fix: added a fix to the DA where the prefix value was not getting added to the Trusted profile name (#220)

mukulpalit-ibm · web-flow · commit 7abdb45b43c8 · 2025-05-19T14:19:39.000+01:00
diff --git a/README.md b/README.md
@@ -86,8 +86,8 @@ For more information on access and permissions, see <https://cloud.ibm.com/docs/
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.28.0 |
-| <a name="module_config_aggregator_trusted_profile"></a> [config\_aggregator\_trusted\_profile](#module\_config\_aggregator\_trusted\_profile) | terraform-ibm-modules/trusted-profile/ibm | 2.1.1 |
-| <a name="module_config_aggregator_trusted_profile_enterprise"></a> [config\_aggregator\_trusted\_profile\_enterprise](#module\_config\_aggregator\_trusted\_profile\_enterprise) | terraform-ibm-modules/trusted-profile/ibm | 2.1.1 |
+| <a name="module_config_aggregator_trusted_profile"></a> [config\_aggregator\_trusted\_profile](#module\_config\_aggregator\_trusted\_profile) | terraform-ibm-modules/trusted-profile/ibm | 3.0.0 |
+| <a name="module_config_aggregator_trusted_profile_enterprise"></a> [config\_aggregator\_trusted\_profile\_enterprise](#module\_config\_aggregator\_trusted\_profile\_enterprise) | terraform-ibm-modules/trusted-profile/ibm | 3.0.0 |
 | <a name="module_config_aggregator_trusted_profile_template"></a> [config\_aggregator\_trusted\_profile\_template](#module\_config\_aggregator\_trusted\_profile\_template) | terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template | 2.2.0 |
 
 ### Resources
diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf
@@ -47,13 +47,14 @@ module "cbr_zone" {
 ########################################################################################################################
 
 module "app_config" {
-  source                   = "../.."
-  resource_group_id        = module.resource_group.resource_group_id
-  region                   = var.region
-  app_config_name          = "${var.prefix}-app-config"
-  app_config_tags          = var.resource_tags
-  enable_config_aggregator = true # See https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator
-  app_config_plan          = "standardv2"
+  source                                 = "../.."
+  resource_group_id                      = module.resource_group.resource_group_id
+  region                                 = var.region
+  app_config_name                        = "${var.prefix}-app-config"
+  app_config_tags                        = var.resource_tags
+  enable_config_aggregator               = true # See https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator
+  app_config_plan                        = "standardv2"
+  config_aggregator_trusted_profile_name = "${var.prefix}-config-aggregator-trusted-profile"
   app_config_collections = [
     {
       name          = "${var.prefix}-collection",
diff --git a/main.tf b/main.tf
@@ -40,21 +40,24 @@ resource "ibm_app_config_collection" "collections" {
 module "config_aggregator_trusted_profile" {
   count                       = var.enable_config_aggregator ? 1 : 0
   source                      = "terraform-ibm-modules/trusted-profile/ibm"
-  version                     = "2.1.1"
+  version                     = "3.0.0"
   trusted_profile_name        = var.config_aggregator_trusted_profile_name
   trusted_profile_description = "Trusted Profile for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator"
   trusted_profile_identity = {
     identifier    = ibm_resource_instance.app_config.crn
     identity_type = "crn"
   }
+  # unique_identifier should not be updated as it will create a breaking change for trusted profile. For more information please check https://github.com/terraform-ibm-modules/terraform-ibm-trusted-profile/releases/tag/v3.0.0 .
   trusted_profile_policies = [
     {
+      unique_identifier  = "config-aggregator-trusted-profile-0"
       roles              = ["Viewer", "Service Configuration Reader"]
       account_management = true
       description        = "All Account Management Services"
     },
     {
-      roles = ["Viewer", "Service Configuration Reader", "Reader"]
+      unique_identifier = "config-aggregator-trusted-profile-1"
+      roles             = ["Viewer", "Service Configuration Reader", "Reader"]
       resource_attributes = [{
         name     = "serviceType"
         value    = "service"
@@ -64,7 +67,8 @@ module "config_aggregator_trusted_profile" {
     }
   ]
   trusted_profile_links = [{
-    cr_type = "VSI"
+    unique_identifier = "config-aggregator-trusted-profile-0"
+    cr_type           = "VSI"
     links = [{
       crn = ibm_resource_instance.app_config.crn
     }]
@@ -90,7 +94,7 @@ resource "ibm_iam_custom_role" "template_assignment_reader" {
 module "config_aggregator_trusted_profile_enterprise" {
   count                       = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? 1 : 0
   source                      = "terraform-ibm-modules/trusted-profile/ibm"
-  version                     = "2.1.1"
+  version                     = "3.0.0"
   trusted_profile_name        = var.config_aggregator_enterprise_trusted_profile_name
   trusted_profile_description = "Trusted Profile for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator for enterprise accounts"
 
