feat: updated the service_credential_secrets input object schema of the DA to support creating service specific roles<br>* The service_credentials_source_service_role attribute has been renamed to service_credentials_source_service_role_crn and now requires a full CRN value. For example: service_credentials_source_service_role_crn = "crn:v1:bluemix:public:iam::::role:Editor" (#374)

Author: shemau

solutions/standard/DA-types.md

@@ -53,7 +53,7 @@ In the configuration, specify the secret group name, whether it already exists o
     #### Options for service_credentials
 
   - `secret_name`: (required): A unique human-readable name of the secret to create.
-  - `service_credentials_source_service_role`: (required): The role to give the service credential in the Event Notification service. Acceptable values are `Writer`, `Reader`, `Manager`, `None`, `Event Source Manager`, `Channel Editor`, `Event Notification Publisher`, `Status Reporter`, `Device Manager`, `Email Sender`, `Custom Email Status Reporter` , and `Pool ID Manager`
+  - `service_credentials_source_service_role_crn`: (required): The CRN of the role to give the service credential in the Event Nofication service. Service credentials role CRNs can be found at https://cloud.ibm.com/iam/roles, select Event Notifications and select the role. Role CRNs can be for the roles `Writer`, `Reader`, `Manager`, `Event Source Manager`, `Channel Editor`, `Event Notification Publisher`, `Status Reporter`, `Device Manager`, `Email Sender`, `Custom Email Status Reporter` , or `Pool ID Manager`
   - `secret_labels`: (optional, default = `[]`): Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|).
   - `secret_auto_rotation`: (optional, default = `true`): Whether to configure automatic rotation of service credential.
   - `secret_auto_rotation_unit`: (optional, default = `day`): Specifies the unit of time for rotation of a secret. Acceptable values are `day` or `month`.
@@ -70,7 +70,7 @@ In the configuration, specify the secret group name, whether it already exists o
       "service_credentials": [
         {
           "secret_name": "cred-1"
-          "service_credentials_source_service_role":  "Writer"
+          "service_credentials_source_service_role_crn":  "crn:v1:bluemix:public:iam::::serviceRole:Writer"
           "secret_labels": ["test-writer-1", "test-writer-2"]
           "secret_auto_rotation": true
           "secret_auto_rotation_unit": "day"
@@ -80,7 +80,7 @@ In the configuration, specify the secret group name, whether it already exists o
         },
         {
           "secret_name": "cred-2"
-          "service_credentials_source_service_role": "Reader"
+          "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader"
         }
       ]
     },
@@ -89,11 +89,7 @@ In the configuration, specify the secret group name, whether it already exists o
       "service_credentials": [
         {
           "secret_name": "cred-3"
-          "service_credentials_source_service_role": "Editor"
-        },
-        {
-          "secret_name": "cred-4"
-          "service_credentials_source_service_role": "None"
+          "service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor"
         }
       ]
     }

solutions/standard/main.tf

@@ -353,16 +353,16 @@ locals {
       existing_secret_group    = service_credentials.existing_secret_group
       secrets = [
         for secret in service_credentials.service_credentials : {
-          secret_name                             = secret.secret_name
-          secret_labels                           = secret.secret_labels
-          secret_auto_rotation                    = secret.secret_auto_rotation
-          secret_auto_rotation_unit               = secret.secret_auto_rotation_unit
-          secret_auto_rotation_interval           = secret.secret_auto_rotation_interval
-          service_credentials_ttl                 = secret.service_credentials_ttl
-          service_credential_secret_description   = secret.service_credential_secret_description
-          service_credentials_source_service_role = secret.service_credentials_source_service_role
-          service_credentials_source_service_crn  = local.eventnotification_crn
-          secret_type                             = "service_credentials" #checkov:skip=CKV_SECRET_6
+          secret_name                                 = secret.secret_name
+          secret_labels                               = secret.secret_labels
+          secret_auto_rotation                        = secret.secret_auto_rotation
+          secret_auto_rotation_unit                   = secret.secret_auto_rotation_unit
+          secret_auto_rotation_interval               = secret.secret_auto_rotation_interval
+          service_credentials_ttl                     = secret.service_credentials_ttl
+          service_credential_secret_description       = secret.service_credential_secret_description
+          service_credentials_source_service_role_crn = secret.service_credentials_source_service_role_crn
+          service_credentials_source_service_crn      = local.eventnotification_crn
+          secret_type                                 = "service_credentials" #checkov:skip=CKV_SECRET_6
         }
       ]
     }
@@ -390,7 +390,7 @@ module "secrets_manager_service_credentials" {
   count                       = length(local.service_credential_secrets) > 0 ? 1 : 0
   depends_on                  = [time_sleep.wait_for_en_authorization_policy]
   source                      = "terraform-ibm-modules/secrets-manager/ibm//modules/secrets"
-  version                     = "1.20.0"
+  version                     = "1.22.0"
   existing_sm_instance_guid   = local.existing_secrets_manager_instance_guid
   existing_sm_instance_region = local.existing_secrets_manager_instance_region
   endpoint_type               = var.existing_secrets_manager_endpoint_type

