Use this module to create a service ID API key (associated with an existing service ID) and store it as a dynamic secret (existing or new) in an existing IBM Secrets Manager instance.
Dynamic secrets, unlike (arbitrary) static secrets, create IAM service ID API key credentials that the Secrets Manager engine rotates automatically every time the secret payload is read or accessed once the lease duration has been met. The credential changes are controlled by two input variables that you specify when you create the secret: `sm_iam_secret_ttl` (sometimes referred to as time to live, TTL, or lease duration) and `sm_iam_secret_api_key_persistence` (sometimes referred to as reuse IAM credentials).

In addition to rotation when the TTL or lease expires, you can create a rotation policy to trigger rotation before the lease expires. Triggering rotation before expiration provides transition time between the old and the new credentials. You enable this setting by setting `sm_iam_secret_auto_rotation` to `true` and configuring the related rotation variables `sm_iam_secret_auto_rotation_unit` and `sm_iam_secret_auto_rotation_interval`.
```hcl
provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXXXXXX"
  region           = "us-south"
}

module "dynamic_serviceid_apikey1" {
  source  = "terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  resource_group_id         = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region                    = "us-south"
  sm_iam_secret_name        = "example-arbitrary-secret"
  sm_iam_secret_description = "Example of dynamic IAM secret"
  secrets_manager_guid      = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  serviceid_id              = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  secret_group_id           = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
```
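The following is an added example, not taken from the module's own README, showing the rotation policy described above configured alongside the lease: a 7-day TTL with daily rotation so that consumers always have a transition window before the current key expires. The placeholder IDs are assumed values.

```hcl
module "dynamic_serviceid_apikey_rotated" {
  source  = "terraform-ibm-modules/iam-serviceid-apikey-secrets-manager/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  # Placeholder IDs: replace with real values from your account
  resource_group_id    = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region               = "us-south"
  secrets_manager_guid = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  serviceid_id         = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  secret_group_id      = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"

  # Reach the Secrets Manager instance over the private endpoint
  service_endpoints = "private"

  sm_iam_secret_name        = "example-rotated-iam-secret"
  sm_iam_secret_description = "Service ID API key with a 7-day lease and daily rotation"

  # Lease duration: 7 days. Accepted formats are seconds, Xm or Xh,
  # so "168h" is equivalent to "604800".
  sm_iam_secret_ttl = "168h"

  # Keep the same service ID and API key across reads (the module default),
  # since the credentials are managed by this Terraform code.
  sm_iam_secret_api_key_persistence = true

  # Rotation policy: rotate every 1 day, well inside the 7-day lease,
  # so the old key is still valid while consumers pick up the new one.
  sm_iam_secret_auto_rotation          = true
  sm_iam_secret_auto_rotation_unit     = "day"
  sm_iam_secret_auto_rotation_interval = 1
}

# Expose the module outputs so the secret can be referenced elsewhere
output "rotated_secret_id" {
  value = module.dynamic_serviceid_apikey_rotated.secret_id
}

output "rotated_secret_next_rotation_date" {
  value = module.dynamic_serviceid_apikey_rotated.sm_iam_secret_next_rotation_date
}
```

With the module defaults instead (TTL `"7776000"` seconds, interval `60` with unit `"day"`), rotation happens every 60 days against a 90-day lease, which is the same pattern with a wider window.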
You need the following permissions to run this module.

- Account Management
  - IAM Access Groups service
    - `Editor` platform access
  - IAM Identity service
    - `Operator` platform access
    - `Service ID creator` service access (if service ID creation is disabled in the IAM settings)
  - Resource Group service
    - `Viewer` platform access
- IAM Services
  - Secrets Manager service
    - `Administrator` platform access
    - `Manager` service access
| Name | Version |
|---|---|
| terraform | >= 1.3.0, <1.7.0 |
| ibm | >=1.61.0, <2.0.0 |

No modules.
| Name | Type |
|---|---|
| ibm_sm_iam_credentials_secret.sm_iam_credentials_secret | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| region | Region where resources will be created | string | n/a | yes |
| secret_group_id | Secret Group ID of the group the IAM secret will be added to; leave the default (null) to add it to the default secret group | string | null | no |
| secrets_manager_guid | Instance ID of the Secrets Manager instance where the secret is stored | string | n/a | yes |
| service_endpoints | The service endpoint type used to communicate with the provided Secrets Manager instance. Possible values are public or private | string | "public" | no |
| serviceid_id | ID of the service ID that the dynamic secret/API key authenticates | string | n/a | yes |
| sm_iam_secret_api_key_persistence | Whether to use the same service ID and API key for future read operations. Set this to true if IAM credentials are managed by the Terraform code. | bool | true | no |
| sm_iam_secret_auto_rotation | Set to true to configure an automatic rotation policy. | bool | false | no |
| sm_iam_secret_auto_rotation_interval | Specifies the rotation interval for the rotation policy. | number | 60 | no |
| sm_iam_secret_auto_rotation_unit | Specifies the unit of time for the rotation policy. Acceptable values are day or month. | string | "day" | no |
| sm_iam_secret_description | Description of the SM IAM secret (dynamic service ID API key) to be created | string | n/a | yes |
| sm_iam_secret_name | Name of the SM IAM secret (dynamic service ID API key) to be created | string | n/a | yes |
| sm_iam_secret_ttl | Validity / lease duration of the service ID API key. Accepted values and formats are: SECONDS, Xm or Xh (where X is the number of minutes or hours appended to m or h respectively) | string | "7776000" | no |
| Name | Description |
|---|---|
| secret_id | Secrets Manager IAM secret ID containing the service ID API key |
| sm_iam_secret_next_rotation_date | Next rotation date for the iam_credential secret |
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.