Get("source_service").([]interface{})[0].(map[string]interface{})) - if err != nil { - return model, err - } - model.SourceService = SourceServiceModel - } - if _, ok := d.GetOk("custom_metadata"); ok { - model.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) - } - if _, ok := d.GetOk("version_custom_metadata"); ok { - model.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - } - return model, nil -} - -func resourceIbmSmServiceCredentialsSecretMapToRotationPolicy(modelMap map[string]interface{}) (secretsmanagerv2.RotationPolicyIntf, error) { - model := &secretsmanagerv2.RotationPolicy{} - if modelMap["auto_rotate"] != nil { - model.AutoRotate = core.BoolPtr(modelMap["auto_rotate"].(bool)) - } - if modelMap["interval"].(int) == 0 { - model.Interval = nil - } else { - model.Interval = core.Int64Ptr(int64(modelMap["interval"].(int))) - } - if modelMap["unit"] != nil && modelMap["unit"].(string) != "" { - model.Unit = core.StringPtr(modelMap["unit"].(string)) - } - return model, nil -} - -func resourceIbmSmServiceCredentialsSecretMapToSourceService(modelMap map[string]interface{}) (*secretsmanagerv2.ServiceCredentialsSecretSourceService, error) { - mainModel := &secretsmanagerv2.ServiceCredentialsSecretSourceService{} - - if modelMap["instance"] != nil && len(modelMap["instance"].([]interface{})) > 0 { - instanceModel := &secretsmanagerv2.ServiceCredentialsSourceServiceInstance{} - if modelMap["instance"].([]interface{})[0].(map[string]interface{})["crn"].(string) != "" { - instanceModel.Crn = core.StringPtr(modelMap["instance"].([]interface{})[0].(map[string]interface{})["crn"].(string)) - mainModel.Instance = instanceModel - } - } - - if modelMap["role"] != nil && len(modelMap["role"].([]interface{})) > 0 { - roleModel := &secretsmanagerv2.ServiceCredentialsSourceServiceRole{} - if modelMap["role"].([]interface{})[0].(map[string]interface{})["crn"].(string) != "" { - roleModel.Crn = core.StringPtr(modelMap["role"].([]interface{})[0].(map[string]interface{})["crn"].(string)) - mainModel.Role = roleModel - } - } - - if modelMap["parameters"] != nil { - mainModel.Parameters = &secretsmanagerv2.ServiceCredentialsSourceServiceParameters{} - parametersMap := modelMap["parameters"].(map[string]interface{}) - for k, v := range parametersMap { - if k == "serviceid_crn" { - serviceIdCrn := v.(string) - mainModel.Parameters.ServiceidCrn = &serviceIdCrn - } else if v == "true" || v == "false" { - b, _ := strconv.ParseBool(v.(string)) - mainModel.Parameters.SetProperty(k, b) - } else { - mainModel.Parameters.SetProperty(k, v) - } - } - } - return mainModel, nil -} - -func resourceIbmSmServiceCredentialsSecretRotationPolicyToMap(modelIntf secretsmanagerv2.RotationPolicyIntf) (map[string]interface{}, error) { - modelMap := make(map[string]interface{}) - model := modelIntf.(*secretsmanagerv2.RotationPolicy) - if model.AutoRotate != nil { - modelMap["auto_rotate"] = model.AutoRotate - } - if model.Interval != nil { - modelMap["interval"] = flex.IntValue(model.Interval) - } - if model.Unit != nil { - modelMap["unit"] = model.Unit - } - return modelMap, nil -} - -func resourceIbmSmServiceCredentialsSecretSourceServiceToMap(sourceService *secretsmanagerv2.ServiceCredentialsSecretSourceService) (map[string]interface{}, error) { - mainModelMap := make(map[string]interface{}) - if sourceService.Instance != nil { - instanceMap := make(map[string]interface{}) - instanceModel := sourceService.Instance - if instanceModel.Crn != nil { - instanceMap["crn"] = instanceModel.Crn - } - mainModelMap["instance"] = []map[string]interface{}{instanceMap} - } - - if sourceService.Role != nil { - roleMap := make(map[string]interface{}) - roleModel := sourceService.Role - if roleModel.Crn != nil { - roleMap["crn"] = roleModel.Crn - } - mainModelMap["role"] = []map[string]interface{}{roleMap} - } - - if sourceService.Iam != nil { - iamMap := make(map[string]interface{}) - iamModel := sourceService.Iam - - // apikey - if iamModel.Apikey != nil { - iamApikeyMap := make(map[string]interface{}) - iamApikeyModel := iamModel.Apikey - if iamApikeyModel.Name != nil { - iamApikeyMap["name"] = iamApikeyModel.Name - } - if iamApikeyModel.Description != nil { - iamApikeyMap["description"] = iamApikeyModel.Description - } - iamMap["apikey"] = []map[string]interface{}{iamApikeyMap} - } - - // role - if iamModel.Role != nil { - iamRoleMap := make(map[string]interface{}) - iamRoleModel := iamModel.Role - if iamRoleModel.Crn != nil { - iamRoleMap["crn"] = iamRoleModel.Crn - } - iamMap["role"] = []map[string]interface{}{iamRoleMap} - } - - // service id - if iamModel.Serviceid != nil { - iamServiceidMap := make(map[string]interface{}) - iamServiceidModel := iamModel.Serviceid - if iamServiceidModel.Crn != nil { - iamServiceidMap["crn"] = iamServiceidModel.Crn - } - iamMap["serviceid"] = []map[string]interface{}{iamServiceidMap} - } - - mainModelMap["iam"] = []map[string]interface{}{iamMap} - - } - - if sourceService.ResourceKey != nil { - resourceKeyMap := make(map[string]interface{}) - resourceKeyModel := sourceService.ResourceKey - if resourceKeyModel.Crn != nil { - resourceKeyMap["crn"] = resourceKeyModel.Crn - } - if resourceKeyModel.Name != nil { - resourceKeyMap["name"] = resourceKeyModel.Name - } - mainModelMap["resource_key"] = []map[string]interface{}{resourceKeyMap} - } - - if sourceService.Parameters != nil { - parametersMap := sourceService.Parameters.GetProperties() - for k, v := range parametersMap { - parametersMap[k] = fmt.Sprint(v) - } - if sourceService.Parameters.ServiceidCrn != nil { - if len(parametersMap) == 0 { - parametersMap = make(map[string]interface{}) - } - parametersMap["serviceid_crn"] = sourceService.Parameters.ServiceidCrn - } - mainModelMap["parameters"] = parametersMap - } - - return mainModelMap, nil -} diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go deleted file mode 100644 index 7de340208c..0000000000 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go +++ /dev/null @@ -1,335 +0,0 @@ -// Copyright IBM Corp. 2023 All Rights Reserved. -// Licensed under the Mozilla Public License v2.0 - -package secretsmanager_test - -import ( - "fmt" - "strings" - "testing" - - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" - - acc "github.com/IBM-Cloud/terraform-provider-ibm/ibm/acctest" - "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" - "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" -) - -var serviceCredentialsSecretName = "terraform-test-sc-secret" -var modifiedServiceCredentialsSecretName = "modified-terraform-test-sc-secret" -var serviceCredentialsParameters = `{"HMAC":"true"}` -var serviceCredentialsParametersWithServiceId = `{"serviceid_crn": ibm_iam_service_id.ibm_iam_service_id_instance.crn}` -var serviceCredentialsTtl = "172800" -var modifiedServiceCredentialsTtl = "6048000" -var serviceCredentialsRoleCrn = "crn:v1:bluemix:public:iam::::serviceRole:Writer" - -func