This module configures a public certificates engine for a Secrets Manager instance. For more information about enabling Secrets Manager for public certificates, see Preparing to order public certificates.
The module handles the following resources:
- Authorization between Secrets Manager and Cloud Internet Services (CIS)
- CIS DNS configuration
- Let's Encrypt certificate authority configuration
The two configurations make up the public_cert secrets type. This module also signs the intermediate certificate authority (CA) when the engine is created.
Make sure that you have the following prerequisites:
- An IBM Cloud Internet Services (CIS) instance
- A private key .pem file generated by the ACME account creation tool
ℹ️ Tip: The Secrets Manager module provides automation to create a Secrets Manager instance.
```hcl
# Provider aliases (passed to the module through its providers argument)
providers = {
  ibm              = ibm
  ibm.secret-store = ibm
}
```
```hcl
# Authentication with IAM policy
module "public_secret_engine" {
  source  = "terraform-ibm-modules/secrets-manager-public-cert-engine/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  secrets_manager_guid         = "<secrets_manager_instance_id>"
  region                       = "us-south"
  dns_config_name              = "My DNS Config"
  internet_services_crn        = "<internet_services_instance_id>"
  ca_config_name               = "My CA Config"
  acme_letsencrypt_private_key = "<acme_letsencrypt_private_key>" # pragma: allowlist secret
}
```
```hcl
# Authentication with API key
module "public_secret_engine" {
  source  = "terraform-ibm-modules/secrets-manager-public-cert-engine/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  secrets_manager_guid         = "<secrets_manager_instance_id>"
  region                       = "us-south"
  dns_config_name              = "My DNS Config"
  internet_services_crn        = "<internet_services_instance_id>"
  ca_config_name               = "My CA Config"
  acme_letsencrypt_private_key = "<acme_letsencrypt_private_key>" # pragma: allowlist secret
  ibmcloud_cis_api_key         = "<ibmcloud_api_key>"             # pragma: allowlist secret
}
```
```hcl
# Authentication with IAM policy, ACME private key stored in Secrets Manager
module "public_secret_engine" {
  source  = "terraform-ibm-modules/secrets-manager-public-cert-engine/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  secrets_manager_guid  = "<secrets_manager_instance_id>"
  region                = "us-south"
  dns_config_name       = "My DNS Config"
  internet_services_crn = "<internet_services_instance_id>"
  ca_config_name        = "My CA Config"

  # Location of the ACME private key (variable names as listed in the inputs table)
  private_key_secrets_manager_instance_guid = "<my secrets manager instance ID>"   # pragma: allowlist secret
  private_key_secrets_manager_secret_id     = "<the secret ID of the private key>" # pragma: allowlist secret
}
```
```hcl
# Authentication with API key, ACME private key stored in Secrets Manager
module "public_secret_engine" {
  source  = "terraform-ibm-modules/secrets-manager-public-cert-engine/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release

  secrets_manager_guid  = "<secrets_manager_instance_id>"
  region                = "us-south"
  dns_config_name       = "My DNS Config"
  internet_services_crn = "<internet_services_instance_id>"
  ca_config_name        = "My CA Config"
  ibmcloud_cis_api_key  = "<ibmcloud_api_key>" # pragma: allowlist secret

  # Location of the ACME private key (variable names as listed in the inputs table)
  private_key_secrets_manager_instance_guid = "<my secrets manager instance ID>"   # pragma: allowlist secret
  private_key_secrets_manager_secret_id     = "<the secret ID of the private key>" # pragma: allowlist secret
}
```
Because the ACME Let's Encrypt private key is a multi-line string, you may encounter errors passing it into Terraform. You can store it as an arbitrary secret in Secrets Manager, which Terraform then pulls, or you can use one of the following methods to provide it through the CLI:
```hcl
# Heredoc: the key is passed verbatim, line breaks included
acme_letsencrypt_private_key = <<-EOT
  -----BEGIN PRIVATE KEY-----
  CONTENTS
  OFYOUR
  PRIVATEKEY
  -----END PRIVATE KEY-----
  EOT
```
```sh
# Environment variable: single quotes keep the line breaks intact
export TF_VAR_acme_letsencrypt_private_key='-----BEGIN PRIVATE KEY-----
CONTENTS
OFYOUR
PRIVATEKEY
-----END PRIVATE KEY-----'
```
This works with most UNIX-based shells; you may need to change the ' quoting character depending on your shell.
```hcl
# Single-line string: each line break is written as the escape sequence \n
acme_letsencrypt_private_key = "-----BEGIN PRIVATE KEY-----\nCONTENTS\nOFYOUR\nPRIVATEKEY\n-----END PRIVATE KEY-----" # pragma: allowlist secret
```
You can replace the line breaks in the private key with the newline escape sequence \n.
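 
Whichever of the three methods you use, the key has to reach Terraform with its PEM framing intact and without being pasted into shell history. The POSIX sh helper below is an added example (not part of this module): it checks the BEGIN/END lines of a key file, warns if the file is readable by other users, exports it as TF_VAR_acme_letsencrypt_private_key, and can also print the single-line \n form from the third method. The ./acme-account.pem default path is an assumption.

```shell
# Added example, not code from the module: load an ACME account private key
# from a file into TF_VAR_acme_letsencrypt_private_key. Reading the file keeps
# the key out of shell history and process listings, unlike pasting it inline.
# Assumption: the key path is the first argument (default ./acme-account.pem).

# pem_is_valid FILE: succeed only if FILE starts with a "-----BEGIN ... KEY-----"
# line and its last non-blank line is the matching "-----END ... KEY-----".
pem_is_valid() {
  f=$1
  [ -r "$f" ] || return 1
  first=$(head -n 1 "$f")
  last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1)
  case $first in
    '-----BEGIN '*' KEY-----') ;;
    *) return 1 ;;
  esac
  label=${first#-----BEGIN }
  label=${label%-----}
  [ "$last" = "-----END ${label}-----" ]
}

# pem_mode_ok FILE: succeed if the file grants no permissions to group or other.
pem_mode_ok() {
  case $(ls -ld "$1") in
    ????------*) return 0 ;;
    *) return 1 ;;
  esac
}

# pem_to_single_line FILE: print the key with each line break replaced by the
# two characters \n, the form used in the single-line method above.
pem_to_single_line() {
  awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }' "$1"
}

# load_tf_var [FILE]: validate the key file and export it for Terraform.
load_tf_var() {
  f=${1:-./acme-account.pem}
  pem_is_valid "$f" || { echo "not a PEM private key: $f" >&2; return 1; }
  pem_mode_ok "$f" || echo "warning: $f is readable by other users" >&2
  TF_VAR_acme_letsencrypt_private_key=$(cat "$f")
  export TF_VAR_acme_letsencrypt_private_key
}
```

Source the file and run `load_tf_var path/to/key.pem` before `terraform plan`; the exported variable is visible to child processes of that shell only.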
You need the following permissions to run this module.
- Account Management
    - IAM Access Groups service
        - Editor platform access
    - IAM Identity service
        - Operator platform access
    - Resource Group service
        - Viewer platform access
- IAM Services
    - Secrets Manager service
        - Administrator platform access
        - Manager service access
| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| ibm | >= 1.70.0, < 2.0.0 |
| time | >= 0.9.1, < 1.0.0 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acme_letsencrypt_private_key | The private key generated by the ACME account creation tool. Required if private_key_secrets_manager_instance_guid and private_key_secrets_manager_secret_id are not set. | string | null | no |
| ca_config_name | Name of the CA config for the public_cert secrets engine | string | null | no |
| cis_account_id | Account ID of the CIS instance (only needed if different from the Secrets Manager account) | string | null | no |
| dns_config_name | Name of the DNS config for the public_cert secrets engine | string | null | no |
| ibmcloud_cis_api_key | Optional. When not using IAM authorization, use an API key for the CIS DNS configuration | string | null | no |
| internet_service_domain_id | (optional) Specific domain in the CIS to authorize Secrets Manager access to | string | null | no |
| internet_services_crn | CRN of the CIS instance to authorize Secrets Manager against | string | null | no |
| lets_encrypt_environment | Let's Encrypt environment (staging, production) | string | "production" | no |
| private_key_secrets_manager_instance_guid | The GUID of the Secrets Manager instance containing your ACME private key. Required if acme_letsencrypt_private_key is not set. | string | null | no |
| private_key_secrets_manager_region | The region of the Secrets Manager instance containing your ACME private key (only needed if different from the region variable) | string | null | no |
| private_key_secrets_manager_secret_id | The secret ID of your ACME private key. Required if acme_letsencrypt_private_key is not set. If both are set, this value is used as the private key. | string | null | no |
| region | Region where resources are created or fetched from | string | "us-south" | no |
| secrets_manager_guid | GUID of the Secrets Manager instance to create the secrets engine in | string | n/a | yes |
| service_endpoints | The service endpoint type to communicate with the provided Secrets Manager instance. Possible values are public or private | string | "public" | no |
| skip_iam_authorization_policy | Set to true to skip the creation of an IAM authorization policy that permits Secrets Manager to create a DNS config in the CIS specified in internet_services_crn. WARNING: An authorization policy must exist before a DNS config can be created, OR an API key must be provided in ibmcloud_cis_api_key | bool | false | no |
No outputs.
You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.
To set up your local development environment, see Local development setup in the project documentation.