
terraform-ibm-modules/terraform-ibm-iam-serviceid-apikey-secrets-manager


IAM Service ID API key Secrets Manager

Graduated (Supported) latest release pre-commit Renovate enabled semantic-release

Use this module to create a service ID API key (associated with an existing service ID) and store it as a dynamic secret (existing or new) in an existing IBM Secrets Manager instance.

Dynamic secrets, unlike (arbitrary) static secrets, are IAM service ID API key credentials that the Secrets Manager engine rotates automatically: once the lease duration has elapsed, the next read or access of the secret payload generates a new credential. The credential lifecycle is controlled by two input variables that you specify when you create the secret: sm_iam_secret_ttl (sometimes referred to as time to live, TTL, or lease duration) and sm_iam_secret_api_key_persistence (sometimes referred to as reuse IAM credentials).

In addition to rotation when the TTL or lease expires, you can create a rotation policy that triggers rotation before the lease expires. Rotating before expiration provides a transition window in which both the old and the new credentials are valid. You enable this by setting sm_iam_secret_auto_rotation to true and configuring the related rotation variables sm_iam_secret_auto_rotation_unit and sm_iam_secret_auto_rotation_interval.

Overview

terraform-ibm-iam-serviceid-apikey-secrets-manager

Usage

provider "ibm" {
  ibmcloud_api_key     = "XXXXXXXXXXXXXX"
  region               = "us-south"
}
module "dynamic_serviceid_apikey1" {
  source                               = "terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm"
  version                              = "X.X.X"  # Replace "X.X.X" with a release version to lock into a specific release
  resource_group_id                    = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region                               = "us-south"
  sm_iam_secret_name                   = "example-arbitrary-secret"
  sm_iam_secret_description            = "Example of dynamic IAM secret"
  secrets_manager_guid                 = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  serviceid_id                         = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  secret_group_id                      = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • IAM Access Groups service
      • Editor platform access
    • IAM Identity service
      • Operator platform access
      • Service ID creator service access, if service ID creation is disabled in the IAM settings
    • Resource Group service
      • Viewer platform access
  • IAM Services
    • Secrets Manager service
      • Administrator platform access
      • Manager service access

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0, <1.7.0 |
| ibm | >=1.61.0, <2.0.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| ibm_sm_iam_credentials_secret.sm_iam_credentials_secret | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| region | Region where resources will be created | string | n/a | yes |
| secret_group_id | ID of the secret group to which the IAM secret is added; leave the default (null) to add it to the default secret group | string | null | no |
| secrets_manager_guid | Instance ID of the Secrets Manager instance in which the secret is stored | string | n/a | yes |
| service_endpoints | The service endpoint type used to communicate with the provided Secrets Manager instance. Possible values are public or private | string | "public" | no |
| serviceid_id | ID of the service ID that the dynamic secret/API key authenticates | string | n/a | yes |
| sm_iam_secret_api_key_persistence | Whether to use the same service ID and API key for future read operations. Set this to true if IAM credentials are managed by the Terraform code. | bool | true | no |
| sm_iam_secret_auto_rotation | Set to true to configure an automatic rotation policy. | bool | false | no |
| sm_iam_secret_auto_rotation_interval | Specifies the rotation interval for the rotation policy. | number | 60 | no |
| sm_iam_secret_auto_rotation_unit | Specifies the unit of time for the rotation policy. Acceptable values are day or month. | string | "day" | no |
| sm_iam_secret_description | Description of the SM IAM secret (dynamic service ID API key) to be created | string | n/a | yes |
| sm_iam_secret_name | Name of the SM IAM secret (dynamic service ID API key) to be created | string | n/a | yes |
| sm_iam_secret_ttl | Validity / lease duration of the service ID API key. Accepted values and formats are: SECONDS, Xm or Xh (where X is the number of minutes or hours, followed by m or h respectively) | string | "7776000" | no |
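The following root configuration is an added example, not code from the module's own README: it calls the module with an explicit lease and a rotation policy that fires before the lease expires, as described in the introduction above. The module source and input names are those documented on this page; the provider API key is taken from a sensitive Terraform variable rather than written into the configuration, and every ID value is a placeholder to be replaced. The TTL validation block is an assumption added here to catch malformed lease strings before apply, not a check the module itself performs.

```hcl
# Added example (not part of the module's README). Placeholder IDs must be replaced.

variable "ibmcloud_api_key" {
  description = "IBM Cloud API key for the provider; supply via TF_VAR_ibmcloud_api_key, never in source"
  type        = string
  sensitive   = true # redacted from plan/apply output and state diffs
}

variable "sm_iam_secret_ttl" {
  description = "Lease of the generated API key: seconds, or X followed by m or h"
  type        = string
  default     = "720h" # 30 days, so the 7-day rotation below fires well before expiry

  # Assumed validation (not in the module): mirrors the accepted formats in the Inputs table.
  validation {
    condition     = can(regex("^[0-9]+[mh]?$", var.sm_iam_secret_ttl))
    error_message = "sm_iam_secret_ttl must be a number of seconds, or a number followed by m or h."
  }
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south"
}

module "dynamic_serviceid_apikey_rotated" {
  source  = "terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm"
  version = "X.X.X" # pin to a specific release

  resource_group_id    = "PLACEHOLDER_RESOURCE_GROUP_ID"
  region               = "us-south"
  secrets_manager_guid = "PLACEHOLDER_SECRETS_MANAGER_GUID"
  serviceid_id         = "PLACEHOLDER_SERVICE_ID"
  secret_group_id      = "PLACEHOLDER_SECRET_GROUP_ID"
  service_endpoints    = "private" # keep Secrets Manager traffic off the public endpoint

  sm_iam_secret_name        = "example-rotated-serviceid-apikey"
  sm_iam_secret_description = "Dynamic IAM credential with a 30-day lease, rotated every 7 days"

  # Lease: once the TTL has elapsed, the next read of the secret yields a new key.
  sm_iam_secret_ttl                 = var.sm_iam_secret_ttl
  sm_iam_secret_api_key_persistence = true

  # Rotation policy: rotate every 7 days, i.e. ahead of the 30-day lease,
  # so consumers get a transition window between old and new credentials.
  sm_iam_secret_auto_rotation          = true
  sm_iam_secret_auto_rotation_unit     = "day"
  sm_iam_secret_auto_rotation_interval = 7
}

output "secret_id" {
  description = "Secrets Manager secret ID holding the service ID API key"
  value       = module.dynamic_serviceid_apikey_rotated.secret_id
}

output "next_rotation_date" {
  description = "When the rotation policy will next replace the key"
  value       = module.dynamic_serviceid_apikey_rotated.sm_iam_secret_next_rotation_date
}
```

Run with `TF_VAR_ibmcloud_api_key=... terraform plan`; the `sensitive` flag keeps the provider key out of the plan output, and the `next_rotation_date` output is a quick way to confirm that the rotation interval actually lands before the configured lease runs out.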

Outputs

| Name | Description |
|------|-------------|
| secret_id | Secrets Manager IAM secret ID containing the service ID API key |
| sm_iam_secret_next_rotation_date | Next rotation date for the iam_credential secret |

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.