TestAccIbmSmServiceCredentialsSecretBasic(t *testing.T) { - resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret_basic" - - resource.Test(t, resource.TestCase{ - PreCheck: func() { acc.TestAccPreCheck(t) }, - Providers: acc.TestAccProviders, - CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, - Steps: []resource.TestStep{ - resource.TestStep{ - Config: serviceCredentialsSecretConfigBasic(), - Check: resource.ComposeAggregateTestCheckFunc( - resource.TestCheckResourceAttrSet(resourceName, "secret_id"), - resource.TestCheckResourceAttrSet(resourceName, "created_by"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), - resource.TestCheckResourceAttrSet(resourceName, "crn"), - resource.TestCheckResourceAttrSet(resourceName, "downloaded"), - resource.TestCheckResourceAttr(resourceName, "state", "1"), - resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), - ), - }, - resource.TestStep{ - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"ttl"}, - }, - }, - }) -} - -func TestAccIbmSmServiceCredentialsSecretAllArgs(t *testing.T) { - resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret" - - resource.Test(t, resource.TestCase{ - PreCheck: func() { acc.TestAccPreCheck(t) }, - Providers: acc.TestAccProviders, - CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, - Steps: []resource.TestStep{ - resource.TestStep{ - Config: serviceCredentialsSecretConfigAllArgs(), - Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckIbmSmServiceCredentialsSecretCreated(resourceName), - resource.TestCheckResourceAttrSet(resourceName, "secret_id"), - resource.TestCheckResourceAttrSet(resourceName, "created_by"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), - resource.TestCheckResourceAttrSet(resourceName, "crn"), - resource.TestCheckResourceAttrSet(resourceName, "downloaded"), - resource.TestCheckResourceAttrSet(resourceName, "next_rotation_date"), - resource.TestCheckResourceAttr(resourceName, "state", "1"), - resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), - ), - }, - resource.TestStep{ - Config: serviceCredentialsSecretConfigUpdated(), - Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckIbmSmServiceCredentialsSecretUpdated(resourceName), - ), - }, - resource.TestStep{ - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"ttl"}, - }, - }, - }) -} - -func TestAccIbmSmServiceCredentialsSecretAllArgsWithExistingServiceId(t *testing.T) { - resourceName := "ibm_sm_service_credentials_secret.sm_service_credentials_secret_service_id" - - resource.Test(t, resource.TestCase{ - PreCheck: func() { acc.TestAccPreCheck(t) }, - Providers: acc.TestAccProviders, - CheckDestroy: testAccCheckIbmSmServiceCredentialsSecretDestroy, - Steps: []resource.TestStep{ - resource.TestStep{ - Config: serviceCredentialsSecretConfigAllArgsWithExistingServiceId(), - Check: resource.ComposeAggregateTestCheckFunc( - testAccCheckIbmSmServiceCredentialsSecretCreated(resourceName), - resource.TestCheckResourceAttrSet(resourceName, "secret_id"), - resource.TestCheckResourceAttrSet(resourceName, "created_by"), - resource.TestCheckResourceAttrSet(resourceName, "created_at"), - resource.TestCheckResourceAttrSet(resourceName, "updated_at"), - resource.TestCheckResourceAttrSet(resourceName, "crn"), - resource.TestCheckResourceAttrSet(resourceName, "downloaded"), - resource.TestCheckResourceAttrSet(resourceName, "next_rotation_date"), - resource.TestCheckResourceAttr(resourceName, "state", "1"), - resource.TestCheckResourceAttr(resourceName, "versions_total", "1"), - ), - }, - resource.TestStep{ - ResourceName: resourceName, - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"ttl"}, - }, - }, - }) -} - -var serviceCredentialsSecretBasicConfigFormat = ` - resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_basic" { - instance_id = "%s" - region = "%s" - name = "%s" - source_service { - instance { - crn = "%s" - } - role { - crn = "%s" - } - } - ttl = "%s" - }` - -var serviceCredentialsSecretFullConfigFormat = ` - resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { - instance_id = "%s" - region = "%s" - name = "%s" - description = "%s" - labels = ["%s"] - source_service { - instance { - crn = "%s" - } - parameters = %s - role { - crn = "%s" - } - } - ttl = "%s" - custom_metadata = %s - secret_group_id = "default" - rotation %s - }` - -var serviceCredentialsSecretFullConfigFormatWithExistingServiceId = ` - resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret_service_id" { - instance_id = "%s" - region = "%s" - name = "%s" - description = "%s" - labels = ["%s"] - source_service { - instance { - crn = "%s" - } - parameters = %s - role { - crn = "%s" - } - } - ttl = "%s" - custom_metadata = %s - secret_group_id = "default" - rotation %s - }` - -func iamServiceIdConfig() string { - return fmt.Sprintf(` - resource "ibm_iam_service_id" "ibm_iam_service_id_instance" { - name = "service-id-terraform-tests-sc" - }`) -} - -func serviceCredentialsSecretConfigBasic() string { - return fmt.Sprintf(serviceCredentialsSecretBasicConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, - serviceCredentialsSecretName, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsRoleCrn, serviceCredentialsTtl) -} - -func serviceCredentialsSecretConfigAllArgs() string { - return fmt.Sprintf(serviceCredentialsSecretFullConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, - serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) -} - -func serviceCredentialsSecretConfigAllArgsWithExistingServiceId() string { - return iamServiceIdConfig() + fmt.Sprintf(serviceCredentialsSecretFullConfigFormatWithExistingServiceId, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, - serviceCredentialsSecretName, description, label, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParametersWithServiceId, serviceCredentialsRoleCrn, serviceCredentialsTtl, customMetadata, rotationPolicy) -} - -func serviceCredentialsSecretConfigUpdated() string { - return fmt.Sprintf(serviceCredentialsSecretFullConfigFormat, acc.SecretsManagerInstanceID, acc.SecretsManagerInstanceRegion, - modifiedServiceCredentialsSecretName, modifiedDescription, modifiedLabel, acc.SecretsManagerServiceCredentialsCosCrn, serviceCredentialsParameters, serviceCredentialsRoleCrn, - modifiedServiceCredentialsTtl, modifiedCustomMetadata, modifiedRotationPolicy) -} - -func testAccCheckIbmSmServiceCredentialsSecretCreated(n string) resource.TestCheckFunc { - return func(s *terraform.State) error { - serviceCredentialsSecretIntf, err := getSecret(s, n) - if err != nil { - return err - } - secret := serviceCredentialsSecretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) - - if err := verifyAttr(*secret.Name, serviceCredentialsSecretName, "secret name"); err != nil { - return err - } - if err := verifyAttr(*secret.Description, description, "secret description"); err != nil { - return err - } - if