feat: improved user experience for validating input variable values <br> - updated required terraform to be >= 1.9.0 (#59)

* refactor: cross object reference for input variable validation

* Modified validation

* fix: Resolved conflicts and updated validation

* fix :Update description

---------

Co-authored-by: Arya Girish K <[email protected]>

Author: arya-girish-k

README.md

@@ -494,7 +494,7 @@ module "es_kubernetes_secret" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.11.0, < 3.0.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.16.1, < 3.0.0 |
 

examples/all-combined/importedcertificate.tf

@@ -2,28 +2,6 @@
 # imported certificate for secrets manager
 ##################################################################
 
-locals {
-
-  # validation for secrets manager region to be set for existing secrets manager instance
-  validate_imported_sm_region_cnd = var.imported_certificate_sm_id != null && var.imported_certificate_sm_region == null
-  validate_imported_sm_region_msg = "imported_certificate_sm_region must also be set when value given for imported_certificate_sm_id"
-  # tflint-ignore: terraform_unused_declarations
-  validate_imported_sm_region_chk = regex(
-    "^${local.validate_imported_sm_region_msg}$",
-    (!local.validate_imported_sm_region_cnd
-      ? local.validate_imported_sm_region_msg
-  : ""))
-
-  validate_imported_sm_cnd = (var.imported_certificate_public_secret_id != null && var.imported_certificate_private_secret_id != null) && var.imported_certificate_sm_id == null
-  validate_imported_sm_msg = "If imported_certificate_public_secret_id and imported_certificate_private_secret_id to create an imported certificate also imported_certificate_sm_id must be set"
-  # tflint-ignore: terraform_unused_declarations
-  validate_imported_sm_chk = regex(
-    "^${local.validate_imported_sm_msg}$",
-    (!local.validate_imported_sm_cnd
-      ? local.validate_imported_sm_msg
-  : ""))
-}
-
 # loading from Secrets Manager the three components (private key, intermediate and public cert) composing the imported certificate
 data "ibm_sm_arbitrary_secret" "imported_certificate_intermediate" {
   count       = var.imported_certificate_intermediate_secret_id != null ? 1 : 0

examples/all-combined/secretsmanager.tf

@@ -3,27 +3,6 @@
 ##############################################################################
 
 locals {
-
-  # validation for secrets manager region to be set for existing secrets manager instance
-  validate_sm_region_cnd = var.existing_sm_instance_guid != null && var.existing_sm_instance_region == null
-  validate_sm_region_msg = "existing_sm_instance_region must also be set when value given for existing_sm_instance_guid."
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_region_chk = regex(
-    "^${local.validate_sm_region_msg}$",
-    (!local.validate_sm_region_cnd
-      ? local.validate_sm_region_msg
-  : ""))
-
-  # validation for secrets manager crn to be set for existing secrets manager instance if using private service endpoints
-  validate_sm_crn_cnd = var.existing_sm_instance_guid != null && var.existing_sm_instance_crn == null && var.service_endpoints == "private"
-  validate_sm_crn_msg = "existing_sm_instance_crn must also be set when value given for existing_sm_instance_guid if service_endpoints is private."
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_crn_chk = regex(
-    "^${local.validate_sm_crn_msg}$",
-    (!local.validate_sm_crn_cnd
-      ? local.validate_sm_crn_msg
-  : ""))
-
   # setting the secrets manager resource id to use
   sm_guid = var.existing_sm_instance_guid == null ? ibm_resource_instance.secrets_manager[0].guid : var.existing_sm_instance_guid
 

examples/all-combined/variables.tf

@@ -207,6 +207,14 @@ variable "existing_sm_instance_guid" {
   type        = string
   description = "Existing Secrets Manager GUID. If not provided a new instance will be provisioned"
   default     = null
+  validation {
+    condition     = var.existing_sm_instance_guid != null ? var.existing_sm_instance_region != null : true
+    error_message = "existing_sm_instance_region must also be set when value given for existing_sm_instance_guid."
+  }
+  validation {
+    condition     = var.existing_sm_instance_guid != null && var.service_endpoints == "private" ? var.existing_sm_instance_crn != null : true
+    error_message = "existing_sm_instance_crn must also be set when value given for existing_sm_instance_guid if service_endpoints is private."
+  }
 }
 
