Secrets Manager IAM credentials secrets with S2S

powervs-ibm · Sep 30, 2024 · 1efb420 · 1efb420
1 parent e30b5c6
commit 1efb420
Show file tree

Hide file tree

Showing 12 changed files with 91 additions and 16 deletions.
diff --git a/go.mod b/go.mod
@@ -36,7 +36,7 @@ require (
 	github.com/IBM/sarama v1.41.2
 	github.com/IBM/scc-go-sdk/v5 v5.4.1
 	github.com/IBM/schematics-go-sdk v0.3.0
-	github.com/IBM/secrets-manager-go-sdk/v2 v2.0.6
+	github.com/IBM/secrets-manager-go-sdk/v2 v2.0.7
 	github.com/IBM/vmware-go-sdk v0.1.2
 	github.com/IBM/vpc-beta-go-sdk v0.6.0
 	github.com/IBM/vpc-go-sdk v0.58.0

diff --git a/go.sum b/go.sum
@@ -188,8 +188,8 @@ github.com/IBM/scc-go-sdk/v5 v5.4.1 h1:RXIuxOo9/hxkWyHCI69ae+KIJgSbXcAkJwTEl+fO3
 github.com/IBM/scc-go-sdk/v5 v5.4.1/go.mod h1:2xQTDgNXG5QMEfQxBDKB067z+5ha6OgcaKCTcdGDAo8=
 github.com/IBM/schematics-go-sdk v0.3.0 h1:Vwxw85SONflakiBsNHAfViKLyp9zJiH5/hh6SewOP5Q=
 github.com/IBM/schematics-go-sdk v0.3.0/go.mod h1:Tw2OSAPdpC69AxcwoyqcYYaGTTW6YpERF9uNEU+BFRQ=
-github.com/IBM/secrets-manager-go-sdk/v2 v2.0.6 h1:bF6bAdI4wDZSje6+Yx1mJxvirboxO+uMuKhzgfRCNxE=
-github.com/IBM/secrets-manager-go-sdk/v2 v2.0.6/go.mod h1:XWYnbcc5vN1RnKwk/fCzfD8aZd7At/Y1/b6c+oDyliU=
+github.com/IBM/secrets-manager-go-sdk/v2 v2.0.7 h1:5lKt1rHuKaAaiZtbPfsF8dgiko/gGbVgreiut3zU128=
+github.com/IBM/secrets-manager-go-sdk/v2 v2.0.7/go.mod h1:RglK3v6CPe3T1myRtQCD6z+nBygXvNJwufAon0qcZok=
 github.com/IBM/vmware-go-sdk v0.1.2 h1:5lKWFyInWz9e2hwGsoFTEoLa1jYkD30SReN0fQ10w9M=
 github.com/IBM/vmware-go-sdk v0.1.2/go.mod h1:2UGPBJju3jiv5VKKBBm9a5L6bzF/aJdKOKAzJ7HaOjA=
 github.com/IBM/vpc-beta-go-sdk v0.6.0 h1:wfM3AcW3zOM3xsRtZ+EA6+sESlGUjQ6Yf4n5QQyz4uc=

diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_configuration.go b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_configuration.go
@@ -57,6 +57,11 @@ func DataSourceIbmSmIamCredentialsConfiguration() *schema.Resource {
 				Sensitive:   true,
 				Description: "An IBM Cloud API key that can create and manage service IDs. The API key must be assigned the Editor platform role on the Access Groups Service and the Operator platform role on the IAM Identity Service. For more information, see the [docs](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-configure-iam-engine).",
 			},
+			"disabled": &schema.Schema{
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "This attribute indicates whether the API key configuration is disabled. If it is set to `true`, the IAM credentials engine doesn't use the configured API key for credentials management.",
+			},
 		},
 	}
 }
@@ -120,5 +125,10 @@ func dataSourceIbmSmIamCredentialsConfigurationRead(context context.Context, d *
 		return tfErr.GetDiag()
 	}
 
+	if err = d.Set("disabled", iAMCredentialsConfiguration.Disabled); err != nil {
+		tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting disabled"), fmt.Sprintf("(Data) %s", IAMCredentialsConfigResourceName), "read")
+		return tfErr.GetDiag()
+	}
+
 	return nil
 }
diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go
@@ -6,11 +6,10 @@ package secretsmanager
 import (
 	"context"
 	"fmt"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-
 	"github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex"
 	"github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
 func DataSourceIbmSmIamCredentialsSecret() *schema.Resource {
@@ -125,6 +124,11 @@ func DataSourceIbmSmIamCredentialsSecret() *schema.Resource {
 				Computed:    true,
 				Description: "The date a secret is expired. The date format follows RFC 3339.",
 			},
+			"account_id": &schema.Schema{
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The ID of the account in which the IAM credentials are created. Use this field only if the target account is not the same as the account of the Secrets Manager instance.",
+			},
 			"access_groups": &schema.Schema{
 				Type:        schema.TypeList,
 				Computed:    true,
@@ -302,6 +306,13 @@ func dataSourceIbmSmIamCredentialsSecretRead(context context.Context, d *schema.
 		return tfErr.GetDiag()
 	}
 
