fix: fix cspm_service_account_email variable condition

- fixing variable condition for `local.cspm_service_account_email` in `project_attachment` module
- adding variable validation for `var.aqua_api_key` & `var.aqua_api_secret` in `project_attachment` module
- running terraform fmt on `modules/onboarding/modules/iam/locals.tf`
- update `README` in `modules/onboarding/README.md`
- update `README` in `modules/org_projects/README.md`

Author: Noamstrauss

.github/workflows/pr-checks.yaml

@@ -31,6 +31,12 @@ jobs:
             echo "--> Running tests at $tcase"
             (
               cd $tcase || exit 1
+              echo "Replacing <REPLACE_ME> placeholders"
+              if [[ "$OSTYPE" == "darwin"* ]]; then
+                sed -i '' 's/<REPLACE_ME>/dummy_value/g' *.tf
+              else
+                sed -i 's/<REPLACE_ME>/dummy_value/g' *.tf
+              fi
               echo "Terraform Format Check"
               terraform fmt -check
               echo "Terraform Init"

modules/onboarding/README.md

@@ -37,7 +37,6 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_aqua_aws_account_id"></a> [aqua\_aws\_account\_id](#input\_aqua\_aws\_account\_id) | Aqua AWS Account ID | `string` | n/a | yes |
 | <a name="input_aqua_bucket_name"></a> [aqua\_bucket\_name](#input\_aqua\_bucket\_name) | Aqua Bucket Name | `string` | n/a | yes |
-| <a name="input_aqua_tenant_id"></a> [aqua\_tenant\_id](#input\_aqua\_tenant\_id) | Aqua Tenant ID | `string` | n/a | yes |
 | <a name="input_aqua_volscan_api_token"></a> [aqua\_volscan\_api\_token](#input\_aqua\_volscan\_api\_token) | Aqua Volume Scanning API Token | `string` | n/a | yes |
 | <a name="input_aqua_volscan_api_url"></a> [aqua\_volscan\_api\_url](#input\_aqua\_volscan\_api\_url) | Aqua Volume Scanning API URL | `string` | n/a | yes |
 | <a name="input_create_network"></a> [create\_network](#input\_create\_network) | Toggle to create network resources | `bool` | n/a | yes |

modules/onboarding/modules/iam/locals.tf

@@ -12,6 +12,6 @@ locals {
   cspm_role_id   = var.type == "organization" && var.dedicated_project ? google_organization_iam_custom_role.cspm_role[0].id : null
 
   # Defining service account emails
-  cspm_service_account_email  = var.type == "organization" && var.dedicated_project ? (var.create_service_account ? google_service_account.cspm_service_account[0].email : data.google_service_account.cspm_service_account[0].email) : null
-  service_account_email       = var.create_service_account ? google_service_account.service_account[0].email : data.google_service_account.service_account[0].email
+  cspm_service_account_email = var.type == "organization" && var.dedicated_project ? (var.create_service_account ? google_service_account.cspm_service_account[0].email : data.google_service_account.cspm_service_account[0].email) : null
+  service_account_email      = var.create_service_account ? google_service_account.service_account[0].email : data.google_service_account.service_account[0].email
 }

modules/org_projects/README.md

@@ -2,7 +2,7 @@
 
 ---
 
-This Terraform module retrieves information about the Google Cloud Platform (GCP) organization. It fetches all project IDs, including projects nested under folders, and allows the use of regex patterns to exclude specific project IDs or project names. Note that the GCP Cloud Asset API must be enabled on the project specified in the provider block passed to this module.
+This Terraform module retrieves information about the Google Cloud Platform (GCP) organization. It fetches all project IDs, including projects nested under folders, and allows the use of regex patterns to exclude specific project IDs or project names. Note that the GCP Cloud Asset API and the Cloud Resource Manager API must be enabled on the project specified in the provider block passed to this module.
 
 
 <!-- BEGIN_TF_DOCS -->

modules/project_attachment/locals.tf

@@ -1,10 +1,10 @@
 # modules/project_attachment/locals.tf
 
 locals {
-  cspm_role_permissions       = var.type == "single" ? yamldecode(data.http.autoconnect_cspm_role_yaml[0].response_body).includedPermissions : null
-  cspm_service_account_name   = var.cspm_service_account_name != null ? var.cspm_service_account_name : "aqua-cspm-scanner-${var.aqua_tenant_id}"
-  cspm_service_account_email  = var.create_service_account ? google_service_account.cspm_service_account[0].email : data.google_service_account.cspm_service_account[0].email
-  service_account_key         = var.type == "organization" || (!var.create_service_account && var.type == "single") ? base64decode(nonsensitive(var.onboarding_cspm_service_account_key)) : base64decode(google_service_account_key.cspm_service_account_key[0].private_key)
-  client_config_rendered      = replace(jsonencode(local.client_config), "/\\\\u0026/", "&")
-  api_services                = var.type == "single" ? ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "compute.googleapis.com"] : ["cloudresourcemanager.googleapis.com", "storage.googleapis.com", "compute.googleapis.com"]
+  cspm_role_permissions      = var.type == "single" ? yamldecode(data.http.autoconnect_cspm_role_yaml[0].response_body).includedPermissions : null
+  cspm_service_account_name  = var.cspm_service_account_name != null ? var.cspm_service_account_name : "aqua-cspm-scanner-${var.aqua_tenant_id}"
+  cspm_service_account_email = var.type == "single" ? (var.create_service_account ? google_service_account.cspm_service_account[0].email : data.google_service_account.cspm_service_account[0].email) : null
+  service_account_key        = var.type == "organization" || (!var.create_service_account && var.type == "single") ? base64decode(nonsensitive(var.onboarding_cspm_service_account_key)) : base64decode(google_service_account_key.cspm_service_account_key[0].private_key)
+  client_config_rendered     = replace(jsonencode(local.client_config), "/\\\\u0026/", "&")
+  api_services               = var.type == "single" ? ["cloudresourcemanager.googleapis.com", "iam.googleapis.com", "compute.googleapis.com"] : ["cloudresourcemanager.googleapis.com", "storage.googleapis.com", "compute.googleapis.com"]
 }

modules/project_attachment/variables.tf

@@ -69,6 +69,10 @@ variable "aqua_api_key" {
     condition     = length(var.aqua_api_key) > 0
     error_message = "Aqua API key must not be empty"
   }
+  validation {
+    condition     = var.aqua_api_key != "<REPLACE_ME>"
+    error_message = "Aqua API key must be replaced from its default value of <REPLACE_ME>"
+  }
 }
 
 variable "aqua_api_secret" {
@@ -78,6 +82,10 @@ variable "aqua_api_secret" {
     condition     = length(var.aqua_api_secret) > 0
     error_message = "Aqua API secret must not be empty"
   }
+  validation {
+    condition     = var.aqua_api_secret != "<REPLACE_ME>"
+    error_message = "Aqua API secret must be replaced from its default value of <REPLACE_ME>"
+  }
 }
 
 variable "aqua_autoconnect_url" {