https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager
This module creates a Secrets Manager instance
https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager
core-team deployable-architecture graduated ibm-cloud secrets-manager supported terraform terraform-module
Last synced: about 1 month ago
JSON representation
This module creates a Secrets Manager instance
- Host: GitHub
- URL: https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager
- Owner: terraform-ibm-modules
- License: apache-2.0
- Created: 2023-11-20T11:14:01.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-12T18:42:31.000Z (about 1 month ago)
- Last Synced: 2025-04-12T21:52:47.835Z (about 1 month ago)
- Topics: core-team, deployable-architecture, graduated, ibm-cloud, secrets-manager, supported, terraform, terraform-module
- Language: HCL
- Size: 778 KB
- Stars: 1
- Watchers: 14
- Forks: 1
- Open Issues: 12
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
Awesome Lists containing this project
README
# Secrets Manager module
[-brightgreen)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
[](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/releases/latest)
[](https://github.com/pre-commit/pre-commit)
[](https://renovatebot.com/)
[](https://github.com/semantic-release/semantic-release)
This module is used to provision and configure an IBM Cloud [Secrets Manager](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-getting-started) instance.
## Overview
* [terraform-ibm-secrets-manager](#terraform-ibm-secrets-manager)
* [Submodules](./modules)
* [fscloud](./modules/fscloud)
* [secrets](./modules/secrets)
* [Examples](./examples)
* [Basic example](./examples/basic)
* [Complete example with BYOK encryption](./examples/complete)
* [Financial Services Cloud profile example with KYOK encryption](./examples/fscloud)
* [Contributing](#contributing)
## Reference architectures
- [Secrets Manager - Standard variation](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/solutions/standard)
## terraform-ibm-secrets-manager
### Usage
```hcl
provider "ibm" {
ibmcloud_api_key = "XXXXXXXXXXXXXX" # pragma: allowlist secret
region = "us-south"
}
module "secrets_manager" {
source = "terraform-ibm-modules/secrets-manager/ibm"
version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
region = "us-south"
secrets_manager_name = "my-secrets-manager"
sm_service_plan = "trial"
}
```
## Required IAM access policies
You need the following permissions to run this module.
- Account Management
- **Resource Group** service
- `Viewer` platform access
- IAM Services
- **Secrets Manager** service
- `Administrator` platform access
- `Manager` service access
### Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= v1.0.0 |
| [ibm](#requirement\_ibm) | >= 1.76.0, <2.0.0 |
| [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |
### Modules
| Name | Source | Version |
|------|--------|---------|
| [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.29.0 |
| [kms\_key\_crn\_parser](#module\_kms\_key\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
| [secrets](#module\_secrets) | ./modules/secrets | n/a |
### Resources
| Name | Type |
|------|------|
| [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_iam_authorization_policy.iam_groups_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_iam_authorization_policy.iam_identity_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_iam_authorization_policy.secrets_manager_hpcs_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_resource_instance.secrets_manager_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
| [ibm_sm_en_registration.sm_en_registration](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/sm_en_registration) | resource |
| [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [time_sleep.wait_for_sm_hpcs_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [ibm_resource_instance.sm_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/resource_instance) | data source |
### Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [allowed\_network](#input\_allowed\_network) | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
| [cbr\_rules](#input\_cbr\_rules) | (Optional, list) List of CBR rules to create |
list(object({
description = string
account_id = string
rule_contexts = list(object({
attributes = optional(list(object({
name = string
value = string
}))) }))
enforcement_mode = string
operations = optional(list(object({
api_types = list(object({
api_type_id = string
}))
})))
})) | `[]` | no |
| [enable\_event\_notification](#input\_enable\_event\_notification) | Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null. | `bool` | `false` | no |
| [endpoint\_type](#input\_endpoint\_type) | The type of endpoint (public or private) to connect to the Secrets Manager API. The Terraform provider uses this endpoint type to interact with the Secrets Manager API and configure Event Notifications. | `string` | `"public"` | no |
| [existing\_en\_instance\_crn](#input\_existing\_en\_instance\_crn) | The CRN of the Event Notifications service to enable lifecycle notifications for your Secrets Manager instance. | `string` | `null` | no |
| [existing\_sm\_instance\_crn](#input\_existing\_sm\_instance\_crn) | An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned. | `string` | `null` | no |
| [is\_hpcs\_key](#input\_is\_hpcs\_key) | Set it to true if the key provided through the `kms_key_crn` is Hyper Protect Crypto Services key. | `bool` | `false` | no |
| [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in Secrets Manager. If set to false, the data that you store is encrypted at rest by using envelope encryption. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption. | `bool` | `false` | no |
| [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true. | `string` | `null` | no |
| [region](#input\_region) | The region where the resource will be provisioned.Its not required if passing a value for `existing_sm_instance_crn`. | `string` | `null` | no |
| [resource\_group\_id](#input\_resource\_group\_id) | The ID of the resource group | `string` | n/a | yes |
| [secrets](#input\_secrets) | Secret Manager secrets configurations. | list(object({
secret_group_name = string
secret_group_description = optional(string)
existing_secret_group = optional(bool, false)
create_access_group = optional(bool, false)
access_group_name = optional(string)
access_group_roles = optional(list(string))
access_group_tags = optional(list(string))
secrets = optional(list(object({
secret_name = string
secret_description = optional(string)
secret_type = optional(string)
imported_cert_certificate = optional(string)
imported_cert_private_key = optional(string)
imported_cert_intermediate = optional(string)
secret_username = optional(string)
secret_labels = optional(list(string), [])
secret_payload_password = optional(string, "")
secret_auto_rotation = optional(bool, true)
secret_auto_rotation_unit = optional(string, "day")
secret_auto_rotation_interval = optional(number, 89)
service_credentials_ttl = optional(string, "7776000") # 90 days
service_credentials_source_service_crn = optional(string)
service_credentials_source_service_role_crn = optional(string)
})))
})) | `[]` | no |
| [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name of the Secrets Manager instance to create | `string` | n/a | yes |
| [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
| [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
| [sm\_service\_plan](#input\_sm\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
| [sm\_tags](#input\_sm\_tags) | The list of resource tags that you want to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |
### Outputs
| Name | Description |
|------|-------------|
| [secret\_groups](#output\_secret\_groups) | IDs of the created Secret Group |
| [secrets](#output\_secrets) | List of secret mananger secret config data |
| [secrets\_manager\_crn](#output\_secrets\_manager\_crn) | CRN of the Secrets Manager instance |
| [secrets\_manager\_guid](#output\_secrets\_manager\_guid) | GUID of Secrets Manager instance |
| [secrets\_manager\_id](#output\_secrets\_manager\_id) | ID of the Secrets Manager instance |
| [secrets\_manager\_name](#output\_secrets\_manager\_name) | Name of the Secrets Manager instance |
| [secrets\_manager\_region](#output\_secrets\_manager\_region) | Region of the Secrets Manager instance |
## Contributing
You can report issues and request features for this module in GitHub issues in the module repo. See [Report an issue or request a feature](https://github.com/terraform-ibm-modules/.github/blob/main/.github/SUPPORT.md).
To set up your local development environment, see [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.