feat: added support for creating resource key with private endpoints

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-10-07T09:32:06Z",
+  "generated_at": "2025-10-27T07:44:08Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

README.md

@@ -156,6 +156,7 @@ You need the following permissions to run this module.
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the Event Streams instance is created. | `string` | n/a | yes |
 | <a name="input_schema_global_rule"></a> [schema\_global\_rule](#input\_schema\_global\_rule) | Schema global compatibility rule. Allowed values are 'NONE', 'FULL', 'FULL\_TRANSITIVE', 'FORWARD', 'FORWARD\_TRANSITIVE', 'BACKWARD', 'BACKWARD\_TRANSITIVE'. | `string` | `null` | no |
 | <a name="input_schemas"></a> [schemas](#input\_schemas) | The list of schema objects. Include the `schema_id` and the `type` and `name` of the schema in the `schema` object. | <pre>list(object(<br/>    {<br/>      schema_id = string<br/>      schema = object({<br/>        type = string<br/>        name = string<br/>        fields = optional(list(object({<br/>          name = string<br/>          type = string<br/>        })))<br/>      })<br/>    }<br/>  ))</pre> | `[]` | no |
+| <a name="input_service_credential_endpoint"></a> [service\_credential\_endpoint](#input\_service\_credential\_endpoint) | Service credential endpoint type (public or private). If not specified, defaults to public. | `string` | `"public"` | no |
 | <a name="input_service_credential_names"></a> [service\_credential\_names](#input\_service\_credential\_names) | The mapping of names and roles for service credentials that you want to create for the Event streams. | `map(string)` | `{}` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of service endpoints. Possible values: 'public', 'private', 'public-and-private'. | `string` | `"public"` | no |
 | <a name="input_skip_es_s2s_iam_authorization_policy"></a> [skip\_es\_s2s\_iam\_authorization\_policy](#input\_skip\_es\_s2s\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that will allow all Event Streams instances in the given resource group access to read from the mirror source instance. This policy is required when creating a mirroring instance, and will only be created if a value is passed in the mirroring input. | `bool` | `false` | no |

ibm_catalog.json

@@ -247,6 +247,19 @@
             {
               "key": "service_credential_names"
             },
+            {
+              "key": "service_credential_endpoint",
+              "options": [
+                {
+                  "displayname": "private",
+                  "value": "private"
+                },
+                {
+                  "displayname": "public",
+                  "value": "public"
+                }
+              ]
+            },
             {
               "key": "existing_secrets_manager_endpoint_type",
               "hidden": true

main.tf

@@ -230,6 +230,9 @@ resource "ibm_resource_key" "service_credentials" {
   name                 = each.key
   role                 = each.value
   resource_instance_id = ibm_resource_instance.es_instance.id
+  parameters = {
+    service-endpoints = var.service_credential_endpoint
+  }
 }
 
 locals {

modules/fscloud/main.tf

@@ -15,6 +15,7 @@ module "event_streams" {
   service_endpoints                    = "private"
   cbr_rules                            = var.cbr_rules
   service_credential_names             = var.service_credential_names
+  service_credential_endpoint          = "private"
   metrics                              = var.metrics
   quotas                               = var.quotas
   kms_encryption_enabled               = true

solutions/quickstart/main.tf

@@ -16,18 +16,19 @@ module "resource_group" {
 #######################################################################################################################
 
 module "event_streams" {
-  source                   = "../../"
-  resource_group_id        = module.resource_group.resource_group_id
-  es_name                  = "${local.prefix}${var.event_streams_name}"
-  plan                     = var.plan
-  region                   = var.region
-  topics                   = var.topics
-  tags                     = var.resource_tags
-  access_tags              = var.access_tags
-  service_credential_names = var.service_credential_names
-  create_timeout           = var.create_timeout
-  update_timeout           = var.update_timeout
-  delete_timeout           = var.delete_timeout
+  source                      = "../../"
+  resource_group_id           = module.resource_group.resource_group_id
+  es_name                     = "${local.prefix}${var.event_streams_name}"
+  plan                        = var.plan
+  region                      = var.region
+  topics                      = var.topics
+  tags                        = var.resource_tags
+  access_tags                 = var.access_tags
+  service_credential_names    = var.service_credential_names
+  service_credential_endpoint = var.service_credential_endpoint
+  create_timeout              = var.create_timeout
+  update_timeout              = var.update_timeout
+  delete_timeout              = var.delete_timeout
 }
 
 ########################################################################################################################

solutions/quickstart/variables.tf

@@ -178,3 +178,9 @@ variable "skip_event_streams_secrets_manager_auth_policy" {
   nullable    = false
   description = "Whether an IAM authorization policy is created for Secrets Manager instance to create a service credential secrets for Event Streams.If set to false, the Secrets Manager instance passed by the user is granted the Key Manager access to the Event Streams instance created by the Deployable Architecture. Set to `true` to use an existing policy. The value of this is ignored if any value for 'existing_secrets_manager_instance_crn' is not passed."
 }
+
+variable "service_credential_endpoint" {
+  description = "Service credential endpoint type (public or private). If not specified, defaults to public."
+  type        = string
+  default     = "public"
+}

solutions/security-enforced/main.tf

@@ -154,6 +154,7 @@ module "event_streams" {
   access_tags                          = var.access_tags
   service_endpoints                    = "private"
   service_credential_names             = var.service_credential_names
+  service_credential_endpoint          = "private"
   cbr_rules                            = var.cbr_rules
   schema_global_rule                   = var.schema_global_rule
   iam_token_only                       = var.iam_token_only

variables.tf

@@ -350,3 +350,9 @@ variable "iam_token_only" {
     error_message = "iam_token_only is only supported for enterprise plan."
   }
 }
+
+variable "service_credential_endpoint" {
+  description = "Service credential endpoint type (public or private). If not specified, defaults to public."
+  type        = string
+  default     = "public"
+}