feat: add capability to create service credentials in root module (#41)

Author: Soaib024

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-02-07T13:40:16Z",
+  "generated_at": "2023-02-22T09:31:45Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

README.md

@@ -61,6 +61,7 @@ You need the following permissions to run this module.
 | Name | Type |
 |------|------|
 | [ibm_database.postgresql_db](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/database) | resource |
+| [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource |
 
 ## Inputs
 
@@ -83,6 +84,7 @@ You need the following permissions to run this module.
 | <a name="input_region"></a> [region](#input\_region) | The region postgresql is to be created on. The region must support BYOK if key\_protect\_key\_crn is used | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the postgresql will be created | `string` | n/a | yes |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to created resources | `list(string)` | `[]` | no |
+| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | Map of name, role for service credentials that you want to create for the database | `map(string)` | `{}` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Sets the endpoint of the Postgresql instance, valid values are 'public', 'private', or 'public-and-private' | `string` | `"private"` | no |
 
 ## Outputs
@@ -91,6 +93,8 @@ You need the following permissions to run this module.
 |------|-------------|
 | <a name="output_guid"></a> [guid](#output\_guid) | Postgresql instance guid |
 | <a name="output_id"></a> [id](#output\_id) | Postgresql instance id |
+| <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map |
+| <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object |
 | <a name="output_version"></a> [version](#output\_version) | Postgresql instance version |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- BEGIN CONTRIBUTING HOOK -->

examples/complete/README.md

@@ -3,7 +3,7 @@
 An end-to-end example that uses the module's default variable values. This example uses the IBM Cloud terraform provider to:
 
 - Create a new resource group if one is not passed in.
-- Create a new ICD Postgresql database instance and credentials.
+- Create a new ICD Postgresql database instance.
 - Create Key Protect instance with root key.
 - Backend encryption using generated Key Protect key.
 - Create a Sample VPC.

examples/complete/main.tf

@@ -76,14 +76,15 @@ module "cbr_zone" {
 ##############################################################################
 
 module "postgresql_db" {
-  source              = "../../"
-  resource_group_id   = module.resource_group.resource_group_id
-  name                = "${var.prefix}-postgres"
-  region              = var.region
-  service_endpoints   = "private"
-  pg_version          = var.pg_version
-  key_protect_key_crn = module.key_protect_all_inclusive.keys["icd-pg.${var.prefix}-pg"].crn
-  resource_tags       = var.resource_tags
+  source                   = "../../"
+  resource_group_id        = module.resource_group.resource_group_id
+  name                     = "${var.prefix}-postgres"
+  region                   = var.region
+  service_endpoints        = "private"
+  pg_version               = var.pg_version
+  key_protect_key_crn      = module.key_protect_all_inclusive.keys["icd-pg.${var.prefix}-pg"].crn
+  resource_tags            = var.resource_tags
+  service_credential_names = var.service_credential_names
   cbr_rules = [
     {
       description      = "${var.prefix}-postgres access only from vpc"
@@ -103,14 +104,3 @@ module "postgresql_db" {
     }
   ]
 }
-
-##############################################################################
-# Service Credentials
-##############################################################################
-
-resource "ibm_resource_key" "service_credentials" {
-  count                = length(var.service_credentials)
-  name                 = var.service_credentials[count.index]
-  resource_instance_id = module.postgresql_db.id
-  tags                 = var.resource_tags
-}

examples/complete/outputs.tf

@@ -10,3 +10,15 @@ output "version" {
   description = "Postgresql instance version"
   value       = module.postgresql_db.version
 }
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = module.postgresql_db.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "Service credentials object"
+  value       = module.postgresql_db.service_credentials_object
+  sensitive   = true
+}

examples/complete/variables.tf

@@ -34,8 +34,12 @@ variable "pg_version" {
   default     = null
 }
 
-variable "service_credentials" {
-  description = "A list of service credentials that you want to create for the database"
-  type        = list(string)
-  default     = ["postgressql_credential_microservices", "postgressql_credential_dev_1", "postgressql_credential_dev_2"]
+variable "service_credential_names" {
+  description = "Map of name, role for service credentials that you want to create for the database"
+  type        = map(string)
+  default = {
+    "postgressql_credential_microservices" : "Administrator",
+    "postgressql_credential_dev_1" : "Administrator",
+    "postgressql_credential_dev_2" : "Administrator"
+  }
 }

