| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allowed_network | The types of service endpoints to set on the Secrets Manager instance. Possible values are `private-only` or `public-and-private`. | `string` | `"public-and-private"` | no |
| cbr_rules | (Optional, list) List of context-based restriction (CBR) rules to create for the instance. | <pre>list(object({<br>  description      = string<br>  account_id       = string<br>  rule_contexts = list(object({<br>    attributes = optional(list(object({<br>      name  = string<br>      value = string<br>    })))<br>  }))<br>  enforcement_mode = string<br>}))</pre> | `[]` | no |
| enable_event_notification | Set this to `true` to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When set to `true`, a value must be passed for the `existing_en_instance_crn` variable. | `bool` | `false` | no |
| endpoint_type | The type of endpoint (`public` or `private`) that the Terraform provider uses to reach the Secrets Manager API, including when it configures Event Notifications. | `string` | `"public"` | no |
| existing_en_instance_crn | The CRN of the Event Notifications instance to connect for lifecycle notifications. Required when `enable_event_notification` is `true`. | `string` | `null` | no |
| existing_kms_instance_guid | The GUID of the Hyper Protect Crypto Services or Key Protect instance that the key specified in `kms_key_crn` belongs to. Required only if `kms_encryption_enabled` is `true` and `skip_kms_iam_authorization_policy` is `false`, because the IAM authorization policy is scoped to that instance. | `string` | `null` | no |
| kms_encryption_enabled | Set this to `true` to use your own root key (given in `kms_key_crn`) to encrypt the data that you store in Secrets Manager. If set to `false`, the data is still encrypted at rest with envelope encryption, but with keys that the service manages. For more details, see https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-mng-data&interface=ui#about-encryption. | `bool` | `false` | no |
| kms_key_crn | The CRN of the root key in a Key Management Service (Key Protect or Hyper Protect Crypto Services (HPCS)) to use for encryption. Only used if `kms_encryption_enabled` is `true`. | `string` | `null` | no |
| region | The region to provision the Secrets Manager instance in. | `string` | n/a | yes |
| resource_group_id | The ID of the resource group to provision the Secrets Manager instance in. | `string` | n/a | yes |
| secrets | Secret groups to create in the Secrets Manager instance, each with the secrets to create in it. | <pre>list(object({<br>  secret_group_name        = string<br>  secret_group_description = optional(string)<br>  existing_secret_group    = optional(bool, false)<br>  secrets = optional(list(object({<br>    secret_name                             = string<br>    secret_description                      = optional(string)<br>    secret_type                             = optional(string)<br>    imported_cert_certificate               = optional(string)<br>    imported_cert_private_key               = optional(string)<br>    imported_cert_intermediate              = optional(string)<br>    secret_username                         = optional(string)<br>    secret_labels                           = optional(list(string), [])<br>    secret_payload_password                 = optional(string, "")<br>    secret_auto_rotation                    = optional(bool, true)<br>    secret_auto_rotation_unit               = optional(string, "day")<br>    secret_auto_rotation_interval           = optional(number, 89)<br>    service_credentials_ttl                 = optional(string, "7776000") # 90 days<br>    service_credentials_source_service_crn  = optional(string)<br>    service_credentials_source_service_role = optional(string)<br>  })))<br>}))</pre> | `[]` | no |
| secrets_manager_name | The name to give the Secrets Manager instance. | `string` | n/a | yes |
| skip_en_iam_authorization_policy | Set to `true` to skip creating the IAM authorization policy that grants all Secrets Manager instances in the resource group the `Event Source Manager` role on the Event Notifications instance passed in `existing_en_instance_crn`. Skip it only if an equivalent policy already exists, because the notification integration depends on that role. No policy is created if `enable_event_notification` is `false`. | `bool` | `false` | no |
| skip_kms_iam_authorization_policy | Set to `true` to skip creating the IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to `false`, pass the KMS instance GUID in `existing_kms_instance_guid` so the policy can be scoped to it. No policy is created if `kms_encryption_enabled` is `false`. | `bool` | `false` | no |
| sm_service_plan | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
| sm_tags | The list of resource tags that you want to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |
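The inputs above carry several cross-variable requirements (an Event Notifications CRN when notifications are enabled, a key CRN when customer-managed encryption is enabled, a KMS instance GUID when the module is to create the reader policy). The following root module is an added example, not code from the module or its README: it calls the module with a private-only instance, customer-managed encryption, Event Notifications and a CBR rule, and states those requirements as a Terraform `check` block so a bad combination is reported at plan time. The registry source path, the account ID, the KMS GUID and key CRN, the Event Notifications CRN, the CBR zone ID and the `username_password` secret type are assumptions to be replaced with real values; the fourth assertion (a private-only instance should be managed over the private endpoint) is my own addition and is not stated in the inputs table.

```hcl
# Added example, not the module's own code. All IDs and CRNs below are
# placeholders, and the module source path is an assumption.

terraform {
  required_version   = ">= 1.5.0" # check blocks
  required_providers { ibm = { source = "IBM-Cloud/ibm" } }
}

provider "ibm" {
  region = local.region # the API key comes from IBMCLOUD_API_KEY, never from code
}

variable "db_password" {
  type      = string
  sensitive = true # supply via TF_VAR_db_password, not as a literal
}

locals {
  region            = "us-south"
  resource_group_id = "0123456789abcdef0123456789abcdef"    # placeholder
  account_id        = "abcdef0123456789abcdef0123456789"    # placeholder
  kms_instance_guid = "11111111-2222-3333-4444-555555555555" # placeholder
  kms_key_crn       = "crn:v1:bluemix:public:kms:us-south:a/${local.account_id}:${local.kms_instance_guid}:key:66666666-7777-8888-9999-000000000000" # placeholder
  en_instance_crn   = "crn:v1:bluemix:public:event-notifications:us-south:a/${local.account_id}:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee::" # placeholder
  cbr_zone_id       = "559052eb8f43302824e7ae490c0281eb"    # placeholder

  allowed_network           = "private-only"
  endpoint_type             = "private"
  kms_encryption_enabled    = true
  skip_kms_iam_policy       = false
  enable_event_notification = true
}

# The cross-variable requirements from the inputs table, checked at plan time.
check "secrets_manager_inputs" {
  assert {
    condition     = !local.enable_event_notification || local.en_instance_crn != null
    error_message = "enable_event_notification requires existing_en_instance_crn."
  }
  assert {
    condition     = !local.kms_encryption_enabled || local.kms_key_crn != null
    error_message = "kms_encryption_enabled requires kms_key_crn."
  }
  assert {
    condition     = !(local.kms_encryption_enabled && !local.skip_kms_iam_policy) || local.kms_instance_guid != null
    error_message = "existing_kms_instance_guid is needed to scope the KMS IAM authorization policy."
  }
  assert {
    # Assumption (not from the table): a private-only instance has no public API endpoint.
    condition     = local.allowed_network != "private-only" || local.endpoint_type == "private"
    error_message = "A private-only instance must be managed over the private endpoint."
  }
}

module "secrets_manager" {
  source = "terraform-ibm-modules/secrets-manager/ibm" # assumed registry path

  secrets_manager_name = "prod-secrets-manager"
  region               = local.region
  resource_group_id    = local.resource_group_id
  sm_service_plan      = "standard"

  allowed_network = local.allowed_network
  endpoint_type   = local.endpoint_type

  # Customer-managed root key; the module also creates the key-reader
  # authorization policy because skip_kms_iam_authorization_policy is false.
  kms_encryption_enabled            = local.kms_encryption_enabled
  kms_key_crn                       = local.kms_key_crn
  existing_kms_instance_guid        = local.kms_instance_guid
  skip_kms_iam_authorization_policy = local.skip_kms_iam_policy

  enable_event_notification        = local.enable_event_notification
  existing_en_instance_crn         = local.en_instance_crn
  skip_en_iam_authorization_policy = false

  # Restrict the instance to one CBR network zone over private endpoints.
  cbr_rules = [{
    description      = "Allow only the application VPC zone"
    account_id       = local.account_id
    enforcement_mode = "enabled"
    rule_contexts = [{
      attributes = [
        { name = "endpointType", value = "private" },
        { name = "networkZoneId", value = local.cbr_zone_id },
      ]
    }]
  }]

  secrets = [{
    secret_group_name        = "app-credentials"
    secret_group_description = "Rotated application credentials"
    secrets = [{
      secret_name                   = "db-app-user"
      secret_type                   = "username_password" # assumed value; confirm against the module
      secret_username               = "app"
      secret_payload_password       = var.db_password
      secret_auto_rotation          = true
      secret_auto_rotation_unit     = "day"
      secret_auto_rotation_interval = 30
    }]
  }]
}
```

A failing `check` block only produces a plan warning; to make a wrong combination a hard error, move the conditions into a `precondition` on a resource or, on Terraform 1.9 and later, into cross-variable `validation` blocks. Note also that both IAM authorization policies the module creates are scoped to every Secrets Manager instance in the resource group, not just this one, so put the instance in a resource group of its own if that breadth is not acceptable.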