@@ -101,7 +105,8 @@ module "config_aggregator_trusted_profile_enterprise" {
 
   trusted_profile_policies = [
     {
-      roles = ["Viewer", local.custom_role]
+      unique_identifier = "config-aggregator-trusted-profile-0"
+      roles             = ["Viewer", local.custom_role]
       resource_attributes = [{
         name     = "service_group_id"
         value    = "IAM"
@@ -110,7 +115,8 @@ module "config_aggregator_trusted_profile_enterprise" {
       description = "IAM access with custom role"
     },
     {
-      roles = ["Viewer"]
+      unique_identifier = "config-aggregator-trusted-profile-1"
+      roles             = ["Viewer"]
       resources = [{
         service = "enterprise"
       }]
@@ -119,7 +125,8 @@ module "config_aggregator_trusted_profile_enterprise" {
   ]
 
   trusted_profile_links = [{
-    cr_type = "VSI"
+    unique_identifier = "config-aggregator-trusted-profile-0"
+    cr_type           = "VSI"
     links = [{
       crn = ibm_resource_instance.app_config.crn
     }]
diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md
@@ -42,10 +42,10 @@ No resources.
 | <a name="input_app_config_tags"></a> [app\_config\_tags](#input\_app\_config\_tags) | Optional list of tags to be added to the App Config instance. | `list(string)` | `[]` | no |
 | <a name="input_config_aggregator_enterprise_account_group_ids_to_assign"></a> [config\_aggregator\_enterprise\_account\_group\_ids\_to\_assign](#input\_config\_aggregator\_enterprise\_account\_group\_ids\_to\_assign) | A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all account groups. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`. | `list(string)` | <pre>[<br/>  "all"<br/>]</pre> | no |
 | <a name="input_config_aggregator_enterprise_id"></a> [config\_aggregator\_enterprise\_id](#input\_config\_aggregator\_enterprise\_id) | If the account is an enterprise account, this value should be set to the enterprise ID (NOTE: This is different to the account ID). | `string` | `null` | no |
-| <a name="input_config_aggregator_enterprise_trusted_profile_name"></a> [config\_aggregator\_enterprise\_trusted\_profile\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_name) | The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. | `string` | `"config-aggregator-enterprise-trusted-profile"` | no |
-| <a name="input_config_aggregator_enterprise_trusted_profile_template_name"></a> [config\_aggregator\_enterprise\_trusted\_profile\_template\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_template\_name) | The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. | `string` | `"config-aggregator-trusted-profile-template"` | no |
+| <a name="input_config_aggregator_enterprise_trusted_profile_name"></a> [config\_aggregator\_enterprise\_trusted\_profile\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_name) | The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | `"config-aggregator-enterprise-trusted-profile"` | no |
+| <a name="input_config_aggregator_enterprise_trusted_profile_template_name"></a> [config\_aggregator\_enterprise\_trusted\_profile\_template\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_template\_name) | The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | `"config-aggregator-trusted-profile-template"` | no |
 | <a name="input_config_aggregator_resource_collection_regions"></a> [config\_aggregator\_resource\_collection\_regions](#input\_config\_aggregator\_resource\_collection\_regions) | From which region do you want to collect configuration data? Only applies if `enable_config_aggregator` is set to true. | `list(string)` | <pre>[<br/>  "all"<br/>]</pre> | no |
-| <a name="input_config_aggregator_trusted_profile_name"></a> [config\_aggregator\_trusted\_profile\_name](#input\_config\_aggregator\_trusted\_profile\_name) | The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. | `string` | `"config-aggregator-trusted-profile"` | no |
+| <a name="input_config_aggregator_trusted_profile_name"></a> [config\_aggregator\_trusted\_profile\_name](#input\_config\_aggregator\_trusted\_profile\_name) | The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format. | `string` | `"config-aggregator-trusted-profile"` | no |
 | <a name="input_enable_config_aggregator"></a> [enable\_config\_aggregator](#input\_enable\_config\_aggregator) | Set to true to enable configuration aggregator. By setting to true a trusted profile will be created with the required access to record configuration data from all resources across regions in your account. [Learn more](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator). | `bool` | `false` | no |
 | <a name="input_existing_resource_group_name"></a> [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of an existing resource group to provision resource in. | `string` | `"Default"` | no |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key used to provision resources. | `string` | n/a | yes |
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
@@ -24,11 +24,11 @@ module "app_config" {
   app_config_tags                                            = var.app_config_tags
   app_config_collections                                     = var.app_config_collections
   enable_config_aggregator                                   = var.enable_config_aggregator
-  config_aggregator_trusted_profile_name                     = var.config_aggregator_trusted_profile_name
+  config_aggregator_trusted_profile_name                     = "${local.prefix}${var.config_aggregator_trusted_profile_name}"
   config_aggregator_resource_collection_regions              = var.config_aggregator_resource_collection_regions
   config_aggregator_enterprise_id                            = var.config_aggregator_enterprise_id
-  config_aggregator_enterprise_trusted_profile_name          = var.config_aggregator_enterprise_trusted_profile_name
-  config_aggregator_enterprise_trusted_profile_template_name = var.config_aggregator_enterprise_trusted_profile_template_name
+  config_aggregator_enterprise_trusted_profile_name          = "${local.prefix}${var.config_aggregator_enterprise_trusted_profile_name}"
+  config_aggregator_enterprise_trusted_profile_template_name = "${local.prefix}${var.config_aggregator_enterprise_trusted_profile_template_name}"
   config_aggregator_enterprise_account_group_ids_to_assign   = var.config_aggregator_enterprise_account_group_ids_to_assign
   cbr_rules                                                  = var.app_config_cbr_rules
 }
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
@@ -90,6 +90,14 @@ variable "app_config_collections" {
     tags          = optional(string, null)
   }))
   default = []
+
+  validation {
+    condition = (
+      var.app_config_plan != "lite" ||
+      length(var.app_config_collections) <= 1
+    )
+    error_message = "When using the 'lite' plan, you can define at most 1 App Configuration collection."
+  }
 }
 
