feat: added support to create service credentials + fixed bug in fscloud submodule (#312)

dishankkalra23 · web-flow · commit 9586187cde77 · 2024-10-25T16:53:25.000+01:00
diff --git a/README.md b/README.md
@@ -123,6 +123,7 @@ You need the following permissions to run this module.
 | [ibm_event_streams_topic.es_topic](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/event_streams_topic) | resource |
 | [ibm_iam_authorization_policy.kms_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_instance.es_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_instance) | resource |
+| [ibm_resource_key.service_credentials](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 
 ### Inputs
@@ -140,6 +141,7 @@ You need the following permissions to run this module.
 | <a name="input_region"></a> [region](#input\_region) | The region where the Event Streams are created. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes |
 | <a name="input_schemas"></a> [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. | <pre>list(object(<br/>    {<br/>      schema_id = string<br/>      schema = object({<br/>        type = string<br/>        name = string<br/>        fields = optional(list(object({<br/>          name = string<br/>          type = string<br/>        })))<br/>      })<br/>    }<br/>  ))</pre> | `[]` | no |
+| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of service endpoints. Possible values: 'public', 'private', 'public-and-private'. | `string` | `"public"` | no |
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Event Streams database instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing\_kms\_instance\_guid variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no |
 | <a name="input_storage_size"></a> [storage\_size](#input\_storage\_size) | Storage size of the Event Streams in GB. Applies only to Enterprise plan instances. Possible values: `2048`, `4096`, `6144`, `8192`, `10240`, `12288`. Storage capacity cannot be reduced after the instance is created. When the `throughput` input variable is set to `300`, storage size starts at 4096. When `throughput` is `450`, storage size starts starts at `6144`. | `number` | `"2048"` | no |
@@ -158,6 +160,8 @@ You need the following permissions to run this module.
 | <a name="output_kafka_broker_version"></a> [kafka\_broker\_version](#output\_kafka\_broker\_version) | The Kafka version |
 | <a name="output_kafka_brokers_sasl"></a> [kafka\_brokers\_sasl](#output\_kafka\_brokers\_sasl) | (Array of Strings) Kafka brokers use for interacting with Kafka native API |
 | <a name="output_kafka_http_url"></a> [kafka\_http\_url](#output\_kafka\_http\_url) | The API endpoint to interact with Event Streams REST API |
+| <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | The service credentials JSON map. |
+| <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | The service credentials object. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- BEGIN CONTRIBUTING HOOK -->
 
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -7,4 +7,3 @@ This example uses the IBM Cloud Terraform provider to create the following infra
 - A new resource group, if one is not passed in.
 - A sample virtual private cloud (VPC).
 - A instance of Event Streams in the provided resource group and region. You can identify topics and schemas to apply to the instance.
-- A context-based restriction rule to allow Event Streams to be accessible only from within the VPC.
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -10,45 +10,6 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
-##############################################################################
-# Get Cloud Account ID
-##############################################################################
-
-data "ibm_iam_account_settings" "iam_account_settings" {
-}
-
-##############################################################################
-# VPC
-##############################################################################
-resource "ibm_is_vpc" "example_vpc" {
-  name           = "${var.prefix}-vpc"
-  resource_group = module.resource_group.resource_group_id
-  tags           = var.resource_tags
-}
-
-resource "ibm_is_subnet" "testacc_subnet" {
-  name                     = "${var.prefix}-subnet"
-  vpc                      = ibm_is_vpc.example_vpc.id
-  zone                     = "${var.region}-1"
-  total_ipv4_address_count = 256
-  resource_group           = module.resource_group.resource_group_id
-}
-
-##############################################################################
-# Create CBR Zone
-##############################################################################
-module "cbr_zone" {
-  source           = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module"
-  version          = "1.27.0"
-  name             = "${var.prefix}-VPC-network-zone"
-  zone_description = "CBR Network zone representing VPC"
-  account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
-  addresses = [{
-    type  = "vpc", # to bind a specific vpc to the zone
-    value = ibm_is_vpc.example_vpc.crn,
-  }]
-}
-
 ##############################################################################
 # Events-streams-instance
 ##############################################################################
@@ -60,22 +21,9 @@ module "event_streams" {
   schemas           = var.schemas
   tags              = var.resource_tags
   topics            = var.topics
-  cbr_rules = [
-    {
-      description      = "${var.prefix}-event stream access only from vpc"
-      enforcement_mode = "enabled"
-      account_id       = data.ibm_iam_account_settings.iam_account_settings.account_id
-      rule_contexts = [{
-        attributes = [
-          {
-            "name" : "endpointType",
-            "value" : "private"
-          },
-          {
-            name  = "networkZoneId"
