diff --git a/README.md b/README.md
index 70a36e2e..bb2b53cc 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ You need the following permissions to run this module.
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.0 |
+| [terraform](#requirement\_terraform) | >= 1.9.0 |
| [ibm](#requirement\_ibm) | >= 1.70.0, <2.0.0 |
| [null](#requirement\_null) | >= 3.2.1, < 4.0.0 |
| [time](#requirement\_time) | >= 0.9.1 |
diff --git a/examples/backup-restore/version.tf b/examples/backup-restore/version.tf
index 45c8d81f..6f39952e 100644
--- a/examples/backup-restore/version.tf
+++ b/examples/backup-restore/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
required_providers {
# Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
# module's version.tf (basic example), and 1 example that will always use the latest provider version (complete example).
diff --git a/examples/basic/version.tf b/examples/basic/version.tf
index 77ab8c9f..509f9700 100644
--- a/examples/basic/version.tf
+++ b/examples/basic/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
required_providers {
# Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
ibm = {
diff --git a/examples/complete/version.tf b/examples/complete/version.tf
index 27a03563..c07b9389 100644
--- a/examples/complete/version.tf
+++ b/examples/complete/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
# Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
required_providers {
ibm = {
diff --git a/examples/fscloud/version.tf b/examples/fscloud/version.tf
index 56d317dc..cdc76d38 100644
--- a/examples/fscloud/version.tf
+++ b/examples/fscloud/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
required_providers {
# Use latest version of provider in non-basic examples to verify latest version works with module
ibm = {
diff --git a/main.tf b/main.tf
index 2c244fe9..6a870a48 100644
--- a/main.tf
+++ b/main.tf
@@ -5,21 +5,6 @@
# TODO: Replace with terraform cross variable validation: https://github.ibm.com/GoldenEye/issues/issues/10836
########################################################################################################################
-locals {
- # tflint-ignore: terraform_unused_declarations
- validate_kms_values = var.use_ibm_owned_encryption_key && (var.kms_key_crn != null || var.backup_encryption_key_crn != null) ? tobool("When passing values for 'kms_key_crn' or 'backup_encryption_key_crn', you must set 'use_ibm_owned_encryption_key' to false. Otherwise unset them to use default encryption.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_kms_vars = !var.use_ibm_owned_encryption_key && var.kms_key_crn == null ? tobool("When setting 'use_ibm_owned_encryption_key' to false, a value must be passed for 'kms_key_crn'.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_backup_key = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null && (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups) ? tobool("When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to true or 'use_ibm_owned_encryption_key' to false.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_backup_key_2 = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn == null && !var.use_same_kms_key_for_backups ? tobool("When 'use_same_kms_key_for_backups' is set to false, a value needs to be passed for 'backup_encryption_key_crn'.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_plan = var.enable_elser_model && var.plan != "platinum" ? tobool("When 'enable_elser_model' is set to true, the 'plan' must be set to 'platinum' in order to enable ELSER model.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_es_user = var.enable_elser_model && !((length(var.service_credential_names) > 0 && length([for k, v in var.service_credential_names : k if v == "Administrator"]) > 0) || var.admin_pass != null) ? tobool("When 'enable_elser_model' is set to true, an Administrator role user must be created using the 'service_credential_names' input, or by passing a value for the 'admin_pass' input.") : true
-}
-
########################################################################################################################
# Locals
########################################################################################################################
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index 56bfced6..2e63b28f 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -13,7 +13,7 @@ The IBM Cloud Framework for Financial Services mandates the application of an in
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.0 |
+| [terraform](#requirement\_terraform) | >= 1.9.0 |
| [ibm](#requirement\_ibm) | >= 1.70.0, <2.0.0 |
### Modules
diff --git a/modules/fscloud/version.tf b/modules/fscloud/version.tf
index ffce2a6e..bf6a3a62 100644
--- a/modules/fscloud/version.tf
+++ b/modules/fscloud/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
required_providers {
# The below tflint-ignore is required because although the below provider is not directly required by this submodule,
# it is required by consuming modules, and if not set here, the top level module calling this module will not be
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index 974e35ac..173a3f73 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -16,13 +16,6 @@ module "resource_group" {
# TODO: Replace with terraform cross variable validation: https://github.ibm.com/GoldenEye/issues/issues/10836
#######################################################################################################################
