Setting up Terraform for Secrets Manager
Terraform on IBM Cloud enables predictable and consistent creation of IBM Cloud services so that you can rapidly build complex, multitier cloud environments that follow Infrastructure as Code (IaC) principles. Similar to using the IBM Cloud CLI or API and SDKs, you can automate the creation, update, and deletion of your Secrets Manager instances by using HashiCorp Configuration Language (HCL).
Looking for a managed Terraform on IBM Cloud solution? Try out IBM Cloud® Schematics. With Schematics, you can use the Terraform scripting language that you are familiar with. But you don't need to worry about setting up and maintaining the Terraform command line and the IBM Cloud Provider plug-in. Schematics also provides pre-defined Terraform templates that you can easily install from the IBM Cloud catalog.
Installing Terraform and configuring resources for Secrets Manager
Before you can create an authorization by using Terraform, make sure that you completed the following steps:
- Make sure that you have the required access to create and work with Secrets Manager resources.
- Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
- Create a Terraform configuration file that is named
main.tf
. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.
-
After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
terraform init
-
Create a Secrets Manager instance by using the
ibm_resource_instance
resource argument in yourmain.tf
file.-
The Secrets Manager instance in the following example is named
secrets-manager-london
and is created with the trial plan in theeu-gb
region. Theuser@ibm.com
is assigned the Administrator role in the IAM access policy. For other supported regions, see Regions and endpoints. Plan options includetrial
andstandard
.resource "ibm_resource_instance" "sm_instance" { name = "Secrets Manager-London" service = "secrets-manager" plan = "trial" location = "eu-gb" timeouts { create = "60m" delete = "2h" }, }
To view a complete list of the supported attributes, see
ibm_resource_instance
. -
Optionally, you can create a data source to retrieve information about an existing Secrets Manager instance from IBM Cloud, by running the following command.
data "ibm_resource_instance" "sm_resource_instance" { name = "Secrets Manager-London" location = "eu-gb" service = "secrets-manager" }
For a complete list of the supported attributes, see
ibm_resource_instance
. -
-
Provision the resources from the
main.tf
file. For more information, see Provisioning Infrastructure with Terraform.-
Run
terraform plan
to generate a Terraform execution plan to preview the proposed actions.terraform plan
-
Run
terraform apply
to create the resources that are defined in the plan.terraform apply
-
-
Define local values for your Secrets Manager instance to be used when you are creating resources.
locals { instance_id = data.ibm_resource_instance.sm_resource_instance.guid region = data.ibm_resource_instance.sm_resource_instance.location }
-
From the IBM Cloud resource list in the UI, select the Secrets Manager instance that you created and note the instance ID.
-
Verify that the access policy is successfully assigned. For more information, see Reviewing assigned access in the console.
Managing Resource Drift
With Terraform, you can safely and predictably manage the lifecycle of your infrastructure by using declarative configuration files. One challenge that exists when you are managing infrastructure as code is drift. Drift occurs when resources are added, deleted, or modified outside of applying Terraform configuration changes. For example, when a secret expires or is rotated. To avoid drift, always use Terraform to manage resources initially created with Terraform.
The Terraform state file is a record of all resources that Terraform manages. You must not make manual changes to resources that are controlled by Terraform because by doing so, the state file becomes out of sync or "drift", from the real infrastructure. If your state and configuration do not match your infrastructure, Terraform attempts to reconcile your infrastructure, which might unintentionally destroy or re-create resources.
When you are using the Secrets Manager Terraform provider, a drift might occur in cases such as:
- Secret expiration
- Secret auto-rotation
- External changes to Secret Manager resources that are controlled by Terraform
When you are designing your Terraform project, follow Terraform best practices for managing drift and lifecycle changes to avoid unintentional destruction or recreation of Secrets Manager resources.
What's next?
Now that you successfully created your first Secrets Manager service instance with Terraform on IBM Cloud, You can review the Secrets Manager resources and data sources in the Terraform registry. You can also review how to manage your Secrets Manager resources by following the Terraform steps that are included in the How to section. For example, you can follow the directions on how to create arbitrary secrets by using Terraform.