@ibm-cloud/cd-tools 1.1.1 → 1.2.0

package/cmd/utils/requests.js

@@ -185,7 +185,7 @@ async function getPipelineData(bearer, pipelineId, region) {
 }
 
 // takes in resource group ID or name
-async function getResourceGroupId(bearer, accountId, resourceGroup) {
+async function getResourceGroupIdAndName(bearer, accountId, resourceGroup) {
     const apiBaseUrl = 'https://api.global-search-tagging.cloud.ibm.com/v3';
     const options = {
         url: apiBaseUrl + '/resources/search',
@@ -196,7 +196,7 @@ async function getResourceGroupId(bearer, accountId, resourceGroup) {
         },
         data: {
             'query': `type:resource-group AND (name:${resourceGroup} OR doc.id:${resourceGroup}) AND doc.state:ACTIVE`,
-            'fields': ['doc.id']
+            'fields': ['doc.id', 'doc.name']
         },
         params: { account_id: accountId },
         validateStatus: () => true
@@ -205,7 +205,7 @@ async function getResourceGroupId(bearer, accountId, resourceGroup) {
     switch (response.status) {
         case 200:
             if (response.data.items.length != 1) throw Error('The resource group with provided ID or name was not found or is not accessible');
-            return response.data.items[0].doc.id;
+            return { id: response.data.items[0].doc.id, name: response.data.items[0].doc.name };
         default:
             throw Error('The resource group with provided ID or name was not found or is not accessible');
     }
@@ -320,6 +320,7 @@ async function getGritGroup(privToken, region, groupName) {
             throw Error('Get GRIT group failed');
     }
 }
+
 async function getGritGroupProject(privToken, region, groupId, projectName) {
     const url = `https://${region}.git.cloud.ibm.com/api/v4/groups/${groupId}/projects`
     const options = {
@@ -342,6 +343,48 @@ async function getGritGroupProject(privToken, region, groupId, projectName) {
     }
 }
 
+async function getIamAuthPolicies(bearer, accountId) {
+    const apiBaseUrl = 'https://iam.cloud.ibm.com/v1';
+    const options = {
+        url: apiBaseUrl + '/policies',
+        method: 'GET',
+        headers: {
+            'Authorization': `Bearer ${bearer}`,
+            'Content-Type': 'application/json',
+        },
+        params: { account_id: accountId, type: 'authorization' },
+        validateStatus: () => true
+    };
+    const response = await axios(options);
+    switch (response.status) {
+        case 200:
+            return response.data;
+        default:
+            throw Error('Get auth policies failed');
+    }
+}
+
+async function deleteToolchain(bearer, toolchainId, region) {
+    const apiBaseUrl = `https://api.${region}.devops.cloud.ibm.com/toolchain/v2`;
+    const options = {
+        method: 'DELETE',
+        url: `${apiBaseUrl}/toolchains/${toolchainId}`,
+        headers: {
+            'Accept': 'application/json',
+            'Authorization': `Bearer ${bearer}`,
+            'Content-Type': 'application/json',
+        },
+        validateStatus: () => true
+    };
+    const response = await axios(options);
+    switch (response.status) {
+        case 200:
+            return toolchainId;
+        default:
+            throw Error(response.statusText);
+    }
+}
+
 export {
     getBearerToken,
     getAccountId,
@@ -349,11 +392,13 @@ export {
     getToolchainsByName,
     getToolchainTools,
     getPipelineData,
-    getResourceGroupId,
+    getResourceGroupIdAndName,
     getAppConfigHealthcheck,
     getSecretsHealthcheck,
     getGitOAuth,
     getGritUserProject,
     getGritGroup,
-    getGritGroupProject
-}
+    getGritGroupProject,
+    getIamAuthPolicies,
+    deleteToolchain
+}

package/cmd/utils/terraform.js

@@ -17,7 +17,7 @@ import { jsonToTf } from 'json-to-tf';
 
 import { validateToolchainId, validateGritUrl } from './validate.js';
 import { logger } from './logger.js';
-import { promptUserInput, replaceUrlRegion } from './utils.js';
+import { getRandChars, promptUserInput, replaceUrlRegion } from './utils.js';
 
