terraform-ibm-modules
diff --git a/‎README.md
+5 b/‎README.md
+5
diff --git a/‎ibm_catalog.json
+14 b/‎ibm_catalog.json
+14
diff --git a/‎main.tf
+36 b/‎main.tf
+36
diff --git a/‎prereqs/main.tf
+40-29 b/‎prereqs/main.tf
+40-29
diff --git a/‎prereqs/variables.tf
+6 b/‎prereqs/variables.tf
+6
diff --git a/‎solutions/code-engine/README.md
+1 b/‎solutions/code-engine/README.md
+1
@@ -74,6 +74,10 @@ statement instead the previous block.
 
 | Name | Type |
 |------|------|
+| [ibm_cd_tekton_pipeline_property.cc_pipeline_ibmcloud_api](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.70.0/docs/resources/cd_tekton_pipeline_property) | resource |
+| [ibm_cd_tekton_pipeline_property.cd_pipeline_ibmcloud_api](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.70.0/docs/resources/cd_tekton_pipeline_property) | resource |
+| [ibm_cd_tekton_pipeline_property.ci_pipeline_ibmcloud_api](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.70.0/docs/resources/cd_tekton_pipeline_property) | resource |
+| [ibm_cd_tekton_pipeline_property.pr_pipeline_ibmcloud_api](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.70.0/docs/resources/cd_tekton_pipeline_property) | resource |
 | [ibm_cd_tekton_pipeline_trigger.ci_pipeline_webhook](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.70.0/docs/resources/cd_tekton_pipeline_trigger) | resource |
 | [ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_branch_property](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.70.0/docs/resources/cd_tekton_pipeline_trigger_property) | resource |
 | [ibm_cd_tekton_pipeline_trigger_property.ci_pipeline_webhook_name_property](https://registry.terraform.io/providers/IBM-Cloud/ibm/1.70.0/docs/resources/cd_tekton_pipeline_trigger_property) | resource |
@@ -523,6 +527,7 @@ statement instead the previous block.
 | <a name="input_evidence_repo_name"></a> [evidence\_repo\_name](#input\_evidence\_repo\_name) | Set to use a custom name for the Evidence repository. | `string` | `""` | no |
 | <a name="input_evidence_repo_secret_group"></a> [evidence\_repo\_secret\_group](#input\_evidence\_repo\_secret\_group) | Secret group for the Evidence repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
 | <a name="input_force_create_standard_api_key"></a> [force\_create\_standard\_api\_key](#input\_force\_create\_standard\_api\_key) | Set to `true` to force create a standard api key. By default the generated apikey will be a service api key. It is recommended to use a Git Token when using the service api key. In the case where the user has been invited to an account and that user not the account owner, during toolchain creation the default compliance repositories will be created in that user's account and the service api will not have access to those repositories. In this case a Git Token for the repositories is required. See `repo_git_token_secret_name` for more details. The alternative is to set `force_create_standard_api_key` to `true` to create a standard api key. | `bool` | `false` | no |
+| <a name="input_ibmcloud_api"></a> [ibmcloud\_api](#input\_ibmcloud\_api) | The environment URL. When left unset this will default to `https://cloud.ibm.com` | `string` | `""` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The API key used to create the toolchains. (See deployment guide.) | `string` | n/a | yes |
 | <a name="input_inventory_group"></a> [inventory\_group](#input\_inventory\_group) | Specify the Git user or group for the inventory repository. | `string` | `""` | no |
 | <a name="input_inventory_repo_auth_type"></a> [inventory\_repo\_auth\_type](#input\_inventory\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |
 