len(secret.Labels) != 1 { - return fmt.Errorf("Wrong number of labels: %d", len(secret.Labels)) - } - if err := verifyAttr(secret.Labels[0], label, "label"); err != nil { - return err - } - if err := verifyJsonAttr(secret.CustomMetadata, customMetadata, "custom metadata"); err != nil { - return err - } - if err := verifyAttr(getAutoRotate(secret.Rotation), "true", "auto_rotate"); err != nil { - return err - } - if err := verifyAttr(getRotationUnit(secret.Rotation), "day", "rotation unit"); err != nil { - return err - } - if err := verifyAttr(getRotationInterval(secret.Rotation), "1", "rotation interval"); err != nil { - return err - } - if err := verifyAttr(*secret.TTL, serviceCredentialsTtl, "ttl"); err != nil { - return err - } - if err := verifyAttr(*secret.SourceService.Instance.Crn, acc.SecretsManagerServiceCredentialsCosCrn, "source_service.Instance.Crn"); err != nil { - return err - } - if err := verifyAttr(*secret.SourceService.Role.Crn, serviceCredentialsRoleCrn, "source_service.Role.Crn"); err != nil { - return err - } - if err := verifyAttr(*secret.Credentials.IamRoleCrn, serviceCredentialsRoleCrn, "credentials.IamRoleCrn"); err != nil { - return err - } - return nil - } -} - -func testAccCheckIbmSmServiceCredentialsSecretUpdated(n string) resource.TestCheckFunc { - return func(s *terraform.State) error { - serviceCredentialsSecretIntf, err := getSecret(s, n) - if err != nil { - return err - } - secret := serviceCredentialsSecretIntf.(*secretsmanagerv2.ServiceCredentialsSecret) - - if err := verifyAttr(*secret.Name, modifiedServiceCredentialsSecretName, "secret name"); err != nil { - return err - } - if err := verifyAttr(*secret.Description, modifiedDescription, "secret description after update"); err != nil { - return err - } - if len(secret.Labels) != 1 { - return fmt.Errorf("Wrong number of labels after update: %d", len(secret.Labels)) - } - if err := verifyAttr(secret.Labels[0], modifiedLabel, "label after update"); err != nil { - return err - } - if err := verifyJsonAttr(secret.CustomMetadata, modifiedCustomMetadata, "custom metadata after update"); err != nil { - return err - } - if err := verifyAttr(*secret.TTL, modifiedServiceCredentialsTtl, "ttl after update"); err != nil { - return err - } - if err := verifyAttr(getAutoRotate(secret.Rotation), "true", "auto_rotate after update"); err != nil { - return err - } - if err := verifyAttr(getRotationUnit(secret.Rotation), "month", "rotation unit after update"); err != nil { - return err - } - if err := verifyAttr(getRotationInterval(secret.Rotation), "2", "rotation interval after update"); err != nil { - return err - } - return nil - } -} - -func testAccCheckIbmSmServiceCredentialsSecretDestroy(s *terraform.State) error { - secretsManagerClient, err := acc.TestAccProvider.Meta().(conns.ClientSession).SecretsManagerV2() - if err != nil { - return err - } - - secretsManagerClient = getClientWithInstanceEndpointTest(secretsManagerClient) - - for _, rs := range s.RootModule().Resources { - if rs.Type != "ibm_sm_service_credentials_secret" { - continue - } - - getSecretOptions := &secretsmanagerv2.GetSecretOptions{} - - id := strings.Split(rs.Primary.ID, "/") - secretId := id[2] - getSecretOptions.SetID(secretId) - - // Try to find the key - _, response, err := secretsManagerClient.GetSecret(getSecretOptions) - - if err == nil { - return fmt.Errorf("ServiceCredentialsSecret still exists: %s", rs.Primary.ID) - } else if response.StatusCode != 404 { - return fmt.Errorf("Error checking for ServiceCredentialsSecret (%s) has been destroyed: %s", rs.Primary.ID, err) - } - } - - return nil -} From 74626d8d3cd1bb23260726096022032b1cd74688 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Tue, 26 Dec 2023 14:45:19 +0200 Subject: [PATCH 17/25] bugs fixes --- ...as_secret.go => resource_ibm_sm_service_credentials_secret.go} | 0 ...test.go => resource_ibm_sm_service_credentials_secret_test.go} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename ibm/service/secretsmanager/{resource_ibm_sm_service_credentilas_secret.go => resource_ibm_sm_service_credentials_secret.go} (100%) rename ibm/service/secretsmanager/{resource_ibm_sm_service_credentilas_secret_test.go => resource_ibm_sm_service_credentials_secret_test.go} (100%) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go similarity index 100% rename from ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go rename to ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go similarity index 100% rename from ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret_test.go rename to ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret_test.go From fbf61c65a90dd20c11738ebb683fc09a6790ba05 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 3 Jan 2024 15:55:31 +0200 Subject: [PATCH 18/25] docs bugs fixes --- website/docs/r/sm_service_credentials_secret.html.markdown | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/website/docs/r/sm_service_credentials_secret.html.markdown b/website/docs/r/sm_service_credentials_secret.html.markdown index cdf60c3e9f..12b43a166b 100644 --- a/website/docs/r/sm_service_credentials_secret.html.markdown +++ b/website/docs/r/sm_service_credentials_secret.html.markdown @@ -43,6 +43,7 @@ resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { ```terraform resource "ibm_sm_service_credentials_secret" "sm_service_credentials_secret" { + instance_id = ibm_resource_instance.sm_instance.guid region = "us-south" name = "secret-name" source_service { @@ -89,11 +90,11 @@ Nested scheme for **rotation**: * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`. -* `source_service` - (Optional, List) The properties required for creating the service credentials for the specified source service instance. +* `source_service` - (Required, List) The properties required for creating the service credentials for the specified source service instance. Nested scheme for **source_service**: - * `instance` - (Optional, List) The source service instance identifier. + * `instance` - (Required, List) The source service instance identifier. Nested scheme for **instance**: - * `crn` - (Optional, String) A CRN that uniquely identifies a service credentials source. + * `crn` - (Required, String) A CRN that uniquely identifies a service credentials source. * `role` - (Optional, List) The service-specific custom role object, CRN role is accepted. Refer to the service’s documentation for supported roles. Nested scheme for **role**: * `crn` - (Optional, String) The service role CRN. From e63a564fd3bbc0b784276ccb6d682ab77e11400e Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Mon, 15 Jan 2024 14:34:40 +0200 Subject: [PATCH 19/25] preferred_chain added for public cert lets encrypt configuration --- ...rtificate_configuration_ca_lets_encrypt.go | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_public_certificate_configuration_ca_lets_encrypt.go b/ibm/service/secretsmanager/resource_ibm_sm_public_certificate_configuration_ca_lets_encrypt.go index 1e5620511c..4d23c48659 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_public_certificate_configuration_ca_lets_encrypt.