feat: add support for creating git access token to SM (#490)

Author: huayuenh

README.md

@@ -477,6 +477,7 @@ statement instead the previous block.
 | <a name="input_create_cd_toolchain"></a> [create\_cd\_toolchain](#input\_create\_cd\_toolchain) | Boolean flag which determines if the DevSecOps CD toolchain is created. | `bool` | `true` | no |
 | <a name="input_create_ci_toolchain"></a> [create\_ci\_toolchain](#input\_create\_ci\_toolchain) | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence\_repo\_url, issues\_repo\_url and inventory\_repo\_url. | `bool` | `true` | no |
 | <a name="input_create_cos_api_key"></a> [create\_cos\_api\_key](#input\_create\_cos\_api\_key) | Set to `true` to create and add a `cos-api-key` to the Secrets Provider. | `bool` | `false` | no |
+| <a name="input_create_git_token"></a> [create\_git\_token](#input\_create\_git\_token) | Set to `true` to create and add the specified personal access token secret to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_ibmcloud_api_key"></a> [create\_ibmcloud\_api\_key](#input\_create\_ibmcloud\_api\_key) | Set to `true` to create and add an `ibmcloud-api-key` to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_icr_namespace"></a> [create\_icr\_namespace](#input\_create\_icr\_namespace) | Set to `true` to have Terraform create the registry namespace. Setting to `false` will have the CI pipeline create the namespace if it does not already exist. Note: If a Terraform destroy is used, the ICR namespace along with all images will be removed. | `bool` | `false` | no |
 | <a name="input_create_secret_group"></a> [create\_secret\_group](#input\_create\_secret\_group) | Set to `true` to create the specified Secrets Manager secret group. | `bool` | `false` | no |
@@ -545,6 +546,7 @@ statement instead the previous block.
 | <a name="input_registry_namespace"></a> [registry\_namespace](#input\_registry\_namespace) | A unique namespace within the IBM Cloud Container Registry region where the application image is stored. | `string` | `""` | no |
 | <a name="input_repo_git_token_secret_crn"></a> [repo\_git\_token\_secret\_crn](#input\_repo\_git\_token\_secret\_crn) | The CRN for the repositories Git Token. | `string` | `""` | no |
 | <a name="input_repo_git_token_secret_name"></a> [repo\_git\_token\_secret\_name](#input\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to `pat`. | `string` | `""` | no |
+| <a name="input_repo_git_token_secret_value"></a> [repo\_git\_token\_secret\_value](#input\_repo\_git\_token\_secret\_value) | The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider. | `string` | `""` | no |
 | <a name="input_repo_group"></a> [repo\_group](#input\_repo\_group) | Specify the Git user or group for your application. This must be set if the repository authentication type is `pat` (personal access token). | `string` | `""` | no |
 | <a name="input_repo_secret_group"></a> [repo\_secret\_group](#input\_repo\_secret\_group) | Secret group in Secrets Manager that contains the secret for the repository. This variable will set the same secret group for all the repositories. Can be overriden on a per secret group basis. Only applies when using Secrets Manager. | `string` | `""` | no |
 | <a name="input_repositories_prefix"></a> [repositories\_prefix](#input\_repositories\_prefix) | Prefix name for the cloned compliance repos. For the repositories\_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters. | `string` | `"compliance"` | no |