 // promisify
 const readFilePromise = promisify(fs.readFile);
@@ -34,15 +34,9 @@ async function execPromise(command, options) {
     }
 }
 
-function setTerraformerEnv(apiKey, tcId, includeS2S) {
-    process.env['IC_API_KEY'] = apiKey;
-    process.env['IBM_CD_TOOLCHAIN_TARGET'] = tcId;
-    if (includeS2S) process.env['IBM_CD_TOOLCHAIN_INCLUDE_S2S'] = 1;
-}
-
-function setTerraformEnv(verbosity) {
+function setTerraformEnv(apiKey, verbosity) {
     if (verbosity >= 2) process.env['TF_LOG'] = 'DEBUG';
-    process.env['TF_VAR_ibmcloud_api_key'] = process.env.IC_API_KEY;
+    process.env['TF_VAR_ibmcloud_api_key'] = apiKey;
 }
 
 async function initProviderFile(targetRegion, dir) {
@@ -54,13 +48,7 @@ async function initProviderFile(targetRegion, dir) {
 
     const newProviderTfStr = JSON.stringify(newProviderTf)
 
-    return writeFilePromise(`${dir}/provider.tf`, jsonToTf(newProviderTfStr), () => { });
-}
-
-async function runTerraformerImport(srcRegion, tempDir, isCompact, verbosity) {
-    const stdout = await execPromise(`terraformer import ibm --resources=ibm_cd_toolchain --region=${srcRegion} -S ${isCompact ? '--compact' : ''} ${verbosity >= 2 ? '--verbose' : ''}`, { cwd: tempDir });
-    if (verbosity >= 2) logger.print(stdout);
-    return stdout;
+    return writeFilePromise(`${dir}/provider.tf`, jsonToTf(newProviderTfStr));
 }
 
 async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag, targetToolchainName, targetRgId, disableTriggers, isCompact, outputDir, tempDir, moreTfResources, gritMapping, skipUserConfirmation }) {
@@ -71,7 +59,7 @@ async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag,
 
     // Get toolchain resource
     const toolchainLocation = isCompact ? 'resources.tf' : 'cd_toolchain.tf'
-    const resources = await readFilePromise(`${tempDir}/generated/ibm/ibm_cd_toolchain/${toolchainLocation}`, 'utf8');
+    const resources = await readFilePromise(`${tempDir}/generated/${toolchainLocation}`, 'utf8');
     const resourcesObj = await tfToJson('output.tf', resources);
     const newTcId = Object.keys(resourcesObj['resource']['ibm_cd_toolchain'])[0];
 
@@ -84,7 +72,7 @@ async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag,
     promises.push(writeOutputPromise);
 
     // Copy over cd_*.tf
-    let files = await readDirPromise(`${tempDir}/generated/ibm/ibm_cd_toolchain`);
+    let files = await readDirPromise(`${tempDir}/generated`);
 
     if (isCompact) {
         files = files.filter((f) => f === 'resources.tf');
@@ -108,17 +96,6 @@ async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag,
     const newConvertedTf = {};
 
     if (hasGHE) {
-        const getRandChars = (size) => {
-            const charSet = 'abcdefghijklmnopqrstuvwxyz0123456789';
-            let res = '';
-
-            for (let i = 0; i < size; i++) {
-                const pos = randomInt(charSet.length);
-                res += charSet[pos];
-            }
-            return res;
-        };
-
         moreTfResources['github_integrated'].forEach(t => {
             const gitUrl = t['parameters']['repo_url'];
             const tfName = `converted--githubconsolidated_${getRandChars(4)}`;
@@ -146,7 +123,7 @@ async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag,
     }
 
