6 changes: 4 additions & 2 deletions solutions/standard/main.tf
Expand Up @@ -21,14 +21,16 @@ locals {
validate_kms_1 = var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? tobool("When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false.") : true
# tflint-ignore: terraform_unused_declarations
validate_kms_2 = !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true
# tflint-ignore: terraform_unused_declarations
validate_kms_3 = local.create_new_kms_key && var.existing_kms_instance_crn == null ? tobool("If a value is not provided for 'existing_db_instance_crn' or 'existing_kms_key_crn', and 'use_ibm_owned_encryption_key' is not set to true, you must provide a value for 'existing_kms_instance_crn'.") : true
Contributor

This seems to overlap with validate_kms_2. I think all we need to do is update the current logic to check if var.existing_db_instance_crn == null (both validate_kms_1 and validate_kms_2)

}

#######################################################################################################################
# KMS encryption key
#######################################################################################################################

locals {
create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null ? 1 : 0 # no need to create any KMS resources if using existing Elasticsearch, passing an existing key, or using IBM owned keys
create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null ? true : false # no need to create any KMS resources if using existing Elasticsearch, passing an existing key, or using IBM owned keys
elasticsearch_key_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_name}" : var.elasticsearch_key_name
elasticsearch_key_ring_name = var.prefix != null ? "${var.prefix}-${var.elasticsearch_key_ring_name}" : var.elasticsearch_key_ring_name
}
Expand All @@ -37,7 +39,7 @@ module "kms" {
providers = {
ibm = ibm.kms
}
count = local.create_new_kms_key
count = local.create_new_kms_key ? 1 : 0
source = "terraform-ibm-modules/kms-all-inclusive/ibm"
version = "4.18.1"
create_key_protect_instance = false
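Review bot: Changing `create_new_kms_key` from a number to a bool affects every other reference to it in the file, and only the `count` in `module "kms"` is updated in the visible hunks. If any expression outside these hunks still compares it numerically (for example `local.create_new_kms_key == 1` when choosing between the module-created key CRN and `var.existing_kms_key_crn`), Terraform would evaluate that mixed-type comparison as false rather than raise an error, so the wrong encryption key, or none, could be selected silently; the rest of the file should be checked for this. Separately, the `? true : false` on the new local is redundant because the condition is already boolean: `create_new_kms_key = var.existing_db_instance_crn == null && !var.use_ibm_owned_encryption_key && var.existing_kms_key_crn == null`. The `module "kms"` block continues past the end of the hunk.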