From 1ab6fd8fbccf59dd2f153f215af4c6d6ca334628 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Tue, 11 Jul 2023 13:57:58 +0530 Subject: [PATCH 1/4] chore: add service credentials to secrets manager in complete example --- examples/complete/main.tf | 55 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index c9f3f204..d4525a0c 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -142,3 +142,58 @@ resource "time_sleep" "wait_30_seconds" { depends_on = [ibm_is_security_group.sg1] destroy_duration = "30s" } + +############################################################################## +## Secrets Manager layer +############################################################################## + +# Create Secrets Manager Instance (if not using existing one) +resource "ibm_resource_instance" "secrets_manager" { + count = var.existing_sm_instance_guid == null ? 1 : 0 + name = "${var.prefix}-sm" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value + service = "secrets-manager" + service_endpoints = "public-and-private" + plan = "trial" + location = var.region + resource_group_id = module.resource_group.resource_group_id + + timeouts { + create = "30m" # Extending provisioning time to 30 minutes + } +} + +# Add a Secrets Group to the secret manager instance +module "secrets_manager_secrets_group" { + source = "git::https://github.ibm.com/GoldenEye/secrets-manager-secret-group-module.git?ref=2.0.1" + region = local.sm_region + secrets_manager_guid = local.sm_guid + #tfsec:ignore:general-secrets-no-plaintext-exposure + secret_group_name = "${var.prefix}-es-secrets" + secret_group_description = "service secret-group" #tfsec:ignore:general-secrets-no-plaintext-exposure +} + +# Add service credentials to secret manager as a username/password secret type in the created secret group +module "secrets_manager_service_credentials_user_pass" { + source = "git::https://github.ibm.com/GoldenEye/secrets-manager-secret-module?ref=3.1.1" + for_each = var.service_credential_names + region = local.sm_region + secrets_manager_guid = local.sm_guid + secret_group_id = module.secrets_manager_secrets_group.secret_group_id + secret_name = "${var.prefix}-${each.key}-credentials" + secret_description = "postgresql_db Service Credentials for ${each.key}" + secret_username = 
module.postgresql_db.service_credentials_object.credentials[each.key].username + secret_payload_password = module.postgresql_db.service_credentials_object.credentials[each.key].password + secret_type = "username_password" #checkov:skip=CKV_SECRET_6 +} + +# Add secrets manager certificate to secret manager as a certificate secret type in the created secret group +module "secrets_manager_service_credentials_cert" { + source = "git::https://github.ibm.com/GoldenEye/secrets-manager-secret-module?ref=3.1.1" + region = local.sm_region + secrets_manager_guid = local.sm_guid + secret_group_id = module.secrets_manager_secrets_group.secret_group_id + secret_name = "${var.prefix}-es-cert" + secret_description = "postgresql_db Service Credential Certificate" + imported_cert_certificate = base64decode(module.postgresql_db.service_credentials_object.certificate) + secret_type = "imported_cert" #checkov:skip=CKV_SECRET_6 +} From a637819e5df56651cfebe3b5c4f5171ef45a729d Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Tue, 11 Jul 2023 14:25:32 +0530 Subject: [PATCH 2/4] chore: add service credentials to secrets manager in complete example --- common-dev-assets | 2 +- examples/complete/main.tf | 5 +++++ examples/complete/variables.tf | 12 ++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/common-dev-assets b/common-dev-assets index 0a5cc323..c7639a6e 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit 0a5cc323e143b92b70f28302d59b2e6c1cd5e70e +Subproject commit c7639a6ede17005c03e313889234d431546440cb diff --git a/examples/complete/main.tf b/examples/complete/main.tf index d4525a0c..f7bd0714 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
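Review bot: The username/password secrets are populated straight from `module.postgresql_db.service_credentials_object.credentials[each.key].password`, so the raw service-credential password (and the decoded certificate passed to `imported_cert_certificate`) ends up in this example's Terraform state as well as in Secrets Manager, and nothing in the hunk says so. A comment above `module "secrets_manager_service_credentials_user_pass"` such as `# NOTE: credential values pass through Terraform state — keep the state backend encrypted and access-restricted` would make that explicit for anyone copying the example. Both module sources are pinned to version tags (`?ref=2.0.1`, `?ref=3.1.1`) rather than a commit SHA; tags can be moved, so a SHA, or at least a comment naming the expected commit, would be the stronger supply-chain pin. `plan = "trial"` on the new `ibm_resource_instance.secrets_manager` is presumably intended only for the example; a one-line comment stating that would stop it being reused as-is.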
@@ -1,3 +1,8 @@ +locals { + sm_guid = var.existing_sm_instance_guid == null ? ibm_resource_instance.secrets_manager[0].guid : var.existing_sm_instance_guid + sm_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region +} + ############################################################################## # Resource Group ############################################################################## diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index fb342eef..e482beb5 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -69,3 +69,15 @@ variable "service_credential_names" { "postgressql_editor" : "Editor", } } + +variable "existing_sm_instance_guid" { + type = string + description = "Existing Secrets Manager GUID. If not provided an new instance will be provisioned" + default = null +} + +variable "existing_sm_instance_region" { + type = string + description = "Required if value is passed into var.existing_sm_instance_guid" + default = null +} From 1b4c31e73c0b4a5e784d2a01bf38b1ec5d5e7d29 Mon Sep 17 00:00:00 2001 From: Khuzaima-Shakeel Date: Tue, 11 Jul 2023 14:50:08 +0530 Subject: [PATCH 3/4] chore: add service credentials to secrets manager in complete example --- examples/complete/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index e482beb5..f5dbad4a 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -78,6 +78,6 @@ variable "existing_sm_instance_guid" { variable "existing_sm_instance_region" { type = string - description = "Required if value is passed into var.existing_sm_instance_guid" + description = "Required if value is passed into var.existing_sm_instance_guid" default = null } From f1c4f16973e9b0d5453648aaca659db52e3ce42c Mon Sep 17 00:00:00 2001 
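Review bot: `sm_region` silently falls back to `var.region` when `var.existing_sm_instance_guid` is set but `var.existing_sm_instance_region` is left null, while the description added for `existing_sm_instance_region` in the variables.tf hunk of this same commit says the region is required in that case; an existing instance in another region would then be addressed in the wrong region. Nothing in either hunk enforces the pairing, so either the description should state the `var.region` fallback, or a check should fail the plan when the GUID is supplied without a region (a cross-variable `validation` block where the Terraform version allows it, or a `precondition` on a resource that is always present). A comment above the block, `# sm_guid/sm_region resolve to the existing instance when one is supplied, otherwise to ibm_resource_instance.secrets_manager created below`, would document the intent either way.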
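Review bot: The description of `existing_sm_instance_guid` reads `If not provided an new instance will be provisioned`; `an new` should be `a new`, and this string is what terraform-docs renders for users of the example. The requirement stated in the `existing_sm_instance_region` description is not backed by a `validation` block, so it is documentation only; that interaction is covered in the note on the locals hunk of this commit. `type = string` with `default = null` is the right shape for the `== null` checks in those locals, so no change is needed there.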
From: Khuzaima-Shakeel Date: Tue, 11 Jul 2023 15:31:59 +0530 Subject: [PATCH 4/4] chore: add service credentials to secrets manager in complete example --- examples/complete/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index f7bd0714..e1ef0261 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -200,5 +200,5 @@ module "secrets_manager_service_credentials_cert" { secret_name = "${var.prefix}-es-cert" secret_description = "postgresql_db Service Credential Certificate" imported_cert_certificate = base64decode(module.postgresql_db.service_credentials_object.certificate) - secret_type = "imported_cert" #checkov:skip=CKV_SECRET_6 + secret_type = "imported_cert" #checkov: skip=CKV_SECRET_6 }
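Review bot: The new comment `#checkov: skip=CKV_SECRET_6` inserts a space after `checkov:`, which checkov's suppression syntax (`checkov:skip=<CHECK_ID>:<reason>`) does not use, so as far as I can tell the skip will most likely stop matching and CKV_SECRET_6 will be reported again on this line; the `secret_type = "username_password"` line added in the first patch of this series keeps the original spacing, so the two are now inconsistent as well. Unless this was a deliberate formatter change, restore the contiguous form and add the reason the directive expects, `secret_type = "imported_cert" #checkov:skip=CKV_SECRET_6: static secret-type identifier, not a credential`. The `module "secrets_manager_service_credentials_cert"` block this line belongs to starts outside the hunk.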