terraform-ibm-modules · jojustin · Sep 11, 2023 · Aug 24, 2023 · Aug 24, 2023 · Aug 25, 2023
@@ -968,7 +968,7 @@ statement instead the previous block.
 | <a name="input_f5_vsi"></a> [f5\_vsi](#input\_f5\_vsi) | A list describing F5 VSI workloads to create | <pre>list(<br>    object({<br>      name                   = string<br>      vpc_name               = string<br>      primary_subnet_name    = string<br>      secondary_subnet_names = list(string)<br>      secondary_subnet_security_group_names = list(<br>        object({<br>          group_name     = string<br>          interface_name = string<br>        })<br>      )<br>      ssh_keys                        = list(string)<br>      f5_image_name                   = string<br>      machine_type                    = string<br>      resource_group                  = optional(string)<br>      enable_management_floating_ip   = optional(bool)<br>      enable_external_floating_ip     = optional(bool)<br>      security_groups                 = optional(list(string))<br>      boot_volume_encryption_key_name = optional(string)<br>      hostname                        = string<br>      domain                          = string<br>      access_tags                     = optional(list(string), [])<br>      security_group = optional(<br>        object({<br>          name = string<br>          rules = list(<br>            object({<br>              name      = string<br>              direction = string<br>              source    = string<br>              tcp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              udp = optional(<br>                object({<br>                  port_max = number<br>                  port_min = number<br>                })<br>              )<br>              icmp = optional(<br>                object({<br>                  type = number<br>                  code = number<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>      block_storage_volumes = optional(list(<br>        object({<br>          name           = string<br>          profile        = string<br>          capacity       = optional(number)<br>          iops           = optional(number)<br>          encryption_key = optional(string)<br>        })<br>      ))<br>      load_balancers = optional(list(<br>        object({<br>          name              = string<br>          type              = string<br>          listener_port     = number<br>          listener_protocol = string<br>          connection_limit  = number<br>          algorithm         = string<br>          protocol          = string<br>          health_delay      = number<br>          health_retries    = number<br>          health_timeout    = number<br>          health_type       = string<br>          pool_member_port  = string<br>          security_group = optional(<br>            object({<br>              name = string<br>              rules = list(<br>                object({<br>                  name      = string<br>                  direction = string<br>                  source    = string<br>                  tcp = optional(<br>                    object({<br>                      port_max = number<br>                      port_min = number<br>                    })<br>                  )<br>                  udp = optional(<br>                    object({<br>                      port_max = number<br>                      port_min = number<br>                    })<br>                  )<br>                  icmp = optional(<br>                    object({<br>                      type = number<br>                      code = number<br>                    })<br>                  )<br>                })<br>              )<br>            })<br>          )<br>        })<br>      ))<br>    })<br>  )</pre> | `[]` | no |
 | <a name="input_iam_account_settings"></a> [iam\_account\_settings](#input\_iam\_account\_settings) | IAM Account Settings. | <pre>object({<br>    enable                          = bool<br>    mfa                             = optional(string)<br>    allowed_ip_addresses            = optional(string)<br>    include_history                 = optional(bool)<br>    if_match                        = optional(string)<br>    max_sessions_per_identity       = optional(string)<br>    restrict_create_service_id      = optional(string)<br>    restrict_create_platform_apikey = optional(string)<br>    session_expiration_in_seconds   = optional(string)<br>    session_invalidation_in_seconds = optional(string)<br>  })</pre> | <pre>{<br>  "enable": false<br>}</pre> | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API Key that will be used for authentication in scripts run in this module. Only required if certain options are required. | `string` | `null` | no |
-| <a name="input_key_management"></a> [key\_management](#input\_key\_management) | Key Protect instance variables | <pre>object({<br>    name           = string<br>    resource_group = string<br>    use_data       = optional(bool)<br>    use_hs_crypto  = optional(bool)<br>    access_tags    = optional(list(string), [])<br>    keys = optional(<br>      list(<br>        object({<br>          name            = string<br>          root_key        = optional(bool)<br>          payload         = optional(string)<br>          key_ring        = optional(string) # Any key_ring added will be created<br>          force_delete    = optional(bool)<br>          endpoint        = optional(string) # can be public or private<br>          iv_value        = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br>          encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br>          policies = optional(<br>            object({<br>              rotation = optional(<br>                object({<br>                  interval_month = number<br>                })<br>              )<br>              dual_auth_delete = optional(<br>                object({<br>                  enabled = bool<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>    )<br>  })</pre> | n/a | yes |
+| <a name="input_key_management"></a> [key\_management](#input\_key\_management) | Key Protect instance variables | <pre>object({<br>    name           = optional(string)<br>    resource_group = optional(string)<br>    use_data       = optional(bool)<br>    use_hs_crypto  = optional(bool)<br>    access_tags    = optional(list(string), [])<br>    keys = optional(<br>      list(<br>        object({<br>          name             = string<br>          root_key         = optional(bool)<br>          payload          = optional(string)<br>          key_ring         = optional(string) # Any key_ring added will be created<br>          force_delete     = optional(bool)<br>          existing_key_crn = optional(string)<br>          endpoint         = optional(string) # can be public or private<br>          iv_value         = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br>          encrypted_nonce  = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.<br>          policies = optional(<br>            object({<br>              rotation = optional(<br>                object({<br>                  interval_month = number<br>                })<br>              )<br>              dual_auth_delete = optional(<br>                object({<br>                  enabled = bool<br>                })<br>              )<br>            })<br>          )<br>        })<br>      )<br>    )<br>  })</pre> | n/a | yes |
 | <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | A unique identifier for resources. Must begin with a letter and end with a letter or number. This prefix will be prepended to any resources provisioned by this template. Prefixes must be 16 or fewer characters. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | Region where VPC will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions. | `string` | n/a | yes |