+	if iAMCredentialsSecret.AccountID != nil {
+		if err = d.Set("account_id", iAMCredentialsSecret.AccountID); err != nil {
+			tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting account_id"), fmt.Sprintf("(Data) %s", IAMCredentialsSecretResourceName), "read")
+			return tfErr.GetDiag()
+		}
+	}
+
 	if err = d.Set("service_id_is_static", iAMCredentialsSecret.ServiceIdIsStatic); err != nil {
 		tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting service_id_is_static"), fmt.Sprintf("(Data) %s", IAMCredentialsSecretResourceName), "read")
 		return tfErr.GetDiag()

diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go
@@ -117,6 +117,11 @@ func DataSourceIbmSmIamCredentialsSecretMetadata() *schema.Resource {
 				Computed:    true,
 				Description: "The date a secret is expired. The date format follows RFC 3339.",
 			},
+			"account_id": &schema.Schema{
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "The ID of the account in which the IAM credentials are created. Use this field only if the target account is not the same as the account of the Secrets Manager instance.",
+			},
 			"access_groups": &schema.Schema{
 				Type:        schema.TypeList,
 				Computed:    true,
@@ -299,6 +304,13 @@ func dataSourceIbmSmIamCredentialsSecretMetadataRead(context context.Context, d
 		return tfErr.GetDiag()
 	}
 
+	if iAMCredentialsSecretMetadata.AccountID != nil {
+		if err = d.Set("account_id", iAMCredentialsSecretMetadata.AccountID); err != nil {
+			tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting account_id"), fmt.Sprintf("(Data) %s_metadata", IAMCredentialsSecretResourceName), "read")
+			return tfErr.GetDiag()
+		}
+	}
+
 	if err = d.Set("service_id", iAMCredentialsSecretMetadata.ServiceID); err != nil {
 		tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting service_id"), fmt.Sprintf("(Data) %s_metadata", IAMCredentialsSecretResourceName), "read")
 		return tfErr.GetDiag()

diff --git a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_configuration.go b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_configuration.go
@@ -44,6 +44,12 @@ func ResourceIbmSmIamCredentialsConfiguration() *schema.Resource {
 				Sensitive:   true,
 				Description: "An IBM Cloud API key that can create and manage service IDs. The API key must be assigned the Editor platform role on the Access Groups Service and the Operator platform role on the IAM Identity Service. For more information, see the [docs](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-configure-iam-engine).",
 			},
+			"disabled": &schema.Schema{
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "This attribute indicates whether the API key configuration is disabled. If it is set to `true`, the IAM credentials engine doesn't use the configured API key for credentials management.",
+			},
 			"secret_type": &schema.Schema{
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -166,6 +172,10 @@ func resourceIbmSmIamCredentialsConfigurationRead(context context.Context, d *sc
 		tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting api_key"), IAMCredentialsConfigResourceName, "read")
 		return tfErr.GetDiag()
 	}
+	if err = d.Set("disabled", configuration.Disabled); err != nil {
+		tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting disabled"), IAMCredentialsConfigResourceName, "read")
+		return tfErr.GetDiag()
+	}
 
 	return nil
 }
@@ -197,6 +207,11 @@ func resourceIbmSmIamCredentialsConfigurationUpdate(context context.Context, d *
 		hasChange = true
 	}
 