     for (const fileName of files) {
-        const tfFile = await readFilePromise(`${tempDir}/generated/ibm/ibm_cd_toolchain/${fileName}`, 'utf8');
+        const tfFile = await readFilePromise(`${tempDir}/generated/${fileName}`, 'utf8');
         const tfFileObj = await tfToJson(fileName, tfFile);
 
         const newTfFileObj = { 'resource': {} }
@@ -203,7 +180,6 @@ async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag,
                             newTfFileObj['resource']['ibm_cd_toolchain_tool_hostedgit'][k]['initialization'][0]['repo_url'] = newUrl;
                             attemptAddUsedGritUrl(newUrl);
                             gritMapping[thisUrl] = newUrl;
-                            logger.print('\n');
                         }
                     }
                     catch (e) {
@@ -325,6 +301,10 @@ async function setupTerraformFiles({ token, srcRegion, targetRegion, targetTag,
     return Promise.all(promises);
 }
 
+async function runTerraformPlanGenerate(dir, fileName) {
+    return await execPromise(`terraform plan -generate-config-out=${fileName}`, { cwd: dir });
+}
+
 async function runTerraformInit(dir) {
     return await execPromise('terraform init', { cwd: dir });
 }
@@ -428,12 +408,11 @@ function replaceDependsOn(str) {
 }
 
 export {
-    setTerraformerEnv,
     setTerraformEnv,
     initProviderFile,
-    runTerraformerImport,
     setupTerraformFiles,
     runTerraformInit,
+    runTerraformPlanGenerate,
     getNumResourcesPlanned,
     runTerraformApply,
     getNewToolchainId,

package/cmd/utils/utils.js

@@ -8,6 +8,8 @@
  */
 
 import * as readline from 'node:readline/promises';
+import { randomInt } from 'node:crypto';
+
 import { logger } from './logger.js';
 import { VAULT_REGEX } from '../../config.js';
 
@@ -25,7 +27,7 @@ export async function promptUserConfirmation(question, expectedAns, exitMsg) {
         output: process.stdout
     });
 
-    const fullPrompt = question + `\n\nOnly '${expectedAns}' will be accepted to proceed.\n\nEnter a value: `;
+    const fullPrompt = question + `\n\nOnly '${expectedAns}' will be accepted to proceed. (Ctrl-C to abort)\n\nEnter a value: `;
     const answer = await rl.question(fullPrompt);
 
     logger.dump(fullPrompt + '\n' + answer + '\n');
@@ -38,7 +40,7 @@ export async function promptUserConfirmation(question, expectedAns, exitMsg) {
     }
 
     rl.close();
-    logger.print('\n');
+    logger.print();
 }
 
 export async function promptUserInput(question, initialInput, validationFn) {
@@ -67,7 +69,7 @@ export async function promptUserInput(question, initialInput, validationFn) {
             break;
         } catch (e) {
             // loop
-            logger.print('Validation failed...', e.message, '\n');
+            logger.warn(`Validation failed... ${e.message}`, '', true);
 
             rl.prompt(true);
             rl.write(initialInput);
@@ -75,6 +77,7 @@ export async function promptUserInput(question, initialInput, validationFn) {
     }
 
     rl.close();
+    logger.print();
     return answer.trim();
 }
 
@@ -97,12 +100,12 @@ export function replaceUrlRegion(inputUrl, srcRegion, targetRegion) {
 *
 * @param {String} crn - The crn to decompose.
 **/
-export function decomposeCrn (crn) {
+export function decomposeCrn(crn) {
     const crnParts = crn.split(':');
 
     // Remove the 'a/' segment.
     let accountId = crnParts[6];
-    if(accountId) {
+    if (accountId) {
         accountId = accountId.split('/')[1];
     }
 
