From aef3ff8dbb2a30da61aa81e437b1934fe93932d1 Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Tue, 17 Dec 2024 11:13:51 +0000 Subject: [PATCH 1/5] fix: add extra validation for kms --- solutions/standard/main.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index c66561c3..754b0229 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf @@ -21,6 +21,8 @@ locals { validate_kms_1 = var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? tobool("When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false.") : true # tflint-ignore: terraform_unused_declarations validate_kms_2 = !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true + # tflint-ignore: terraform_unused_declarations + validate_kms_3 = local.create_new_kms_key && var.existing_kms_instance_crn == null ? tobool("If a value is not provided for 'existing_db_instance_crn' or 'existing_kms_key_crn', and 'use_ibm_owned_encryption_key' is not set to true, you must provide a value for 'existing_kms_instance_crn'.") : true } ####################################################################################################################### 
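Review bot: `validate_kms_3` in the `@@ -21,6 +21,8 @@` hunk cannot fire on its own. Its condition, `local.create_new_kms_key && var.existing_kms_instance_crn == null`, expands to a subset of the inputs that `validate_kms_2` on the line above already rejects, so it adds no coverage, only a second message for the same mistake. It also relies on `create_new_kms_key` being a bool, which holds only because the `@@ -28,7 +30,7 @@` hunk of this patch changes that local's type. If a different input combination was meant, the condition has to differ from `validate_kms_2`; otherwise drop the local. Either way, the block would benefit from a comment such as `# tobool() on a non-boolean string fails evaluation, so the string is shown as the error message`. The `locals` block starts above the hunk.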
@@ -28,7 +30,7 @@ locals { ####################################################################################################################### locals { - create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null ? 1 : 0 # no need to create any KMS resources if using existing Elasticsearch, passing an existing key, or using IBM owned keys + create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null ? true : false # no need to create any KMS resources if using existing Elasticsearch, passing an existing key, or using IBM owned keys elasticsearch_key_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_name}" : var.elasticsearch_key_name elasticsearch_key_ring_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_ring_name}" : var.elasticsearch_key_ring_name } @@ -37,7 +39,7 @@ module "kms" { providers = { ibm = ibm.kms } - count = local.create_new_kms_key + count = local.create_new_kms_key ? 1 : 0 source = "terraform-ibm-modules/kms-all-inclusive/ibm" version = "4.18.1" create_key_protect_instance = false From 82927f6069668c1ca80edb3078b66b4531e7c93a Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Tue, 17 Dec 2024 11:47:15 +0000 Subject: [PATCH 2/5] fix: add extra validation for kms --- solutions/standard/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index 754b0229..7cb4a7a6 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf 
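Review bot: Changing `create_new_kms_key` from a number to a bool in the `@@ -28,7 +30,7 @@` hunk alters any other reference to it in main.tf, and only the `count` line in the `module "kms"` hunk is updated here. A comparison such as `local.create_new_kms_key == 1` outside these hunks would presumably evaluate to false rather than raise an error, which might make the code that picks the key CRN take the wrong branch without any message, so the remaining uses should be checked. The `? true : false` is also redundant on an expression that is already boolean: `create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null`.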
@@ -18,11 +18,11 @@ module "resource_group" { locals { # tflint-ignore: terraform_unused_declarations - validate_kms_1 = var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? tobool("When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false.") : true + validate_kms_1 = var.existing_db_instance_crn != null ? true : var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? tobool("When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false.") : true # tflint-ignore: terraform_unused_declarations - validate_kms_2 = !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true + validate_kms_2 = var.existing_db_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true # tflint-ignore: terraform_unused_declarations - validate_kms_3 = local.create_new_kms_key && var.existing_kms_instance_crn == null ? 
tobool("If a value is not provided for 'existing_db_instance_crn' or 'existing_kms_key_crn', and 'use_ibm_owned_encryption_key' is not set to true, you must provide a value for 'existing_kms_instance_crn'.") : true + validate_kms_3 = var.existing_db_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null && var.existing_kms_key_crn != null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value cannot be passed for both 'existing_kms_instance_crn' (to create a new key), and 'existing_kms_key_crn' to use an existing key.") : true } ####################################################################################################################### @@ -30,7 +30,7 @@ locals { ####################################################################################################################### locals { - create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null ? true : false # no need to create any KMS resources if using existing Elasticsearch, passing an existing key, or using IBM owned keys + create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null && var.existing_kms_instance_crn != null ? true : false # no need to create any KMS resources if using existing Elasticsearch, passing an existing key, or using IBM owned keys elasticsearch_key_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_name}" : var.elasticsearch_key_name elasticsearch_key_ring_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_ring_name}" : var.elasticsearch_key_ring_name } From 74de4a410a8517686bdc8fdf5e7a19f9c179794b Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Tue, 17 Dec 2024 11:48:19 +0000 Subject: [PATCH 3/5] fix: add extra validation for kms --- solutions/standard/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
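Review bot: The `var.existing_db_instance_crn != null ? true : …` prefix added to `validate_kms_1`, `validate_kms_2` and `validate_kms_3` in the `@@ -18,11 +18,11 @@` hunk stacks two unparenthesised conditionals on one line, which is hard to read. Folding the guard into the condition is equivalent and clearer, e.g. `validate_kms_2 = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null ? tobool("…") : true`. The guard also means contradictory KMS inputs are accepted without any message whenever `existing_db_instance_crn` is set. If those inputs are ignored in that mode (not visible in this hunk), a comment above the block such as `# KMS inputs are not validated when existing_db_instance_crn is set` would keep a caller from assuming their key is applied. The `locals` block starts above the hunk.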
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index 7cb4a7a6..e31537cf 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf @@ -30,7 +30,7 @@ locals { ####################################################################################################################### locals { - create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null && var.existing_kms_instance_crn != null ? true : false # no need to create any KMS resources if using existing Elasticsearch, passing an existing key, or using IBM owned keys + create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null && var.existing_kms_instance_crn != null ? 1 : 0 # no need to create any KMS resources if using existing Elasticsearch, passing an existing key, or using IBM owned keys elasticsearch_key_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_name}" : var.elasticsearch_key_name elasticsearch_key_ring_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_ring_name}" : var.elasticsearch_key_ring_name } @@ -39,7 +39,7 @@ module "kms" { providers = { ibm = ibm.kms } - count = local.create_new_kms_key ? 1 : 0 + count = local.create_new_kms_key source = "terraform-ibm-modules/kms-all-inclusive/ibm" version = "4.18.1" create_key_protect_instance = false From a5459ae9851319d1417f40c7d2f50af8051d55ec Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Tue, 17 Dec 2024 11:49:45 +0000 Subject: [PATCH 4/5] fix: add extra validation for kms --- solutions/standard/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index e31537cf..7b95f92f 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf 
@@ -22,7 +22,7 @@ locals { # tflint-ignore: terraform_unused_declarations validate_kms_2 = var.existing_db_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true # tflint-ignore: terraform_unused_declarations - validate_kms_3 = var.existing_db_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null && var.existing_kms_key_crn != null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value cannot be passed for both 'existing_kms_instance_crn' (to create a new key), and 'existing_kms_key_crn' to use an existing key.") : true + validate_kms_3 = var.existing_db_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null && var.existing_kms_key_crn != null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value cannot be passed for both 'existing_kms_instance_crn' (to create a new key), and 'existing_kms_key_crn' (to use an existing key).") : true } ####################################################################################################################### From 2503c2a8a81d7cc6bcc6f0f629fb907439487061 Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Tue, 17 Dec 2024 12:05:15 +0000 Subject: [PATCH 5/5] fix: add extra validation for kms --- solutions/standard/main.tf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf index 7b95f92f..e6d65b3e 100644 --- a/solutions/standard/main.tf +++ b/solutions/standard/main.tf 
@@ -21,8 +21,6 @@ locals { validate_kms_1 = var.existing_db_instance_crn != null ? true : var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? tobool("When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false.") : true # tflint-ignore: terraform_unused_declarations validate_kms_2 = var.existing_db_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true - # tflint-ignore: terraform_unused_declarations - validate_kms_3 = var.existing_db_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null && var.existing_kms_key_crn != null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value cannot be passed for both 'existing_kms_instance_crn' (to create a new key), and 'existing_kms_key_crn' (to use an existing key).") : true } ####################################################################################################################### 
@@ -30,7 +28,7 @@ locals { ####################################################################################################################### locals { - create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null && var.existing_kms_instance_crn != null ? 1 : 0 # no need to create any KMS resources if using existing Elasticsearch, passing an existing key, or using IBM owned keys + create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null ? 1 : 0 # no need to create any KMS resources if using existing Elasticsearch, passing an existing key, or using IBM owned keys elasticsearch_key_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_name}" : var.elasticsearch_key_name elasticsearch_key_ring_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_ring_name}" : var.elasticsearch_key_ring_name }