 variable "existing_sm_instance_crn" {
@@ -287,6 +295,14 @@ variable "imported_certificate_sm_id" {
   type        = string
   default     = null
   description = "Secrets Manager instance id where the components for the intermediate certificate are stored"
+  validation {
+    condition     = var.imported_certificate_sm_id != null ? var.imported_certificate_sm_region != null : true
+    error_message = "imported_certificate_sm_region must also be set when value given for imported_certificate_sm_id"
+  }
+  validation {
+    condition     = (var.imported_certificate_public_secret_id != null && var.imported_certificate_private_secret_id != null) && var.imported_certificate_sm_id == null ? false : true
+    error_message = "If imported_certificate_public_secret_id and imported_certificate_private_secret_id to create an imported certificate also imported_certificate_sm_id must be set"
+  }
 }
 
 variable "imported_certificate_sm_region" {

examples/all-combined/version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.1.0"
+  required_version = ">= 1.9.0"
   required_providers {
     kubernetes = {
       source  = "hashicorp/kubernetes"

examples/basic/main.tf

@@ -4,16 +4,6 @@
 
 locals {
 
-  # general
-  validate_sm_region_cnd = var.existing_sm_instance_guid != null && var.existing_sm_instance_region == null
-  validate_sm_region_msg = "existing_sm_instance_region must also be set when value given for existing_sm_instance_guid."
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_region_chk = regex(
-    "^${local.validate_sm_region_msg}$",
-    (!local.validate_sm_region_cnd
-      ? local.validate_sm_region_msg
-  : ""))
-
   sm_guid = var.existing_sm_instance_guid == null ? ibm_resource_instance.secrets_manager[0].guid : var.existing_sm_instance_guid
 
 

examples/basic/variables.tf

@@ -51,6 +51,10 @@ variable "existing_sm_instance_guid" {
   type        = string
   description = "Existing Secrets Manager GUID. If not provided a new instance will be provisioned"
   default     = null
+  validation {
+    condition     = var.existing_sm_instance_guid != null ? var.existing_sm_instance_region != null : true
+    error_message = "existing_sm_instance_region must also be set when value given for existing_sm_instance_guid."
+  }
 }
 
 variable "existing_sm_instance_region" {

examples/basic/version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.0.0"
+  required_version = ">= 1.9.0"
   required_providers {
     kubernetes = {
       source  = "hashicorp/kubernetes"

examples/trusted-profiles-authentication/main.tf

@@ -13,25 +13,6 @@ locals {
   secret_group_name            = "${var.prefix}-sm-secret-group"                        #checkov:skip=CKV_SECRET_6
   es_kubernetes_namespaces     = ["${var.prefix}-tp-test-1", "${var.prefix}-tp-test-2"] # namespace to create the externalsecrets resources for secrets sync
 
-  validate_sm_region_cnd = var.existing_sm_instance_guid != null && var.existing_sm_instance_region == null
-  validate_sm_region_msg = "existing_sm_instance_region must also be set when value given for existing_sm_instance_guid."
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_region_chk = regex(
-    "^${local.validate_sm_region_msg}$",
-    (!local.validate_sm_region_cnd
-      ? local.validate_sm_region_msg
-  : ""))
-
-  # validation for secrets manager crn to be set for existing secrets manager instance if using private service endpoints
-  validate_sm_crn_cnd = var.existing_sm_instance_guid != null && var.existing_sm_instance_crn == null && var.service_endpoints == "private"
-  validate_sm_crn_msg = "existing_sm_instance_crn must also be set when value given for existing_sm_instance_guid if service_endpoints is private."
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_crn_chk = regex(
-    "^${local.validate_sm_crn_msg}$",
-    (!local.validate_sm_crn_cnd
-      ? local.validate_sm_crn_msg
-  : ""))
-
   sm_guid = var.existing_sm_instance_guid == null ? ibm_resource_instance.secrets_manager[0].guid : var.existing_sm_instance_guid
   # if service_endpoints is not private the crn for SM is not needed because of VPE creation is not needed
   sm_crn = var.existing_sm_instance_crn == null ? (var.service_endpoints == "private" ? ibm_resource_instance.secrets_manager[0].crn : "") : var.existing_sm_instance_crn

examples/trusted-profiles-authentication/variables.tf

@@ -38,6 +38,14 @@ variable "existing_sm_instance_guid" {
   type        = string
   description = "Existing Secrets Manager GUID. If not provided a new instance will be provisioned"
   default     = null
+  validation {
+    condition     = var.existing_sm_instance_guid != null ? var.existing_sm_instance_region != null : true
+    error_message = "existing_sm_instance_region must also be set when value given for existing_sm_instance_guid."
+  }
+  validation {
+    condition     = var.existing_sm_instance_guid != null && var.service_endpoints == "private" ? var.existing_sm_instance_crn != null : true
+    error_message = "existing_sm_instance_crn must also be set when value given for existing_sm_instance_guid if service_endpoints is private."
+  }
 }
 
 variable "existing_sm_instance_crn" {