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_public_certificate_configuration_ca_lets_encrypt.go @@ -36,6 +36,11 @@ func ResourceIbmSmPublicCertificateConfigurationCALetsEncrypt() *schema.Resource Required: true, Description: "The configuration of the Let's Encrypt CA environment.", }, + "lets_encrypt_preferred_chain": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Description: "Prefer the chain with an issuer matching this Subject Common Name.", + }, "lets_encrypt_private_key": &schema.Schema{ Type: schema.TypeString, Required: true, @@ -140,6 +145,9 @@ func resourceIbmSmPublicCertificateConfigurationCALetsEncryptRead(context contex if err = d.Set("lets_encrypt_environment", configuration.LetsEncryptEnvironment); err != nil { return diag.FromErr(fmt.Errorf("Error setting lets_encrypt_environment: %s", err)) } + if err = d.Set("lets_encrypt_preferred_chain", configuration.LetsEncryptPreferredChain); err != nil { + return diag.FromErr(fmt.Errorf("Error setting lets_encrypt_preferred_chain: %s", err)) + } if err = d.Set("lets_encrypt_private_key", configuration.LetsEncryptPrivateKey); err != nil { return diag.FromErr(fmt.Errorf("Error setting lets_encrypt_private_key: %s", err)) } @@ -173,6 +181,11 @@ func resourceIbmSmPublicCertificateConfigurationCALetsEncryptUpdate(context cont hasChange = true } + if d.HasChange("lets_encrypt_preferred_chain") { + patchVals.LetsEncryptPreferredChain = core.StringPtr(d.Get("lets_encrypt_preferred_chain").(string)) + hasChange = true + } + patchVals.LetsEncryptEnvironment = core.StringPtr(d.Get("lets_encrypt_environment").(string)) if d.HasChange("lets_encrypt_environment") { hasChange = true @@ -222,15 +235,15 @@ func resourceIbmSmPublicCertificateConfigurationCALetsEncryptMapToConfigurationP model.ConfigType = core.StringPtr("public_cert_configuration_ca_lets_encrypt") - //if _, ok := d.GetOk("config_type"); ok { - // model.ConfigType = core.StringPtr(d.Get("config_type").(string)) - //} if _, ok := d.GetOk("name"); ok { model.Name = core.StringPtr(d.Get("name").(string)) } if _, ok := d.GetOk("lets_encrypt_environment"); ok { model.LetsEncryptEnvironment = core.StringPtr(d.Get("lets_encrypt_environment").(string)) } + if _, ok := d.GetOk("lets_encrypt_preferred_chain"); ok { + model.LetsEncryptPreferredChain = core.StringPtr(d.Get("lets_encrypt_preferred_chain").(string)) + } if _, ok := d.GetOk("lets_encrypt_private_key"); ok { model.LetsEncryptPrivateKey = core.StringPtr(formatCertificate(d.Get("lets_encrypt_private_key").(string))) } From ef612d90fa2a71221a4a59a0bae16b00c98dc2ec Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Mon, 15 Jan 2024 17:26:48 +0200 Subject: [PATCH 20/25] support for creating secret version for username password & version_custom_metadata for all --- .../resource_ibm_sm_iam_credentials_secret.go | 22 ++++++++- .../resource_ibm_sm_private_certificate.go | 22 ++++++++- .../resource_ibm_sm_public_certificate.go | 22 ++++++++- ...esource_ibm_sm_username_password_secret.go | 48 ++++++++++++++++++- 4 files changed, 109 insertions(+), 5 deletions(-) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go index 542275b142..401488105a 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go @@ -126,7 +126,6 @@ func ResourceIbmSmIamCredentialsSecret() *schema.Resource { "version_custom_metadata": &schema.Schema{ Type: schema.TypeMap, Optional: true, - ForceNew: true, Description: "The secret version metadata that a user can customize.", Elem: &schema.Schema{Type: schema.TypeString}, }, @@ -475,6 +474,27 @@ func resourceIbmSmIamCredentialsSecretUpdate(context context.Context, d *schema. } } + if d.HasChange("version_custom_metadata") { + // Apply change to version_custom_metadata in current version + secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) + secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + + updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} + updateSecretVersionOptions.SetSecretID(secretId) + updateSecretVersionOptions.SetID("current") + updateSecretVersionOptions.SetSecretVersionMetadataPatch(secretVersionMetadataPatchModelAsPatch) + _, response, err := secretsManagerClient.UpdateSecretVersionMetadataWithContext(context, updateSecretVersionOptions) + if err != nil { + if hasChange { + // Call the read function to update the Terraform state with the change already applied to the metadata + resourceIbmSmIamCredentialsSecretRead(context, d, meta) + } + log.Printf("[DEBUG] UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + } + return resourceIbmSmIamCredentialsSecretRead(context, d, meta) } diff --git a/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go b/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go index 7fe6c10bd6..78d4369c7d 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go @@ -168,7 +168,6 @@ func ResourceIbmSmPrivateCertificate() *schema.Resource { }, "version_custom_metadata": &schema.Schema{ Type: schema.TypeMap, - ForceNew: true, Optional: true, Description: "The secret version metadata that a user can customize.", Elem: &schema.Schema{Type: schema.TypeString}, @@ -608,6 +607,27 @@ func resourceIbmSmPrivateCertificateUpdate(context context.Context, d *schema.Re } } + if d.HasChange("version_custom_metadata") { + // Apply change to version_custom_metadata in current version + secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) + secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + + updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} + updateSecretVersionOptions.SetSecretID(secretId) + updateSecretVersionOptions.SetID("current") + updateSecretVersionOptions.SetSecretVersionMetadataPatch(secretVersionMetadataPatchModelAsPatch) + _, response, err := secretsManagerClient.UpdateSecretVersionMetadataWithContext(context, updateSecretVersionOptions) + if err != nil { + if hasChange { + // Call the read function to update the Terraform state with the change already applied to the metadata + resourceIbmSmPrivateCertificateRead(context, d, meta) + } + log.Printf("[DEBUG] UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + } + return resourceIbmSmPrivateCertificateRead(context, d, meta) } diff --git a/ibm/service/secretsmanager/resource_ibm_sm_public_certificate.go b/ibm/service/secretsmanager/resource_ibm_sm_public_certificate.go index fb268ad8ed..e4da540d19 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_public_certificate.