ibm_catalog.json

@@ -1066,6 +1066,13 @@
                             "description": "Set to `true` to create and add a `cos-api-key` to the Secrets Provider.",
                             "required": false
                         },
+                        {
+                            "key": "create_git_token",
+                            "type": "boolean",
+                            "default_value": false,
+                            "description": "Set to `true` to create and add the specified personal access token secret to the Secrets Provider.",
+                            "required": false
+                        },
                         {
                             "key": "create_ibmcloud_api_key",
                             "type": "boolean",
@@ -1486,6 +1493,13 @@
                             "description": "Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to `pat`.",
                             "required": false
                         },
+                        {
+                            "key": "repo_git_token_secret_value",
+                            "type": "password",
+                            "default_value": "",
+                            "description": "The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider.",
+                            "required": false
+                        },
                         {
                             "key": "repo_group",
                             "type": "string",
@@ -2848,6 +2862,13 @@
                             "description": "Set to `true` to create and add a `cos-api-key` to the Secrets Provider.",
                             "required": false
                         },
+                        {
+                            "key": "create_git_token",
+                            "type": "boolean",
+                            "default_value": false,
+                            "description": "Set to `true` to create and add the specified personal access token secret to the Secrets Provider.",
+                            "required": false
+                        },
                         {
                             "key": "create_ibmcloud_api_key",
                             "type": "boolean",
@@ -3268,6 +3289,13 @@
                             "description": "Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to `pat`.",
                             "required": false
                         },
+                        {
+                            "key": "repo_git_token_secret_value",
+                            "type": "password",
+                            "default_value": "",
+                            "description": "The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider.",
+                            "required": false
+                        },
                         {
                             "key": "repo_group",
                             "type": "string",

main.tf

@@ -231,6 +231,7 @@ module "prereqs" {
   source                         = "./prereqs"
   create_ibmcloud_api_key        = var.create_ibmcloud_api_key
   create_cos_api_key             = var.create_cos_api_key
+  create_git_token               = var.create_git_token
   create_signing_key             = var.create_signing_key
   create_signing_certificate     = var.create_signing_certificate
   service_name_pipeline          = var.service_name_pipeline
@@ -244,6 +245,8 @@ module "prereqs" {
   iam_api_key_secret_name        = var.pipeline_ibmcloud_api_key_secret_name
   signing_key_secret_name        = var.ci_signing_key_secret_name
   signing_certifcate_secret_name = var.cd_code_signing_cert_secret_name
+  repo_git_token_secret_name     = var.repo_git_token_secret_name
+  repo_git_token_secret_value    = var.repo_git_token_secret_value
   rotation_period                = var.rotation_period
   sm_secret_expiration_period    = var.sm_secret_expiration_period
   sm_exists                      = var.enable_secrets_manager

prereqs/main.tf

@@ -198,6 +198,20 @@ resource "ibm_sm_arbitrary_secret" "secret_signing_certifcate" {
   endpoint_type   = var.sm_endpoint_type
 }
 
+resource "ibm_sm_arbitrary_secret" "git_token" {
+  count           = ((var.create_git_token == true) && (var.sm_exists == true)) ? 1 : 0
+  depends_on      = [ibm_sm_secret_group.sm_secret_group]
+  region          = var.sm_location
+  instance_id     = (local.sm_instance_id != "") ? local.sm_instance_id : var.sm_instance_id
+  secret_group_id = (var.create_secret_group == false) ? data.ibm_sm_secret_group.existing_sm_secret_group[0].secret_group_id : ibm_sm_secret_group.sm_secret_group[0].secret_group_id
+  name            = var.repo_git_token_secret_name
+  description     = "A personal access token for accessing your repositories."
+  labels          = []
+  payload         = var.repo_git_token_secret_value
+  expiration_date = local.expiration_date
+  endpoint_type   = var.sm_endpoint_type
+}
+
 ################## IAM CREDENTIALS###############################
 resource "ibm_sm_iam_credentials_secret" "iam_pipeline_apikey_credentials_secret" {
   count       = ((var.create_ibmcloud_api_key == true) && (var.sm_exists == true)) ? 1 : 0

prereqs/variables.tf

@@ -40,6 +40,25 @@ variable "create_signing_certificate" {
   default     = false
 }
 
+variable "create_git_token" {
+  type        = bool
+  description = "Set to `true` to create and add the specified personal access token secret to the Secrets Provider."
+  default     = false
+}
+
+variable "repo_git_token_secret_name" {
+  type        = string
+  description = "Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to `pat`."
+  default     = ""
+}
+
+variable "repo_git_token_secret_value" {
+  type        = string
+  sensitive   = true
+  description = "The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider."
+  default     = ""
+}
+
 variable "sm_exists" {
   description = "Only connect to the Secrets Manager instance if it has been enabled for the toolchain."
   type        = bool