-            value = module.cbr_zone.zone_id
-        }]
-      }]
-    }
-  ]
+  service_credential_names = {
+    "es_writer" : "Writer",
+    "es_reader" : "Reader",
+    "es_manager" : "Manager"
+  }
 }
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -35,3 +35,15 @@ output "kafka_broker_version" {
   description = "The Kafka version"
   value       = module.event_streams.kafka_broker_version
 }
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = module.event_streams.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "Service credentials object"
+  value       = module.event_streams.service_credentials_object
+  sensitive   = true
+}
diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf
@@ -62,6 +62,11 @@ module "event_streams" {
   tags                       = var.resource_tags
   topics                     = var.topics
   existing_kms_instance_guid = var.existing_kms_instance_guid
+  service_credential_names = {
+    "es_writer" : "Writer",
+    "es_reader" : "Reader",
+    "es_manager" : "Manager"
+  }
   cbr_rules = [
     {
       description      = "${var.prefix}-event stream access only from vpc"
diff --git a/examples/fscloud/outputs.tf b/examples/fscloud/outputs.tf
@@ -31,3 +31,15 @@ output "kafka_http_url" {
   description = "The API endpoint to interact with Event Streams REST API"
   value       = module.event_streams.kafka_http_url
 }
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = module.event_streams.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "Service credentials object"
+  value       = module.event_streams.service_credentials_object
+  sensitive   = true
+}
diff --git a/main.tf b/main.tf
@@ -123,3 +123,24 @@ module "cbr_rule" {
     ]
   }]
 }
+
+resource "ibm_resource_key" "service_credentials" {
+  for_each             = var.service_credential_names
+  name                 = each.key
+  role                 = each.value
+  resource_instance_id = ibm_resource_instance.es_instance.id
+}
+
+locals {
+  service_credentials_json = length(var.service_credential_names) > 0 ? {
+    for service_credential in ibm_resource_key.service_credentials :
+    service_credential["name"] => service_credential["credentials_json"]
+  } : null
+
+  service_credentials_object = length(var.service_credential_names) > 0 ? {
+    credentials = {
+      for service_credential in ibm_resource_key.service_credentials :
+      service_credential["name"] => service_credential["credentials"]
+    }
+  } : null
+}
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -33,6 +33,7 @@ No resources.
 | <a name="input_region"></a> [region](#input\_region) | The region where the Event Streams are created. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes |
 | <a name="input_schemas"></a> [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. | <pre>list(object(<br/>    {<br/>      schema_id = string<br/>      schema = object({<br/>        type = string<br/>        name = string<br/>        fields = optional(list(object({<br/>          name = string<br/>          type = string<br/>        })))<br/>      })<br/>    }<br/>  ))</pre> | `[]` | no |
+| <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | The list of tags associated with the Event Steams instance. | `list(string)` | `[]` | no |
 | <a name="input_topics"></a> [topics](#input\_topics) | The list of topics to apply to resources. Only one topic is allowed for Lite plan instances. | <pre>list(object(<br/>    {<br/>      name       = string<br/>      partitions = number<br/>      config     = object({})<br/>    }<br/>  ))</pre> | `[]` | no |
 
@@ -46,4 +47,6 @@ No resources.
 | <a name="output_kafka_broker_version"></a> [kafka\_broker\_version](#output\_kafka\_broker\_version) | The Kafka version |
 | <a name="output_kafka_brokers_sasl"></a> [kafka\_brokers\_sasl](#output\_kafka\_brokers\_sasl) | (Array of Strings) Kafka brokers use for interacting with Kafka native API |
 | <a name="output_kafka_http_url"></a> [kafka\_http\_url](#output\_kafka\_http\_url) | The API endpoint to interact with Event Streams REST API |
+| <a name="output_service_credentials_json"></a> [service\_credentials\_json](#output\_service\_credentials\_json) | Service credentials json map |
+| <a name="output_service_credentials_object"></a> [service\_credentials\_object](#output\_service\_credentials\_object) | Service credentials object |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -11,4 +11,7 @@ module "event_streams" {
   topics                     = var.topics
   service_endpoints          = "private"
   cbr_rules                  = var.cbr_rules
+  service_credential_names   = var.service_credential_names
+  kms_encryption_enabled     = true
+
 }
diff --git a/modules/fscloud/outputs.tf b/modules/fscloud/outputs.tf
@@ -31,3 +31,15 @@ output "kafka_broker_version" {
   description = "The Kafka version"
   value       = module.event_streams.kafka_broker_version
 }
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = module.event_streams.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "Service credentials object"
+  value       = module.event_streams.service_credentials_object
+  sensitive   = true
+}
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
@@ -81,3 +81,9 @@ variable "cbr_rules" {
   default     = []
   # Validation happens in the rule module
 }
+
+variable "service_credential_names" {
+  description = "The mapping of names and roles for service credentials that you want to create for the Event streams."
+  type        = map(string)
+  default     = {}
+}
diff --git a/outputs.tf b/outputs.tf
@@ -31,3 +31,15 @@ output "kafka_broker_version" {
   description = "The Kafka version"
   value       = ibm_resource_instance.es_instance.extensions.kafka_broker_version
 }
+
+output "service_credentials_json" {
+  description = "The service credentials JSON map."