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_public_certificate.go @@ -140,7 +140,6 @@ func ResourceIbmSmPublicCertificate() *schema.Resource { }, "version_custom_metadata": &schema.Schema{ Type: schema.TypeMap, - ForceNew: true, Optional: true, Description: "The secret version metadata that a user can customize.", Elem: &schema.Schema{Type: schema.TypeString}, @@ -706,6 +705,27 @@ func resourceIbmSmPublicCertificateUpdate(context context.Context, d *schema.Res } } + if d.HasChange("version_custom_metadata") { + // Apply change to version_custom_metadata in current version + secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) + secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + + updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} + updateSecretVersionOptions.SetSecretID(secretId) + updateSecretVersionOptions.SetID("current") + updateSecretVersionOptions.SetSecretVersionMetadataPatch(secretVersionMetadataPatchModelAsPatch) + _, response, err := secretsManagerClient.UpdateSecretVersionMetadataWithContext(context, updateSecretVersionOptions) + if err != nil { + if hasChange { + // Call the read function to update the Terraform state with the change already applied to the metadata + resourceIbmSmPublicCertificateRead(context, d, meta) + } + log.Printf("[DEBUG] UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + } + return resourceIbmSmPublicCertificateRead(context, d, meta) } diff --git a/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go index a5d48f33ac..6040163fb8 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go @@ -81,7 +81,7 @@ func ResourceIbmSmUsernamePasswordSecret() *schema.Resource { "version_custom_metadata": &schema.Schema{ Type: schema.TypeMap, Optional: true, - ForceNew: true, + Computed: true, Description: "The secret version metadata that a user can customize.", Elem: &schema.Schema{Type: schema.TypeString}, }, @@ -124,7 +124,6 @@ func ResourceIbmSmUsernamePasswordSecret() *schema.Resource { "password": &schema.Schema{ Type: schema.TypeString, Required: true, - ForceNew: true, Sensitive: true, Description: "The password that is assigned to the secret.", }, @@ -434,6 +433,51 @@ func resourceIbmSmUsernamePasswordSecretUpdate(context context.Context, d *schem } } + // Apply change in payload (if changed) + if d.HasChange("password") { + versionModel := &secretsmanagerv2.UsernamePasswordSecretVersionPrototype{} + versionModel.Password = core.StringPtr(d.Get("password").(string)) + if _, ok := d.GetOk("version_custom_metadata"); ok { + versionModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) + } + if _, ok := d.GetOk("custom_metadata"); ok { + versionModel.CustomMetadata = d.Get("custom_metadata").(map[string]interface{}) + } + + createSecretVersionOptions := &secretsmanagerv2.CreateSecretVersionOptions{} + createSecretVersionOptions.SetSecretID(secretId) + createSecretVersionOptions.SetSecretVersionPrototype(versionModel) + _, response, err := secretsManagerClient.CreateSecretVersionWithContext(context, createSecretVersionOptions) + if err != nil { + if hasChange { + // Before returning an error, call the read function to update the Terraform state with the change + // that was already applied to the metadata + resourceIbmSmUsernamePasswordSecretRead(context, d, meta) + } + log.Printf("[DEBUG] CreateSecretVersionWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("CreateSecretVersionWithContext failed %s\n%s", err, response)) + } + } else if d.HasChange("version_custom_metadata") { + // Apply change to version_custom_metadata in current version + secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) + secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + + updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} + updateSecretVersionOptions.SetSecretID(secretId) + updateSecretVersionOptions.SetID("current") + updateSecretVersionOptions.SetSecretVersionMetadataPatch(secretVersionMetadataPatchModelAsPatch) + _, response, err := secretsManagerClient.UpdateSecretVersionMetadataWithContext(context, updateSecretVersionOptions) + if err != nil { + if hasChange { + // Call the read function to update the Terraform state with the change already applied to the metadata + resourceIbmSmUsernamePasswordSecretRead(context, d, meta) + } + log.Printf("[DEBUG] UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("UpdateSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + } + return resourceIbmSmUsernamePasswordSecretRead(context, d, meta) } From 3bb189afbab9514750b50d7e2ddfb259dd531a1f Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Mon, 15 Jan 2024 17:29:22 +0200 Subject: [PATCH 21/25] support for creating secret version for username password & version_custom_metadata for all --- .secrets.baseline | 64 +++++++++++++++++------------------------------ 1 file changed, 23 insertions(+), 41 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index dae78c7d80..9951ef0b1f 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.mod|go.sum|.*.map|^.secrets.baseline$", "lines": null }, - "generated_at": "2023-12-26T12:35:45Z", + "generated_at": "2024-01-15T15:28:18Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -760,7 +760,7 @@ "hashed_secret": "731438016c5ab94431f61820f35e3ae5f8ad6004", "is_secret": false, "is_verified": false, - "line_number": 428, + "line_number": 432, "type": "Secret Keyword", "verified_result": null }, @@ -768,7 +768,7 @@ "hashed_secret": "12da2e35d6b50c902c014f1ab9e3032650368df7", "is_secret": false, "is_verified": false, - "line_number": 434, + "line_number": 438, "type": "Secret Keyword", "verified_result": null }, @@ -776,7 +776,7 @@ "hashed_secret": "813274ccae5b6b509379ab56982d862f7b5969b6", "is_secret": false, "is_verified": false, - "line_number": 1157, + "line_number": 1161, "type": "Base64 High Entropy String", "verified_result": null } @@ -794,7 +794,7 @@ "hashed_secret": "c427f185ddcb2440be9b77c8e45f1cd487a2e790", "is_secret": false, "is_verified": false, - "line_number": 1451, + "line_number": 1454, "type": "Base64 High Entropy String", "verified_result": null }, @@ -802,7 +802,7 @@ "hashed_secret": "1f7e33de15e22de9d2eaf502df284ed25ca40018", "is_secret": false, "is_verified": false, - "line_number": 1518, + "line_number": 1521, "type": "Secret Keyword", "verified_result": null }, @@ -810,7 +810,7 @@ "hashed_secret": "1f614c2eb6b3da22d89bd1b9fd47d7cb7c8fc670", "is_secret": false, "is_verified": false, - "line_number": 3338, + "line_number": 3342, "type": "Secret Keyword", "verified_result": null }, @@ -818,7 +818,7 @@ "hashed_secret": "7abfce65b8504403afc25c9790f358d513dfbcc6", "is_secret": false, "is_verified": false, - "line_number": 3351, + "line_number": 3355, "type": "Secret Keyword", "verified_result": null }, @@ -826,7 +826,7 @@ "hashed_secret": "0c2d85bf9a9b1579b16f220a4ea8c3d62b2e24b1", "is_secret": false, "is_verified": false, - "line_number": 3392, + "line_number": 3396, "type": "Secret Keyword", "verified_result": null } @@ -2964,7 +2964,7 @@ "hashed_secret": "92f08f2d9a0dc3f0d4cb3796435a48508cf59ecd", "is_secret": false, "is_verified": false, - "line_number": 1091, + "line_number": 1115, "type": "Secret