@@ -123,6 +126,28 @@ export function decomposeCrn (crn) {
 *
 * @param {String} value - The value to verify.
 **/
-export function isSecretReference (value) {
+export function isSecretReference(value) {
     return !!(VAULT_REGEX.find(r => r.test(value)));
+};
+
+export function getRandChars(size) {
+    const charSet = 'abcdefghijklmnopqrstuvwxyz0123456789';
+    let res = '';
+
+    for (let i = 0; i < size; i++) {
+        const pos = randomInt(charSet.length);
+        res += charSet[pos];
+    }
+    return res;
+};
+
+export function normalizeName(str) {
+    const specialChars = `-<>()*#{}[]|@_ .%'",&`;
+    let newStr = str;
+
+    for (const char of specialChars) {
+        newStr = newStr.replaceAll(char, '_');
+    }
+
+    return newStr.toLowerCase();
 };

package/cmd/utils/validate.js

@@ -9,29 +9,11 @@
 
 import { execSync } from 'child_process';
 import { logger, LOG_STAGES } from './logger.js'
-import { RESERVED_GRIT_PROJECT_NAMES, RESERVED_GRIT_GROUP_NAMES, RESERVED_GRIT_SUBGROUP_NAME, TERRAFORM_REQUIRED_VERSION, TERRAFORMER_REQUIRED_VERSION } from '../../config.js';
+import { RESERVED_GRIT_PROJECT_NAMES, RESERVED_GRIT_GROUP_NAMES, RESERVED_GRIT_SUBGROUP_NAME, TERRAFORM_REQUIRED_VERSION, SECRET_KEYS_MAP } from '../../config.js';
 import { getToolchainsByName, getToolchainTools, getPipelineData, getAppConfigHealthcheck, getSecretsHealthcheck, getGitOAuth, getGritUserProject, getGritGroup, getGritGroupProject } from './requests.js';
 import { promptUserConfirmation, promptUserInput } from './utils.js';
 
 
-const SECRETS_MAP = {
-    'artifactory': ['token'],
-    'hashicorpvault': ['token', 'role_id', 'secret_id', 'password'],
-    'jenkins': ['webhook_url', 'api_token'],
-    'jira': ['api_token'],
-    'nexus': ['token'],
-    'pagerduty': ['service_key'],
-    'privateworker': ['worker_queue_credentials'],
-    'saucelabs': ['access_key'],
-    'securitycompliance': ['scc_api_key'],
-    'slack': ['webhook'],
-    'sonarqube': ['user_password'],
-    'gitlab': ['api_token'],
-    'githubconsolidated': ['api_token'],
-    'github_integrated': ['api_token']
-};
-
-
 function validatePrereqsVersions() {
     const compareVersions = (verInstalled, verRequired) => {
         const installedSplit = verInstalled.split('.').map(Number);
@@ -58,17 +40,6 @@ function validatePrereqsVersions() {
         throw Error(`Terraform does not meet minimum version requirement: ${TERRAFORM_REQUIRED_VERSION}`);
     }
     logger.info(`\x1b[32m✔\x1b[0m Terraform Version: ${version}`, LOG_STAGES.setup);
-
-    try {
-        stdout = execSync('terraformer version').toString();
-    } catch {
-        throw Error('Terraformer is not installed or not in PATH');
-    }
-    version = stdout.match(/\d+(\.\d+)+/)[0];
-    if (!compareVersions(version, TERRAFORMER_REQUIRED_VERSION)) {
-        throw Error(`Terraformer does not meet minimum version requirement: ${TERRAFORMER_REQUIRED_VERSION}`);
-    }
-    logger.info(`\x1b[32m✔\x1b[0m Terraformer Version: ${version}`, LOG_STAGES.setup);
 }
 
 function validateToolchainId(tcId) {
@@ -95,18 +66,6 @@ function validateToolchainName(tcName) {
     throw Error('Provided toolchain name is invalid');
 }
 