@@ -1531,6 +1531,13 @@
                             "description": "Set to `true` to force create a standard api key. By default the generated apikey will be a service api key. It is recommended to use a Git Token when using the service api key. In the case where the user has been invited to an account and that user not the account owner, during toolchain creation the default compliance repositories will be created in that user's account and the service api will not have access to those repositories. In this case a Git Token for the repositories is required. See `repo_git_token_secret_name` for more details. The alternative is to set `force_create_standard_api_key` to `true` to create a standard api key.",
                             "required": false
                         },
+                        {
+                            "key": "ibmcloud_api",
+                            "type": "string",
+                            "default_value": "",
+                            "description": "The environment URL. When left unset this will default to `https://cloud.ibm.com`",
+                            "required": false
+                        },
                         {
                             "key": "inventory_group",
                             "type": "string",
@@ -3672,6 +3679,13 @@
                             "description": "Set to `true` to force create a standard api key. By default the generated apikey will be a service api key. It is recommended to use a Git Token when using the service api key. In the case where the user has been invited to an account and that user not the account owner, during toolchain creation the default compliance repositories will be created in that user's account and the service api will not have access to those repositories. In this case a Git Token for the repositories is required. See `repo_git_token_secret_name` for more details. The alternative is to set `force_create_standard_api_key` to `true` to create a standard api key.",
                             "required": false
                         },
+                        {
+                            "key": "ibmcloud_api",
+                            "type": "string",
+                            "default_value": "",
+                            "description": "The environment URL. When left unset this will default to `https://cloud.ibm.com`",
+                            "required": false
+                        },
                         {
                             "key": "inventory_group",
                             "type": "string",
 
@@ -326,6 +326,7 @@ module "prereqs" {
   create_kubernetes_access_policy  = var.create_kubernetes_access_policy
   toolchain_access_group_name      = var.toolchain_access_group_name
   create_access_group              = var.create_access_group
+  prefix                           = var.prefix
 }
 
 module "devsecops_ci_toolchain" {
@@ -1188,6 +1189,41 @@ resource "null_resource" "ci_pipeline_run" {
   }
 }
 
+############# Additional pipeline property for Stack airgap support ############################
+
+resource "ibm_cd_tekton_pipeline_property" "ci_pipeline_ibmcloud_api" {
+  count       = (var.create_ci_toolchain == true && var.ibmcloud_api != "") ? 1 : 0
+  name        = "ibmcloud-api"
+  type        = "text"
+  value       = var.ibmcloud_api
+  pipeline_id = module.devsecops_ci_toolchain[0].ci_pipeline_id
+}
+
+resource "ibm_cd_tekton_pipeline_property" "pr_pipeline_ibmcloud_api" {
+  count       = (var.create_ci_toolchain == true && var.ibmcloud_api != "") ? 1 : 0
+  name        = "ibmcloud-api"
+  type        = "text"
+  value       = var.ibmcloud_api
+  pipeline_id = module.devsecops_ci_toolchain[0].pr_pipeline_id
+}
+
+resource "ibm_cd_tekton_pipeline_property" "cd_pipeline_ibmcloud_api" {
+  count       = (var.create_cd_toolchain == true && var.ibmcloud_api != "") ? 1 : 0
+  name        = "ibmcloud-api"
+  type        = "text"
+  value       = var.ibmcloud_api
+  pipeline_id = module.devsecops_cd_toolchain[0].cd_pipeline_id
+}
+
+resource "ibm_cd_tekton_pipeline_property" "cc_pipeline_ibmcloud_api" {
+  count       = (var.create_cc_toolchain == true && var.ibmcloud_api != "") ? 1 : 0
+  name        = "ibmcloud-api"
+  type        = "text"
+  value       = var.ibmcloud_api
+  pipeline_id = module.devsecops_cc_toolchain[0].cc_pipeline_id
+}
+
+
 #############################################################
 ## Example resources to extend the ci_toolchain created above
 #############################################################
 
@@ -56,24 +56,24 @@ resource "time_static" "timestamp" {
 
 resource "ibm_iam_service_id" "pipeline_service_id" {
   count = (local.create_pipeline_service_api_key) ? 1 : 0
-  name  = var.service_name_pipeline
+  name  = (var.prefix == "") ? var.service_name_pipeline : format("${var.prefix}-%s", var.service_name_pipeline)
 }
 
 resource "ibm_iam_service_id" "cos_service_id" {
   count = (local.create_cos_service_api_key) ? 1 : 0
-  name  = var.service_name_cos
+  name  = (var.prefix == "") ? var.service_name_cos : format("${var.prefix}-%s", var.service_name_cos)
 }
 
