fix: private endpoints support (#456)
huayuenh authored Aug 1, 2024
1 parent 869f353 commit 32bef01
Showing 10 changed files with 89 additions and 8 deletions.
2 changes: 2 additions & 0 deletions README.md
@@ -621,11 +621,13 @@ statement instead the previous block.
| <a name="input_slack_team_name"></a> [slack\_team\_name](#input\_slack\_team\_name) | The Slack team name, which is the word or phrase before `.slack.com` in the team URL. This applies to the CI, CD, and CC toolchains. To set separately, see `ci_slack_team_name`, `cd_slack_team_name`, and `cc_slack_team_name`. | `string` | `""` | no |
| <a name="input_slack_webhook_secret_crn"></a> [slack\_webhook\_secret\_crn](#input\_slack\_webhook\_secret\_crn) | The CRN for the Slack webhook secret. | `string` | `""` | no |
| <a name="input_slack_webhook_secret_name"></a> [slack\_webhook\_secret\_name](#input\_slack\_webhook\_secret\_name) | Name of the webhook secret for Slack in the secret provider. This applies to the CI, CD, and CC toolchains. To set separately, see `ci_slack_webhook_secret_name`, `cd_slack_webhook_secret_name`, and `cc_slack_webhook_secret_name` | `string` | `"slack-webhook"` | no |
| <a name="input_sm_endpoint_type"></a> [sm\_endpoint\_type](#input\_sm\_endpoint\_type) | The types of service endpoints to target for Secrets Manager. | `string` | `"private"` | no |
| <a name="input_sm_instance_crn"></a> [sm\_instance\_crn](#input\_sm\_instance\_crn) | The CRN of the Secrets Manager instance. Will apply to CI, CD and CC toolchains unless set individually. | `string` | `""` | no |
| <a name="input_sm_integration_name"></a> [sm\_integration\_name](#input\_sm\_integration\_name) | The name of the Secrets Manager integration. | `string` | `"sm-compliance-secrets"` | no |
| <a name="input_sm_location"></a> [sm\_location](#input\_sm\_location) | The region location of the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_location`, `cd_sm_location`, and `cc_sm_location` to set separately. | `string` | `"us-south"` | no |
| <a name="input_sm_name"></a> [sm\_name](#input\_sm\_name) | The name of the Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_name`, `cd_sm_name`, and `cc_sm_name` to set separately. | `string` | `"sm-instance"` | no |
| <a name="input_sm_resource_group"></a> [sm\_resource\_group](#input\_sm\_resource\_group) | The resource group containing the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_resource_group`, `cd_sm_resource_group`, and `cc_sm_resource_group` to set separately. | `string` | `"Default"` | no |
| <a name="input_sm_secret_expiration_period"></a> [sm\_secret\_expiration\_period](#input\_sm\_secret\_expiration\_period) | The number of days until the secret expires. Leave empty to not set an expiration. | `string` | `""` | no |
| <a name="input_sm_secret_group"></a> [sm\_secret\_group](#input\_sm\_secret\_group) | Group in Secrets Manager for organizing/grouping secrets. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_secret_group`, `cd_sm_secret_group`, and `cc_sm_secret_group` to set separately. | `string` | `"Default"` | no |
| <a name="input_sonarqube_secret_crn"></a> [sonarqube\_secret\_crn](#input\_sonarqube\_secret\_crn) | The CRN for the SonarQube secret. | `string` | `""` | no |
| <a name="input_toolchain_name"></a> [toolchain\_name](#input\_toolchain\_name) | Common element of the toolchain name. The toolchain names will be appended with `CI Toolchain` or `CD Toolchain` or `CC Toolchain` followed by a timestamp. Can explicitly be set using `ci_toolchain_name`, `cd_toolchain_name`, and `cc_toolchain_name`. | `string` | `"DevSecOps"` | no |
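Review bot: the new `sm_endpoint_type` row says "The types of service endpoints" for a single `string` whose only meaningful values are `public` and `private`, so a reader cannot tell what to put in it; suggest "The type of service endpoint (`public` or `private`) used for Secrets Manager calls", and say explicitly that the `private` default keeps Secrets Manager traffic off the public network so that nobody flips it to `public` just to get a plan working from a laptop.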
2 changes: 2 additions & 0 deletions code-engine/README.md
@@ -626,11 +626,13 @@ statement instead the previous block.
| <a name="input_slack_team_name"></a> [slack\_team\_name](#input\_slack\_team\_name) | The Slack team name, which is the word or phrase before `.slack.com` in the team URL. This applies to the CI, CD, and CC toolchains. To set separately, see `ci_slack_team_name`, `cd_slack_team_name`, and `cc_slack_team_name`. | `string` | `""` | no |
| <a name="input_slack_webhook_secret_crn"></a> [slack\_webhook\_secret\_crn](#input\_slack\_webhook\_secret\_crn) | The CRN for the Slack webhook secret. | `string` | `""` | no |
| <a name="input_slack_webhook_secret_name"></a> [slack\_webhook\_secret\_name](#input\_slack\_webhook\_secret\_name) | Name of the webhook secret for Slack in the secret provider. This applies to the CI, CD, and CC toolchains. To set separately, see `ci_slack_webhook_secret_name`, `cd_slack_webhook_secret_name`, and `cc_slack_webhook_secret_name` | `string` | `"slack-webhook"` | no |
| <a name="input_sm_endpoint_type"></a> [sm\_endpoint\_type](#input\_sm\_endpoint\_type) | The types of service endpoints to target for Secrets Manager. | `string` | `"private"` | no |
| <a name="input_sm_instance_crn"></a> [sm\_instance\_crn](#input\_sm\_instance\_crn) | The CRN of the Secrets Manager instance. Will apply to CI, CD and CC toolchains unless set individually. | `string` | `""` | no |
| <a name="input_sm_integration_name"></a> [sm\_integration\_name](#input\_sm\_integration\_name) | The name of the Secrets Manager integration. | `string` | `"sm-compliance-secrets"` | no |
| <a name="input_sm_location"></a> [sm\_location](#input\_sm\_location) | The region location of the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_location`, `cd_sm_location`, and `cc_sm_location` to set separately. | `string` | `"us-south"` | no |
| <a name="input_sm_name"></a> [sm\_name](#input\_sm\_name) | The name of the Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_name`, `cd_sm_name`, and `cc_sm_name` to set separately. | `string` | `"sm-instance"` | no |
| <a name="input_sm_resource_group"></a> [sm\_resource\_group](#input\_sm\_resource\_group) | The resource group containing the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_resource_group`, `cd_sm_resource_group`, and `cc_sm_resource_group` to set separately. | `string` | `"Default"` | no |
| <a name="input_sm_secret_expiration_period"></a> [sm\_secret\_expiration\_period](#input\_sm\_secret\_expiration\_period) | The number of days until the secret expires. Leave empty to not set an expiration. | `string` | `""` | no |
| <a name="input_sm_secret_group"></a> [sm\_secret\_group](#input\_sm\_secret\_group) | Group in Secrets Manager for organizing/grouping secrets. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_secret_group`, `cd_sm_secret_group`, and `cc_sm_secret_group` to set separately. | `string` | `"Default"` | no |
| <a name="input_sonarqube_secret_crn"></a> [sonarqube\_secret\_crn](#input\_sonarqube\_secret\_crn) | The CRN for the SonarQube secret. | `string` | `""` | no |
| <a name="input_toolchain_name"></a> [toolchain\_name](#input\_toolchain\_name) | Common element of the toolchain name. The toolchain names will be appended with `CI Toolchain` or `CD Toolchain` or `CC Toolchain` followed by a timestamp. Can explicitly be set using `ci_toolchain_name`, `cd_toolchain_name`, and `cc_toolchain_name`. | `string` | `"DevSecOps"` | no |
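Review bot: `sm_secret_expiration_period` is documented as "the number of days" but typed `string` with `""` as the sentinel for no expiration; either type it `number` with a `null` default, or state in the description that the value must be an integer number of days given as a string and that the empty default leaves the generated API keys and signing material without any expiration at all. The same two rows in the root README.md need identical wording.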
2 changes: 2 additions & 0 deletions code-engine/main.tf
@@ -114,7 +114,9 @@ module "prereqs" {
iam_api_key_secret_name = var.pipeline_ibmcloud_api_key_secret_name
signing_key_secret_name = var.ci_signing_key_secret_name
signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name
sm_secret_expiration_period = var.sm_secret_expiration_period
sm_exists = var.enable_secrets_manager
sm_endpoint_type = var.sm_endpoint_type
}

module "devsecops_ci_toolchain" {
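Review bot: `sm_endpoint_type` is wired only into `module "prereqs"` here, while the `module "devsecops_ci_toolchain"` call that follows (and the CD and CC ones) are untouched in this commit. Confirm those toolchain modules either receive the endpoint type or resolve Secrets Manager through their own integration settings; otherwise "private endpoints support" covers secret creation but not the toolchains that later read the secrets.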
12 changes: 12 additions & 0 deletions code-engine/variables.tf
@@ -181,6 +181,18 @@ variable "sm_secret_group" {
default = "Default"
}

variable "sm_endpoint_type" {
type = string
description = "The types of service endpoints to target for Secrets Manager."
default = "private"
}

variable "sm_secret_expiration_period" {
type = string
description = "The number of days until the secret expires. Leave empty to not set an expiration."
default = ""
}

variable "kp_resource_group" {
type = string
description = "The resource group containing the Key Protect instance. This applies to the CI, CD and CC Key Protect integrations. See `ci_kp_resource_group`, `cd_kp_resource_group`, and `cc_kp_resource_group` to set separately."
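Review bot: `sm_endpoint_type` has no `validation` block, so a typo such as `privat` passes `terraform validate` and only fails inside the provider call, or silently falls back to whatever the provider does with an unknown value. Suggest adding `validation { condition = contains(["public", "private"], var.sm_endpoint_type) error_message = "sm_endpoint_type must be \"public\" or \"private\"." }` so the mistake is caught at plan time with a readable message.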
28 changes: 28 additions & 0 deletions ibm_catalog.json
@@ -225,6 +225,13 @@
"description": "The CRN of the Secrets Manager instance. Will apply to CI, CD and CC toolchains unless set individually.",
"required": false
},
{
"key": "sm_endpoint_type",
"type": "string",
"default_value": "private",
"description": "The types of service endpoints to target for Secrets Manager.",
"required": false
},
{
"key": "ci_pipeline_properties",
"type": "string",
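Review bot: catalog users see only this `description`, never the Terraform variable, so the accepted values (`public`, `private`) should be spelled out here instead of the plural "types of service endpoints". The identical entry is repeated further down in this file (the hunk at line 4168), and both copies need the same wording.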
@@ -326,6 +333,13 @@
"description": "Set to `true` to create and add a `cos-api-key` to the Secrets Provider.",
"required": false
},
{
"key": "sm_secret_expiration_period",
"type": "string",
"default_value": "",
"description": "The number of days until the secret expires. Leave empty to not set an expiration.",
"required": false
},
{
"key": "create_cd_instance",
"type": "boolean",
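Review bot: the `sm_secret_expiration_period` description omits two behaviours that matter to an operator: `"0"` is treated the same as `""` (the `sm_secret_expiration_period_hours` local in prereqs/main.tf returns `null` for both), and the expiration is computed from a `time_static` timestamp captured at first apply, so re-applying does not extend the deadline. Stating both here avoids someone assuming `0` means "expire immediately" or that a re-apply renews the secrets.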
@@ -4154,6 +4168,13 @@
"description": "The CRN of the Secrets Manager instance. Will apply to CI, CD and CC toolchains unless set individually.",
"required": false
},
{
"key": "sm_endpoint_type",
"type": "string",
"default_value": "private",
"description": "The types of service endpoints to target for Secrets Manager.",
"required": false
},
{
"key": "ci_pipeline_properties",
"type": "string",
@@ -4619,6 +4640,13 @@
"description": "Set to `true` to create and add a `cos-api-key` to the Secrets Provider.",
"required": false
},
{
"key": "sm_secret_expiration_period",
"type": "string",
"default_value": "",
"description": "The number of days until the secret expires. Leave empty to not set an expiration.",
"required": false
},
{
"key": "create_cd_instance",
"type": "boolean",
2 changes: 2 additions & 0 deletions main.tf
@@ -98,7 +98,9 @@ module "prereqs" {
iam_api_key_secret_name = var.pipeline_ibmcloud_api_key_secret_name
signing_key_secret_name = var.ci_signing_key_secret_name
signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name
sm_secret_expiration_period = var.sm_secret_expiration_period
sm_exists = var.enable_secrets_manager
sm_endpoint_type = var.sm_endpoint_type
}

module "devsecops_ci_toolchain" {
24 changes: 17 additions & 7 deletions prereqs/main.tf
@@ -15,6 +15,14 @@ locals {
# 3) retrive that object from the list and get the ID from it
secret_group_list = (var.sm_exists) ? data.ibm_sm_secret_groups.secret_groups[0].secret_groups : []
secret_group_id = try(local.secret_group_list[index(local.secret_group_list[*].name, var.sm_secret_group_name)].id, "")

sm_secret_expiration_period_hours = ((var.sm_secret_expiration_period != "") && (var.sm_secret_expiration_period != "0")) ? var.sm_secret_expiration_period * 24 : null

expiration_date = (local.sm_secret_expiration_period_hours != null) ? timeadd(time_static.timestamp[0].rfc3339, "${local.sm_secret_expiration_period_hours}h") : null
}

resource "time_static" "timestamp" {
count = (local.sm_secret_expiration_period_hours != null) ? 1 : 0
}

####### SECRETS MANAGER #####################
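Review bot: `var.sm_secret_expiration_period * 24` relies on Terraform's implicit string-to-number conversion of a `string` variable, so neither `"30d"` nor `"-1"` is rejected here: the first fails at plan with an opaque conversion error, the second yields an `expiration_date` in the past that Secrets Manager rejects at apply. Suggest `tonumber(var.sm_secret_expiration_period) * 24` together with a variable validation that the value is a positive integer. The `time_static` choice also deserves a comment: the timestamp is fixed at first apply, so the expiry is creation time plus N days and changing the period later recomputes the date from the original timestamp, not from the time of the change.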
@@ -32,9 +40,10 @@ data "ibm_resource_instance" "sm_instance" {
}

data "ibm_sm_secret_groups" "secret_groups" {
count = (var.sm_exists) ? 1 : 0
instance_id = (local.sm_instance_id != "") ? local.sm_instance_id : var.sm_instance_id
region = var.sm_location
count = (var.sm_exists) ? 1 : 0
instance_id = (local.sm_instance_id != "") ? local.sm_instance_id : var.sm_instance_id
region = var.sm_location
endpoint_type = var.sm_endpoint_type
}

#################### SECRETS #######################
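Review bot: with `endpoint_type = var.sm_endpoint_type` on the `ibm_sm_secret_groups` data source, a `private` setting means the machine running `terraform plan` must itself reach Secrets Manager over the private network; from a workstation or a CI runner without private connectivity the data-source read fails before any resource is touched. That is the intended consequence of private endpoints, but the README rows added in this commit do not say so, and a sentence there would save the first support ticket. Also confirm whether the `ibm_resource_instance` lookup in the context above needs the same treatment.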
@@ -72,6 +81,7 @@ data "ibm_sm_secret_group" "existing_sm_secret_group" {
instance_id = (local.sm_instance_id != "") ? local.sm_instance_id : var.sm_instance_id
region = var.sm_location
secret_group_id = local.secret_group_id
endpoint_type = var.sm_endpoint_type
}

resource "ibm_sm_arbitrary_secret" "secret_ibmcloud_api_key" {
@@ -84,7 +94,7 @@ resource "ibm_sm_arbitrary_secret" "secret_ibmcloud_api_key" {
description = "The IBMCloud apikey for running the pipelines."
labels = []
payload = (var.iam_api_key_secret == "") ? ibm_iam_api_key.iam_api_key[0].apikey : var.iam_api_key_secret
expiration_date = null
expiration_date = local.expiration_date
endpoint_type = var.sm_endpoint_type
}

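Review bot: setting `expiration_date` on this arbitrary secret expires only the stored copy; the IAM API key created by `ibm_iam_api_key.iam_api_key[0]`, whose `apikey` is the payload, stays valid in IAM after the secret expires. The description (or the README) should say that the expiration is a retrieval deadline for the pipelines, not a revocation of the key, so operators pair it with key rotation rather than assume the credential is dead. The same applies to `secret_cos_api_key` below.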
@@ -98,7 +108,7 @@ resource "ibm_sm_arbitrary_secret" "secret_cos_api_key" {
description = "The COS apikey for accessing the associated COS instance."
labels = []
payload = (var.cos_api_key_secret == "") ? ibm_iam_api_key.cos_iam_api_key[0].apikey : var.cos_api_key_secret
expiration_date = null
expiration_date = local.expiration_date
endpoint_type = var.sm_endpoint_type
}

@@ -112,7 +122,7 @@ resource "ibm_sm_arbitrary_secret" "secret_signing_key" {
description = "The gpg signing key for signing images."
labels = []
payload = (var.signing_key_secret == "") ? data.external.signing_keys[0].result.signingkey : var.signing_key_secret
expiration_date = null
expiration_date = local.expiration_date
endpoint_type = var.sm_endpoint_type
}

@@ -126,6 +136,6 @@ resource "ibm_sm_arbitrary_secret" "secret_signing_certifcate" {
description = "The public component of the GPG signing key for validating image signatures."
labels = []
payload = (var.signing_certificate_secret == "") ? data.external.signing_keys[0].result.publickey : var.signing_certificate_secret
expiration_date = null
expiration_date = local.expiration_date
endpoint_type = var.sm_endpoint_type
}
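Review bot: all four secrets share the single `local.expiration_date`, so the GPG signing key (`secret_signing_key`) and its public component (`secret_signing_certifcate`) expire at the same moment as the two API keys; when that moment arrives, image signing in CI and signature validation in CD both stop until the secrets are recreated, and there is no per-secret override. Worth documenting that consequence. Separately, the pre-existing `certifcate` spelling in this resource name and in `signing_certifcate_secret_name` in the module calls cannot be fixed without replacing the secret, so if it stays, a comment marking it as intentional will stop someone "correcting" it later.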
8 changes: 7 additions & 1 deletion prereqs/variables.tf
@@ -72,10 +72,16 @@ variable "sm_secret_group_name" {

variable "sm_endpoint_type" {
type = string
description = "The types of service endpoints to target for the secret group`."
description = "The types of service endpoints to target for Secrets Manager."
default = "public"
}

variable "sm_secret_expiration_period" {
type = string
description = "The number of days until the secret expires. Leave empty to not set an expiration."
default = ""
}

variable "cos_api_key_secret" {
type = string
description = "apikey"
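Review bot: the submodule default for `sm_endpoint_type` stays `public` while the root `variables.tf` and `code-engine/variables.tf` added in this same commit default to `private`, so anyone calling `prereqs` directly gets public endpoints by default despite the commit being titled "private endpoints support". Suggest aligning the submodule default to `private`, or dropping the default so the caller must choose. The description fix removing the stray backtick after "secret group" is welcome.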
5 changes: 5 additions & 0 deletions prereqs/versions.tf
@@ -10,5 +10,10 @@ terraform {
source = "hashicorp/external"
version = "2.3.3"
}

time = {
source = "hashicorp/time"
version = ">= 0.9.1"
}
}
}
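Review bot: the new `time` provider is constrained with an open-ended `>= 0.9.1` while `external` directly above is pinned to exactly `2.3.3`; an open lower bound lets any future major release satisfy the constraint, which is a reproducibility and supply-chain concern for a module that provisions credentials. Suggest `~> 0.9` (or an exact pin, matching the style of the other providers) and, since the root modules consume this one, checking that their lock files pick up the new provider.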
12 changes: 12 additions & 0 deletions variables.tf
@@ -181,6 +181,18 @@ variable "sm_secret_group" {
default = "Default"
}

variable "sm_endpoint_type" {
type = string
description = "The types of service endpoints to target for Secrets Manager."
default = "private"
}

variable "sm_secret_expiration_period" {
type = string
description = "The number of days until the secret expires. Leave empty to not set an expiration."
default = ""
}

variable "kp_resource_group" {
type = string
description = "The resource group containing the Key Protect instance. This applies to the CI, CD and CC Key Protect integrations. See `ci_kp_resource_group`, `cd_kp_resource_group`, and `cc_kp_resource_group` to set separately."
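Review bot: `sm_secret_expiration_period` is typed `string` but prereqs/main.tf multiplies it by 24, so this variable should carry a `validation` block such as `condition = var.sm_secret_expiration_period == "" || can(regex("^[0-9]+$", var.sm_secret_expiration_period))` with a clear `error_message`; otherwise a malformed value surfaces as a type-conversion error from inside the submodule. The copy in `code-engine/variables.tf` needs the same block.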