solutions/standard/variables.tf

@@ -311,30 +311,29 @@ variable "service_credential_secrets" {
     secret_group_description = optional(string)
     existing_secret_group    = optional(bool)
     service_credentials = list(object({
-      secret_name                             = string
-      service_credentials_source_service_role = string
-      secret_labels                           = optional(list(string))
-      secret_auto_rotation                    = optional(bool)
-      secret_auto_rotation_unit               = optional(string)
-      secret_auto_rotation_interval           = optional(number)
-      service_credentials_ttl                 = optional(string)
-      service_credential_secret_description   = optional(string)
+      secret_name                                 = string
+      service_credentials_source_service_role_crn = string
+      secret_labels                               = optional(list(string))
+      secret_auto_rotation                        = optional(bool)
+      secret_auto_rotation_unit                   = optional(string)
+      secret_auto_rotation_interval               = optional(number)
+      service_credentials_ttl                     = optional(string)
+      service_credential_secret_description       = optional(string)
 
     }))
   }))
   default     = []
   description = "Service credential secrets configuration for Event Notification. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-notifications/tree/main/solutions/standard/DA-types.md#service-credential-secrets)."
 
   validation {
+    # Service roles CRNs can be found at https://cloud.ibm.com/iam/roles, select Event Notifications and select the role
     condition = alltrue([
       for group in var.service_credential_secrets : alltrue([
-        for credential in group.service_credentials : contains(
-          ["Writer", "Reader", "Manager", "None", "Event Source Manager", "Channel Editor", "Event Notification Publisher", "Status Reporter", "Device Manager", "Email Sender", "Custom Email Status Reporter", "Pool ID Manager"], credential.service_credentials_source_service_role
-        )
+        # crn:v?:bluemix; two non-empty segments; three possibly empty segments; :serviceRole or role: non-empty segment
+        for credential in group.service_credentials : can(regex("^crn:v[0-9]:bluemix(:..*){2}(:.*){3}:(serviceRole|role):..*$", credential.service_credentials_source_service_role_crn))
       ])
     ])
-    error_message = "service_credentials_source_service_role role must be one of 'Writer', 'Reader', 'Manager', 'None', 'Event Source Manager', 'Channel Editor', 'Event Notification Publisher', 'Status Reporter', 'Device Manager', 'Email Sender', 'Custom Email Status Reporter' and 'Pool ID Manager'."
-
+    error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles"
   }
 }
 

tests/pr_test.go

@@ -124,11 +124,15 @@ func TestDAInSchematics(t *testing.T) {
 			"service_credentials": []map[string]string{
 				{
 					"secret_name": fmt.Sprintf("%s-cred-reader", options.Prefix),
-					"service_credentials_source_service_role": "Reader",
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
 				},
 				{
 					"secret_name": fmt.Sprintf("%s-cred-writer", options.Prefix),
-					"service_credentials_source_service_role": "Writer",
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
+				},
+				{
+					"secret_name": fmt.Sprintf("%s-cred-editor", options.Prefix),
+					"service_credentials_source_service_role_crn": "crn:v1:bluemix:public:iam::::role:Editor",
 				},
 			},
 		},