Keyword", "verified_result": null } @@ -2992,7 +2992,7 @@ "hashed_secret": "92f08f2d9a0dc3f0d4cb3796435a48508cf59ecd", "is_secret": false, "is_verified": false, - "line_number": 509, + "line_number": 513, "type": "Secret Keyword", "verified_result": null } @@ -3556,7 +3556,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 198, + "line_number": 197, "type": "Secret Keyword", "verified_result": null }, @@ -3564,7 +3564,7 @@ "hashed_secret": "108b310facc1a193833fc2971fd83081f775ea0c", "is_secret": false, "is_verified": false, - "line_number": 389, + "line_number": 388, "type": "Secret Keyword", "verified_result": null }, @@ -3572,7 +3572,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 392, + "line_number": 391, "type": "Secret Keyword", "verified_result": null } @@ -3636,7 +3636,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 297, + "line_number": 296, "type": "Secret Keyword", "verified_result": null }, @@ -3644,7 +3644,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 538, + "line_number": 537, "type": "Secret Keyword", "verified_result": null } @@ -3690,7 +3690,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 397, + "line_number": 396, "type": "Secret Keyword", "verified_result": null }, @@ -3698,7 +3698,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 637, + "line_number": 636, "type": "Secret Keyword", "verified_result": null } @@ -3718,7 +3718,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 39, + "line_number": 44, "type": "Secret Keyword", "verified_result": null }, @@ -3726,7 +3726,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 144, + "line_number": 152, "type": "Secret Keyword", "verified_result": null } @@ -3831,24 +3831,6 @@ "verified_result": null } ], - "ibm/service/secretsmanager/resource_ibm_sm_service_credentilas_secret.go": [ - { - "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", - "is_secret": false, - "is_verified": false, - "line_number": 190, - "type": "Secret Keyword", - "verified_result": null - }, - { - "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", - "is_secret": false, - "is_verified": false, - "line_number": 443, - "type": "Secret Keyword", - "verified_result": null - } - ], "ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go": [ { "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", @@ -3862,7 +3844,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 356, + "line_number": 355, "type": "Secret Keyword", "verified_result": null } @@ -5002,7 +4984,7 @@ "hashed_secret": "d47dcacc720a39e236679ac3e311a0d58bb6519e", "is_secret": false, "is_verified": false, - "line_number": 191, + "line_number": 192, "type": "Secret Keyword", "verified_result": null }, @@ -5010,7 +4992,7 @@ "hashed_secret": "e66e7d67fdf3c596c435fc7828b13205e4950a0f", "is_secret": false, "is_verified": false, - "line_number": 193, + "line_number": 194, "type": "Secret Keyword", "verified_result": null } From 47ea09c426b0d49f45b3a839a0626a7a7487a321 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 17 Jan 2024 12:11:09 +0200 Subject: [PATCH 22/25] support for creating secret version for username password & version_custom_metadata for all --- .secrets.baseline | 6 +++--- .../resource_ibm_sm_username_password_secret.go | 1 - 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 9951ef0b1f..8ed181f610 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.mod|go.sum|.*.map|^.secrets.baseline$", "lines": null }, - "generated_at": "2024-01-15T15:28:18Z", + "generated_at": "2024-01-17T10:10:24Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -3836,7 +3836,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 124, + "line_number": 123, "type": "Secret Keyword", "verified_result": null }, @@ -3844,7 +3844,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 355, + "line_number": 354, "type": "Secret Keyword", "verified_result": null } diff --git a/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go index 6040163fb8..811d59f990 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go @@ -81,7 +81,6 @@ func ResourceIbmSmUsernamePasswordSecret() *schema.Resource { "version_custom_metadata": &schema.Schema{ Type: schema.TypeMap, Optional: true, - Computed: true, Description: "The secret version metadata that a user can customize.", Elem: &schema.Schema{Type: schema.TypeString}, }, From 27241e546c7e15fdd0d4c0c77c62bb041d76bf2f Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 17 Jan 2024 15:18:27 +0200 Subject: [PATCH 23/25] support for creating secret version for username password & version_custom_metadata for all --- .secrets.baseline | 24 +++---------------- .../resource_ibm_sm_arbitrary_secret.go | 3 +-- .../resource_ibm_sm_iam_credentials_secret.go | 20 +++++++++++++++- .../resource_ibm_sm_imported_certificate.go | 3 +-- .../resource_ibm_sm_kv_secret.go | 3 +-- .../resource_ibm_sm_private_certificate.go | 20 +++++++++++++++- .../resource_ibm_sm_public_certificate.go | 20 +++++++++++++++- ...ource_ibm_sm_service_credentials_secret.go | 3 +-- ...esource_ibm_sm_username_password_secret.go | 20 +++++++++++++++- ibm/service/secretsmanager/utils.go | 11 +++++++++ 10 files changed, 94 insertions(+), 33 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 8ed181f610..de648a2e1f 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,11 +3,8 @@ "files": "go.mod|go.sum|.*.map|^.secrets.baseline$", "lines": null }, - "generated_at": "2024-01-17T10:10:24Z", + "generated_at": "2024-01-17T10:13:16Z", "plugins_used": [ - { - "name": "AWSKeyDetector" - }, { "name": "ArtifactoryDetector" }, @@ -21,12 +18,6 @@ { "name": "BasicAuthDetector" }, - { - "name": "BoxDetector" - }, - { - "name": "CloudantDetector" - }, { "ghe_instance": "github.ibm.com", "name": "GheDetector" @@ -51,9 +42,6 @@ "keyword_exclude": null, "name": "KeywordDetector" }, - { - "name": "MailchimpDetector" - }, { "name": "NpmDetector" }, @@ -68,12 +56,6 @@ }, { "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" } ], "results": { @@ -3818,7 +3800,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 190, + "line_number": 189, "type": "Secret Keyword", "verified_result": null }, @@ -3826,7 +3808,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 443, + "line_number": 442, "type": "Secret Keyword", "verified_result": null } diff --git a/ibm/service/secretsmanager/resource_ibm_sm_arbitrary_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_arbitrary_secret.go index 6c5b4f3661..b4b4e2bd7f 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_arbitrary_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_arbitrary_secret.go @@ -84,7 +84,6 @@ func ResourceIbmSmArbitrarySecret() *schema.Resource { "version_custom_metadata": &schema.Schema{ Type: schema.TypeMap, Optional: true, - Computed: true, Description: "The secret version metadata that a user can customize.", Elem: &schema.Schema{Type: schema.TypeString}, }, @@ -422,7 +421,7 @@ func