+	if d.HasChange("disabled") {
+		patchVals.Disabled = core.BoolPtr(d.Get("disabled").(bool))
+		hasChange = true
+	}
+
 	if hasChange {
 		updateConfigurationOptions.ConfigurationPatch, _ = patchVals.AsPatch()
 		_, response, err := secretsManagerClient.UpdateConfigurationWithContext(context, updateConfigurationOptions)
@@ -249,5 +264,8 @@ func resourceIbmSmIamCredentialsConfigurationMapToConfigurationPrototype(d *sche
 	if _, ok := d.GetOk("api_key"); ok {
 		model.ApiKey = core.StringPtr(d.Get("api_key").(string))
 	}
+	if _, ok := d.GetOk("disabled"); ok {
+		model.Disabled = core.BoolPtr(d.Get("disabled").(bool))
+	}
 	return model, nil
 }
diff --git a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go
@@ -70,6 +70,13 @@ func ResourceIbmSmIamCredentialsSecret() *schema.Resource {
 				Computed:    true,
 				Description: "The date a secret is expired. The date format follows RFC 3339.",
 			},
+			"account_id": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+				ForceNew:    true,
+				Description: "The ID of the account in which the IAM credentials are created. Use this field only if the target account is not the same as the account of the Secrets Manager instance. Otherwise, the field can be omitted.",
+			},
 			"access_groups": &schema.Schema{
 				Type:        schema.TypeList,
 				Optional:    true,
@@ -408,6 +415,12 @@ func resourceIbmSmIamCredentialsSecretRead(context context.Context, d *schema.Re
 		tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting api_key_id"), IAMCredentialsSecretResourceName, "read")
 		return tfErr.GetDiag()
 	}
+	if secret.AccountID != nil {
+		if err = d.Set("account_id", secret.AccountID); err != nil {
+			tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting account_id"), IAMCredentialsSecretResourceName, "read")
+			return tfErr.GetDiag()
+		}
+	}
 	if err = d.Set("service_id", secret.ServiceID); err != nil {
 		tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting service_id"), IAMCredentialsSecretResourceName, "read")
 		return tfErr.GetDiag()
@@ -622,6 +635,9 @@ func resourceIbmSmIamCredentialsSecretMapToSecretPrototype(d *schema.ResourceDat
 	if _, ok := d.GetOk("ttl"); ok {
 		model.TTL = core.StringPtr(d.Get("ttl").(string))
 	}
+	if _, ok := d.GetOk("account_id"); ok {
+		model.AccountID = core.StringPtr(d.Get("account_id").(string))
+	}
 	if _, ok := d.GetOk("access_groups"); ok {
 		accessGroups := d.Get("access_groups").([]interface{})
 		accessGroupsParsed := make([]string, len(accessGroups))

diff --git a/website/docs/d/sm_iam_credentials_configuration.html.markdown b/website/docs/d/sm_iam_credentials_configuration.html.markdown
@@ -47,6 +47,8 @@ In addition to all argument references listed, you can access the following attr
 * `created_by` - (String) The unique identifier that is associated with the entity that created the secret.
   * Constraints: The maximum length is `128` characters. The minimum length is `4` characters.
 
+* `disabled` - (Boolean) Indicates whether the API key configuration is disabled. If it is set to `true`, the IAM credentials engine doesn't use the configured API key for credentials management.
+
 * `secret_type` - (String) The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials.
   * Constraints: Allowable values are: `arbitrary`, `imported_cert`, `public_cert`, `iam_credentials`, `kv`, `username_password`, `private_cert`.
 

diff --git a/website/docs/d/sm_iam_credentials_secret.html.markdown b/website/docs/d/sm_iam_credentials_secret.html.markdown
@@ -55,6 +55,8 @@ In addition to all argument references listed, you can access the following attr
 * `access_groups` - (List) Access Groups that you can use for an `iam_credentials` secret.Up to 10 Access Groups can be used for each secret.
   * Constraints: The list items must match regular expression `/^AccessGroupId-[a-z0-9-]+[a-z0-9]$/`. The maximum length is `10` items. The minimum length is `1` item.
 
+* `account_id` - (String) The ID of the account in which the IAM credentials are created. This field is omitted if the target account is the same as the account of the Secrets Manager instance.
+
 * `api_key` - (String) The API key that is generated for this secret. After the secret reaches the end of its lease (see the `ttl` field), the API key is deleted automatically.
   * Constraints: The maximum length is `60` characters. The minimum length is `5` characters. The value must match regular expression `/^(?:[A-Za-z0-9_\\-]{4})*(?:[A-Za-z0-9_\\-]{2}==|[A-Za-z0-9_\\-]{3}=)?$/`.
 
@@ -90,11 +92,11 @@ In addition to all argument references listed, you can access the following attr
 
 * `rotation` - (List) Determines whether Secrets Manager rotates your secrets automatically.
 Nested scheme for **rotation**:
-	* `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.
-	* `interval` - (Integer) The length of the secret rotation time interval.
-	  * Constraints: The minimum value is `1`.
-	* `unit` - (String) The units for the secret rotation time interval.
-	  * Constraints: Allowable values are: `day`, `month`.
+    * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.
+    * `interval` - (Integer) The length of the secret rotation time interval.
+      * Constraints: The minimum value is `1`.
+    * `unit` - (String) The units for the secret rotation time interval.
+      * Constraints: Allowable values are: `day`, `month`.
 