solutions/code-engine/README.md

@@ -461,6 +461,7 @@ No resources.
 | <a name="input_create_cd_toolchain"></a> [create\_cd\_toolchain](#input\_create\_cd\_toolchain) | Boolean flag which determines if the DevSecOps CD toolchain is created. | `bool` | `true` | no |
 | <a name="input_create_ci_toolchain"></a> [create\_ci\_toolchain](#input\_create\_ci\_toolchain) | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence\_repo\_url, issues\_repo\_url and inventory\_repo\_url. | `bool` | `true` | no |
 | <a name="input_create_cos_api_key"></a> [create\_cos\_api\_key](#input\_create\_cos\_api\_key) | Set to `true` to create and add a `cos-api-key` to the Secrets Provider. | `bool` | `false` | no |
+| <a name="input_create_git_token"></a> [create\_git\_token](#input\_create\_git\_token) | Set to `true` to create and add the specified personal access token secret to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_ibmcloud_api_key"></a> [create\_ibmcloud\_api\_key](#input\_create\_ibmcloud\_api\_key) | Set to `true` to create and add an `ibmcloud-api-key` to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_icr_namespace"></a> [create\_icr\_namespace](#input\_create\_icr\_namespace) | Set to `true` to have Terraform create the registry namespace. Setting to `false` will have the CI pipeline create the namespace if it does not already exist. Note: If a Terraform destroy is used, the ICR namespace along with all images will be removed. | `bool` | `false` | no |
 | <a name="input_create_secret_group"></a> [create\_secret\_group](#input\_create\_secret\_group) | Set to `true` to create the specified Secrets Manager secret group. | `bool` | `false` | no |
@@ -529,6 +530,7 @@ No resources.
 | <a name="input_registry_namespace"></a> [registry\_namespace](#input\_registry\_namespace) | A unique namespace within the IBM Cloud Container Registry region where the application image is stored. | `string` | `""` | no |
 | <a name="input_repo_git_token_secret_crn"></a> [repo\_git\_token\_secret\_crn](#input\_repo\_git\_token\_secret\_crn) | The CRN for the repositories Git Token. | `string` | `""` | no |
 | <a name="input_repo_git_token_secret_name"></a> [repo\_git\_token\_secret\_name](#input\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to `pat`. | `string` | `""` | no |
+| <a name="input_repo_git_token_secret_value"></a> [repo\_git\_token\_secret\_value](#input\_repo\_git\_token\_secret\_value) | The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider. | `string` | `""` | no |
 | <a name="input_repo_group"></a> [repo\_group](#input\_repo\_group) | Specify the Git user or group for your application. This must be set if the repository authentication type is `pat` (personal access token). | `string` | `""` | no |
 | <a name="input_repo_secret_group"></a> [repo\_secret\_group](#input\_repo\_secret\_group) | Secret group in Secrets Manager that contains the secret for the repository. This variable will set the same secret group for all the repositories. Can be overriden on a per secret group basis. Only applies when using Secrets Manager. | `string` | `""` | no |
 | <a name="input_repositories_prefix"></a> [repositories\_prefix](#input\_repositories\_prefix) | Prefix name for the cloned compliance repos. For the repositories\_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters. | `string` | `"compliance"` | no |

solutions/code-engine/main.tf

@@ -35,6 +35,7 @@ module "devsecops_da" {
   create_cd_toolchain                               = var.create_cd_toolchain
   create_ci_toolchain                               = var.create_ci_toolchain
   create_cos_api_key                                = var.create_cos_api_key
+  create_git_token                                  = var.create_git_token
   create_ibmcloud_api_key                           = var.create_ibmcloud_api_key
   create_icr_namespace                              = var.create_icr_namespace
   create_secret_group                               = var.create_secret_group
@@ -102,6 +103,7 @@ module "devsecops_da" {
   registry_namespace                                = var.registry_namespace
   repo_git_token_secret_crn                         = var.repo_git_token_secret_crn
   repo_git_token_secret_name                        = var.repo_git_token_secret_name
+  repo_git_token_secret_value                       = var.repo_git_token_secret_value
   repo_group                                        = var.repo_group
   repo_secret_group                                 = var.repo_secret_group
   repositories_prefix                               = var.repositories_prefix

solutions/code-engine/variables.tf

@@ -223,6 +223,12 @@ variable "create_cos_api_key" {
   default     = false
 }
 
+variable "create_git_token" {
+  type        = bool
+  description = "Set to `true` to create and add the specified personal access token secret to the Secrets Provider."
+  default     = false
+}
+
 variable "create_ibmcloud_api_key" {
   type        = bool
   description = "Set to `true` to create and add an `ibmcloud-api-key` to the Secrets Provider."
@@ -678,6 +684,13 @@ variable "repo_git_token_secret_name" {
   default     = ""
 }
 
