From 1efb42030798abc466fbea61bc2c04a30b4c0631 Mon Sep 17 00:00:00 2001 From: Haim Date: Tue, 24 Sep 2024 09:44:47 +0300 Subject: [PATCH] Secrets Manager IAM credentials secrets with S2S --- go.mod | 2 +- go.sum | 4 ++-- ...rce_ibm_sm_iam_credentials_configuration.go | 10 ++++++++++ ...ata_source_ibm_sm_iam_credentials_secret.go | 17 ++++++++++++++--- ...e_ibm_sm_iam_credentials_secret_metadata.go | 12 ++++++++++++ ...rce_ibm_sm_iam_credentials_configuration.go | 18 ++++++++++++++++++ .../resource_ibm_sm_iam_credentials_secret.go | 16 ++++++++++++++++ ...iam_credentials_configuration.html.markdown | 2 ++ .../d/sm_iam_credentials_secret.html.markdown | 12 +++++++----- ...m_credentials_secret_metadata.html.markdown | 2 ++ ...iam_credentials_configuration.html.markdown | 1 + .../r/sm_iam_credentials_secret.html.markdown | 11 ++++++----- 12 files changed, 91 insertions(+), 16 deletions(-) diff --git a/go.mod b/go.mod index 096ed2a443..88af53d1a6 100644 --- a/go.mod +++ b/go.mod @@ -36,7 +36,7 @@ require ( github.com/IBM/sarama v1.41.2 github.com/IBM/scc-go-sdk/v5 v5.4.1 github.com/IBM/schematics-go-sdk v0.3.0 - github.com/IBM/secrets-manager-go-sdk/v2 v2.0.6 + github.com/IBM/secrets-manager-go-sdk/v2 v2.0.7 github.com/IBM/vmware-go-sdk v0.1.2 github.com/IBM/vpc-beta-go-sdk v0.6.0 github.com/IBM/vpc-go-sdk v0.58.0 diff --git a/go.sum b/go.sum index 0df522c953..8950e2fc1a 100644 --- a/go.sum +++ b/go.sum @@ -188,8 +188,8 @@ github.com/IBM/scc-go-sdk/v5 v5.4.1 h1:RXIuxOo9/hxkWyHCI69ae+KIJgSbXcAkJwTEl+fO3 github.com/IBM/scc-go-sdk/v5 v5.4.1/go.mod h1:2xQTDgNXG5QMEfQxBDKB067z+5ha6OgcaKCTcdGDAo8= github.com/IBM/schematics-go-sdk v0.3.0 h1:Vwxw85SONflakiBsNHAfViKLyp9zJiH5/hh6SewOP5Q= github.com/IBM/schematics-go-sdk v0.3.0/go.mod h1:Tw2OSAPdpC69AxcwoyqcYYaGTTW6YpERF9uNEU+BFRQ= -github.com/IBM/secrets-manager-go-sdk/v2 v2.0.6 h1:bF6bAdI4wDZSje6+Yx1mJxvirboxO+uMuKhzgfRCNxE= -github.com/IBM/secrets-manager-go-sdk/v2 v2.0.6/go.mod h1:XWYnbcc5vN1RnKwk/fCzfD8aZd7At/Y1/b6c+oDyliU= +github.com/IBM/secrets-manager-go-sdk/v2 v2.0.7 h1:5lKt1rHuKaAaiZtbPfsF8dgiko/gGbVgreiut3zU128= +github.com/IBM/secrets-manager-go-sdk/v2 v2.0.7/go.mod h1:RglK3v6CPe3T1myRtQCD6z+nBygXvNJwufAon0qcZok= github.com/IBM/vmware-go-sdk v0.1.2 h1:5lKWFyInWz9e2hwGsoFTEoLa1jYkD30SReN0fQ10w9M= github.com/IBM/vmware-go-sdk v0.1.2/go.mod h1:2UGPBJju3jiv5VKKBBm9a5L6bzF/aJdKOKAzJ7HaOjA= github.com/IBM/vpc-beta-go-sdk v0.6.0 h1:wfM3AcW3zOM3xsRtZ+EA6+sESlGUjQ6Yf4n5QQyz4uc= diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_configuration.go b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_configuration.go index d6e80959ee..6d0b8e701d 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_configuration.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_configuration.go @@ -57,6 +57,11 @@ func DataSourceIbmSmIamCredentialsConfiguration() *schema.Resource { Sensitive: true, Description: "An IBM Cloud API key that can create and manage service IDs. The API key must be assigned the Editor platform role on the Access Groups Service and the Operator platform role on the IAM Identity Service. For more information, see the [docs](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-configure-iam-engine).", }, + "disabled": &schema.Schema{ + Type: schema.TypeBool, + Computed: true, + Description: "This attribute indicates whether the API key configuration is disabled. If it is set to `true`, the IAM credentials engine doesn't use the configured API key for credentials management.", + }, }, } } @@ -120,5 +125,10 @@ func dataSourceIbmSmIamCredentialsConfigurationRead(context context.Context, d * return tfErr.GetDiag() } + if err = d.Set("disabled", iAMCredentialsConfiguration.Disabled); err != nil { + tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting disabled"), fmt.Sprintf("(Data) %s", IAMCredentialsConfigResourceName), "read") + return tfErr.GetDiag() + } + return nil } diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go index 6c0a18e03e..753bc047ba 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret.go @@ -6,11 +6,10 @@ package secretsmanager import ( "context" "fmt" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" "github.com/IBM/secrets-manager-go-sdk/v2/secretsmanagerv2" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" ) func DataSourceIbmSmIamCredentialsSecret() *schema.Resource { @@ -125,6 +124,11 @@ func DataSourceIbmSmIamCredentialsSecret() *schema.Resource { Computed: true, Description: "The date a secret is expired. The date format follows RFC 3339.", }, + "account_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The ID of the account in which the IAM credentials are created. Use this field only if the target account is not the same as the account of the Secrets Manager instance.", + }, "access_groups": &schema.Schema{ Type: schema.TypeList, Computed: true, @@ -302,6 +306,13 @@ func dataSourceIbmSmIamCredentialsSecretRead(context context.Context, d *schema. return tfErr.GetDiag() } + if iAMCredentialsSecret.AccountID != nil { + if err = d.Set("account_id", iAMCredentialsSecret.AccountID); err != nil { + tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting account_id"), fmt.Sprintf("(Data) %s", IAMCredentialsSecretResourceName), "read") + return tfErr.GetDiag() + } + } + if err = d.Set("service_id_is_static", iAMCredentialsSecret.ServiceIdIsStatic); err != nil { tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting service_id_is_static"), fmt.Sprintf("(Data) %s", IAMCredentialsSecretResourceName), "read") return tfErr.GetDiag() diff --git a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go index 0bca907e28..175a5c3e5d 100644 --- a/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go +++ b/ibm/service/secretsmanager/data_source_ibm_sm_iam_credentials_secret_metadata.go @@ -117,6 +117,11 @@ func DataSourceIbmSmIamCredentialsSecretMetadata() *schema.Resource { Computed: true, Description: "The date a secret is expired. The date format follows RFC 3339.", }, + "account_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The ID of the account in which the IAM credentials are created. Use this field only if the target account is not the same as the account of the Secrets Manager instance.", + }, "access_groups": &schema.Schema{ Type: schema.TypeList, Computed: true, @@ -299,6 +304,13 @@ func dataSourceIbmSmIamCredentialsSecretMetadataRead(context context.Context, d return tfErr.GetDiag() } + if iAMCredentialsSecretMetadata.AccountID != nil { + if err = d.Set("account_id", iAMCredentialsSecretMetadata.AccountID); err != nil { + tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting account_id"), fmt.Sprintf("(Data) %s_metadata", IAMCredentialsSecretResourceName), "read") + return tfErr.GetDiag() + } + } + if err = d.Set("service_id", iAMCredentialsSecretMetadata.ServiceID); err != nil { tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting service_id"), fmt.Sprintf("(Data) %s_metadata", IAMCredentialsSecretResourceName), "read") return tfErr.GetDiag() diff --git a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_configuration.go b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_configuration.go index cfda48d0bd..ad3f89b324 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_configuration.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_configuration.go @@ -44,6 +44,12 @@ func ResourceIbmSmIamCredentialsConfiguration() *schema.Resource { Sensitive: true, Description: "An IBM Cloud API key that can create and manage service IDs. The API key must be assigned the Editor platform role on the Access Groups Service and the Operator platform role on the IAM Identity Service. For more information, see the [docs](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-configure-iam-engine).", }, + "disabled": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "This attribute indicates whether the API key configuration is disabled. If it is set to `true`, the IAM credentials engine doesn't use the configured API key for credentials management.", + }, "secret_type": &schema.Schema{ Type: schema.TypeString, Computed: true, @@ -166,6 +172,10 @@ func resourceIbmSmIamCredentialsConfigurationRead(context context.Context, d *sc tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting api_key"), IAMCredentialsConfigResourceName, "read") return tfErr.GetDiag() } + if err = d.Set("disabled", configuration.Disabled); err != nil { + tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting disabled"), IAMCredentialsConfigResourceName, "read") + return tfErr.GetDiag() + } return nil } @@ -197,6 +207,11 @@ func resourceIbmSmIamCredentialsConfigurationUpdate(context context.Context, d * hasChange = true } + if d.HasChange("disabled") { + patchVals.Disabled = core.BoolPtr(d.Get("disabled").