 data "ibm_iam_service_id" "pipeline_service_id" {
   count      = (local.create_pipeline_service_api_key) ? 1 : 0
   depends_on = [ibm_iam_service_id.pipeline_service_id]
-  name       = var.service_name_pipeline
+  name       = (var.prefix == "") ? var.service_name_pipeline : format("${var.prefix}-%s", var.service_name_pipeline)
 }
 
 data "ibm_iam_service_id" "cos_service_id" {
   count      = (local.create_cos_service_api_key) ? 1 : 0
   depends_on = [ibm_iam_service_id.cos_service_id]
-  name       = var.service_name_cos
+  name       = (var.prefix == "") ? var.service_name_cos : format("${var.prefix}-%s", var.service_name_cos)
 }
 
 resource "ibm_iam_service_policy" "cos_policy" {
@@ -122,6 +122,16 @@ resource "ibm_iam_service_policy" "cr_policy" {
   }
 }
 
+resource "ibm_iam_service_policy" "toolchain_policy" {
+  count          = (local.create_pipeline_service_api_key) ? 1 : 0
+  iam_service_id = ibm_iam_service_id.pipeline_service_id[0].id
+  roles          = ["Editor"]
+  resources {
+    service           = "toolchain"
+    resource_group_id = data.ibm_resource_group.resource_group.id
+  }
+}
+
 resource "ibm_iam_service_policy" "cd_policy" {
   count          = (local.create_pipeline_service_api_key) ? 1 : 0
   iam_service_id = ibm_iam_service_id.pipeline_service_id[0].id
@@ -137,7 +147,8 @@ resource "ibm_iam_service_policy" "kube_policy" {
   iam_service_id = ibm_iam_service_id.pipeline_service_id[0].id
   roles          = ["Manager", "Editor"]
   resources {
-    service = "containers-kubernetes"
+    service           = "containers-kubernetes"
+    resource_group_id = data.ibm_resource_group.resource_group.id
   }
 }
 
@@ -265,18 +276,25 @@ resource "ibm_sm_arbitrary_secret" "private_worker_secret" {
 
 ################## IAM CREDENTIALS SERVICE API KEYS ###############################
 
-resource "ibm_sm_iam_credentials_configuration" "iam_credentials_configuration" {
-  count         = (local.create_pipeline_service_api_key == true || local.create_auto_rotatable_cos_service_api_key == true) ? 1 : 0
-  instance_id   = (local.sm_instance_id != "") ? local.sm_instance_id : var.sm_instance_id
-  region        = var.sm_location
-  name          = "iam_credentials_config"
-  api_key       = var.ibmcloud_api_key
-  endpoint_type = var.sm_endpoint_type
+resource "ibm_iam_authorization_policy" "secretsmanager_iam_group_auth_policy" {
+  count                       = (local.create_pipeline_service_api_key == true || local.create_auto_rotatable_cos_service_api_key == true) ? 1 : 0
+  source_service_name         = "secrets-manager"
+  source_resource_instance_id = (local.sm_instance_id != "") ? local.sm_instance_id : var.sm_instance_id
+  target_service_name         = "iam-groups"
+  roles                       = ["Groups Service Member Manage"]
+}
+
+resource "ibm_iam_authorization_policy" "secretsmanager_iam_identitiy_auth_policy" {
+  count                       = (local.create_pipeline_service_api_key == true || local.create_auto_rotatable_cos_service_api_key == true) ? 1 : 0
+  source_service_name         = "secrets-manager"
+  source_resource_instance_id = (local.sm_instance_id != "") ? local.sm_instance_id : var.sm_instance_id
+  target_service_name         = "iam-identity"
+  roles                       = ["Operator"]
 }
 