 * `secret_group_id` - (String) A v4 UUID identifier, or `default` secret group.
   * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`.

diff --git a/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown b/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown
@@ -39,6 +39,8 @@ In addition to all argument references listed, you can access the following attr
 * `access_groups` - (List) Access Groups that you can use for an `iam_credentials` secret.Up to 10 Access Groups can be used for each secret.
   * Constraints: The list items must match regular expression `/^AccessGroupId-[a-z0-9-]+[a-z0-9]$/`. The maximum length is `10` items. The minimum length is `1` item.
 
+* `account_id` - (String) The ID of the account in which the IAM credentials are created. This field is omitted if the target account is the same as the account of the Secrets Manager instance.
+
 * `api_key_id` - (String) The ID of the API key that is generated for this secret.
 
 * `created_at` - (String) The date when a resource was created. The date format follows RFC 3339.

diff --git a/website/docs/r/sm_iam_credentials_configuration.html.markdown b/website/docs/r/sm_iam_credentials_configuration.html.markdown
@@ -32,6 +32,7 @@ Review the argument reference that you can specify for your resource.
 * `name` - (Required, String) A human-readable unique name to assign to your IAM Credentials configuration.
 * `api_key` - (Required, String) An IBM Cloud API key that can create and manage service IDs. The API key must be assigned the Editor platform role on the Access Groups Service and the Operator platform role on the IAM Identity Service. For more information, see the [docs](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-configure-iam-engine).
 	* Constraints: The maximum length is `60` characters. The minimum length is `5` characters. The value must match regular expression `/^(?:[A-Za-z0-9_\\-]{4})*(?:[A-Za-z0-9_\\-]{2}==|[A-Za-z0-9_\\-]{3}=)?$/`.
+* `disabled` - (Optional, Boolean) Indicates whether the API key configuration is disabled. If it is set to `true`, the IAM credentials engine doesn't use the configured API key for credentials management. Default is `false`.
 
 ## Attribute Reference
 

diff --git a/website/docs/r/sm_iam_credentials_secret.html.markdown b/website/docs/r/sm_iam_credentials_secret.html.markdown
@@ -42,6 +42,7 @@ Review the argument reference that you can specify for your resource.
     * Constraints: Allowable values are: `private`, `public`.
 * `access_groups` - (Optional, Forces new resource, List) Access Groups that you can use for an `iam_credentials` secret.Up to 10 Access Groups can be used for each secret.
   * Constraints: The list items must match regular expression `/^AccessGroupId-[a-z0-9-]+[a-z0-9]$/`. The maximum length is `10` items. The minimum length is `1` item.
+* `account_id` - (Optional, Forces new resource, String) The ID of the account in which the IAM credentials are created. Use this field only if the target account is not the same as the account of the Secrets Manager instance. Otherwise, the field can be omitted.
 * `custom_metadata` - (Optional, Map) The secret metadata that a user can customize.
 * `description` - (Optional, String) An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group.
   * Constraints: The maximum length is `1024` characters. The minimum length is `0` characters. The value must match regular expression `/(.*?)/`.
@@ -52,11 +53,11 @@ Review the argument reference that you can specify for your resource.
 * `reuse_api_key` - (Optional, Boolean) Determines whether to use the same service ID and API key for future read operations on an`iam_credentials` secret. Must be set to `true` for IAM credentials secrets managed by Terraform.
 * `rotation` - (Optional, List) Determines whether Secrets Manager rotates your secrets automatically.
 Nested scheme for **rotation**:
-	* `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.
-	* `interval` - (Optional, Integer) The length of the secret rotation time interval.
-	  * Constraints: The minimum value is `1`.
-	* `unit` - (Optional, String) The units for the secret rotation time interval.
-	  * Constraints: Allowable values are: `day`, `month`.
+    * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval.
+    * `interval` - (Optional, Integer) The length of the secret rotation time interval.
+      * Constraints: The minimum value is `1`.
+    * `unit` - (Optional, String) The units for the secret rotation time interval.
+      * Constraints: Allowable values are: `day`, `month`.
 * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group.
   * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`.
 * `service_id` - (Optional, Forces new resource, String) The service ID under which the API key (see the `api_key` field) is created.If you omit this parameter, Secrets Manager generates a new service ID for your secret at its creation and adds it to the access groups that you assign.Optionally, you can use this field to provide your own service ID if you prefer to manage its access directly or retain the service ID after your secret expires, is rotated, or deleted. If you provide a service ID, do not include the `access_groups` parameter.