
Commit c9def23

feat: add rotatable iam secrets creation (beta) (#489)
1 parent 468fd81 commit c9def23


12 files changed

+238
-71
lines changed


README.md

Lines changed: 6 additions & 2 deletions
@@ -548,6 +548,7 @@ statement instead the previous block.
548548
| <a name="input_repo_group"></a> [repo\_group](#input\_repo\_group) | Specify the Git user or group for your application. This must be set if the repository authentication type is `pat` (personal access token). | `string` | `""` | no |
549549
| <a name="input_repo_secret_group"></a> [repo\_secret\_group](#input\_repo\_secret\_group) | Secret group in Secrets Manager that contains the secret for the repository. This variable will set the same secret group for all the repositories. Can be overriden on a per secret group basis. Only applies when using Secrets Manager. | `string` | `""` | no |
550550
| <a name="input_repositories_prefix"></a> [repositories\_prefix](#input\_repositories\_prefix) | Prefix name for the cloned compliance repos. For the repositories\_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters. | `string` | `"compliance"` | no |
551+
| <a name="input_rotation_period"></a> [rotation\_period](#input\_rotation\_period) | The number of days until the `ibmcloud-api-key` and the `cos-api-key` are auto rotated. | `number` | `90` | no |
551552
| <a name="input_sample_default_application"></a> [sample\_default\_application](#input\_sample\_default\_application) | The name of the sample application repository. The repository source URL is automatically computed based on the toolchain region. The other currently supported name is `code-engine-compliance-app`. Alternatively an integration can be created that can link to or clone from an existing repository. See `app_repo_existing_url` and `app_repo_clone_from_url` to override the sample application default behavior. | `string` | `"hello-compliance-app"` | no |
552553
| <a name="input_scc_attachment_id"></a> [scc\_attachment\_id](#input\_scc\_attachment\_id) | An attachment ID. An attachment is configured under a profile to define how a scan will be run. To find the attachment ID, in the browser, in the attachments list, click on the attachment link, and a panel appears with a button to copy the attachment ID. This parameter is only relevant when the `scc_use_profile_attachment` parameter is enabled. | `string` | `""` | no |
553554
| <a name="input_scc_enable_scc"></a> [scc\_enable\_scc](#input\_scc\_enable\_scc) | Adds the SCC tool integration to the toolchain. | `string` | `"true"` | no |
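Review bot: the new `rotation_period` row (line 551) documents the variable as type `number` with default `90`, but the `ibm_catalog.json` entries added in this same commit declare it as `"type": "string"` with `"default_value": "90"`; pick one type (number, since it is a count of days) and align the catalog so the catalog form and the Terraform variable agree. The description should also say what a value of `0` or an empty value means (rotation disabled, or rejected at plan time), since this setting decides how long the `ibmcloud-api-key` and `cos-api-key` remain valid.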
@@ -558,6 +559,8 @@ statement instead the previous block.
558559
| <a name="input_scc_scc_api_key_secret_group"></a> [scc\_scc\_api\_key\_secret\_group](#input\_scc\_scc\_api\_key\_secret\_group) | Secret group for the Security and Compliance tool secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
559560
| <a name="input_scc_scc_api_key_secret_name"></a> [scc\_scc\_api\_key\_secret\_name](#input\_scc\_scc\_api\_key\_secret\_name) | The name of the Security and Compliance Center api-key secret in the secret provider. | `string` | `"scc-api-key"` | no |
560561
| <a name="input_scc_use_profile_attachment"></a> [scc\_use\_profile\_attachment](#input\_scc\_use\_profile\_attachment) | Set to `enabled` to enable use profile with attachment, so that the scripts in the pipeline can interact with the Security and Compliance Center service. When enabled, other parameters become relevant; `scc_scc_api_key_secret_name`, `scc_instance_crn`, `scc_profile_name`, `scc_profile_version`, `scc_attachment_id`. Can individually be `enabled` and `disabled` in the CD and CC toolchains using `cd_scc_use_profile_attachment` and `cc_scc_use_profile_attachment`. | `string` | `"disabled"` | no |
562+
| <a name="input_service_name_cos"></a> [service\_name\_cos](#input\_service\_name\_cos) | The name of the Service ID for COS access. | `string` | `"cos-service-id"` | no |
563+
| <a name="input_service_name_pipeline"></a> [service\_name\_pipeline](#input\_service\_name\_pipeline) | The name of the Service ID for pipeline and toolchain access. | `string` | `"toolchain-pipeline-service-id"` | no |
561564
| <a name="input_slack_channel_name"></a> [slack\_channel\_name](#input\_slack\_channel\_name) | The name of the Slack channel where notifications are posted. This applies to the CI, CD, and CC toolchains. To set independently see `ci_slack_channel_name`, `cd_slack_channel_name`, and `cc_slack_channel_name`. | `string` | `""` | no |
562565
| <a name="input_slack_integration_name"></a> [slack\_integration\_name](#input\_slack\_integration\_name) | The name of the Slack integration. | `string` | `"slack-compliance"` | no |
563566
| <a name="input_slack_team_name"></a> [slack\_team\_name](#input\_slack\_team\_name) | The Slack team name, which is the word or phrase before `.slack.com` in the team URL. This applies to the CI, CD, and CC toolchains. To set independently, see `ci_slack_team_name`, `cd_slack_team_name`, and `cc_slack_team_name`. | `string` | `""` | no |
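Review bot: the `service_name_cos` and `service_name_pipeline` descriptions (lines 562 and 563) name the Service IDs that `main.tf` now hands to the `prereqs` module, but do not say whether an existing Service ID with that name is reused or a second one created, and the fixed defaults `cos-service-id` and `toolchain-pipeline-service-id` will collide when two toolchain stacks are deployed into one account; suggest documenting the create-or-reuse behaviour and recommending (or deriving) a per-toolchain suffix.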
@@ -568,7 +571,7 @@ statement instead the previous block.
568571
| <a name="input_sm_instance_crn"></a> [sm\_instance\_crn](#input\_sm\_instance\_crn) | The CRN of the Secrets Manager instance. Will apply to CI, CD and CC toolchains unless set individually. Setting up the Secrets Manager integration using a CRN takes precendence over the non CRN setup. | `string` | `""` | no |
569572
| <a name="input_sm_integration_name"></a> [sm\_integration\_name](#input\_sm\_integration\_name) | The name of the Secrets Manager integration. | `string` | `"sm-compliance-secrets"` | no |
570573
| <a name="input_sm_location"></a> [sm\_location](#input\_sm\_location) | The region hosting the Secrets Manager instance. This applies to the CI, CD and CC Secret Manager integrations. | `string` | `"us-south"` | no |
571-
| <a name="input_sm_name"></a> [sm\_name](#input\_sm\_name) | The name of an existing Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_name`, `cd_sm_name`, and `cc_sm_name` to set these values independently. | `string` | `"sm-instance"` | no |
574+
| <a name="input_sm_name"></a> [sm\_name](#input\_sm\_name) | The name of an existing Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations. | `string` | `"sm-instance"` | no |
572575
| <a name="input_sm_resource_group"></a> [sm\_resource\_group](#input\_sm\_resource\_group) | The name of the existing resource group containing the Secrets Manager instance for your secrets.. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_resource_group`, `cd_sm_resource_group`, and `cc_sm_resource_group` to set these values independently. | `string` | `"Default"` | no |
573576
| <a name="input_sm_secret_expiration_period"></a> [sm\_secret\_expiration\_period](#input\_sm\_secret\_expiration\_period) | The number of days until the secrets expire. Leave empty to not set an expiration for the created secrets. | `string` | `""` | no |
574577
| <a name="input_sm_secret_group"></a> [sm\_secret\_group](#input\_sm\_secret\_group) | The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_secret_group`, `cd_sm_secret_group`, and `cc_sm_secret_group` to set these values independently. | `string` | `"Default"` | no |
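Review bot: line 574 drops the `ci_sm_name`/`cd_sm_name`/`cc_sm_name` override sentence from `sm_name`, yet the unchanged `sm_resource_group` and `sm_secret_group` rows (lines 575 and 577) still advertise their per-toolchain overrides in this README while the `ibm_catalog.json` hunks in the same commit strip them from all three; if the overrides are being retired, these two rows need the same edit, and if only the wording is being trimmed the commit message should say which. This table looks like terraform-docs output, so the change must be made in the variable description in `variables.tf` or it will be regenerated away.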
@@ -579,9 +582,10 @@ statement instead the previous block.
579582
| <a name="input_sonarqube_secret_name"></a> [sonarqube\_secret\_name](#input\_sonarqube\_secret\_name) | The name of the SonarQube secret in the secrets provider. | `string` | `"sonarqube-secret"` | no |
580583
| <a name="input_sonarqube_server_url"></a> [sonarqube\_server\_url](#input\_sonarqube\_server\_url) | The URL to the SonarQube server. | `string` | `""` | no |
581584
| <a name="input_sonarqube_user"></a> [sonarqube\_user](#input\_sonarqube\_user) | The name of the SonarQube user. | `string` | `""` | no |
585+
| <a name="input_target_deployment"></a> [target\_deployment](#input\_target\_deployment) | The target deployment ,`kubernetes` or `code-engine` to create the relevant access policy. | `string` | `"kubernetes"` | no |
582586
| <a name="input_toolchain_name"></a> [toolchain\_name](#input\_toolchain\_name) | This variable specifies the root name for the CI, CD and CC toolchain names. A fixed suffix will automatically be appended. Setting `DevSecOps` will generate toolchains with the names `DevSecOps-CI-Toolchain`, `DevSecOps-CD-Toolchain` and `DevSecOps-CC-Toolchain`. The full name of each toolchain can be set independently using `ci_toolchain_name`, `cd_toolchain_name`, and `cc_toolchain_name`. | `string` | `"DevSecOps"` | no |
583587
| <a name="input_toolchain_region"></a> [toolchain\_region](#input\_toolchain\_region) | The region identifier that will be used, by default, for all resource creation and service instance lookup. | `string` | `"us-south"` | no |
584-
| <a name="input_toolchain_resource_group"></a> [toolchain\_resource\_group](#input\_toolchain\_resource\_group) | The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis. See `ci_toolchain_resource_group`,`cd_toolchain_resource_group`,`cc_toolchain_resource_group`, `ci_cluster_resource_group`. | `string` | `"Default"` | no |
588+
| <a name="input_toolchain_resource_group"></a> [toolchain\_resource\_group](#input\_toolchain\_resource\_group) | The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis. | `string` | `"Default"` | no |
585589
| <a name="input_use_app_repo_for_cd_deploy"></a> [use\_app\_repo\_for\_cd\_deploy](#input\_use\_app\_repo\_for\_cd\_deploy) | Set to `true` to use the CI sample application repository as the deployment repository in the CD pipeline. This will be set in the pipeline config integration. | `bool` | `false` | no |
586590

587591
### Outputs
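Review bot: the `target_deployment` description (line 585) has a misplaced comma (`deployment ,\`kubernetes\``), and since the value selects which access policy is created, the variable should carry a `validation` block restricting it to `kubernetes` and `code-engine` so a typo fails at plan time instead of silently producing no policy or the wrong one. Line 588 also removes the `ci_toolchain_resource_group`/`cd_toolchain_resource_group`/`cc_toolchain_resource_group`/`ci_cluster_resource_group` list from `toolchain_resource_group`; confirm those overrides still exist and, if they do, keep the pointer.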

ibm_catalog.json

Lines changed: 23 additions & 9 deletions
@@ -110,7 +110,7 @@
110110
"features": [
111111
{
112112
"title": "Application",
113-
"description": "Deploy a sample application to Kubernetes using DevSecOps best practices."
113+
"description": "Deploy a sample application to Code Engine using DevSecOps best practices."
114114
}
115115
],
116116
"diagrams": [
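Review bot: line 113 changes the feature text from Kubernetes to Code Engine, but the `target_deployment` variable introduced elsewhere in this commit defaults to `kubernetes`; either this `features` block belongs to a Code Engine-specific flavor (then fine, say so in the commit message) or the wording should cover both targets, e.g. "Deploy a sample application to Kubernetes or Code Engine using DevSecOps best practices."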
@@ -159,7 +159,7 @@
159159
"key": "toolchain_resource_group",
160160
"type": "string",
161161
"default_value": "Default",
162-
"description": "The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis. See `ci_toolchain_resource_group`,`cd_toolchain_resource_group`,`cc_toolchain_resource_group`, `ci_cluster_resource_group`.",
162+
"description": "The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis.",
163163
"required": true
164164
},
165165
{
@@ -215,21 +215,21 @@
215215
"key": "sm_name",
216216
"type": "string",
217217
"default_value": "Secrets Manager",
218-
"description": "The name of an existing Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_name`, `cd_sm_name`, and `cc_sm_name` to set these values independently. ",
218+
"description": "The name of an existing Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations.",
219219
"required": true
220220
},
221221
{
222222
"key": "sm_resource_group",
223223
"type": "string",
224224
"default_value": "Default",
225-
"description": "The name of the existing resource group containing the Secrets Manager instance for your secrets.. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_resource_group`, `cd_sm_resource_group`, and `cc_sm_resource_group` to set these values independently.",
225+
"description": "The name of the existing resource group containing the Secrets Manager instance for your secrets.. This applies to the CI, CD and CC Secret Manager integrations.",
226226
"required": true
227227
},
228228
{
229229
"key": "sm_secret_group",
230230
"type": "string",
231231
"default_value": "Default",
232-
"description": "The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_secret_group`, `cd_sm_secret_group`, and `cc_sm_secret_group` to set these values independently.",
232+
"description": "The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. This applies to the CI, CD and CC Secret Manager integrations.",
233233
"required": true
234234
},
235235
{
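Review bot: line 225 rewrites the `sm_resource_group` description and keeps the double period in `your secrets..`; fix it here since the line is already being touched. Separately, line 217's `"default_value": "Secrets Manager"` for `sm_name` differs from the README default `"sm-instance"` for the same variable (README.md line 574); that mismatch predates this commit but is worth reconciling while the descriptions are being aligned.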
@@ -1507,6 +1507,13 @@
15071507
"description": "Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters.",
15081508
"required": false
15091509
},
1510+
{
1511+
"key": "rotation_period",
1512+
"type": "string",
1513+
"default_value": "90",
1514+
"description": "The number of days until the `ibmcloud-api-key` and the `cos-api-key` are auto rotated.",
1515+
"required": false
1516+
},
15101517
{
15111518
"key": "sample_default_application",
15121519
"type": "string",
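Review bot: the new `rotation_period` entry (lines 1510-1516) declares `"type": "string"` and `"default_value": "90"`, while README.md in this commit documents the same variable as `number` with default `90`; since it is a count of days, use `"type": "number"` with a numeric default so the catalog form validates it and `main.tf` can pass it to `prereqs` without conversion. The description should also state the accepted range (a positive integer) so that a 0, negative or non-numeric value is rejected rather than producing keys that never rotate.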
@@ -1941,7 +1948,7 @@
19411948
"key": "toolchain_resource_group",
19421949
"type": "string",
19431950
"default_value": "Default",
1944-
"description": "The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis. See `ci_toolchain_resource_group`,`cd_toolchain_resource_group`,`cc_toolchain_resource_group`, `ci_cluster_resource_group`.",
1951+
"description": "The resource group that will be used, by default, for all resource creation and service instance lookups. This can be overridden on a per resource/service basis.",
19451952
"required": true
19461953
},
19471954
{
@@ -1990,21 +1997,21 @@
19901997
"key": "sm_name",
19911998
"type": "string",
19921999
"default_value": "Secrets Manager",
1993-
"description": "The name of an existing Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_name`, `cd_sm_name`, and `cc_sm_name` to set these values independently. ",
2000+
"description": "The name of an existing Secret Managers instance. This applies to the CI, CD and CC Secret Manager integrations.",
19942001
"required": true
19952002
},
19962003
{
19972004
"key": "sm_resource_group",
19982005
"type": "string",
19992006
"default_value": "Default",
2000-
"description": "The name of the existing resource group containing the Secrets Manager instance for your secrets.. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_resource_group`, `cd_sm_resource_group`, and `cc_sm_resource_group` to set these values independently.",
2007+
"description": "The name of the existing resource group containing the Secrets Manager instance for your secrets.. This applies to the CI, CD and CC Secret Manager integrations.",
20012008
"required": true
20022009
},
20032010
{
20042011
"key": "sm_secret_group",
20052012
"type": "string",
20062013
"default_value": "Default",
2007-
"description": "The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. This applies to the CI, CD and CC Secret Manager integrations. See `ci_sm_secret_group`, `cd_sm_secret_group`, and `cc_sm_secret_group` to set these values independently.",
2014+
"description": "The Secrets Manager secret group containing the secrets for the DevSecOps pipelines. This applies to the CI, CD and CC Secret Manager integrations.",
20082015
"required": true
20092016
},
20102017
{
@@ -3282,6 +3289,13 @@
32823289
"description": "Prefix name for the cloned compliance repos. For the repositories_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters.",
32833290
"required": false
32843291
},
3292+
{
3293+
"key": "rotation_period",
3294+
"type": "string",
3295+
"default_value": "90",
3296+
"description": "The number of days until the `ibmcloud-api-key` and the `cos-api-key` are auto rotated.",
3297+
"required": false
3298+
},
32853299
{
32863300
"key": "sample_default_application",
32873301
"type": "string",
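Review bot: lines 3292-3298 repeat the `rotation_period` block verbatim for the second flavor, so the string-versus-number type mismatch with README.md applies here as well; after fixing the type, keep both flavors identical, otherwise the two catalog entries will drift.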

main.tf

Lines changed: 4 additions & 0 deletions
@@ -233,6 +233,8 @@ module "prereqs" {
233233
create_cos_api_key = var.create_cos_api_key
234234
create_signing_key = var.create_signing_key
235235
create_signing_certificate = var.create_signing_certificate
236+
service_name_pipeline = var.service_name_pipeline
237+
service_name_cos = var.service_name_cos
236238
sm_name = var.sm_name
237239
sm_location = var.sm_location
238240
sm_secret_group_name = var.sm_secret_group
@@ -242,9 +244,11 @@ module "prereqs" {
242244
iam_api_key_secret_name = var.pipeline_ibmcloud_api_key_secret_name
243245
signing_key_secret_name = var.ci_signing_key_secret_name
244246
signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name
247+
rotation_period = var.rotation_period
245248
sm_secret_expiration_period = var.sm_secret_expiration_period
246249
sm_exists = var.enable_secrets_manager
247250
sm_endpoint_type = var.sm_endpoint_type
251+
target_deployment = var.target_deployment
248252
}
249253

250254
module "devsecops_ci_toolchain" {
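Review bot: `rotation_period = var.rotation_period` (line 247) and `target_deployment = var.target_deployment` (line 251) are passed straight into `prereqs`, but nothing in this commit shows validation of either; since `target_deployment` selects which access policy is created and `rotation_period` governs how long the `ibmcloud-api-key` and `cos-api-key` stay valid, add a `validation` block on each in `variables.tf` (allowed values `kubernetes`/`code-engine`; positive integer number of days). Also, `target_deployment` lands after `sm_endpoint_type`, away from the other deployment-related inputs added at lines 236-237; group it with `service_name_pipeline` and `service_name_cos` for readability.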