 resource "ibm_sm_iam_credentials_secret" "iam_pipeline_apikey_credentials_secret" {
   count       = (local.create_pipeline_service_api_key) ? 1 : 0
-  depends_on  = [ibm_sm_secret_group.sm_secret_group, data.ibm_sm_secret_group.existing_sm_secret_group, ibm_sm_iam_credentials_configuration.iam_credentials_configuration]
+  depends_on  = [ibm_sm_secret_group.sm_secret_group, data.ibm_sm_secret_group.existing_sm_secret_group, ibm_iam_authorization_policy.secretsmanager_iam_group_auth_policy, ibm_iam_authorization_policy.secretsmanager_iam_identitiy_auth_policy]
   instance_id = data.ibm_resource_instance.sm_instance[0].guid
   region      = var.sm_location
   name        = var.iam_api_key_secret_name
@@ -294,7 +312,7 @@ resource "ibm_sm_iam_credentials_secret" "iam_pipeline_apikey_credentials_secret
 
 resource "ibm_sm_iam_credentials_secret" "iam_cos_apikey_credentials_secret" {
   count       = (local.create_auto_rotatable_cos_service_api_key) ? 1 : 0
-  depends_on  = [ibm_sm_secret_group.sm_secret_group, data.ibm_sm_secret_group.existing_sm_secret_group, ibm_sm_iam_credentials_configuration.iam_credentials_configuration]
+  depends_on  = [ibm_sm_secret_group.sm_secret_group, data.ibm_sm_secret_group.existing_sm_secret_group, ibm_iam_authorization_policy.secretsmanager_iam_group_auth_policy, ibm_iam_authorization_policy.secretsmanager_iam_identitiy_auth_policy]
   instance_id = data.ibm_resource_instance.sm_instance[0].guid
   region      = var.sm_location
   name        = var.cos_api_key_secret_name
@@ -355,18 +373,10 @@ resource "ibm_sm_arbitrary_secret" "secret_cos_api_key" {
 
 resource "ibm_iam_access_group" "toolchain_access_group" {
   count       = (var.create_access_group == true) ? 1 : 0
-  name        = var.toolchain_access_group_name
+  name        = (var.prefix == "") ? var.toolchain_access_group_name : format("${var.prefix}-%s", var.toolchain_access_group_name)
   description = "Access group used for DevSecOps toolchain operations."
 }
 
-
-#resource "ibm_iam_access_group_members" "service_ids" {
-#  count           = (var.create_access_group == true && local.create_pipeline_service_api_key) ? 1 : 0
-#  access_group_id = ibm_iam_access_group.toolchain_access_group[0].id
-#  iam_service_ids = local.service_id_list
-#}
-
-
 resource "ibm_iam_access_group_policy" "resource_group_policy" {
   count           = (var.create_access_group == true && local.create_api_key == true) ? 1 : 0
   access_group_id = ibm_iam_access_group.toolchain_access_group[0].id
@@ -380,7 +390,7 @@ resource "ibm_iam_access_group_policy" "resource_group_policy" {
 resource "ibm_iam_access_group_policy" "toolchain_group_policy" {
   count           = (var.create_access_group == true && local.create_api_key == true) ? 1 : 0
   access_group_id = ibm_iam_access_group.toolchain_access_group[0].id
-  roles           = ["Editor"]
+  roles           = ["Editor", "PipelineRunner"]
   resources {
     service           = "toolchain"
     resource_group_id = data.ibm_resource_group.resource_group.id
@@ -392,13 +402,14 @@ resource "ibm_iam_access_group_policy" "sm_group_policy" {
   access_group_id = ibm_iam_access_group.toolchain_access_group[0].id
   roles           = ["Manager"]
   resources {
-    service = "secrets-manager"
+    service           = "secrets-manager"
+    resource_group_id = data.ibm_resource_group.resource_group.id
   }
 }
 
 ### Access policies specific to restricting the use of a standard api keys to users added to the access group
 resource "ibm_iam_access_group_policy" "cr_group_policy" {
-  count           = (var.create_access_group == true && (local.create_pipeline_api_key == true || local.create_provided_api_key == true)) ? 1 : 0
+  count           = (var.create_access_group == true && (local.create_api_key == true || local.create_provided_api_key == true)) ? 1 : 0
   access_group_id = ibm_iam_access_group.toolchain_access_group[0].id
   roles           = ["Manager"]
   resources {
@@ -407,7 +418,7 @@ resource "ibm_iam_access_group_policy" "cr_group_policy" {
 }
 