 variable "app_config_tags" {
@@ -103,12 +111,23 @@ variable "enable_config_aggregator" {
   type        = bool
   default     = false
   nullable    = false
+
+  # Lite plan does not support enabling Config Aggregator as mention in doc : https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator
+  validation {
+    condition     = !(var.enable_config_aggregator && var.app_config_plan == "lite")
+    error_message = "The configuration aggregator cannot be enabled when the app_config_plan is set to 'lite'. Please use a different plan (e.g., 'basic', 'standardv2', or 'enterprise')."
+  }
 }
 
 variable "config_aggregator_trusted_profile_name" {
-  description = "The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`."
+  description = "The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
   type        = string
   default     = "config-aggregator-trusted-profile"
+
+  validation {
+    condition     = var.enable_config_aggregator ? var.config_aggregator_trusted_profile_name != null : true
+    error_message = "'config_aggregator_trusted_profile_name' cannot be null if 'enable_config_aggregator' is true."
+  }
 }
 
 variable "config_aggregator_resource_collection_regions" {
@@ -121,25 +140,45 @@ variable "config_aggregator_enterprise_id" {
   type        = string
   description = "If the account is an enterprise account, this value should be set to the enterprise ID (NOTE: This is different to the account ID). "
   default     = null
+
+  validation {
+    condition     = !var.enable_config_aggregator ? var.config_aggregator_enterprise_id == null : true
+    error_message = "A value can only be passed for 'config_aggregator_enterprise_id' if 'enable_config_aggregator' is true."
+  }
 }
 
 variable "config_aggregator_enterprise_trusted_profile_name" {
-  description = "The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`."
+  description = "The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
   type        = string
   default     = "config-aggregator-enterprise-trusted-profile"
+
+  validation {
+    condition     = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? var.config_aggregator_enterprise_trusted_profile_name != null : true
+    error_message = "'config_aggregator_enterprise_trusted_profile_name' cannot be null if 'enable_config_aggregator' is true and a value is being passed for 'config_aggregator_enterprise_id'."
+  }
 }
 
 variable "config_aggregator_enterprise_trusted_profile_template_name" {
-  description = "The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`."
+  description = "The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `<prefix>-<name>` format."
   type        = string
   default     = "config-aggregator-trusted-profile-template"
+
+  validation {
+    condition     = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? var.config_aggregator_enterprise_trusted_profile_template_name != null : true
+    error_message = "'config_aggregator_enterprise_trusted_profile_template_name' cannot be null if 'enable_config_aggregator' is true and a value is being passed for 'config_aggregator_enterprise_id'."
+  }
 }
 
 variable "config_aggregator_enterprise_account_group_ids_to_assign" {
   type        = list(string)
   default     = ["all"]
   description = "A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all account groups. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`."
   nullable    = false
+
+  validation {
+    condition     = contains(var.config_aggregator_enterprise_account_group_ids_to_assign, "all") ? length(var.config_aggregator_enterprise_account_group_ids_to_assign) == 1 : true
+    error_message = "When specifying 'all' in the list, you cannot add any other values to the list"
+  }
 }
 
 ##############################################################
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -59,18 +59,6 @@ func TestRunCompleteExample(t *testing.T) {
 	assert.NotNil(t, output, "Expected some output")
 }
 
-func TestRunUpgradeExample(t *testing.T) {
-	t.Parallel()
-
-	options := setupOptions(t, "app-conf-upg", advancedExampleDir)
-
-	output, err := options.RunTestUpgrade()
-	if !options.UpgradeTestSkipped {
-		assert.Nil(t, err, "This should not have errored")
-		assert.NotNil(t, output, "Expected some output")
-	}
-}
-
 func TestFullyConfigurable(t *testing.T) {
 	t.Parallel()
 	// Verify ibmcloud_api_key variable is set