+variable "repo_git_token_secret_value" {
+  type        = string
+  sensitive   = true
+  description = "The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider."
+  default     = ""
+}
+
 variable "repo_group" {
   type        = string
   description = "Specify the Git user or group for your application. This must be set if the repository authentication type is `pat` (personal access token)."

solutions/kubernetes/README.md

@@ -461,6 +461,7 @@ No resources.
 | <a name="input_create_cd_toolchain"></a> [create\_cd\_toolchain](#input\_create\_cd\_toolchain) | Boolean flag which determines if the DevSecOps CD toolchain is created. | `bool` | `true` | no |
 | <a name="input_create_ci_toolchain"></a> [create\_ci\_toolchain](#input\_create\_ci\_toolchain) | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence\_repo\_url, issues\_repo\_url and inventory\_repo\_url. | `bool` | `true` | no |
 | <a name="input_create_cos_api_key"></a> [create\_cos\_api\_key](#input\_create\_cos\_api\_key) | Set to `true` to create and add a `cos-api-key` to the Secrets Provider. | `bool` | `false` | no |
+| <a name="input_create_git_token"></a> [create\_git\_token](#input\_create\_git\_token) | Set to `true` to create and add the specified personal access token secret to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_ibmcloud_api_key"></a> [create\_ibmcloud\_api\_key](#input\_create\_ibmcloud\_api\_key) | Set to `true` to create and add an `ibmcloud-api-key` to the Secrets Provider. | `bool` | `false` | no |
 | <a name="input_create_icr_namespace"></a> [create\_icr\_namespace](#input\_create\_icr\_namespace) | Set to `true` to have Terraform create the registry namespace. Setting to `false` will have the CI pipeline create the namespace if it does not already exist. Note: If a Terraform destroy is used, the ICR namespace along with all images will be removed. | `bool` | `false` | no |
 | <a name="input_create_secret_group"></a> [create\_secret\_group](#input\_create\_secret\_group) | Set to `true` to create the specified Secrets Manager secret group. | `bool` | `false` | no |
@@ -529,6 +530,7 @@ No resources.
 | <a name="input_registry_namespace"></a> [registry\_namespace](#input\_registry\_namespace) | A unique namespace within the IBM Cloud Container Registry region where the application image is stored. | `string` | `""` | no |
 | <a name="input_repo_git_token_secret_crn"></a> [repo\_git\_token\_secret\_crn](#input\_repo\_git\_token\_secret\_crn) | The CRN for the repositories Git Token. | `string` | `""` | no |
 | <a name="input_repo_git_token_secret_name"></a> [repo\_git\_token\_secret\_name](#input\_repo\_git\_token\_secret\_name) | Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to `pat`. | `string` | `""` | no |
+| <a name="input_repo_git_token_secret_value"></a> [repo\_git\_token\_secret\_value](#input\_repo\_git\_token\_secret\_value) | The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider. | `string` | `""` | no |
 | <a name="input_repo_group"></a> [repo\_group](#input\_repo\_group) | Specify the Git user or group for your application. This must be set if the repository authentication type is `pat` (personal access token). | `string` | `""` | no |
 | <a name="input_repo_secret_group"></a> [repo\_secret\_group](#input\_repo\_secret\_group) | Secret group in Secrets Manager that contains the secret for the repository. This variable will set the same secret group for all the repositories. Can be overriden on a per secret group basis. Only applies when using Secrets Manager. | `string` | `""` | no |
 | <a name="input_repositories_prefix"></a> [repositories\_prefix](#input\_repositories\_prefix) | Prefix name for the cloned compliance repos. For the repositories\_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters. | `string` | `"compliance"` | no |