From 901366b49e0aa576eb3734cd0433896e0bd4ed26 Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Thu, 9 Oct 2025 14:39:18 +0530
Subject: [PATCH 1/7] refactor: Update iam_service_id to iam_id
---
 .trivyignore | 2 ++
 .../all-combined/imagepull-apikey-secrets-manager/main.tf | 2 +-
 examples/all-combined/secretsmanager.tf | 2 +-
 examples/basic/main.tf | 2 +-
 solutions/fully-configurable/main.tf | 4 ++--
 5 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 .trivyignore
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..54c4fba
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,2 @@
+# Ignore misconfigurations
+AVD-AZU-0012
\ No newline at end of file
diff --git a/examples/all-combined/imagepull-apikey-secrets-manager/main.tf b/examples/all-combined/imagepull-apikey-secrets-manager/main.tf
index f3b8419..b4e8d26 100644
--- a/examples/all-combined/imagepull-apikey-secrets-manager/main.tf
+++ b/examples/all-combined/imagepull-apikey-secrets-manager/main.tf
@@ -14,7 +14,7 @@ resource "ibm_iam_service_id" "image_secret_pull_service_id" {
 resource "ibm_iam_service_policy" "cr_policy" {
- iam_service_id = ibm_iam_service_id.image_secret_pull_service_id.id
+ iam_id = ibm_iam_service_id.image_secret_pull_service_id.id
 roles = ["Reader"]
 resources {
diff --git a/examples/all-combined/secretsmanager.tf b/examples/all-combined/secretsmanager.tf
index 0685bbb..4b7e421 100644
--- a/examples/all-combined/secretsmanager.tf
+++ b/examples/all-combined/secretsmanager.tf
@@ -72,7 +72,7 @@ resource "ibm_iam_service_id" "secret_puller" {
 # Create policy to allow new service id to pull secrets from secrets manager
 resource "ibm_iam_service_policy" "secret_puller_policy" {
- iam_service_id = ibm_iam_service_id.secret_puller.id
+ iam_id = ibm_iam_service_id.secret_puller.id
 roles = ["Viewer", "SecretsReader"]
 resources {
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 4bbc127..61b576e 100644
--- a/examples/basic/main.tf
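Review bot: The `.trivyignore` hunk suppresses `AVD-AZU-0012` without recording which finding it silences, in which file, or why that finding is acceptable; `# Ignore misconfigurations` only restates what the file is for. An entry in a scanner suppression file should carry its reason and scope so a later reviewer can tell a false positive from an accepted risk, e.g. `# AVD-AZU-0012: <reason> (<path>)`, and since the `AZU` namespace appears to be Trivy's Azure check set, a sentence on why it fires in an IBM Cloud module would help. Patch 3 of this series deletes the file again, so this applies only if the suppression comes back.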
+++ b/examples/basic/main.tf
@@ -290,7 +290,7 @@ resource "ibm_iam_service_id" "secret_puller" {
 # Create policy to allow new service id to pull secrets from secrets manager
 resource "ibm_iam_service_policy" "secret_puller_policy" {
- iam_service_id = ibm_iam_service_id.secret_puller.id
+ iam_id = ibm_iam_service_id.secret_puller.id
 roles = ["Viewer", "SecretsReader"]
 resources {
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 0012682..1f4ab14 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -279,7 +279,7 @@ locals {
 # Create policy to allow new service id to pull secrets from secrets manager
 resource "ibm_iam_service_policy" "cluster_secrets_store_secrets_puller_policy" {
 for_each = local.cluster_secrets_stores_policies_to_create_map
- iam_service_id = each.value.accountServiceID
+ iam_id = each.value.accountServiceID
 roles = ["Viewer", "SecretsReader"]
 resources {
 service = "secrets-manager"
@@ -538,7 +538,7 @@ locals {
 # Create policy to allow new service id to pull secrets from secrets manager
 resource "ibm_iam_service_policy" "secrets_store_secrets_puller_policy" {
 for_each = local.secrets_stores_policies_to_create_map
- iam_service_id = each.value.accountServiceID
+ iam_id = each.value.accountServiceID
 roles = ["Viewer", "SecretsReader"]
 resources {
 service = "secrets-manager"
From 9ecba96288835700d8efc5d4ab0771165e98bba1 Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Thu, 9 Oct 2025 14:59:26 +0530
Subject: [PATCH 2/7] refactor: Update iam_service_id to iam_id
---
 .trivyignore | 2 +-
 .../imagepull-apikey-secrets-manager/main.tf | 2 +-
 examples/all-combined/secretsmanager.tf | 2 +-
 examples/basic/main.tf | 2 +-
 solutions/fully-configurable/main.tf | 12 ++++++------
 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.trivyignore b/.trivyignore
index 54c4fba..5c1001e 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,2 +1,2 @@
 # Ignore misconfigurations
-AVD-AZU-0012
\ No newline at end of file
+AVD-AZU-0012
diff --git a/examples/all-combined/imagepull-apikey-secrets-manager/main.tf b/examples/all-combined/imagepull-apikey-secrets-manager/main.tf
index b4e8d26..609b700 100644
--- a/examples/all-combined/imagepull-apikey-secrets-manager/main.tf
+++ b/examples/all-combined/imagepull-apikey-secrets-manager/main.tf
@@ -15,7 +15,7 @@ resource "ibm_iam_service_policy" "cr_policy" {
 iam_id = ibm_iam_service_id.image_secret_pull_service_id.id
- roles = ["Reader"]
+ roles = ["Reader"]
 resources {
 service = "container-registry"
diff --git a/examples/all-combined/secretsmanager.tf b/examples/all-combined/secretsmanager.tf
index 4b7e421..8f55a84 100644
--- a/examples/all-combined/secretsmanager.tf
+++ b/examples/all-combined/secretsmanager.tf
@@ -73,7 +73,7 @@ resource "ibm_iam_service_id" "secret_puller" {
 # Create policy to allow new service id to pull secrets from secrets manager
 resource "ibm_iam_service_policy" "secret_puller_policy" {
 iam_id = ibm_iam_service_id.secret_puller.id
- roles = ["Viewer", "SecretsReader"]
+ roles = ["Viewer", "SecretsReader"]
 resources {
 service = "secrets-manager"
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 61b576e..94c1ef0 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -291,7 +291,7 @@ resource "ibm_iam_service_id" "secret_puller" {
 # Create policy to allow new service id to pull secrets from secrets manager
 resource "ibm_iam_service_policy" "secret_puller_policy" {
 iam_id = ibm_iam_service_id.secret_puller.id
- roles = ["Viewer", "SecretsReader"]
+ roles = ["Viewer", "SecretsReader"]
 resources {
 service = "secrets-manager"
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 1f4ab14..4ff725f 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -278,9 +278,9 @@ locals {
 # Create policy to allow new service id to pull secrets from secrets manager
 resource "ibm_iam_service_policy" "cluster_secrets_store_secrets_puller_policy" {
- for_each = local.cluster_secrets_stores_policies_to_create_map
- iam_id = each.value.accountServiceID
- roles = ["Viewer", "SecretsReader"]
+ for_each = local.cluster_secrets_stores_policies_to_create_map
+ iam_id = each.value.accountServiceID
+ roles = ["Viewer", "SecretsReader"]
 resources {
 service = "secrets-manager"
 resource_instance_id = local.sm_guid
@@ -537,9 +537,9 @@ locals {
 # Create policy to allow new service id to pull secrets from secrets manager
 resource "ibm_iam_service_policy" "secrets_store_secrets_puller_policy" {
- for_each = local.secrets_stores_policies_to_create_map
- iam_id = each.value.accountServiceID
- roles = ["Viewer", "SecretsReader"]
+ for_each = local.secrets_stores_policies_to_create_map
+ iam_id = each.value.accountServiceID
+ roles = ["Viewer", "SecretsReader"]
 resources {
 service = "secrets-manager"
 resource_instance_id = local.sm_guid
From 6da5508ef39df47d99fbb620bd6352182bc8f52b Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Wed, 26 Nov 2025 18:13:34 +0530
Subject: [PATCH 3/7] fix: Updated value
---
 .trivyignore | 2 --
 .../all-combined/imagepull-apikey-secrets-manager/README.md | 2 +-
 examples/all-combined/imagepull-apikey-secrets-manager/main.tf | 2 +-
 .../all-combined/imagepull-apikey-secrets-manager/version.tf | 2 +-
 examples/all-combined/secretsmanager.tf | 2 +-
 examples/all-combined/version.tf | 2 +-
 examples/basic/main.tf | 2 +-
 examples/basic/version.tf | 2 +-
 solutions/fully-configurable/main.tf | 2 +-
 9 files changed, 8 insertions(+), 10 deletions(-)
 delete mode 100644 .trivyignore
diff --git a/.trivyignore b/.trivyignore
deleted file mode 100644
index 5c1001e..0000000
--- a/.trivyignore
+++ /dev/null
@@ -1,2 +0,0 @@
-# Ignore misconfigurations
-AVD-AZU-0012
diff --git a/examples/all-combined/imagepull-apikey-secrets-manager/README.md b/examples/all-combined/imagepull-apikey-secrets-manager/README.md
index 49e9db4..2231f70 100644
--- a/examples/all-combined/imagepull-apikey-secrets-manager/README.md
+++ b/examples/all-combined/imagepull-apikey-secrets-manager/README.md
@@ -8,7 +8,7 @@ This module generate and store a service ID API key in IBM Cloud Secrets Manager
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= v1.0.0 |
-| [ibm](#requirement\_ibm) | >= 1.51.0, < 2.0.0 |
+| [ibm](#requirement\_ibm) | >= 1.83.0, < 2.0.0 |
 | [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |
 ### Modules
diff --git a/examples/all-combined/imagepull-apikey-secrets-manager/main.tf b/examples/all-combined/imagepull-apikey-secrets-manager/main.tf
index 609b700..067395a 100644
--- a/examples/all-combined/imagepull-apikey-secrets-manager/main.tf
+++ b/examples/all-combined/imagepull-apikey-secrets-manager/main.tf
@@ -14,7 +14,7 @@ resource "ibm_iam_service_id" "image_secret_pull_service_id" {
 resource "ibm_iam_service_policy" "cr_policy" {
- iam_id = ibm_iam_service_id.image_secret_pull_service_id.id
+ iam_id = ibm_iam_service_id.image_secret_pull_service_id.iam_id
 roles = ["Reader"]
 resources {
diff --git a/examples/all-combined/imagepull-apikey-secrets-manager/version.tf b/examples/all-combined/imagepull-apikey-secrets-manager/version.tf
index 4f2be55..4c4e694 100644
--- a/examples/all-combined/imagepull-apikey-secrets-manager/version.tf
+++ b/examples/all-combined/imagepull-apikey-secrets-manager/version.tf
@@ -4,7 +4,7 @@ terraform {
 # Use "greater than or equal to" range in modules
 ibm = {
 source = "IBM-Cloud/ibm"
- version = ">= 1.51.0, < 2.0.0"
+ version = ">= 1.83.0, < 2.0.0"
 }
 time = {
 source = "hashicorp/time"
diff --git a/examples/all-combined/secretsmanager.tf b/examples/all-combined/secretsmanager.tf
index ccfe928..d41dc18 100644
--- a/examples/all-combined/secretsmanager.tf
+++ b/examples/all-combined/secretsmanager.tf
@@ -72,7 +72,7 @@ resource "ibm_iam_service_id" "secret_puller" {
 # Create policy to allow new service id to pull secrets from secrets manager
 resource "ibm_iam_service_policy" "secret_puller_policy" {
- iam_id = ibm_iam_service_id.secret_puller.id
+ iam_id = ibm_iam_service_id.secret_puller.iam_id
 roles = ["Viewer", "SecretsReader"]
 resources {
diff --git a/examples/all-combined/version.tf b/examples/all-combined/version.tf
index 54a785c..de73d88 100644
--- a/examples/all-combined/version.tf
+++ b/examples/all-combined/version.tf
@@ -15,7 +15,7 @@ terraform {
 }
 ibm = {
 source = "IBM-Cloud/ibm"
- version = ">= 1.62.0"
+ version = ">= 1.83.0"
 }
 null = {
 source = "hashicorp/null"
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index d81df74..2da5cf0 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -290,7 +290,7 @@ resource "ibm_iam_service_id" "secret_puller" {
 # Create policy to allow new service id to pull secrets from secrets manager
 resource "ibm_iam_service_policy" "secret_puller_policy" {
- iam_id = ibm_iam_service_id.secret_puller.id
+ iam_id = ibm_iam_service_id.secret_puller.iam_id
 roles = ["Viewer", "SecretsReader"]
 resources {
diff --git a/examples/basic/version.tf b/examples/basic/version.tf
index f3de3ba..169c7b0 100644
--- a/examples/basic/version.tf
+++ b/examples/basic/version.tf
@@ -15,7 +15,7 @@ terraform {
 }
 ibm = {
 source = "IBM-Cloud/ibm"
- version = "= 1.79.2"
+ version = "= 1.83.0"
 }
 null = {
 source = "hashicorp/null"
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 387e8bc..d565359 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -511,7 +511,7 @@ locals {
 for secrets_store_key, secrets_store in var.eso_secretsstores_configuration.secrets_stores :
 secrets_store_key => {
 # if the existing_serviceid_id is null it collects the service id created otherwise will use the existing one
- "accountServiceID" : (secrets_store.existing_serviceid_id == null || secrets_store.existing_serviceid_id == "") ? ibm_iam_service_id.secrets_stores_secret_puller[secrets_store_key].id : secrets_store.existing_serviceid_id
+ "accountServiceID" : (secrets_store.existing_serviceid_id == null || secrets_store.existing_serviceid_id == "") ? ibm_iam_service_id.secrets_stores_secret_puller[secrets_store_key].iam_id : secrets_store.existing_serviceid_id
 "service_secrets_groups_IDs" : local.secrets_stores_service_secrets_groups_fulllist[secrets_store_key]
 }
 })
From 454d8d517fb94109736d4c9826b6d7b04fe9680e Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Wed, 26 Nov 2025 18:19:04 +0530
Subject: [PATCH 4/7] fix: Resolved pipx issue
---
 common-dev-assets | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common-dev-assets b/common-dev-assets
index 37f2eb4..191c3ec 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 37f2eb4d1f5286752b21be52d89e77ae1614570c
+Subproject commit 191c3ec328a8bc402b28104c9ed5249ee5fafab3
From 427f659defd15e885a7c19972b5bf27df1dbcb4e Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Mon, 8 Dec 2025 13:11:34 +0530
Subject: [PATCH 5/7] fix: Updated code
---
 solutions/fully-configurable/main.tf | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index d565359..47ef610 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -177,6 +177,17 @@ module "cluster_secrets_stores_account_secrets_groups" {
 }
 }
+data "ibm_iam_service_id" "existing_serviceid" {
+ for_each = {
+ for k, v in var.eso_secretsstores_configuration.cluster_secrets_stores :
+ k => v
+ if v.existing_serviceid_id != null && v.existing_serviceid_id != ""
+ }
+
+ name = each.value.serviceid_name
+
+}
+
 locals {
 # map of cluster secrets stores account secrets groups enriched with the created secrets groups details
 cluster_secrets_stores_account_secrets_groups = {
@@ -252,7 +263,7 @@ locals {
 for cluster_secrets_store_key, cluster_secrets_store in var.eso_secretsstores_configuration.cluster_secrets_stores :
 cluster_secrets_store_key => {
 # if the existing_serviceid_id is null it collects the service id created otherwise will use the existing one
- "accountServiceID" : (cluster_secrets_store.existing_serviceid_id == null || cluster_secrets_store.existing_serviceid_id == "") ? ibm_iam_service_id.cluster_secrets_stores_secret_puller[cluster_secrets_store_key].id : cluster_secrets_store.existing_serviceid_id
+ "accountServiceID" : (cluster_secrets_store.existing_serviceid_id == null || cluster_secrets_store.existing_serviceid_id == "") ? ibm_iam_service_id.cluster_secrets_stores_secret_puller[cluster_secrets_store_key].iam_id : data.ibm_iam_service_id.existing_serviceid[cluster_secrets_store_key].iam_id
 "service_secrets_groups_IDs" : local.cluster_secrets_stores_service_secrets_groups_fulllist[cluster_secrets_store_key]
 }
 })
From 0363f92cd53ff6eabff076ad3103c191e45a2618 Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Mon, 8 Dec 2025 13:24:59 +0530
Subject: [PATCH 6/7] updated code
---
 solutions/fully-configurable/main.tf | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 47ef610..1c4228b 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
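Review bot: The new `data "ibm_iam_service_id" "existing_serviceid"` block resolves the existing identity by `each.value.serviceid_name`, while both its `for_each` filter and the `accountServiceID` consumer in the second hunk key off `existing_serviceid_id`, so the ID the caller actually supplied never takes part in the lookup; service ID names are not guaranteed unique in an account, and a name collision would attach the `Viewer`/`SecretsReader` policy created further down this file to a different principal than the one whose ID was given. The result should be tied back to the supplied ID: if the data source returns its matches as a `service_ids` list (verify against the 1.83.0 provider this series pins), pick the single entry whose `id` equals the given ID, e.g. `one([for s in data.ibm_iam_service_id.existing_serviceid[cluster_secrets_store_key].service_ids : s.iam_id if s.id == cluster_secrets_store.existing_serviceid_id])`, and make the plan fail (precondition or validation) when nothing matches instead of proceeding with a null `iam_id`. I could not confirm from this diff that the data source exposes a top-level `.iam_id` as `data.ibm_iam_service_id.existing_serviceid[cluster_secrets_store_key].iam_id` assumes, nor that `serviceid_name` is required whenever `existing_serviceid_id` is set, since the variable schema lies outside the patch; the `locals` block of the second hunk also continues beyond it. The same pattern is repeated for `secrets_stores` in patches 6 and 7 (`existing_serviceid_secrets`), so whatever is decided here applies there too.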
@@ -186,6 +186,16 @@ data "ibm_iam_service_id" "existing_serviceid" {
 name = each.value.serviceid_name
+}
+data "ibm_iam_service_id" "existing_serviceid" {
+ for_each = {
+ for k, v in var.eso_secretsstores_configuration.secrets_stores :
+ k => v
+ if v.existing_serviceid_id != null && v.existing_serviceid_id != ""
+ }
+
+ name = each.value.serviceid_name
+
 }
 locals {
@@ -522,7 +532,7 @@ locals {
 for secrets_store_key, secrets_store in var.eso_secretsstores_configuration.secrets_stores :
 secrets_store_key => {
 # if the existing_serviceid_id is null it collects the service id created otherwise will use the existing one
- "accountServiceID" : (secrets_store.existing_serviceid_id == null || secrets_store.existing_serviceid_id == "") ? ibm_iam_service_id.secrets_stores_secret_puller[secrets_store_key].iam_id : secrets_store.existing_serviceid_id
+ "accountServiceID" : (secrets_store.existing_serviceid_id == null || secrets_store.existing_serviceid_id == "") ? ibm_iam_service_id.secrets_stores_secret_puller[secrets_store_key].iam_id : data.ibm_iam_service_id.existing_serviceid[secrets_store_key].iam_id
 "service_secrets_groups_IDs" : local.secrets_stores_service_secrets_groups_fulllist[secrets_store_key]
 }
 })
From 33cdb9e7ed014cb87e33757cae97ca53f6a2558d Mon Sep 17 00:00:00 2001
From: Arya Girish K
Date: Mon, 8 Dec 2025 13:49:42 +0530
Subject: [PATCH 7/7] fix: update code
---
 solutions/fully-configurable/main.tf | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 1c4228b..2d6329a 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -176,7 +176,7 @@ module "cluster_secrets_stores_account_secrets_groups" {
 ibm = ibm.ibm-sm
 }
 }
-
+#data lookup for iam id
 data "ibm_iam_service_id" "existing_serviceid" {
 for_each = {
 for k, v in var.eso_secretsstores_configuration.cluster_secrets_stores :
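Review bot: In the first hunk of patch 7 the blank line between the closing `}` of `module "cluster_secrets_stores_account_secrets_groups"` and the data block is replaced by `#data lookup for iam id`, and the same comment is reused verbatim for the second data source in the next hunk, so the two comments neither follow the file's `# ` comment style nor tell the blocks apart. Keep the blank line between top-level blocks and give each lookup a comment that names what it resolves, e.g. `# Look up the IAM ID of each existing service ID referenced by cluster_secrets_stores` here and `# Look up the IAM ID of each existing service ID referenced by secrets_stores` on `existing_serviceid_secrets`.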
@@ -187,7 +187,9 @@ data "ibm_iam_service_id" "existing_serviceid" {
 name = each.value.serviceid_name
 }
-data "ibm_iam_service_id" "existing_serviceid" {
+
+#data lookup for iam id
+data "ibm_iam_service_id" "existing_serviceid_secrets" {
 for_each = {
 for k, v in var.eso_secretsstores_configuration.secrets_stores :
 k => v
@@ -532,7 +534,7 @@ locals {
 for secrets_store_key, secrets_store in var.eso_secretsstores_configuration.secrets_stores :
 secrets_store_key => {
 # if the existing_serviceid_id is null it collects the service id created otherwise will use the existing one
- "accountServiceID" : (secrets_store.existing_serviceid_id == null || secrets_store.existing_serviceid_id == "") ? ibm_iam_service_id.secrets_stores_secret_puller[secrets_store_key].iam_id : data.ibm_iam_service_id.existing_serviceid[secrets_store_key].iam_id
+ "accountServiceID" : (secrets_store.existing_serviceid_id == null || secrets_store.existing_serviceid_id == "") ? ibm_iam_service_id.secrets_stores_secret_puller[secrets_store_key].iam_id : data.ibm_iam_service_id.existing_serviceid_secrets[secrets_store_key].iam_id
 "service_secrets_groups_IDs" : local.secrets_stores_service_secrets_groups_fulllist[secrets_store_key]
 }
 })