diff --git a/README.md b/README.md index 5411b8b..2d4f61f 100644 --- a/README.md +++ b/README.md @@ -86,8 +86,8 @@ For more information on access and permissions, see [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.28.0 | -| [config\_aggregator\_trusted\_profile](#module\_config\_aggregator\_trusted\_profile) | terraform-ibm-modules/trusted-profile/ibm | 2.1.1 | -| [config\_aggregator\_trusted\_profile\_enterprise](#module\_config\_aggregator\_trusted\_profile\_enterprise) | terraform-ibm-modules/trusted-profile/ibm | 2.1.1 | +| [config\_aggregator\_trusted\_profile](#module\_config\_aggregator\_trusted\_profile) | terraform-ibm-modules/trusted-profile/ibm | 3.0.0 | +| [config\_aggregator\_trusted\_profile\_enterprise](#module\_config\_aggregator\_trusted\_profile\_enterprise) | terraform-ibm-modules/trusted-profile/ibm | 3.0.0 | | [config\_aggregator\_trusted\_profile\_template](#module\_config\_aggregator\_trusted\_profile\_template) | terraform-ibm-modules/trusted-profile/ibm//modules/trusted-profile-template | 2.2.0 | ### Resources diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf index 3d7b3da..84e8831 100644 --- a/examples/advanced/main.tf +++ b/examples/advanced/main.tf @@ -47,13 +47,14 @@ module "cbr_zone" { ######################################################################################################################## module "app_config" { - source = "../.." - resource_group_id = module.resource_group.resource_group_id - region = var.region - app_config_name = "${var.prefix}-app-config" - app_config_tags = var.resource_tags - enable_config_aggregator = true # See https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator - app_config_plan = "standardv2" + source = "../.." + resource_group_id = module.resource_group.resource_group_id + region = var.region + app_config_name = "${var.prefix}-app-config" + app_config_tags = var.resource_tags + enable_config_aggregator = true # See https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator + app_config_plan = "standardv2" + config_aggregator_trusted_profile_name = "${var.prefix}-config-aggregator-trusted-profile" app_config_collections = [ { name = "${var.prefix}-collection", diff --git a/main.tf b/main.tf index c624f28..3bf22a1 100644 --- a/main.tf +++ b/main.tf @@ -40,21 +40,24 @@ resource "ibm_app_config_collection" "collections" { module "config_aggregator_trusted_profile" { count = var.enable_config_aggregator ? 1 : 0 source = "terraform-ibm-modules/trusted-profile/ibm" - version = "2.1.1" + version = "3.0.0" trusted_profile_name = var.config_aggregator_trusted_profile_name trusted_profile_description = "Trusted Profile for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator" trusted_profile_identity = { identifier = ibm_resource_instance.app_config.crn identity_type = "crn" } + # unique_identifier should not be updated as it will create a breaking change for trusted profile. For more information please check https://github.com/terraform-ibm-modules/terraform-ibm-trusted-profile/releases/tag/v3.0.0 . trusted_profile_policies = [ { + unique_identifier = "config-aggregator-trusted-profile-0" roles = ["Viewer", "Service Configuration Reader"] account_management = true description = "All Account Management Services" }, { - roles = ["Viewer", "Service Configuration Reader", "Reader"] + unique_identifier = "config-aggregator-trusted-profile-1" + roles = ["Viewer", "Service Configuration Reader", "Reader"] resource_attributes = [{ name = "serviceType" value = "service" @@ -64,7 +67,8 @@ module "config_aggregator_trusted_profile" { } ] trusted_profile_links = [{ - cr_type = "VSI" + unique_identifier = "config-aggregator-trusted-profile-0" + cr_type = "VSI" links = [{ crn = ibm_resource_instance.app_config.crn }] @@ -90,7 +94,7 @@ resource "ibm_iam_custom_role" "template_assignment_reader" { module "config_aggregator_trusted_profile_enterprise" { count = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? 1 : 0 source = "terraform-ibm-modules/trusted-profile/ibm" - version = "2.1.1" + version = "3.0.0" trusted_profile_name = var.config_aggregator_enterprise_trusted_profile_name trusted_profile_description = "Trusted Profile for App Configuration instance ${ibm_resource_instance.app_config.guid} with required access for configuration aggregator for enterprise accounts" @@ -101,7 +105,8 @@ module "config_aggregator_trusted_profile_enterprise" { trusted_profile_policies = [ { - roles = ["Viewer", local.custom_role] + unique_identifier = "config-aggregator-trusted-profile-0" + roles = ["Viewer", local.custom_role] resource_attributes = [{ name = "service_group_id" value = "IAM" @@ -110,7 +115,8 @@ module "config_aggregator_trusted_profile_enterprise" { description = "IAM access with custom role" }, { - roles = ["Viewer"] + unique_identifier = "config-aggregator-trusted-profile-1" + roles = ["Viewer"] resources = [{ service = "enterprise" }] @@ -119,7 +125,8 @@ module "config_aggregator_trusted_profile_enterprise" { ] trusted_profile_links = [{ - cr_type = "VSI" + unique_identifier = "config-aggregator-trusted-profile-0" + cr_type = "VSI" links = [{ crn = ibm_resource_instance.app_config.crn }] diff --git a/solutions/fully-configurable/README.md b/solutions/fully-configurable/README.md index 16c284a..626836f 100644 --- a/solutions/fully-configurable/README.md +++ b/solutions/fully-configurable/README.md @@ -42,10 +42,10 @@ No resources. | [app\_config\_tags](#input\_app\_config\_tags) | Optional list of tags to be added to the App Config instance. | `list(string)` | `[]` | no | | [config\_aggregator\_enterprise\_account\_group\_ids\_to\_assign](#input\_config\_aggregator\_enterprise\_account\_group\_ids\_to\_assign) | A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all account groups. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`. | `list(string)` | 
[
  "all"
]
| no | | [config\_aggregator\_enterprise\_id](#input\_config\_aggregator\_enterprise\_id) | If the account is an enterprise account, this value should be set to the enterprise ID (NOTE: This is different to the account ID). | `string` | `null` | no | -| [config\_aggregator\_enterprise\_trusted\_profile\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_name) | The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. | `string` | `"config-aggregator-enterprise-trusted-profile"` | no | -| [config\_aggregator\_enterprise\_trusted\_profile\_template\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_template\_name) | The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. | `string` | `"config-aggregator-trusted-profile-template"` | no | +| [config\_aggregator\_enterprise\_trusted\_profile\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_name) | The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"config-aggregator-enterprise-trusted-profile"` | no | +| [config\_aggregator\_enterprise\_trusted\_profile\_template\_name](#input\_config\_aggregator\_enterprise\_trusted\_profile\_template\_name) | The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"config-aggregator-trusted-profile-template"` | no | | [config\_aggregator\_resource\_collection\_regions](#input\_config\_aggregator\_resource\_collection\_regions) | From which region do you want to collect configuration data? Only applies if `enable_config_aggregator` is set to true. | `list(string)` | 
[
  "all"
]
| no | -| [config\_aggregator\_trusted\_profile\_name](#input\_config\_aggregator\_trusted\_profile\_name) | The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. | `string` | `"config-aggregator-trusted-profile"` | no | +| [config\_aggregator\_trusted\_profile\_name](#input\_config\_aggregator\_trusted\_profile\_name) | The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `-` format. | `string` | `"config-aggregator-trusted-profile"` | no | | [enable\_config\_aggregator](#input\_enable\_config\_aggregator) | Set to true to enable configuration aggregator. By setting to true a trusted profile will be created with the required access to record configuration data from all resources across regions in your account. [Learn more](https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator). | `bool` | `false` | no | | [existing\_resource\_group\_name](#input\_existing\_resource\_group\_name) | The name of an existing resource group to provision resource in. | `string` | `"Default"` | no | | [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key used to provision resources. | `string` | n/a | yes | diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 95f0ce5..170bae7 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf @@ -24,11 +24,11 @@ module "app_config" { app_config_tags = var.app_config_tags app_config_collections = var.app_config_collections enable_config_aggregator = var.enable_config_aggregator - config_aggregator_trusted_profile_name = var.config_aggregator_trusted_profile_name + config_aggregator_trusted_profile_name = "${local.prefix}${var.config_aggregator_trusted_profile_name}" config_aggregator_resource_collection_regions = var.config_aggregator_resource_collection_regions config_aggregator_enterprise_id = var.config_aggregator_enterprise_id - config_aggregator_enterprise_trusted_profile_name = var.config_aggregator_enterprise_trusted_profile_name - config_aggregator_enterprise_trusted_profile_template_name = var.config_aggregator_enterprise_trusted_profile_template_name + config_aggregator_enterprise_trusted_profile_name = "${local.prefix}${var.config_aggregator_enterprise_trusted_profile_name}" + config_aggregator_enterprise_trusted_profile_template_name = "${local.prefix}${var.config_aggregator_enterprise_trusted_profile_template_name}" config_aggregator_enterprise_account_group_ids_to_assign = var.config_aggregator_enterprise_account_group_ids_to_assign cbr_rules = var.app_config_cbr_rules } diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 59e2bc3..6767f37 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -90,6 +90,14 @@ variable "app_config_collections" { tags = optional(string, null) })) default = [] + + validation { + condition = ( + var.app_config_plan != "lite" || + length(var.app_config_collections) <= 1 + ) + error_message = "When using the 'lite' plan, you can define at most 1 App Configuration collection." + } } variable "app_config_tags" { @@ -103,12 +111,23 @@ variable "enable_config_aggregator" { type = bool default = false nullable = false + + # Lite plan does not support enabling Config Aggregator as mention in doc : https://cloud.ibm.com/docs/app-configuration?topic=app-configuration-ac-configuration-aggregator + validation { + condition = !