-function validateResourceGroupId(rgId) {
-    if (typeof rgId != 'string') throw Error('Provided resource group ID is not a string');
-    const trimmed = rgId.trim();
-
-    // pattern from api docs
-    const pattern = /^[0-9a-f]{32}$/;
-    if (pattern.test(trimmed)) {
-        return trimmed;
-    }
-    throw Error('Provided resource group ID is invalid');
-}
-
 function validateTag(tag) {
     if (typeof tag != 'string') throw Error('Provided resource group ID is not a string');
     const trimmed = tag.trim();
@@ -120,7 +79,7 @@ function validateTag(tag) {
 }
 
 
-async function warnDuplicateName(token, accountId, tcName, srcRegion, targetRegion, targetResourceGroupId, targetTag, skipPrompt) {
+async function warnDuplicateName(token, accountId, tcName, srcRegion, targetRegion, targetResourceGroupId, targetResourceGroupName, targetTag, skipPrompt) {
     const toolchains = await getToolchainsByName(token, accountId, tcName);
 
     let hasSameRegion = false;
@@ -145,19 +104,19 @@ async function warnDuplicateName(token, accountId, tcName, srcRegion, targetRegi
 
         if (hasBoth) {
             // warning! prompt user to cancel, rename (e.g. add a suffix) or continue
-            logger.warn('Warning! You have a toolchain with the same name within the target region and resource group! \n', LOG_STAGES.setup, true);
+            logger.warn(`\nWarning! A toolchain named '${tcName}' already exists in:\n - Region: ${targetRegion}\n - Resource Group: ${targetResourceGroupName} (${targetResourceGroupId})`, '', true);
 
             if (!skipPrompt) {
-                newTcName = await promptUserInput('(Recommended) Change the cloned toolchain\'s name:\n', tcName, validateToolchainName);
+                newTcName = await promptUserInput(`\n(Recommended) Edit the cloned toolchain's name [default: ${tcName}] (Ctrl-C to abort):\n`, tcName, validateToolchainName);
             }
         } else {
             if (hasSameRegion) {
                 // soft warning of confusion
-                logger.warn('Warning! You have a toolchain with the same name within the target region!\n', LOG_STAGES.setup, true);
+                logger.warn(`\nWarning! A toolchain named '${tcName}' already exists in:\n - Region: ${targetRegion}`, '', true);
             }
             if (hasSameResourceGroup) {
                 // soft warning of confusion
-                logger.warn('Warning! You have a toolchain with the same name within the target resource group!\n', LOG_STAGES.setup, true);
+                logger.warn(`\nWarning! A toolchain named '${tcName}' already exists in:\n - Resource Group: ${targetResourceGroupName} (${targetResourceGroupId})`, '', true);
             }
         }
 
@@ -169,7 +128,7 @@ async function warnDuplicateName(token, accountId, tcName, srcRegion, targetRegi
                         if (str.trim() === '') return null;
                         return validateTag(str);
                     }
-                    newTag = await promptUserInput('(Recommended) Add a tag to the cloned toolchain:\n', `cloned-from-${srcRegion}`, validateTagOrEmpty);
+                    newTag = await promptUserInput('\n(Recommended) Add a tag to the cloned toolchain (Ctrl-C to abort):\n', `cloned-from-${srcRegion}`, validateTagOrEmpty);
                 }
             }
             return [newTcName, newTag];
@@ -264,7 +223,7 @@ async function validateTools(token, tcId, region, skipPrompt) {
                 });
             }
             else {
-                const secretsToCheck = SECRETS_MAP[tool.tool_type_id] || [];    // Check for secrets in the rest of the tools
+                const secretsToCheck = (SECRET_KEYS_MAP[tool.tool_type_id] || []).map((entry) => entry.key);    // Check for secrets in the rest of the tools
                 Object.entries(tool.parameters).forEach(([key, value]) => {
                     if (secretPattern.test(value) && secretsToCheck.includes(key)) secrets.push(key);
                 });
@@ -279,14 +238,17 @@ async function validateTools(token, tcId, region, skipPrompt) {
             }
         }
     }
-    const invalid = nonConfiguredTools.length > 0 || patTools.length > 0 || classicPipelines.length > 0 || toolsWithHashedParams.length > 0;
+    const hasInvalidConfig = nonConfiguredTools.length > 0 || patTools.length > 0 || toolsWithHashedParams.length > 0;
 