 resource "ibm_iam_access_group_policy" "continuous_delivery_group_policy" {
-  count           = (var.create_access_group == true && (local.create_pipeline_api_key == true || local.create_provided_api_key == true)) ? 1 : 0
+  count           = (var.create_access_group == true && (local.create_api_key == true || local.create_provided_api_key == true)) ? 1 : 0
   access_group_id = ibm_iam_access_group.toolchain_access_group[0].id
   roles           = ["Writer"]
   resources {
@@ -417,7 +428,7 @@ resource "ibm_iam_access_group_policy" "continuous_delivery_group_policy" {
 }
 
 resource "ibm_iam_access_group_policy" "ce_group_policy" {
-  count           = (var.create_access_group == true && var.create_code_engine_access_policy == true && (local.create_pipeline_api_key == true || local.create_provided_api_key == true)) ? 1 : 0
+  count           = ((var.create_access_group == true && var.create_code_engine_access_policy == true) && (local.create_api_key == true || local.create_provided_api_key == true)) ? 1 : 0
   access_group_id = ibm_iam_access_group.toolchain_access_group[0].id
   roles           = ["Manager", "Editor"]
   resources {
@@ -427,7 +438,7 @@ resource "ibm_iam_access_group_policy" "ce_group_policy" {
 }
 
 resource "ibm_iam_access_group_policy" "kube_group_policy" {
-  count           = (var.create_access_group == true && var.create_kubernetes_access_policy == true && (local.create_pipeline_api_key == true || local.create_provided_api_key == true)) ? 1 : 0
+  count           = ((var.create_access_group == true && var.create_kubernetes_access_policy == true) && (local.create_api_key == true || local.create_provided_api_key == true)) ? 1 : 0
   access_group_id = ibm_iam_access_group.toolchain_access_group[0].id
   roles           = ["Manager", "Editor"]
   resources {
 
@@ -249,3 +249,9 @@ variable "create_access_group" {
   description = "Set to `true` to create an access group for the operations of the DevSecOps toolchains."
   default     = false
 }
+
+variable "prefix" {
+  type        = string
+  description = "A prefix that is added to the toolchain resources."
+  default     = ""
+}
@@ -241,6 +241,7 @@ No resources.
 | <a name="input_evidence_repo_name"></a> [evidence\_repo\_name](#input\_evidence\_repo\_name) | Set to use a custom name for the Evidence repository. | `string` | `""` | no |
 | <a name="input_evidence_repo_secret_group"></a> [evidence\_repo\_secret\_group](#input\_evidence\_repo\_secret\_group) | Secret group for the Evidence repository secret. Defaults to the value set in `sm_secret_group` if not set. Only used with `Secrets Manager`. | `string` | `""` | no |
 | <a name="input_force_create_standard_api_key"></a> [force\_create\_standard\_api\_key](#input\_force\_create\_standard\_api\_key) | Set to `true` to force create a standard api key. By default the generated apikey will be a service api key. It is recommended to use a Git Token when using the service api key. In the case where the user has been invited to an account and that user not the account owner, during toolchain creation the default compliance repositories will be created in that user's account and the service api will not have access to those repositories. In this case a Git Token for the repositories is required. See `repo_git_token_secret_name` for more details. The alternative is to set `force_create_standard_api_key` to `true` to create a standard api key. | `bool` | `false` | no |
+| <a name="input_ibmcloud_api"></a> [ibmcloud\_api](#input\_ibmcloud\_api) | The environment URL. When left unset this will default to `https://cloud.ibm.com` | `string` | `""` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The API key used to create the toolchains. (See deployment guide.) | `string` | n/a | yes |
 | <a name="input_inventory_group"></a> [inventory\_group](#input\_inventory\_group) | Specify the Git user or group for the inventory repository. | `string` | `""` | no |
 | <a name="input_inventory_repo_auth_type"></a> [inventory\_repo\_auth\_type](#input\_inventory\_repo\_auth\_type) | Select the method of authentication that is used to access the Git repository. Valid values are 'oauth' or 'pat'. Defaults to `oauth` when unset. `pat` is a git `personal access token`. | `string` | `""` | no |