-locals {
- # tflint-ignore: terraform_unused_declarations
- validate_kms_1 = var.existing_elasticsearch_instance_crn != null ? true : var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? tobool("When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_kms_2 = var.existing_elasticsearch_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true
-}
-
#######################################################################################################################
# KMS encryption key
#######################################################################################################################
@@ -254,10 +247,6 @@ module "es_instance_crn_parser" {
locals {
existing_elasticsearch_guid = var.existing_elasticsearch_instance_crn != null ? module.es_instance_crn_parser[0].service_instance : null
existing_elasticsearch_region = var.existing_elasticsearch_instance_crn != null ? module.es_instance_crn_parser[0].region : null
-
- # Validate the region input matches region detected in existing instance CRN (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
- # tflint-ignore: terraform_unused_declarations
- validate_existing_instance_region = var.existing_elasticsearch_instance_crn != null && var.region != local.existing_elasticsearch_region ? tobool("The region detected in the 'existing_elasticsearch_instance_crn' value must match the value of the 'region' input variable when passing an existing instance.") : true
}
# Do a data lookup on the resource GUID to get more info that is needed for the 'ibm_database' data lookup below
@@ -333,14 +322,6 @@ locals {
#######################################################################################################################
locals {
- ## Variable validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
- # tflint-ignore: terraform_unused_declarations
- validate_sm_crn = length(local.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? tobool("`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret.") : false
- # tflint-ignore: terraform_unused_declarations
- validate_sm_sg = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_group == null ? tobool("`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set.") : false
- # tflint-ignore: terraform_unused_declarations
- validate_sm_sn = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_name == null ? tobool("`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set.") : false
-
create_sm_auth_policy = var.skip_elasticsearch_to_secrets_manager_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
}
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 6c7f985e..8657adfe 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -56,12 +56,25 @@ variable "backup_crn" {
type = string
description = "The CRN of a backup resource to restore from. The backup is created by a database deployment with the same service ID. The backup is loaded after provisioning and the new deployment starts up that uses that data. A backup CRN is in the format crn:v1:<…>:backup:. If omitted, the database is provisioned empty."
default = null
+
+ validation {
+ condition = anytrue([
+ var.backup_crn == null,
+ can(regex("^crn:.*:backup:", var.backup_crn))
+ ])
+ error_message = "backup_crn must be null OR starts with 'crn:' and contains ':backup:'"
+ }
}
variable "region" {
type = string
description = "The region where you want to deploy your instance, or the region in which your existing instance is in."
default = "us-south"
+
+ validation {
+ condition = var.existing_elasticsearch_instance_crn != null && var.region != local.existing_elasticsearch_region ? false : true
+ error_message = "The region detected in the 'existing_elasticsearch_instance_crn' value must match the value of the 'region' input variable when passing an existing instance."
+ }
}
variable "plan" {
@@ -209,6 +222,30 @@ variable "use_ibm_owned_encryption_key" {
type = bool
description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for `existing_kms_instance_crn` to create a new key, or `existing_kms_key_crn` and/or `existing_backup_kms_key_crn` to use an existing key."
default = false
+
+ # this validation ensures IBM-owned key is not used when KMS details are provided
+ validation {
+ condition = (
+ var.existing_elasticsearch_instance_crn != null ||
+ !(var.use_ibm_owned_encryption_key && (
+ var.existing_kms_instance_crn != null ||
+ var.existing_kms_key_crn != null ||
+ var.existing_backup_kms_key_crn != null
+ ))
+ )
+ error_message = "When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false."
+ }
+
+ # this validation ensures key info is provided when IBM-owned key is disabled and no Elasticsearch instance is given
+ validation {
+ condition = !(
+ var.existing_elasticsearch_instance_crn == null &&
+ var.use_ibm_owned_encryption_key == false &&
+ var.existing_kms_instance_crn == null &&
+ var.existing_kms_key_crn == null
+ )
+ error_message = "When 'use_ibm_owned_encryption_key' is false, you must provide either 'existing_kms_instance_crn' (to create a new key) or 'existing_kms_key_crn' (to use an existing key)."
+ }
}
variable "existing_kms_instance_crn" {
@@ -320,6 +357,14 @@ variable "service_credential_secrets" {
])
error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles"
}
+
+ validation {
+ condition = (
+ length(var.service_credential_secrets) == 0 ||
+ var.existing_secrets_manager_instance_crn != null
+ )
+ error_message = "`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret."