main.tf

@@ -126,3 +126,35 @@ module "cbr_rule" {
     ]
   }]
 }
+
+##############################################################################
+# Service Credentials
+##############################################################################
+
+resource "ibm_resource_key" "service_credentials" {
+  for_each             = var.service_credential_names
+  name                 = each.key
+  role                 = each.value
+  resource_instance_id = ibm_database.postgresql_db.id
+  tags                 = var.resource_tags
+}
+
+locals {
+  # used for output only
+  service_credentials_json = length(var.service_credential_names) > 0 ? {
+    for service_credential in ibm_resource_key.service_credentials :
+    service_credential["name"] => service_credential["credentials_json"]
+  } : null
+
+  service_credentials_object = length(var.service_credential_names) > 0 ? {
+    hostname    = ibm_resource_key.service_credentials[keys(var.service_credential_names)[0]].credentials["connection.postgres.hosts.0.hostname"]
+    certificate = ibm_resource_key.service_credentials[keys(var.service_credential_names)[0]].credentials["connection.postgres.certificate.certificate_base64"]
+    credentials = {
+      for service_credential in ibm_resource_key.service_credentials :
+      service_credential["name"] => {
+        username = service_credential.credentials["connection.postgres.authentication.username"]
+        password = service_credential.credentials["connection.postgres.authentication.password"]
+      }
+    }
+  } : null
+}

module-metadata.json

@@ -8,7 +8,7 @@
       "default": [],
       "pos": {
         "filename": "variables.tf",
-        "line": 126
+        "line": 137
       }
     },
     "auto_scaling": {
@@ -22,7 +22,7 @@
       },
       "pos": {
         "filename": "variables.tf",
-        "line": 153
+        "line": 164
       }
     },
     "backup_crn": {
@@ -43,7 +43,7 @@
       "description": "(Optional) The CRN of a key protect key, that you want to use for encrypting disk that holds deployment backups. If null, will use 'key_protect_key_crn' as encryption key. If 'key_protect_key_crn' is also null database is encrypted by using randomly generated keys.",
       "pos": {
         "filename": "variables.tf",
-        "line": 196
+        "line": 207
       }
     },
     "cbr_rules": {
@@ -60,7 +60,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 207
+        "line": 218
       }
     },
     "configuration": {
@@ -72,7 +72,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 135
+        "line": 146
       }
     },
     "key_protect_key_crn": {
@@ -84,7 +84,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 190
+        "line": 201
       },
       "immutable": true
     },
@@ -125,7 +125,7 @@
       "default": 3,
       "pos": {
         "filename": "variables.tf",
-        "line": 97
+        "line": 108
       }
     },
     "name": {
@@ -208,12 +208,14 @@
       "description": "Optional list of tags to be added to created resources",
       "default": [],
       "source": [
-        "ibm_database.postgresql_db.tags"
+        "ibm_database.postgresql_db.tags",
+        "ibm_resource_key.service_credentials.tags"
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 120
+        "line": 131
       },
+      "cloud_data_type": "tags",
       "min_length": 1,
       "max_length": 128,
       "matches": "^[A-Za-z0-9:_ .-]+$",
@@ -222,6 +224,19 @@
         "type": "TypeString"
       }
     },
+    "service_credential_names": {
+      "name": "service_credential_names",
+      "type": "map(string)",
+      "description": "Map of name, role for service credentials that you want to create for the database",
+      "default": {},
+      "source": [
+        "ibm_resource_key.service_credentials.for_each"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 95
+      }
+    },
     "service_endpoints": {
       "name": "service_endpoints",
       "type": "string",
@@ -232,7 +247,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 110
+        "line": 121
       },
       "options": "public, private, public-and-private"
     }
@@ -257,6 +272,26 @@
         "line": 5
       }
     },
+    "service_credentials_json": {
+      "name": "service_credentials_json",
+      "description": "Service credentials json map",
+      "value": "local.service_credentials_json",
+      "sensitive": true,
+      "pos": {
+        "filename": "outputs.tf",
+        "line": 20
+      }
+    },
+    "service_credentials_object": {
+      "name": "service_credentials_object",
+      "description": "Service credentials object",
+      "value": "local.service_credentials_object",
+      "sensitive": true,
+      "pos": {
+        "filename": "outputs.tf",
+        "line": 26
+      }
+    },
     "version": {
       "name": "version",
       "description": "Postgresql instance version",
@@ -303,6 +338,22 @@
         "filename": "main.tf",
         "line": 12
       }
+    },
+    "ibm_resource_key.service_credentials": {
+      "mode": "managed",
+      "type": "ibm_resource_key",
+      "name": "service_credentials",
+      "attributes": {
+        "for_each": "service_credential_names",
+        "tags": "resource_tags"
+      },
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 134
+      }
     }
   },
   "data_resources": {},

outputs.tf

@@ -16,3 +16,15 @@ output "version" {
   description = "Postgresql instance version"
   value       = ibm_database.postgresql_db.version
 }
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = local.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "Service credentials object"
+  value       = local.service_credentials_object
+  sensitive   = true
+}

variables.tf

@@ -92,6 +92,17 @@ variable "member_cpu_count" {
   }
 }
 
+variable "service_credential_names" {
+  description = "Map of name, role for service credentials that you want to create for the database"
+  type        = map(string)
+  default     = {}
+
+  validation {
+    condition     = alltrue([for name, role in var.service_credential_names : contains(["Administrator", "Operator", "Viewer", "Editor"], role)])
+    error_message = "Valid values for service credential roles are 'Administrator', 'Operator', 'Viewer', and `Editor`"
+  }
+}
+
 # actual scaling of the resources could take some time to apply
 # Members can be scaled up but not down
 variable "members" {