(bool)) + hasChange = true + } + if hasChange { updateConfigurationOptions.ConfigurationPatch, _ = patchVals.AsPatch() _, response, err := secretsManagerClient.UpdateConfigurationWithContext(context, updateConfigurationOptions) @@ -249,5 +264,8 @@ func resourceIbmSmIamCredentialsConfigurationMapToConfigurationPrototype(d *sche if _, ok := d.GetOk("api_key"); ok { model.ApiKey = core.StringPtr(d.Get("api_key").(string)) } + if _, ok := d.GetOk("disabled"); ok { + model.Disabled = core.BoolPtr(d.Get("disabled").(bool)) + } return model, nil } diff --git a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go index 0a78d80a50..d8855437fe 100644 --- a/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go +++ b/ibm/service/secretsmanager/resource_ibm_sm_iam_credentials_secret.go @@ -70,6 +70,13 @@ func ResourceIbmSmIamCredentialsSecret() *schema.Resource { Computed: true, Description: "The date a secret is expired. The date format follows RFC 3339.", }, + "account_id": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + Description: "The ID of the account in which the IAM credentials are created. Use this field only if the target account is not the same as the account of the Secrets Manager instance. Otherwise, the field can be omitted.", + }, "access_groups": &schema.Schema{ Type: schema.TypeList, Optional: true, @@ -408,6 +415,12 @@ func resourceIbmSmIamCredentialsSecretRead(context context.Context, d *schema.Re tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting api_key_id"), IAMCredentialsSecretResourceName, "read") return tfErr.GetDiag() } + if secret.AccountID != nil { + if err = d.Set("account_id", secret.AccountID); err != nil { + tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting account_id"), IAMCredentialsSecretResourceName, "read") + return tfErr.GetDiag() + } + } if err = d.Set("service_id", secret.ServiceID); err != nil { tfErr := flex.TerraformErrorf(err, fmt.Sprintf("Error setting service_id"), IAMCredentialsSecretResourceName, "read") return tfErr.GetDiag() @@ -622,6 +635,9 @@ func resourceIbmSmIamCredentialsSecretMapToSecretPrototype(d *schema.ResourceDat if _, ok := d.GetOk("ttl"); ok { model.TTL = core.StringPtr(d.Get("ttl").(string)) } + if _, ok := d.GetOk("account_id"); ok { + model.AccountID = core.StringPtr(d.Get("account_id").(string)) + } if _, ok := d.GetOk("access_groups"); ok { accessGroups := d.Get("access_groups").([]interface{}) accessGroupsParsed := make([]string, len(accessGroups)) diff --git a/website/docs/d/sm_iam_credentials_configuration.html.markdown b/website/docs/d/sm_iam_credentials_configuration.html.markdown index 48e45d1e91..2cc2118d5a 100644 --- a/website/docs/d/sm_iam_credentials_configuration.html.markdown +++ b/website/docs/d/sm_iam_credentials_configuration.html.markdown @@ -47,6 +47,8 @@ In addition to all argument references listed, you can access the following attr * `created_by` - (String) The unique identifier that is associated with the entity that created the secret. * Constraints: The maximum length is `128` characters. The minimum length is `4` characters. +* `disabled` - (Boolean) Indicates whether the API key configuration is disabled. If it is set to `true`, the IAM credentials engine doesn't use the configured API key for credentials management. + * `secret_type` - (String) The secret type. Supported types are arbitrary, certificates (imported, public, and private), IAM credentials, key-value, and user credentials. * Constraints: Allowable values are: `arbitrary`, `imported_cert`, `public_cert`, `iam_credentials`, `kv`, `username_password`, `private_cert`. diff --git a/website/docs/d/sm_iam_credentials_secret.html.markdown b/website/docs/d/sm_iam_credentials_secret.html.markdown index 1f13bd8b32..c6618bfcda 100644 --- a/website/docs/d/sm_iam_credentials_secret.html.markdown +++ b/website/docs/d/sm_iam_credentials_secret.html.markdown @@ -55,6 +55,8 @@ In addition to all argument references listed, you can access the following attr * `access_groups` - (List) Access Groups that you can use for an `iam_credentials` secret.Up to 10 Access Groups can be used for each secret. * Constraints: The list items must match regular expression `/^AccessGroupId-[a-z0-9-]+[a-z0-9]$/`. The maximum length is `10` items. The minimum length is `1` item. +* `account_id` - (String) The ID of the account in which the IAM credentials are created. This field is omitted if the target account is the same as the account of the Secrets Manager instance. + * `api_key` - (String) The API key that is generated for this secret. After the secret reaches the end of its lease (see the `ttl` field), the API key is deleted automatically. * Constraints: The maximum length is `60` characters. The minimum length is `5` characters. The value must match regular expression `/^(?:[A-Za-z0-9_\\-]{4})*(?:[A-Za-z0-9_\\-]{2}==|[A-Za-z0-9_\\-]{3}=)?$/`. @@ -90,11 +92,11 @@ In addition to all argument references listed, you can access the following attr * `rotation` - (List) Determines whether Secrets Manager rotates your secrets automatically. Nested scheme for **rotation**: - * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. - * `interval` - (Integer) The length of the secret rotation time interval. - * Constraints: The minimum value is `1`. - * `unit` - (String) The units for the secret rotation time interval. - * Constraints: Allowable values are: `day`, `month`. + * `auto_rotate` - (Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. + * `interval` - (Integer) The length of the secret rotation time interval. + * Constraints: The minimum value is `1`. + * `unit` - (String) The units for the secret rotation time interval. + * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (String) A v4 UUID identifier, or `default` secret group. * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`. diff --git a/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown b/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown index 711b48fd7b..9ccda1a8f8 100644 --- a/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown +++ b/website/docs/d/sm_iam_credentials_secret_metadata.html.markdown @@ -39,6 +39,8 @@ In addition to all argument references listed, you can access the following attr * `access_groups` - (List) Access Groups that you can use for an `iam_credentials` secret.Up to 10 Access Groups can be used for each secret. * Constraints: The list items must match regular expression `/^AccessGroupId-[a-z0-9-]+[a-z0-9]$/`. The maximum length is `10` items. The minimum length is `1` item. +* `account_id` - (String) The ID of the account in which the IAM credentials are created. This field is omitted if the target account is the same as the account of the Secrets Manager instance. + * `api_key_id` - (String) The ID of the API key that is generated for this secret. * `created_at` - (String) The date when a resource was created. The date format follows RFC 3339. diff --git a/website/docs/r/sm_iam_credentials_configuration.html.markdown b/website/docs/r/sm_iam_credentials_configuration.html.markdown index eb47f0ffcb..731ea1aa71 100644 --- a/website/docs/r/sm_iam_credentials_configuration.html.markdown +++ b/website/docs/r/sm_iam_credentials_configuration.html.markdown @@ -32,6 +32,7 @@ Review the argument reference that you can specify for your resource. * `name` - (Required, String) A human-readable unique name to assign to your IAM Credentials configuration. * `api_key` - (Required, String) An IBM Cloud API key that can create and manage service IDs. The API key must be assigned the Editor platform role on the Access Groups Service and the Operator platform role on the IAM Identity Service. For more information, see the [docs](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-configure-iam-engine). * Constraints: The maximum length is `60` characters. The minimum length is `5` characters. The value must match regular expression `/^(?:[A-Za-z0-9_\\-]{4})*(?:[A-Za-z0-9_\\-]{2}==|[A-Za-z0-9_\\-]{3}=)?