-    // Manually fail and reset spinner to prevent duplicate spinners
-    if (invalid) {
-        logger.failSpinner('Invalid tools found!');
-        logger.resetSpinner();
+    if (classicPipelines.length > 0) {
+        logger.failSpinner('Unsupported tools found!');
+        logger.warn('Warning! Classic pipelines are currently not supported in migration:\n', LOG_STAGES.setup, true);
+        logger.table(classicPipelines);
     }
 
+    if (hasInvalidConfig) logger.failSpinner('Configuration problems found!');
+    if (classicPipelines.length > 0 || hasInvalidConfig) logger.resetSpinner();    // Manually reset spinner to prevent duplicate spinners
+
     if (nonConfiguredTools.length > 0) {
         logger.warn('Warning! The following tool(s) are not in configured state in toolchain, please reconfigure them before proceeding: \n', LOG_STAGES.setup, true);
         logger.table(nonConfiguredTools);
@@ -297,17 +259,13 @@ async function validateTools(token, tcId, region, skipPrompt) {
         logger.table(patTools);
     }
 
-    if (classicPipelines.length > 0) {
-        logger.warn('Warning! Classic pipelines are currently not supported in migration:\n', LOG_STAGES.setup, true);
-        logger.table(classicPipelines);
-    }
-
     if (toolsWithHashedParams.length > 0) {
         logger.warn('Warning! The following tools contain secrets that cannot be migrated, please use the \'check-secret\' command to export the secrets: \n', LOG_STAGES.setup, true);
         logger.table(toolsWithHashedParams);
     }
 
-    if (!skipPrompt && invalid) await promptUserConfirmation('Caution: The above tool(s) will not be properly configured post migration. Do you want to proceed?', 'yes', 'Toolchain migration cancelled.');
+    if (!skipPrompt && (classicPipelines.length > 0 || hasInvalidConfig))
+        await promptUserConfirmation('Caution: The above tool(s) will not be properly configured post migration. Do you want to proceed?', 'yes', 'Toolchain migration cancelled.');
 
     return allTools.tools;
 }
@@ -397,7 +355,7 @@ async function validateOAuth(token, tools, targetRegion, skipPrompt) {
                     if (isGHE) {
                         oauthLinks.push({ type: 'githubconsolidated (GHE)', link: authorizeUrl?.message });
                     } else {
-                        oauthLinks.push({ type: tool.tool_type_id, link: authorizeUrl?.message });
+                        oauthLinks.push({ type: tool.tool_type_id, link: authorizeUrl?.message ?? 'Could not get OAuth link' });
                     }
                 }
             }
@@ -412,11 +370,16 @@ async function validateOAuth(token, tools, targetRegion, skipPrompt) {
         logger.warn('Warning! The following git tool integration(s) are not authorized in the target region: \n', LOG_STAGES.setup, true);
         logger.table(failedTools);
 
+        let hasFailedLink = false;
+
         logger.print('Authorize using the following links: \n');
         oauthLinks.forEach((o) => {
-            logger.print(`${o.type}: \x1b[34m${o.link}\x1b[0m\n`);
+            if (o.link === 'Could not get OAuth link') hasFailedLink = true;
+            logger.print(`${o.type}: \x1b[36m${o.link}\x1b[0m\n`);
         });
 