(var.enable_config_aggregator && var.app_config_plan == "lite") + error_message = "The configuration aggregator cannot be enabled when the app_config_plan is set to 'lite'. Please use a different plan (e.g., 'basic', 'standardv2', or 'enterprise')." + } } variable "config_aggregator_trusted_profile_name" { - description = "The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`." + description = "The name to give the trusted profile that will be created if `enable_config_aggregator` is set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `-` format." type = string default = "config-aggregator-trusted-profile" + + validation { + condition = var.enable_config_aggregator ? var.config_aggregator_trusted_profile_name != null : true + error_message = "'config_aggregator_trusted_profile_name' cannot be null if 'enable_config_aggregator' is true." + } } variable "config_aggregator_resource_collection_regions" { @@ -121,18 +140,33 @@ variable "config_aggregator_enterprise_id" { type = string description = "If the account is an enterprise account, this value should be set to the enterprise ID (NOTE: This is different to the account ID). " default = null + + validation { + condition = !var.enable_config_aggregator ? var.config_aggregator_enterprise_id == null : true + error_message = "A value can only be passed for 'config_aggregator_enterprise_id' if 'enable_config_aggregator' is true." + } } variable "config_aggregator_enterprise_trusted_profile_name" { - description = "The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`." + description = "The name to give the enterprise viewer trusted profile with that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `-` format." type = string default = "config-aggregator-enterprise-trusted-profile" + + validation { + condition = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? var.config_aggregator_enterprise_trusted_profile_name != null : true + error_message = "'config_aggregator_enterprise_trusted_profile_name' cannot be null if 'enable_config_aggregator' is true and a value is being passed for 'config_aggregator_enterprise_id'." + } } variable "config_aggregator_enterprise_trusted_profile_template_name" { - description = "The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`." + description = "The name to give the trusted profile template that will be created if `enable_config_aggregator` is set to `true` and a value is passed for `config_aggregator_enterprise_id`. If a prefix input variable is specified, the prefix is added to the name in the `-` format." type = string default = "config-aggregator-trusted-profile-template" + + validation { + condition = var.enable_config_aggregator && var.config_aggregator_enterprise_id != null ? var.config_aggregator_enterprise_trusted_profile_template_name != null : true + error_message = "'config_aggregator_enterprise_trusted_profile_template_name' cannot be null if 'enable_config_aggregator' is true and a value is being passed for 'config_aggregator_enterprise_id'." + } } variable "config_aggregator_enterprise_account_group_ids_to_assign" { @@ -140,6 +174,11 @@ variable "config_aggregator_enterprise_account_group_ids_to_assign" { default = ["all"] description = "A list of enterprise account group IDs to assign the trusted profile template to in order for the accounts to be scanned. Supports passing the string 'all' in the list to assign to all account groups. Only applies if `enable_config_aggregator` is true and a value is being passed for `config_aggregator_enterprise_id`." nullable = false + + validation { + condition = contains(var.config_aggregator_enterprise_account_group_ids_to_assign, "all") ? length(var.config_aggregator_enterprise_account_group_ids_to_assign) == 1 : true + error_message = "When specifying 'all' in the list, you cannot add any other values to the list" + } } ############################################################## diff --git a/tests/pr_test.go b/tests/pr_test.go index 92d254a..a38801d 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -59,18 +59,6 @@ func TestRunCompleteExample(t *testing.T) { assert.NotNil(t, output, "Expected some output") } -func TestRunUpgradeExample(t *testing.T) { - t.Parallel() - - options := setupOptions(t, "app-conf-upg", advancedExampleDir) - - output, err := options.RunTestUpgrade() - if !options.UpgradeTestSkipped { - assert.Nil(t, err, "This should not have errored") - assert.NotNil(t, output, "Expected some output") - } -} - func TestFullyConfigurable(t *testing.T) { t.Parallel() // Verify ibmcloud_api_key variable is set