feat: added support to enable Secrets Manager integration using new input enable_secrets_manager_integration so you can centrally manage Ingress subdomain certificates and other secrets (#672)

Author: vkuma17

README.md

@@ -388,6 +388,21 @@
             },
             {
               "key": "cbr_rules"
+            },
+            {
+              "key": "enable_secrets_manager_integration"
+            },
+            {
+              "key": "existing_secrets_manager_instance_crn"
+            },
+            {
+              "key": "secrets_manager_secret_group_id"
+            },
+            {
+              "key": "secrets_manager_endpoint_type"
+            },
+            {
+              "key": "skip_ocp_secrets_manager_iam_auth_policy"
             }
           ],
           "dependencies": [
@@ -561,14 +576,22 @@
                   "reference_version": true
                 },
                 {
-                  "dependency_input": "resource_group_name",
-                  "version_input": "existing_resource_group_name",
+                  "dependency_input": "secrets_manager_endpoint_type",
+                  "version_input": "secrets_manager_endpoint_type",
                   "reference_version": true
                 },
                 {
                   "dependency_input": "use_existing_resource_group",
                   "value": true,
                   "reference_version": true
+                },
+                {
+                  "dependency_output": "secrets_manager_crn",
+                  "version_input": "existing_secrets_manager_instance_crn"
+                },
+                {
+                  "version_input": "enable_secrets_manager_integration",
+                  "value": true
                 }
               ]
             }

ibm_catalog.json

@@ -719,3 +719,40 @@ module "cbr_rule" {
   }]
   operations = var.cbr_rules[count.index].operations == null ? local.default_operations : var.cbr_rules[count.index].operations
 }
+
+##############################################################
+# Ingress Secrets Manager Integration
+##############################################################
+
+module "existing_secrets_manager_instance_parser" {
+  count   = var.enable_secrets_manager_integration ? 1 : 0
+  source  = "terraform-ibm-modules/common-utilities/ibm//modules/crn-parser"
+  version = "1.1.0"
+  crn     = var.existing_secrets_manager_instance_crn
+}
+
+resource "ibm_iam_authorization_policy" "ocp_secrets_manager_iam_auth_policy" {
+  count                       = var.enable_secrets_manager_integration && !var.skip_ocp_secrets_manager_iam_auth_policy ? 1 : 0
+  depends_on                  = [ibm_container_vpc_cluster.cluster, ibm_container_vpc_cluster.autoscaling_cluster, ibm_container_vpc_worker_pool.pool, ibm_container_vpc_worker_pool.autoscaling_pool]
+  source_service_name         = "containers-kubernetes"
+  source_resource_instance_id = local.cluster_id
+  target_service_name         = "secrets-manager"
+  target_resource_instance_id = module.existing_secrets_manager_instance_parser[0].service_instance
+  roles                       = ["Manager"]
+}
+
+resource "time_sleep" "wait_for_auth_policy" {
+  count           = var.enable_secrets_manager_integration ? 1 : 0
+  depends_on      = [ibm_iam_authorization_policy.ocp_secrets_manager_iam_auth_policy[0]]
+  create_duration = "30s"
+}
+
+
+resource "ibm_container_ingress_instance" "instance" {
+  count           = var.enable_secrets_manager_integration ? 1 : 0
+  depends_on      = [time_sleep.wait_for_auth_policy]
+  cluster         = var.cluster_name
+  instance_crn    = var.existing_secrets_manager_instance_crn
+  is_default      = true
+  secret_group_id = var.secrets_manager_secret_group_id
+}

main.tf

@@ -3,19 +3,19 @@
 ##############################################################################
 
 output "cluster_id" {
-  description = "ID of cluster created"
+  description = "ID of the cluster"
   value       = var.ignore_worker_pool_size_changes ? ibm_container_vpc_cluster.autoscaling_cluster[0].id : ibm_container_vpc_cluster.cluster[0].id
   depends_on  = [null_resource.confirm_network_healthy]
 }
 
 output "cluster_name" {
-  description = "Name of the created cluster"
+  description = "Name of the cluster"
   value       = var.ignore_worker_pool_size_changes ? ibm_container_vpc_cluster.autoscaling_cluster[0].name : ibm_container_vpc_cluster.cluster[0].name
   depends_on  = [null_resource.confirm_network_healthy]
 }
 
 output "cluster_crn" {
-  description = "CRN for the created cluster"
+  description = "CRN of the cluster"
   value       = var.ignore_worker_pool_size_changes ? ibm_container_vpc_cluster.autoscaling_cluster[0].crn : ibm_container_vpc_cluster.cluster[0].crn
   depends_on  = [null_resource.confirm_network_healthy]
 }
@@ -41,7 +41,7 @@ output "vpc_id" {
 }
 
 output "region" {
-  description = "Region cluster is deployed in"
+  description = "Region that the cluster is deployed to"
   value       = var.region
 }
 
@@ -104,3 +104,8 @@ output "registry_vpe" {
   description = "Info about the registry VPE, if it exists. For more info about schema, see https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_virtual_endpoint_gateway"
   value       = local.registry_vpe_id
 }
+
+output "secrets_manager_integration_config" {
+  description = "Information about the Secrets Manager instance that is used to store the Ingress certificates."
+  value       = var.enable_secrets_manager_integration ? ibm_container_ingress_instance.instance[0] : null
+}