+        if (hasFailedLink) logger.print(`Please manually verify failed authorization(s): https://cloud.ibm.com/devops/git?env_id=ibm:yp:${targetRegion}\n`);
+
         if (!skipPrompt) await promptUserConfirmation('Caution: The above git tool integration(s) will not be properly configured post migration. Do you want to proceed?', 'yes', 'Toolchain migration cancelled.');
     }
 }
@@ -494,7 +457,6 @@ export {
     validatePrereqsVersions,
     validateToolchainId,
     validateToolchainName,
-    validateResourceGroupId,
     validateTag,
     validateTools,
     validateOAuth,

package/config.js

@@ -51,8 +51,6 @@ const TARGET_REGIONS = [
 
 const TERRAFORM_REQUIRED_VERSION = '1.13.3';
 
-const TERRAFORMER_REQUIRED_VERSION = '0.8.30';
-
 // see https://docs.gitlab.com/user/reserved_names/
 const RESERVED_GRIT_PROJECT_NAMES = [
 	'\\-',
@@ -122,65 +120,98 @@ const RESERVED_GRIT_GROUP_NAMES = [
 
 const RESERVED_GRIT_SUBGROUP_NAME = '\\-';
 
-const UPDATEABLE_SECRET_PROPERTIES_BY_TOOL_TYPE = {
+/* 
+Format:
+	Maps tool_type_id to a list of the following ...
+	{ 
+		key: str, // tool parameter key
+		tfKey?: str, // terraform-equivalent key
+		prereq?: { key: string, values: [string] }, // proceed only if tool parameter "prereq.key" is one of "values"
+		required?: bool // is this key required for terraform?
+	}
+	... which represents a secret/sensitive value
+*/
+const SECRET_KEYS_MAP = {
 	"artifactory": [
-		"token"
+		{ key: "token", tfKey: "token" }
 	],
 	"cloudobjectstorage": [
-		"cos_api_key",
-		"hmac_access_key_id",
-		"hmac_secret_access_key"
+		{ key: "cos_api_key", tfKey: "cos_api_key", prereq: { key: "auth_type", values: ["apikey"] } },
+		{ key: "hmac_access_key_id", tfKey: "hmac_access_key_id", prereq: { key: "auth_type", values: ["hmac"] } },
+		{ key: "hmac_secret_access_key", tfKey: "hmac_secret_access_key", prereq: { key: "auth_type", values: ["hmac"] } },
 	],
 	"github_integrated": [
-		"api_token"
+		{ key: "api_token" } // no terraform equivalent
 	],
 	"githubconsolidated": [
-		"api_token"
+		{ key: "api_token", tfKey: "api_token", prereq: { key: "auth_type", values: ["pat"] } },
 	],
 	"gitlab": [
-		"api_token"
+		{ key: "api_token", tfKey: "api_token", prereq: { key: "auth_type", values: ["pat"] } },
 	],
 	"hashicorpvault": [
-		"token",
-		"role_id",
-		"secret_id",
-		"password"
+		{ key: "token", tfKey: "token", prereq: { key: "authentication_method", values: ["github", "token"] } },
+		{ key: "role_id", tfKey: "role_id", prereq: { key: "authentication_method", values: ["approle"] } },
+		{ key: "secret_id", tfKey: "secret_id", prereq: { key: "authentication_method", values: ["approle"] } },
+		{ key: "password", tfKey: "password", prereq: { key: "authentication_method", values: ["userpass"] } },
 	],
 	"hostedgit": [
-		"api_token"
+		{ key: "api_token", tfKey: "api_token", prereq: { key: "auth_type", values: ["pat"] } },
 	],
 	"jenkins": [
-		"api_token"
+		{ key: "api_token", tfKey: "api_token" },
 	],
 	"jira": [
-		"password",
-		"api_token"
+		{ key: "password", tfKey: "api_token" },
 	],
 	"nexus": [
-		"token"
+		{ key: "token", tfKey: "token" },
 	],
 	"pagerduty": [
-		"service_key"
+		{ key: "service_key", tfKey: "service_key", required: true },
 	],
 	"private_worker": [
-		"workerQueueCredentials"
+		{ key: "workerQueueCredentials", tfKey: "worker_queue_credentials", required: true },
 	],
 	"saucelabs": [
-		"key",
-		"access_key"
+		{ key: "key", tfKey: "access_key", required: true },
 	],
 	"security_compliance": [
-		"scc_api_key"
+		{ key: "scc_api_key", tfKey: "scc_api_key", prereq: { key: "use_profile_attachment", values: ["enabled"] } },
 	],
 	"slack": [
-		"api_token",
-		"webhook"
+		{ key: "api_token", tfKey: "webhook", required: true },
 	],
 	"sonarqube": [
-		"user_password"
+		{ key: "user_password", tfKey: "user_password" },
 	]
 };
 
