feat: store Kibana account secrets in secrets manager if provided

Author: shemau

ibm_catalog.json

@@ -458,6 +458,12 @@
             {
               "key": "kibana_image_port"
             },
+            {
+              "key": "kibana_system_secret_name"
+            },
+            {
+              "key": "kibana_app_secret_name"
+            },
             {
               "key": "cbr_code_engine_kibana_project_rules"
             },
@@ -841,6 +847,12 @@
             {
               "key": "kibana_image_port"
             },
+            {
+              "key": "kibana_system_secret_name"
+            },
+            {
+              "key": "kibana_app_secret_name"
+            },
             {
               "key": "cbr_rules",
               "type": "array",

solutions/fully-configurable/main.tf

@@ -396,20 +396,34 @@ locals {
     }
   ]
 
+  # Prepare locally generated secrets
+  system_secrets = [{
+    "secret_name"             = "${local.prefix}${var.admin_pass_secrets_manager_secret_name}"
+    "secret_type"             = "arbitrary"
+    "secret_payload_password" = local.admin_pass
+  }]
+  kibana_secrets = var.enable_kibana_dashboard ? [{
+    "secret_name"             = "${local.prefix}${var.kibana_system_secret_name}"
+    "secret_type"             = "arbitrary"
+    "secret_payload_password" = local.kibana_system_password
+    },
+    {
+      "secret_name"             = "${local.prefix}${var.kibana_app_secret_name}"
+      "secret_type"             = "arbitrary"
+      "secret_payload_password" = local.kibana_app_login_password
+  }] : []
+  password_secrets = concat(local.system_secrets, local.kibana_secrets)
+
+
   # Build the structure of the arbitrary credential type secret for admin password
-  admin_pass_secret = [{
+  user_secrets = [{
     secret_group_name     = "${local.prefix}${var.admin_pass_secrets_manager_secret_group}"
     existing_secret_group = var.use_existing_admin_pass_secrets_manager_secret_group
-    secrets = [{
-      secret_name             = "${local.prefix}${var.admin_pass_secrets_manager_secret_name}"
-      secret_type             = "arbitrary"
-      secret_payload_password = local.admin_pass
-      }
-    ]
+    secrets               = local.password_secrets
   }]
 
   # Concatenate into 1 secrets object
-  secrets = concat(local.service_credential_secrets, local.admin_pass_secret)
+  secrets = concat(local.service_credential_secrets, local.user_secrets)
   # Parse Secrets Manager details from the CRN
   existing_secrets_manager_instance_guid   = var.existing_secrets_manager_instance_crn != null ? module.sm_instance_crn_parser[0].service_instance : null
   existing_secrets_manager_instance_region = var.existing_secrets_manager_instance_crn != null ? module.sm_instance_crn_parser[0].region : null

solutions/fully-configurable/variables.tf

@@ -581,6 +581,32 @@ variable "kibana_registry_personal_access_token" {
   }
 }
 
+variable "kibana_system_secret_name" {
+  type        = string
+  description = "The Secrets Manager secret name of a new kibana system secret. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
+  default     = "kibana-system-password"
+
+  validation {
+    condition = (
+      !(var.enable_kibana_dashboard && var.existing_secrets_manager_instance_crn != null && length(var.kibana_system_secret_name) == 0)
+    )
+    error_message = "`kibana_system_secret_name` is required when `existing_secrets_manager_instance_crn` and `enable_kibana_dashboard` are set."
+  }
+}
+
+variable "kibana_app_secret_name" {
+  type        = string
+  description = "The Secrets Manager secret name of a new kibana application secret. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
+  default     = "kibana-app-password"
+
+  validation {
+    condition = (
+      !(var.enable_kibana_dashboard && var.existing_secrets_manager_instance_crn != null && length(var.kibana_app_secret_name) == 0)
+    )
+    error_message = "`kibana_app_secret_name` is required when `existing_secrets_manager_instance_crn` and `enable_kibana_dashboard` are set."
+  }
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################

solutions/security-enforced/main.tf

@@ -53,5 +53,7 @@ module "elasticsearch" {
   kibana_image_digest                 = var.kibana_image_digest
   kibana_image_port                   = var.kibana_image_port
   kibana_visibility                   = "local_private"
+  kibana_system_secret_name           = var.kibana_system_secret_name
+  kibana_app_secret_name              = var.kibana_app_secret_name
   cbr_rules                           = var.cbr_rules
 }

solutions/security-enforced/variables.tf

@@ -431,15 +431,26 @@ variable "kibana_image_digest" {
     condition     = var.kibana_image_digest == null || can(regex("^sha256:", var.kibana_image_digest))
     error_message = "If provided, the value of kibana_image_digest must start with 'sha256:'."
   }
-
-
 }
+
 variable "kibana_image_port" {
   description = "Specify the port number used to connect to the Kibana service exposed by the container image. Default port is 5601 and it is only applicable if `enable_kibana_dashboard` is true"
   type        = number
   default     = 5601
 }
 
+variable "kibana_system_secret_name" {
+  type        = string
+  description = "The Secrets Manager secret name of a new kibana system secret. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
+  default     = "kibana-system-password"
+}
+
+variable "kibana_app_secret_name" {
+  type        = string
+  description = "The Secrets Manager secret name of a new kibana application secret. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
+  default     = "kibana-app-password"
+}
+
 ##############################################################
 # Context-based restriction (CBR)
 ##############################################################