feat: create service credentials

Author: dishankkalra23

README.md

@@ -124,6 +124,7 @@ You need the following permissions to run this module.
 | [ibm_event_streams_schema.es_schema](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/event_streams_schema) | resource |
 | [ibm_event_streams_topic.es_topic](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/event_streams_topic) | resource |
 | [ibm_resource_instance.es_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
+| [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource |
 
 ### Inputs
 
@@ -138,6 +139,7 @@ You need the following permissions to run this module.
 | <a name="input_region"></a> [region](#input\_region) | The region where the Event Streams are created. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes |
 | <a name="input_schemas"></a> [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. | <pre>list(object(<br/>    {<br/>      schema_id = string<br/>      schema = object({<br/>        type = string<br/>        name = string<br/>        fields = optional(list(object({<br/>          name = string<br/>          type = string<br/>        })))<br/>      })<br/>    }<br/>  ))</pre> | `[]` | no |
+| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event Notifications streams. | `map(string)` | `{}` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of service endpoints. Possible values: 'public', 'private', 'public-and-private'. | `string` | `"public"` | no |
 | <a name="input_storage_size"></a> [storage\_size](#input\_storage\_size) | Storage size of the Event Streams in GB. Applies only to Enterprise plan instances. Possible values: `2048`, `4096`, `6144`, `8192`, `10240`, `12288`. Storage capacity cannot be reduced after the instance is created. When the `throughput` input variable is set to `300`, storage size starts at 4096. When `throughput` is `450`, storage size starts starts at `6144`. | `number` | `"2048"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | The list of tags associated with the Event Steams instance. | `list(string)` | `[]` | no |
@@ -155,6 +157,8 @@ You need the following permissions to run this module.
 | <a name="output_kafka_broker_version"></a> [kafka\_broker\_version](#output\_kafka\_broker\_version) | The Kafka version |
 | <a name="output_kafka_brokers_sasl"></a> [kafka\_brokers\_sasl](#output\_kafka\_brokers\_sasl) | (Array of Strings) Kafka brokers use for interacting with Kafka native API |
 | <a name="output_kafka_http_url"></a> [kafka\_http\_url](#output\_kafka\_http\_url) | The API endpoint to interact with Event Streams REST API |
+| <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | The service credentials JSON map. |
+| <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | The service credentials object. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- BEGIN CONTRIBUTING HOOK -->
 

examples/complete/main.tf

@@ -54,12 +54,13 @@ module "cbr_zone" {
 ##############################################################################
 
 module "event_streams" {
-  source            = "../../"
-  resource_group_id = module.resource_group.resource_group_id
-  es_name           = "${var.prefix}-es"
-  schemas           = var.schemas
-  tags              = var.resource_tags
-  topics            = var.topics
+  source                   = "../../"
+  resource_group_id        = module.resource_group.resource_group_id
+  es_name                  = "${var.prefix}-es"
+  schemas                  = var.schemas
+  tags                     = var.resource_tags
+  topics                   = var.topics
+  service_credential_names = var.service_credential_names
   cbr_rules = [
     {
       description      = "${var.prefix}-event stream access only from vpc"

examples/complete/outputs.tf

@@ -35,3 +35,15 @@ output "kafka_broker_version" {
   description = "The Kafka version"
   value       = module.event_streams.kafka_broker_version
 }
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = module.event_streams.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "Service credentials object"
+  value       = module.event_streams.service_credentials_object
+  sensitive   = true
+}

examples/complete/variables.tf

@@ -99,3 +99,14 @@ variable "topics" {
     }
   ]
 }
+
+variable "service_credential_names" {
+  description = "Map of name, role for service credentials that you want to create for the event streams"
+  type        = map(string)
+  default = {
+    "en_writer" : "Writer",
+    "en_reader" : "Reader",
+    "en_manager" : "Manager",
+    "en_none" : "None"
+  }
+}

main.tf

@@ -90,3 +90,24 @@ module "cbr_rule" {
     ]
   }]
 }
+
+resource "ibm_resource_key" "service_credentials" {
+  for_each             = var.service_credential_names
+  name                 = each.key
+  role                 = each.value
+  resource_instance_id = ibm_resource_instance.es_instance.id
+}
+
+locals {
+  service_credentials_json = length(var.service_credential_names) > 0 ? {
+    for service_credential in ibm_resource_key.service_credentials :
+    service_credential["name"] => service_credential["credentials_json"]
+  } : null
+
+  service_credentials_object = length(var.service_credential_names) > 0 ? {
+    credentials = {
+      for service_credential in ibm_resource_key.service_credentials :
+      service_credential["name"] => service_credential["credentials"]
+    }
+  } : null
+}

outputs.tf

@@ -31,3 +31,15 @@ output "kafka_broker_version" {
   description = "The Kafka version"
   value       = ibm_resource_instance.es_instance.extensions.kafka_broker_version
 }
+
+output "service_credentials_json" {
+  description = "The service credentials JSON map."
+  value       = local.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "The service credentials object."
+  value       = local.service_credentials_object
+  sensitive   = true
+}

variables.tf

@@ -156,3 +156,14 @@ variable "cbr_rules" {
   default     = []
   # Validation happens in the rule module
 }
+
+variable "service_credential_names" {
+  description = "The mapping of names and roles for service credentials that you want to create for the Event Notifications streams."
+  type        = map(string)
+  default     = {}
+
+  validation {
+    condition     = alltrue([for name, role in var.service_credential_names : contains(["Writer", "Reader", "Manager", "None"], role)])
+    error_message = "The specified service credential role is not valid. The following values are valid for service credential roles: 'Writer', 'Reader', 'Manager', 'None'"
+  }
+}