+ }
}
variable "skip_elasticsearch_to_secrets_manager_auth_policy" {
@@ -332,6 +377,14 @@ variable "admin_pass_secrets_manager_secret_group" {
type = string
description = "The name of a new or existing secrets manager secret group for admin password. To use existing secret group, `use_existing_admin_pass_secrets_manager_secret_group` must be set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
default = "elasticsearch-secrets"
+
+ validation {
+ condition = (
+ var.existing_secrets_manager_instance_crn == null ||
+ var.admin_pass_secrets_manager_secret_group != null
+ )
+ error_message = "`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set."
+ }
}
variable "use_existing_admin_pass_secrets_manager_secret_group" {
@@ -344,6 +397,14 @@ variable "admin_pass_secrets_manager_secret_name" {
type = string
description = "The name of a new elasticsearch administrator secret. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
default = "elasticsearch-admin-password"
+
+ validation {
+ condition = (
+ var.existing_secrets_manager_instance_crn == null ||
+ var.admin_pass_secrets_manager_secret_name != null
+ )
+ error_message = "`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set."
+ }
}
##############################################################
diff --git a/variables.tf b/variables.tf
index da3d2aac..5762f1ec 100644
--- a/variables.tf
+++ b/variables.tf
@@ -139,6 +139,13 @@ variable "access_tags" {
type = list(string)
description = "A list of access tags to apply to the Databases for Elasticsearch instance created by the module. [Learn more](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial)."
default = []
+
+ validation {
+ condition = alltrue([
+ for tag in var.access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128
+ ])
+ error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\", see https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits for more details"
+ }
}
##############################################################
@@ -180,6 +187,34 @@ variable "use_ibm_owned_encryption_key" {
type = bool
description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for the `kms_key_crn` input."
default = true
+
+ validation {
+ condition = var.use_ibm_owned_encryption_key && (var.kms_key_crn != null || var.backup_encryption_key_crn != null) ? false : true
+ error_message = "When 'use_ibm_owned_encryption_key' is true, 'kms_key_crn' and 'backup_encryption_key_crn' must both be null."
+ }
+
+ validation {
+ condition = var.use_ibm_owned_encryption_key || var.kms_key_crn != null
+ error_message = "When setting 'use_ibm_owned_encryption_key' to false, a value must be passed for 'kms_key_crn'."
+ }
+
+ validation {
+ condition = (
+ var.use_ibm_owned_encryption_key ||
+ var.backup_encryption_key_crn == null ||
+ (!var.use_default_backup_encryption_key && !var.use_same_kms_key_for_backups)
+ )
+ error_message = "When passing a value for backup_encryption_key_crn, you should set use_same_kms_key_for_backups to false, use_default_backup_encryption_key to false and use_ibm_owned_encryption_key to false."
+ }
+
+ validation {
+ condition = (
+ var.use_ibm_owned_encryption_key ||
+ var.backup_encryption_key_crn != null ||
+ var.use_same_kms_key_for_backups
+ )
+ error_message = "When 'use_same_kms_key_for_backups' is set to false, a value needs to be passed for 'backup_encryption_key_crn'."
+ }
}
variable "kms_key_crn" {
@@ -277,6 +312,24 @@ variable "enable_elser_model" {
type = bool
description = "Set it to true to install and start the Elastic's Natural Language Processing model. Applies only if also 'plan' is set to 'platinum'. [Learn more](https://cloud.ibm.com/docs/databases-for-elasticsearch?topic=databases-for-elasticsearch-elser-embeddings-elasticsearch)"
default = false
+
+ validation {
+ condition = !(var.enable_elser_model && var.plan != "platinum")
+ error_message = "When 'enable_elser_model' is set to true, the 'plan' must be set to 'platinum' in order to enable ELSER model."
+ }
+
+ validation {
+ condition = !(
+ var.enable_elser_model &&
+ !(
+ (length(var.service_credential_names) > 0 &&
+ length([for k, v in var.service_credential_names : k if v == "Administrator"]) > 0) ||
+ var.admin_pass != null
+ )
+ )
+ error_message = "When 'enable_elser_model' is set to true, an Administrator role user must be created using the 'service_credential_names' input, or by passing a value for the 'admin_pass' input."
+ }
+
}
variable "elser_model_type" {
diff --git a/version.tf b/version.tf
index cfc75949..0f6877bf 100644
--- a/version.tf
+++ b/version.tf
@@ -1,5 +1,5 @@
terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
# Use "greater than or equal to" range in modules
required_providers {
ibm = {