$/`. +* `disabled` - (Optional, Boolean) Indicates whether the API key configuration is disabled. If it is set to `true`, the IAM credentials engine doesn't use the configured API key for credentials management. Default is `false`. ## Attribute Reference diff --git a/website/docs/r/sm_iam_credentials_secret.html.markdown b/website/docs/r/sm_iam_credentials_secret.html.markdown index 07d13ccb19..3fe24e5062 100644 --- a/website/docs/r/sm_iam_credentials_secret.html.markdown +++ b/website/docs/r/sm_iam_credentials_secret.html.markdown @@ -42,6 +42,7 @@ Review the argument reference that you can specify for your resource. * Constraints: Allowable values are: `private`, `public`. * `access_groups` - (Optional, Forces new resource, List) Access Groups that you can use for an `iam_credentials` secret.Up to 10 Access Groups can be used for each secret. * Constraints: The list items must match regular expression `/^AccessGroupId-[a-z0-9-]+[a-z0-9]$/`. The maximum length is `10` items. The minimum length is `1` item. +* `account_id` - (Optional, Forces new resource, String) The ID of the account in which the IAM credentials are created. Use this field only if the target account is not the same as the account of the Secrets Manager instance. Otherwise, the field can be omitted. * `custom_metadata` - (Optional, Map) The secret metadata that a user can customize. * `description` - (Optional, String) An extended description of your secret.To protect your privacy, do not use personal data, such as your name or location, as a description for your secret group. * Constraints: The maximum length is `1024` characters. The minimum length is `0` characters. The value must match regular expression `/(.*?)/`. @@ -52,11 +53,11 @@ Review the argument reference that you can specify for your resource. * `reuse_api_key` - (Optional, Boolean) Determines whether to use the same service ID and API key for future read operations on an`iam_credentials` secret. Must be set to `true` for IAM credentials secrets managed by Terraform. * `rotation` - (Optional, List) Determines whether Secrets Manager rotates your secrets automatically. Nested scheme for **rotation**: - * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. - * `interval` - (Optional, Integer) The length of the secret rotation time interval. - * Constraints: The minimum value is `1`. - * `unit` - (Optional, String) The units for the secret rotation time interval. - * Constraints: Allowable values are: `day`, `month`. + * `auto_rotate` - (Optional, Boolean) Determines whether Secrets Manager rotates your secret automatically.Default is `false`. If `auto_rotate` is set to `true` the service rotates your secret based on the defined interval. + * `interval` - (Optional, Integer) The length of the secret rotation time interval. + * Constraints: The minimum value is `1`. + * `unit` - (Optional, String) The units for the secret rotation time interval. + * Constraints: Allowable values are: `day`, `month`. * `secret_group_id` - (Optional, Forces new resource, String) A v4 UUID identifier, or `default` secret group. * Constraints: The maximum length is `36` characters. The minimum length is `7` characters. The value must match regular expression `/^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|default)$/`. * `service_id` - (Optional, Forces new resource, String) The service ID under which the API key (see the `api_key` field) is created.If you omit this parameter, Secrets Manager generates a new service ID for your secret at its creation and adds it to the access groups that you assign.Optionally, you can use this field to provide your own service ID if you prefer to manage its access directly or retain the service ID after your secret expires, is rotated, or deleted. If you provide a service ID, do not include the `access_groups` parameter.