resourceIbmSmArbitrarySecretUpdate(context context.Context, d *schema.Resou // Apply change to version_custom_metadata in current version secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataAsPatchFunction(secretVersionMetadataPatchModel) updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} updateSecretVersionOptions.SetSecretID(secretId) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go index 401488105a..e729325efb 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go @@ -407,6 +407,24 @@ func resourceIbmSmIamCredentialsSecretRead(context context.Context, d *schema.Re return diag.FromErr(fmt.Errorf("Error setting signing_algorithm: %s", err)) } + // Call get version metadata API to get the current version_custom_metadata + getVersionMetdataOptions := &secretsmanagerv2.GetSecretVersionMetadataOptions{} + getVersionMetdataOptions.SetSecretID(secretId) + getVersionMetdataOptions.SetID("current") + + versionMetadataIntf, response, err := secretsManagerClient.GetSecretVersionMetadataWithContext(context, getVersionMetdataOptions) + if err != nil { + log.Printf("[DEBUG] GetSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("GetSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + + versionMetadata := versionMetadataIntf.(*secretsmanagerv2.IAMCredentialsSecretVersionMetadata) + if versionMetadata.VersionCustomMetadata != nil { + if err = d.Set("version_custom_metadata", versionMetadata.VersionCustomMetadata); err != nil { + return diag.FromErr(fmt.Errorf("Error setting version_custom_metadata: %s", err)) + } + } + return nil } @@ -478,7 +496,7 @@ func resourceIbmSmIamCredentialsSecretUpdate(context context.Context, d *schema. // Apply change to version_custom_metadata in current version secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataAsPatchFunction(secretVersionMetadataPatchModel) updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} updateSecretVersionOptions.SetSecretID(secretId) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_imported_certificate.go b/ibm/service/secretsmanager/resource_ibm_sm_imported_certificate.go index b87a9cfdc5..aae9c5503c 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_imported_certificate.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_imported_certificate.go @@ -78,7 +78,6 @@ func ResourceIbmSmImportedCertificate() *schema.Resource { "version_custom_metadata": &schema.Schema{ Type: schema.TypeMap, Optional: true, - Computed: true, Description: "The secret version metadata that a user can customize.", Elem: &schema.Schema{Type: schema.TypeString}, }, @@ -537,7 +536,7 @@ func resourceIbmSmImportedCertificateUpdate(context context.Context, d *schema.R // Apply change to version_custom_metadata in current version secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataAsPatchFunction(secretVersionMetadataPatchModel) updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} updateSecretVersionOptions.SetSecretID(secretId) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_kv_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_kv_secret.go index f474f7cb04..f32d9ee23a 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_kv_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_kv_secret.go @@ -75,7 +75,6 @@ func ResourceIbmSmKvSecret() *schema.Resource { "version_custom_metadata": &schema.Schema{ Type: schema.TypeMap, Optional: true, - Computed: true, Description: "The secret version metadata that a user can customize.", Elem: &schema.Schema{Type: schema.TypeString}, }, @@ -396,7 +395,7 @@ func resourceIbmSmKvSecretUpdate(context context.Context, d *schema.ResourceData // Apply change to version_custom_metadata in current version secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataAsPatchFunction(secretVersionMetadataPatchModel) updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} updateSecretVersionOptions.SetSecretID(secretId) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go b/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go index 78d4369c7d..19bd04e50c 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_private_certificate.go @@ -544,6 +544,24 @@ func resourceIbmSmPrivateCertificateRead(context context.Context, d *schema.Reso return diag.FromErr(fmt.Errorf("Error setting ca_chain: %s", err)) } } + + // Call get version metadata API to get the current version_custom_metadata + getVersionMetdataOptions := &secretsmanagerv2.GetSecretVersionMetadataOptions{} + getVersionMetdataOptions.SetSecretID(secretId) + getVersionMetdataOptions.SetID("current") + + versionMetadataIntf, response, err := secretsManagerClient.GetSecretVersionMetadataWithContext(context, getVersionMetdataOptions) + if err != nil { + log.Printf("[DEBUG] GetSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("GetSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + + versionMetadata := versionMetadataIntf.(*secretsmanagerv2.PrivateCertificateVersionMetadata) + if versionMetadata.VersionCustomMetadata != nil { + if err = d.Set("version_custom_metadata", versionMetadata.VersionCustomMetadata); err != nil { + return diag.FromErr(fmt.Errorf("Error setting version_custom_metadata: %s", err)) + } + } return nil } @@ -611,7 +629,7 @@ func resourceIbmSmPrivateCertificateUpdate(context context.Context, d *schema.Re // Apply change to version_custom_metadata in current version secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataAsPatchFunction(secretVersionMetadataPatchModel) updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} updateSecretVersionOptions.SetSecretID(secretId) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_public_certificate.go b/ibm/service/secretsmanager/resource_ibm_sm_public_certificate.go index e4da540d19..61b5575d97 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_public_certificate.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_public_certificate.go @@ -635,6 +635,24 @@ func resourceIbmSmPublicCertificateRead(context context.Context, d *schema.Resou if err = d.Set("private_key", secret.PrivateKey); err != nil { return diag.FromErr(fmt.Errorf("Error setting private_key: %s", err)) } + // Call get version metadata API to get the current version_custom_metadata + getVersionMetdataOptions := &secretsmanagerv2.GetSecretVersionMetadataOptions{} + getVersionMetdataOptions.SetSecretID(secretId) + getVersionMetdataOptions.SetID("current") + + versionMetadataIntf, response, err := secretsManagerClient.GetSecretVersionMetadataWithContext(context, getVersionMetdataOptions) + if err != nil { + log.Printf("[DEBUG] GetSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("GetSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + + versionMetadata := versionMetadataIntf.(*secretsmanagerv2.PublicCertificateVersionMetadata) + if versionMetadata.VersionCustomMetadata != nil { + if err = d.Set("version_custom_metadata", versionMetadata.VersionCustomMetadata); err != nil { + return diag.FromErr(fmt.Errorf("Error setting version_custom_metadata: %s", err)) + } + } + if d.Get("dns").