+  value       = local.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "The service credentials object."
+  value       = local.service_credentials_object
+  sensitive   = true
+}
diff --git a/solutions/quickstart/DA-types.md b/solutions/quickstart/DA-types.md
@@ -0,0 +1,28 @@
+# Configuring complex inputs in Event Streams
+
+Several optional input variables in the IBM Cloud [Event Streams deployable architecture](https://cloud.ibm.com/catalog/7df1e4ca-d54c-4fd0-82ce-3d13247308cd/architecture/deploy-arch-ibm-event-streams-8272d54f-b54f-46a6-8dd6-772c6db82e87) use complex object types. You specify these inputs when you configure you deployable architecture.
+
+- [Service credentials](#svc-credential-name) (`service_credential_names`)
+
+## Service credentials <a name="svc-credential-name"></a>
+
+You can specify a set of IAM credentials to connect to the instance with the `service_credential_names` input variable. Include a credential name and IAM service role for each key-value pair. Each role provides a specific level of access to the instance. For more information, see [Adding and viewing credentials](https://cloud.ibm.com/docs/account?topic=account-service_credentials&interface=ui).
+
+- Variable name: `service_credential_names`.
+- Type: A map. The key is the name of the service credential. The value is the role that is assigned to that credential.
+- Default value: An empty map (`{}`).
+
+### Options for service_credential_names
+
+- Key (required): The name of the service credential.
+- Value (required): The IAM service role that is assigned to the credential. The following values are valid for service credential roles: 'Manager', 'Writer', 'Reader'. For more information, see [IBM Cloud IAM roles](https://cloud.ibm.com/docs/account?topic=account-userroles).
+
+### Example service credentials
+
+```hcl
+{
+    "es_writer" : "Writer",
+    "es_reader" : "Reader",
+    "es_manager" : "Manager"
+}
+```
diff --git a/solutions/quickstart/main.tf b/solutions/quickstart/main.tf
@@ -12,11 +12,12 @@ module "resource_group" {
 # Event Streams Instance
 #######################################################################################################################
 module "event_streams" {
-  source            = "../../"
-  resource_group_id = module.resource_group.resource_group_id
-  es_name           = var.prefix != null ? "${var.prefix}-${var.es_name}" : var.es_name
-  plan              = var.plan
-  region            = var.region
-  topics            = var.topics
-  tags              = var.resource_tags
+  source                   = "../../"
+  resource_group_id        = module.resource_group.resource_group_id
+  es_name                  = var.prefix != null ? "${var.prefix}-${var.es_name}" : var.es_name
+  plan                     = var.plan
+  region                   = var.region
+  topics                   = var.topics
+  tags                     = var.resource_tags
+  service_credential_names = var.service_credential_names
 }
diff --git a/solutions/quickstart/outputs.tf b/solutions/quickstart/outputs.tf
@@ -35,3 +35,15 @@ output "kafka_broker_version" {
   description = "The Kafka version"
   value       = module.event_streams.kafka_broker_version
 }
+
+output "service_credentials_json" {
+  description = "Service credentials json map"
+  value       = module.event_streams.service_credentials_json
+  sensitive   = true
+}
+
+output "service_credentials_object" {
+  description = "Service credentials object"
+  value       = module.event_streams.service_credentials_object
+  sensitive   = true
+}
diff --git a/solutions/quickstart/variables.tf b/solutions/quickstart/variables.tf
@@ -61,3 +61,9 @@ variable "topics" {
   description = "The list of topics to apply to resources. Only one topic is allowed for Lite plan instances. [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/quickstart/DA-schemas-topics-cbr.md)."
   default     = []
 }
+
+variable "service_credential_names" {
+  description = "The mapping of names and roles for service credentials that you want to create for the Event streams.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-event-streams/tree/main/solutions/quickstart/DA-types.md#svc-credential-name)"
+  type        = map(string)
+  default     = {}
+}
diff --git a/variables.tf b/variables.tf
@@ -174,3 +174,14 @@ variable "cbr_rules" {
   default     = []
   # Validation happens in the rule module
 }
+
+variable "service_credential_names" {
+  description = "The mapping of names and roles for service credentials that you want to create for the Event streams."
+  type        = map(string)
+  default     = {}
+
+  validation {
+    condition     = alltrue([for name, role in var.service_credential_names : contains(["Writer", "Reader", "Manager"], role)])
+    error_message = "The specified service credential role is not valid. The following values are valid for service credential roles: 'Writer', 'Reader', 'Manager'"
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -11,4 +11,7 @@ module "event_streams" {`
`11`	`11`	`topics = var.topics`
`12`	`12`	`service_endpoints = "private"`
`13`	`13`	`cbr_rules = var.cbr_rules`
	`14`	`+ service_credential_names = var.service_credential_names`
	`15`	`+ kms_encryption_enabled = true`
	`16`	`+`
`14`	`17`	`}`