@@ -55,7 +55,7 @@ module "bastion_host" {
   vsi_per_subnet                = 1
   boot_volume_encryption_key = each.value.boot_volume_encryption_key_name == null ? "" : [
     for keys in module.key_management.keys :
-    keys.id if keys.name == each.value.boot_volume_encryption_key_name
+    keys.crn if keys.name == each.value.boot_volume_encryption_key_name
   ][0]
   image_id  = data.ibm_is_image.image["${var.prefix}-${each.value.name}"].id
   user_data = module.teleport_config[0].cloud_init

@@ -95,7 +95,7 @@ resource "ibm_cos_bucket" "buckets" {
   hard_quota            = each.value.hard_quota
   key_protect = each.value.kms_key == null ? null : [
     for key in module.key_management.keys :
-    key.id if key.name == each.value.kms_key
+    key.crn if key.name == each.value.kms_key
   ][0]
 
   dynamic "archive_rule" {

@@ -37,7 +37,7 @@ variable "atracker_cos_bucket" {
 ##############################################################################
 
 locals {
-  target_key_management_service = lookup(var.key_management, "use_hs_crypto", false) == true ? "hs-crypto" : "kms"
+  target_key_management_service = lookup(var.key_management, "name", null) != null ? lookup(var.key_management, "use_hs_crypto", false) == true ? "hs-crypto" : "kms" : null
 }
 
 module "kms_to_block_storage" {
@@ -51,7 +51,7 @@ module "kms_to_block_storage" {
       roles                       = ["Reader"]
       target_service_name         = local.target_key_management_service
       target_resource_instance_id = var.key_management_guid
-    }
+    } if local.target_key_management_service != null
   ]
 }
 
@@ -73,7 +73,7 @@ module "cos_to_key_management" {
       roles                       = ["Reader"]
       target_service_name         = local.target_key_management_service
       target_resource_instance_id = var.key_management_guid
-    }
+    } if local.target_key_management_service != null
   ]
 }
 
@@ -105,7 +105,7 @@ module "secrets_manager_to_cos" {
       roles                       = ["Reader"]
       target_service_name         = local.target_key_management_service
       target_resource_instance_id = var.key_management_guid
-    }
+    } if local.target_key_management_service != null
   ]
 }
 

@@ -145,7 +145,7 @@ module "f5_vsi" {
   # Get boot volume
   boot_volume_encryption_key = each.value.boot_volume_encryption_key_name == null ? "" : [
     for keys in module.key_management.keys :
-    keys.id if keys.name == each.value.boot_volume_encryption_key_name
+    keys.crn if keys.name == each.value.boot_volume_encryption_key_name
   ][0]
   # Get security group ids
   security_group_ids = each.value.security_groups == null ? [] : [
@@ -169,7 +169,7 @@ module "f5_vsi" {
       iops     = volume.iops
       encryption_key = lookup(volume, "encryption_key", null) == null ? null : [
         for key in module.key_management.keys :
-        key.id if key.name == volume.encryption_key
+        key.crn if key.name == volume.encryption_key
       ][0]
     }
   ]

@@ -10,6 +10,7 @@ module "dynamic_values" {
   kms_data      = data.ibm_resource_instance.kms
   kms_resource  = ibm_resource_instance.kms
   keys          = var.keys
+  name          = var.key_management.name
 }
 
 ##############################################################################
@@ -59,6 +60,7 @@ module "unit_test_kms_resource" {
   source    = "./dynamic_values"
   hpcs_data = []
   kms_data  = []
+  name      = "test-kms"
   kms_resource = [{
     guid = "resource"
     crn  = "resource"