+// maps tool parameter tool_type_id to terraform resource type
+const SUPPORTED_TOOLS_MAP = {
+	"appconfig": "ibm_cd_toolchain_tool_appconfig",
+	"artifactory": "ibm_cd_toolchain_tool_artifactory",
+	"bitbucketgit": "ibm_cd_toolchain_tool_bitbucketgit",
+	"private_worker": "ibm_cd_toolchain_tool_privateworker",
+	"draservicebroker": "ibm_cd_toolchain_tool_devopsinsights",
+	"eventnotifications": "ibm_cd_toolchain_tool_eventnotifications",
+	"hostedgit": "ibm_cd_toolchain_tool_hostedgit",
+	"githubconsolidated": "ibm_cd_toolchain_tool_githubconsolidated",
+	"gitlab": "ibm_cd_toolchain_tool_gitlab",
+	"hashicorpvault": "ibm_cd_toolchain_tool_hashicorpvault",
+	"jenkins": "ibm_cd_toolchain_tool_jenkins",
+	"jira": "ibm_cd_toolchain_tool_jira",
+	"keyprotect": "ibm_cd_toolchain_tool_keyprotect",
+	"nexus": "ibm_cd_toolchain_tool_nexus",
+	"customtool": "ibm_cd_toolchain_tool_custom",
+	"saucelabs": "ibm_cd_toolchain_tool_saucelabs",
+	"secretsmanager": "ibm_cd_toolchain_tool_secretsmanager",
+	"security_compliance": "ibm_cd_toolchain_tool_securitycompliance",
+	"slack": "ibm_cd_toolchain_tool_slack",
+	"sonarqube": "ibm_cd_toolchain_tool_sonarqube",
+	"pipeline": "ibm_cd_toolchain_tool_pipeline"
+};
+
 const VAULT_REGEX = [
 	new RegExp('[\\{]{1}(?<reference>\\b(?<provider>vault)\\b[:]{2}(?<integration>[ a-zA-Z0-9_-]*)[.]{0,1}(?<secret>.*))[\\}]{1}', 'iu'),
 	new RegExp('^(?<reference>crn:v1:(?:bluemix|staging):public:(?<type>secrets-manager):(?<region>[a-zA-Z0-9-]*)\\b:a\/(?<account_id>[0-9a-fA-F]*)\\b:(?<instance_id>[0-9a-fA-F]{8}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{12})\\b:secret:(?<secret_id>[0-9a-fA-F]{8}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{12}))$', 'iu'),
@@ -189,14 +220,14 @@ const VAULT_REGEX = [
 
 export {
 	COPY_TOOLCHAIN_DESC,
-	UPDATEABLE_SECRET_PROPERTIES_BY_TOOL_TYPE,
 	MIGRATION_DOC_URL,
 	SOURCE_REGIONS,
 	TARGET_REGIONS,
 	TERRAFORM_REQUIRED_VERSION,
-	TERRAFORMER_REQUIRED_VERSION,
 	RESERVED_GRIT_PROJECT_NAMES,
 	RESERVED_GRIT_GROUP_NAMES,
 	RESERVED_GRIT_SUBGROUP_NAME,
+	SECRET_KEYS_MAP,
+	SUPPORTED_TOOLS_MAP,
 	VAULT_REGEX
 };