(string) == "akamai" && d.Get("state_description").(string) == "pre_activation" { err := setChallengesWithAkamaiAndValidateManualDns(context, d, meta, secret, secretsManagerClient) if err != nil { @@ -709,7 +727,7 @@ func resourceIbmSmPublicCertificateUpdate(context context.Context, d *schema.Res // Apply change to version_custom_metadata in current version secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataAsPatchFunction(secretVersionMetadataPatchModel) updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} updateSecretVersionOptions.SetSecretID(secretId) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go index 7d5e211b0d..8beb6980d2 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_service_credentials_secret.go @@ -66,7 +66,6 @@ func ResourceIbmSmServiceCredentialsSecret() *schema.Resource { "version_custom_metadata": &schema.Schema{ Type: schema.TypeMap, Optional: true, - Computed: true, Description: "The secret version metadata that a user can customize.", Elem: &schema.Schema{Type: schema.TypeString}, }, @@ -537,7 +536,7 @@ func resourceIbmSmServiceCredentialsSecretUpdate(context context.Context, d *sch // Apply change to version_custom_metadata in current version secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataAsPatchFunction(secretVersionMetadataPatchModel) updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} updateSecretVersionOptions.SetSecretID(secretId) diff --git a/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go index 811d59f990..5975f94dac 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_username_password_secret.go @@ -354,6 +354,24 @@ func resourceIbmSmUsernamePasswordSecretRead(context context.Context, d *schema. return diag.FromErr(fmt.Errorf("Error setting password: %s", err)) } + // Call get version metadata API to get the current version_custom_metadata + getVersionMetdataOptions := &secretsmanagerv2.GetSecretVersionMetadataOptions{} + getVersionMetdataOptions.SetSecretID(secretId) + getVersionMetdataOptions.SetID("current") + + versionMetadataIntf, response, err := secretsManagerClient.GetSecretVersionMetadataWithContext(context, getVersionMetdataOptions) + if err != nil { + log.Printf("[DEBUG] GetSecretVersionMetadataWithContext failed %s\n%s", err, response) + return diag.FromErr(fmt.Errorf("GetSecretVersionMetadataWithContext failed %s\n%s", err, response)) + } + + versionMetadata := versionMetadataIntf.(*secretsmanagerv2.UsernamePasswordSecretVersionMetadata) + if versionMetadata.VersionCustomMetadata != nil { + if err = d.Set("version_custom_metadata", versionMetadata.VersionCustomMetadata); err != nil { + return diag.FromErr(fmt.Errorf("Error setting version_custom_metadata: %s", err)) + } + } + return nil } @@ -460,7 +478,7 @@ func resourceIbmSmUsernamePasswordSecretUpdate(context context.Context, d *schem // Apply change to version_custom_metadata in current version secretVersionMetadataPatchModel := new(secretsmanagerv2.SecretVersionMetadataPatch) secretVersionMetadataPatchModel.VersionCustomMetadata = d.Get("version_custom_metadata").(map[string]interface{}) - secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataPatchModel.AsPatch() + secretVersionMetadataPatchModelAsPatch, _ := secretVersionMetadataAsPatchFunction(secretVersionMetadataPatchModel) updateSecretVersionOptions := &secretsmanagerv2.UpdateSecretVersionMetadataOptions{} updateSecretVersionOptions.SetSecretID(secretId) diff --git a/ibm/service/secretsmanager/utils.go b/ibm/service/secretsmanager/utils.go index 07a23380be..da8e661425 100644 --- a/ibm/service/secretsmanager/utils.go +++ b/ibm/service/secretsmanager/utils.go @@ -2,6 +2,7 @@ package secretsmanager import ( "context" + "encoding/json" "fmt" "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" "github.com/IBM/go-sdk-core/v5/core" @@ -182,3 +183,13 @@ func getSecretByIdOrByName(context context.Context, d *schema.ResourceData, meta return nil, "", "", diag.FromErr(fmt.Errorf("Missing required arguments. Please make sure that either \"secret_id\" or \"name\" and \"secret_group_name\" are provided\n")) } + +func secretVersionMetadataAsPatchFunction(secretVersionMetadataPatch *secretsmanagerv2.SecretVersionMetadataPatch) (_patch map[string]interface{}, err error) { + jsonData, err := json.Marshal(struct { + VersionCustomMetadata map[string]interface{} `json:"version_custom_metadata"` + }{VersionCustomMetadata: secretVersionMetadataPatch.VersionCustomMetadata}) + if err == nil { + err = json.Unmarshal(jsonData, &_patch) + } + return +} From c1ca0e775cb52dd5d745d45a0feeaa5d0e115583 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 17 Jan 2024 15:23:24 +0200 Subject: [PATCH 24/25] support for creating secret version for username password & version_custom_metadata for all --- .secrets.baseline | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index de648a2e1f..10d6b057a6 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.mod|go.sum|.*.map|^.secrets.baseline$", "lines": null }, - "generated_at": "2024-01-17T10:13:16Z", + "generated_at": "2024-01-17T13:22:37Z", "plugins_used": [ { "name": "ArtifactoryDetector" @@ -3574,7 +3574,7 @@ "hashed_secret": "3046d9f6cfaaeea6eed9bb7a4ab010fe49b0cfd4", "is_secret": false, "is_verified": false, - "line_number": 109, + "line_number": 108, "type": "Secret Keyword", "verified_result": null }, @@ -3582,7 +3582,7 @@ "hashed_secret": "b732fb611fd46a38e8667f9972e0cde777fbe37f", "is_secret": false, "is_verified": false, - "line_number": 430, + "line_number": 429, "type": "Secret Keyword", "verified_result": null }, @@ -3590,7 +3590,7 @@ "hashed_secret": "9beb31de125498074813c6f31c0e4df3e54a5489", "is_secret": false, "is_verified": false, - "line_number": 646, + "line_number": 645, "type": "Secret Keyword", "verified_result": null } From 988d3df5adaf6211e6fb3bbe0a6e49d876d0b0a5 Mon Sep 17 00:00:00 2001 From: Yonathan-Yellin Date: Wed, 17 Jan 2024 15:25:07 +0200 Subject: [PATCH 25/25] support for creating secret version for username password & version_custom_metadata for all --- .secrets.baseline | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.secrets.baseline b/.secrets.baseline index 10d6b057a6..d34b26a7c3 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -5,6 +5,9 @@ }, "generated_at": "2024-01-17T13:22:37Z", "plugins_used": [ + { + "name": "AWSKeyDetector" + }, { "name": "ArtifactoryDetector" }, @@ -18,6 +21,12 @@ { "name": "BasicAuthDetector" }, + { + "name": "BoxDetector" + }, + { + "name": "CloudantDetector" + }, { "ghe_instance": "github.ibm.com", "name": "GheDetector" @@ -42,6 +51,9 @@ "keyword_exclude": null, "name": "KeywordDetector" }, + { + "name": "MailchimpDetector" + }, { "name": "NpmDetector" }, @@ -56,6 +68,12 @@ }, { "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" } ], "results": {