@@ -34,6 +34,11 @@ variable "keys" {
   default     = []
 }
 
+variable "name" {
+  description = "Name of the kms instance"
+  default     = null
+}
+
 ##############################################################################
 
 ##############################################################################
@@ -42,13 +47,15 @@ variable "keys" {
 
 locals {
   # Get key management type
-  key_management_type = var.use_hs_crypto == true ? "hs-crypto" : var.use_data == true ? "data" : "resource"
+  key_management_type = var.use_hs_crypto == true ? "hs-crypto" : var.use_data == true ? "data" : var.name == null ? null : "resource"
   # Get GUID
   key_management_guid = (
     local.key_management_type == "hs-crypto"
     ? var.hpcs_data[0].guid
     : local.key_management_type == "data"
     ? var.kms_data[0].guid
+    : var.name == null
+    ? null
     : var.kms_resource[0].guid
   )
   # Get CRN
@@ -57,12 +64,14 @@ locals {
     ? var.hpcs_data[0].crn
     : local.key_management_type == "data"
     ? var.kms_data[0].crn
+    : var.name == null
+    ? null
     : var.kms_resource[0].crn
   )
   # Keys
   key_management_keys = {
     for encryption_key in var.keys :
-    (encryption_key.name) => encryption_key
+    (encryption_key.name) => encryption_key if lookup(encryption_key, "existing_key_crn", null) == null
   }
   # Rings
   key_rings = distinct([

@@ -4,12 +4,12 @@
 
 output "key_management_name" {
   description = "Name of key management service"
-  value       = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].name : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].name : ibm_resource_instance.kms[0].name
+  value       = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].name : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].name : var.key_management.name == null ? null : ibm_resource_instance.kms[0].name
 }
 
 output "key_management_crn" {
   description = "CRN for KMS instance"
-  value       = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].crn : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].crn : ibm_resource_instance.kms[0].crn
+  value       = var.key_management.use_hs_crypto == true ? data.ibm_resource_instance.hpcs_instance[0].crn : var.key_management.use_data == true ? data.ibm_resource_instance.kms[0].crn : var.key_management.name == null ? null : ibm_resource_instance.kms[0].crn
 }
 
 output "key_management_guid" {
@@ -38,28 +38,43 @@ output "key_rings" {
 
 output "keys" {
   description = "List of names and ids for keys created."
-  value = [
+  value = concat([
     for kms_key in var.keys :
     {
       name   = kms_key.name
       id     = ibm_kms_key.key[kms_key.name].id
       crn    = ibm_kms_key.key[kms_key.name].crn
       key_id = ibm_kms_key.key[kms_key.name].key_id
-    }
-  ]
+    } if lookup(kms_key, "existing_key_crn", null) == null
+    ],
+    [
+      for kms_key in var.keys :
+      {
+        name = kms_key.name
+        crn  = kms_key.existing_key_crn
+      } if lookup(kms_key, "existing_key_crn", null) != null
+    ]
+  )
 }
 
 output "key_map" {
   description = "Map of ids and keys for keys created"
-  value = {
+  value = merge({
     for kms_key in var.keys :
     (kms_key.name) => {
       name   = kms_key.name
       id     = ibm_kms_key.key[kms_key.name].id
       crn    = ibm_kms_key.key[kms_key.name].crn
       key_id = ibm_kms_key.key[kms_key.name].key_id
-    }
-  }
+    } if lookup(kms_key, "existing_key_crn", null) == null
+    },
+    {
+      for kms_key in var.keys :
+      (kms_key.name) => {
+        name = kms_key.name
+        crn  = kms_key.existing_key_crn
+      } if lookup(kms_key, "existing_key_crn", null) != null
+  })
 }
 
 ##############################################################################
@@ -30,14 +30,15 @@ variable "keys" {
   description = "List of keys to be created for the service"
   type = list(
     object({
-      name            = string
-      root_key        = optional(bool)
-      payload         = optional(string)
-      key_ring        = optional(string) # Any key_ring added will be created
-      force_delete    = optional(bool)
-      endpoint        = optional(string) # can be public or private
-      iv_value        = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
-      encrypted_nonce = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
+      name             = string
+      root_key         = optional(bool)
+      payload          = optional(string)
+      key_ring         = optional(string) # Any key_ring added will be created
+      force_delete     = optional(bool)
+      existing_key_crn = optional(string)
+      endpoint         = optional(string) # can be public or private
+      iv_value         = optional(string) # (Optional, Forces new resource, String) Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
+      encrypted_nonce  = optional(string) # The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the ibmcloud kp import-token get command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce. Only for imported root key.
       policies = optional(
         object({
           rotation = optional(