From 8ad04d4ce5fdbf80015b8b43e3ef49f4ad241777 Mon Sep 17 00:00:00 2001
From: Aditya-ranjan-16
Date: Sat, 20 Sep 2025 19:01:23 +0530
Subject: [PATCH 1/7] fix: hide admin password in TF apply logs
---
 solutions/fully-configurable/main.tf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index e902ed30..541cd226 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -452,8 +452,11 @@ locals {
 }
 data "http" "es_metadata" {
- count = var.enable_kibana_dashboard ? 1 : 0
- url = "https://${local.elasticsearch_username}:${local.admin_pass}@${local.elasticsearch_hostname}:${local.elasticsearch_port}"
+ count = var.enable_kibana_dashboard ? 1 : 0
+ url = "https://${local.elasticsearch_hostname}:${local.elasticsearch_port}"
+ request_headers = {
+ Authorization = "Basic ${base64encode("${local.elasticsearch_username}:${local.admin_pass}")}"
+ }
 ca_cert_pem = base64decode(local.elasticsearch_cert)
 }
From 84d3908b2badd52e66174c3102946e8c490265c4 Mon Sep 17 00:00:00 2001
From: Aditya-ranjan-16
Date: Mon, 22 Sep 2025 12:23:09 +0530
Subject: [PATCH 2/7] fix: pre-commit
---
 common-dev-assets | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common-dev-assets b/common-dev-assets
index a4e4a683..84e744a2 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit a4e4a683410392c39f62583b1fe64b3861e058d8
+Subproject commit 84e744a27f774dac276e9381db01b6fe378c0af3
From eb537253bd12cbf7f4ffd8bfc5bc4fb69acd305a Mon Sep 17 00:00:00 2001
From: Aditya-ranjan-16
Date: Tue, 30 Sep 2025 10:03:08 +0530
Subject: [PATCH 3/7] fix
---
 examples/basic/main.tf | 35 +++++++++++++++++++----------------
 examples/basic/version.tf | 9 +++++----
 2 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 38baa314..2da6b98b 100644
--- a/examples/basic/main.tf
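Review bot: Base64 is reversible, so the new `Authorization` value is exactly as sensitive as the plaintext `local.admin_pass` it replaces in `url`; whether it now stays out of apply output depends on the `http` provider treating `request_headers` as sensitive, which this hunk cannot establish, and in any case the value is still written to the state file. Marking it explicitly, `Authorization = sensitive("Basic ${base64encode("${local.elasticsearch_username}:${local.admin_pass}")}")`, keeps the redaction independent of provider behaviour. Moving the credential out of `url` is still a net improvement, since a URL-embedded password can also surface in proxy or access logs that record request targets.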
+++ b/examples/basic/main.tf
@@ -38,21 +38,24 @@ module "database" {
 # wait 60 secs to allow IAM credential access to kick in before configuring instance
 # without the wait, you can intermittently get "Error 401 (Unauthorized)"
-resource "time_sleep" "wait" {
- depends_on = [module.database]
- create_duration = "60s"
-}
-resource "elasticsearch_index" "test" {
- depends_on = [time_sleep.wait]
- name = "terraform-test"
- number_of_shards = 1
- number_of_replicas = 1
- force_destroy = true
-}
+# Temporarily disabling index creation due to an know issue blocking the pipeline : https://github.ibm.com/GoldenEye/issues/issues/16245.
-resource "elasticsearch_cluster_settings" "global" {
- depends_on = [time_sleep.wait]
- cluster_max_shards_per_node = 10
- action_auto_create_index = "my-index-000001,index10,-index1*,+ind*"
-}
+# resource "time_sleep" "wait" {
+# depends_on = [module.database]
+# create_duration = "60s"
+# }
+
+# resource "elasticsearch_index" "test" {
+# depends_on = [time_sleep.wait]
+# name = "terraform-test"
+# number_of_shards = 1
+# number_of_replicas = 1
+# force_destroy = true
+# }
+
+# resource "elasticsearch_cluster_settings" "global" {
+# depends_on = [time_sleep.wait]
+# cluster_max_shards_per_node = 10
+# action_auto_create_index = "my-index-000001,index10,-index1*,+ind*"
+# }
diff --git a/examples/basic/version.tf b/examples/basic/version.tf
index c6967d0e..69d4481d 100644
--- a/examples/basic/version.tf
+++ b/examples/basic/version.tf
@@ -12,9 +12,10 @@ terraform {
 version = ">= 2.0.7"
 }
 # The time provider is not actually required by the module itself, just this example, so OK to use ">=" here instead of locking into a version
- time = {
- source = "hashicorp/time"
- version = ">= 0.9.1"
- }
+
+ # time = {
+ # source = "hashicorp/time"
+ # version = ">= 0.9.1"
+ # }
 }
 }
From b8bebb2fd1b23618262c725eed1aec22267750f1 Mon Sep 17 00:00:00 2001
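Review bot: The two context lines at the top of the hunk (`# wait 60 secs to allow IAM credential access ...` and `# without the wait, you can intermittently get "Error 401 (Unauthorized)"`) still describe the `time_sleep` resource that the hunk comments out, so the example now opens with an explanation of code that no longer runs. Either fold those two lines into the commented-out block or move the new `# Temporarily disabling ...` line above them so a reader sees the reason first; that line also reads `an know issue` where `a known issue` is meant. Keeping three resources as comment blocks rather than deleting them (git history retains them) is a style choice, but if they stay, a `TODO` keyed to the referenced issue on the disabling line makes the intended reversal easy to find. The `version.tf` hunk below comments out the `time` provider the same way and carries the same point.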
From: Aditya-ranjan-16
Date: Fri, 10 Oct 2025 18:56:28 +0530
Subject: [PATCH 4/7] fix: added external data block
---
 solutions/fully-configurable/main.tf | 18 ++++----
 .../fully-configurable/scripts/es_metadata.sh | 42 +++++++++++++++++++
 2 files changed, 52 insertions(+), 8 deletions(-)
 create mode 100755 solutions/fully-configurable/scripts/es_metadata.sh
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index e3a3771c..926f7d4e 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -446,18 +446,20 @@ locals {
 code_engine_project_id = var.existing_code_engine_project_id != null ? var.existing_code_engine_project_id : null
 code_engine_project_name = local.code_engine_project_id != null ? null : (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.kibana_code_engine_new_project_name}" : var.kibana_code_engine_new_project_name
 code_engine_app_name = (var.prefix != null && var.prefix != "") ? "${var.prefix}-${var.kibana_code_engine_new_app_name}" : var.kibana_code_engine_new_app_name
- kibana_version = var.enable_kibana_dashboard ? jsondecode(data.http.es_metadata[0].response_body).version.number : null
+ kibana_version = var.enable_kibana_dashboard ? try(data.external.es_metadata[0].result.version_number, null) : null
 kibana_system_password = var.enable_kibana_dashboard ? startswith(random_password.kibana_system_password[0].result, "-") ? "J${substr(random_password.kibana_system_password[0].result, 1, -1)}" : startswith(random_password.kibana_system_password[0].result, "_") ? "K${substr(random_password.kibana_system_password[0].result, 1, -1)}" : random_password.kibana_system_password[0].result : null
 kibana_app_login_password = var.enable_kibana_dashboard ? startswith(random_password.kibana_app_login_password[0].result, "-") ? "J${substr(random_password.kibana_app_login_password[0].result, 1, -1)}" : startswith(random_password.kibana_app_login_password[0].result, "_") ? "K${substr(random_password.kibana_app_login_password[0].result, 1, -1)}" : random_password.kibana_app_login_password[0].result : null
 }
-data "http" "es_metadata" {
- count = var.enable_kibana_dashboard ? 1 : 0
- url = "https://${local.elasticsearch_hostname}:${local.elasticsearch_port}"
- request_headers = {
- Authorization = "Basic ${base64encode("${local.elasticsearch_username}:${local.admin_pass}")}"
- }
- ca_cert_pem = base64decode(local.elasticsearch_cert)
+data "external" "es_metadata" {
+count = var.enable_kibana_dashboard ? 1 : 0
+program = ["bash", "${path.module}/scripts/es_metadata.sh"]
+query = {
+ url = "https://${local.elasticsearch_hostname}:${local.elasticsearch_port}"
+ username = local.elasticsearch_username
+ password = local.admin_pass
+ ca_cert_b64 = local.elasticsearch_cert
+}
 }
 module "code_engine_kibana" {
diff --git a/solutions/fully-configurable/scripts/es_metadata.sh b/solutions/fully-configurable/scripts/es_metadata.sh
new file mode 100755
index 00000000..fb0703ee
--- /dev/null
+++ b/solutions/fully-configurable/scripts/es_metadata.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Read JSON from stdin
+INPUT_JSON="$(cat)"
+
+# Extract fields using jq
+URL="$(echo "$INPUT_JSON" | jq -r '.url')"
+USERNAME="$(echo "$INPUT_JSON" | jq -r '.username')"
+PASSWORD="$(echo "$INPUT_JSON" | jq -r '.password')"
+CA_CERT_B64="$(echo "$INPUT_JSON" | jq -r '.ca_cert_b64')"
+
+# Create a temporary directory for the CA cert
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR"' EXIT
+
+CA_PEM="$TMPDIR/ca.pem"
+# Decode the base64 CA cert to a PEM file
+echo "$CA_CERT_B64" | base64 -d > "$CA_PEM"
+
+# Build Basic Auth header value
+BASIC_AUTH="$(printf '%s:%s' "$USERNAME" "$PASSWORD" | base64)"
+
+# Fetch ES root endpoint, which returns cluster metadata including version
+# -s silent, -S show errors, --fail for HTTP errors
+# --cacert to trust the provided CA
+RESP="$(curl -sS --fail \
+ -H "Authorization: Basic $BASIC_AUTH" \
+ --cacert "$CA_PEM" \
+ "$URL")"
+
+# Parse version.number using jq
+VERSION_NUMBER="$(echo "$RESP" | jq -r '.version.number // empty')"
+
+# The external data source expects a flat JSON object on stdout.
+# If version_number is empty, still return valid JSON but with null.
+if [[ -z "$VERSION_NUMBER" ]]; then
+ echo '{"version_number":null}'
+else
+ # You can include more fields if desired, but keep it flat.
+ echo "{\"version_number\":\"$VERSION_NUMBER\"}"
+fi
\ No newline at end of file
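Review bot: `password = local.admin_pass` inside `query` hands the admin password to the `external` provider as an ordinary map value, and `query` is persisted with the data source in state and may be rendered in plan output unless the value carries a sensitive mark, so the series' goal of keeping the password out of logs rests entirely on how `local.admin_pass` is derived, which is outside this hunk. Wrapping it explicitly, `password = sensitive(local.admin_pass)`, makes the redaction independent of that derivation (state still holds the plaintext, as it did for the `http` variant). The switch from `jsondecode(...).version.number` to `try(data.external.es_metadata[0].result.version_number, null)` also turns a missing version into a silent `null` rather than an error, which is only safe if the consumers of `kibana_version` tolerate `null`; that assumption deserves a one-line comment on the `kibana_version` line.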
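Review bot: The Basic credential is handed to curl as a command-line argument (`-H "Authorization: Basic $BASIC_AUTH"`), which makes the base64-encoded admin password readable in the process argument list by any local user for the duration of the request, on the very host where the goal of this series is to keep the password out of logs. Reading the header from a curl config on stdin (`--config -`) keeps it out of argv, and piping the encoding through `tr -d '\n'` guards against the 76-column line wrap that GNU `base64` applies, which would otherwise corrupt the header for long `username:password` pairs. The script also depends on `jq`, `curl` and `base64` being present in the Terraform runtime, which nothing in the hunk documents; a one-line header comment naming them would help, and the final `echo` could use `jq -n --arg v "$VERSION_NUMBER" '{version_number: $v}'` so the output is always valid JSON.
```shell
# Build Basic Auth header value; tr strips the line wrap GNU base64 inserts
# after 76 characters, which would otherwise break the header for long credentials.
BASIC_AUTH="$(printf '%s:%s' "$USERNAME" "$PASSWORD" | base64 | tr -d '\n')"

# … unchanged: comments describing the curl flags …
# The header is passed through a curl config read from stdin instead of as an
# argument, so the credential does not appear in the process argument list
# (ps, /proc/<pid>/cmdline) while the request is in flight.
RESP="$(printf 'header = "Authorization: Basic %s"\n' "$BASIC_AUTH" | \
  curl -sS --fail \
    --config - \
    --cacert "$CA_PEM" \
    "$URL")"
```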
From fe994a1d42a5e550885bf79a2d8304f9666f7396 Mon Sep 17 00:00:00 2001
From: Aditya-ranjan-16
Date: Fri, 10 Oct 2025 19:00:21 +0530
Subject: [PATCH 5/7] fix
---
 solutions/fully-configurable/scripts/es_metadata.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/solutions/fully-configurable/scripts/es_metadata.sh b/solutions/fully-configurable/scripts/es_metadata.sh
index fb0703ee..86189fdf 100755
--- a/solutions/fully-configurable/scripts/es_metadata.sh
+++ b/solutions/fully-configurable/scripts/es_metadata.sh
@@ -37,6 +37,5 @@ VERSION_NUMBER="$(echo "$RESP" | jq -r '.version.number // empty')"
 if [[ -z "$VERSION_NUMBER" ]]; then
 echo '{"version_number":null}'
 else
- # You can include more fields if desired, but keep it flat.
 echo "{\"version_number\":\"$VERSION_NUMBER\"}"
 fi
\ No newline at end of file
From ae50e9ce307014a9368fe6753b13e15d29c4c90f Mon Sep 17 00:00:00 2001
From: Aditya-ranjan-16
Date: Wed, 15 Oct 2025 11:28:25 +0530
Subject: [PATCH 6/7] fix
---
 solutions/fully-configurable/main.tf | 16 ++++++++--------
 .../fully-configurable/scripts/es_metadata.sh | 6 +++---
 solutions/fully-configurable/version.tf | 6 +++---
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 2eb19026..c01ade14 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -456,14 +456,14 @@ locals {
 }
 data "external" "es_metadata" {
-count = var.enable_kibana_dashboard ? 1 : 0
-program = ["bash", "${path.module}/scripts/es_metadata.sh"]
-query = {
- url = "https://${local.elasticsearch_hostname}:${local.elasticsearch_port}"
- username = local.elasticsearch_username
- password = local.admin_pass
- ca_cert_b64 = local.elasticsearch_cert
-}
+ count = var.enable_kibana_dashboard ? 1 : 0
+ program = ["bash", "${path.module}/scripts/es_metadata.sh"]
+ query = {
+ url = "https://${local.elasticsearch_hostname}:${local.elasticsearch_port}"
+ username = local.elasticsearch_username
+ password = local.admin_pass
+ ca_cert_b64 = local.elasticsearch_cert
+ }
 }
 module "code_engine_kibana" {
diff --git a/solutions/fully-configurable/scripts/es_metadata.sh b/solutions/fully-configurable/scripts/es_metadata.sh
index 86189fdf..1f9bac6e 100755
--- a/solutions/fully-configurable/scripts/es_metadata.sh
+++ b/solutions/fully-configurable/scripts/es_metadata.sh
@@ -7,7 +7,7 @@ INPUT_JSON="$(cat)"
 # Extract fields using jq
 URL="$(echo "$INPUT_JSON" | jq -r '.url')"
 USERNAME="$(echo "$INPUT_JSON" | jq -r '.username')"
-PASSWORD="$(echo "$INPUT_JSON" | jq -r '.password')"
+PASSWORD="$(echo "$INPUT_JSON" | jq -r '.password')" # pragma: allowlist secret
 CA_CERT_B64="$(echo "$INPUT_JSON" | jq -r '.ca_cert_b64')"
 # Create a temporary directory for the CA cert
@@ -19,7 +19,7 @@ CA_PEM="$TMPDIR/ca.pem"
 echo "$CA_CERT_B64" | base64 -d > "$CA_PEM"
 # Build Basic Auth header value
-BASIC_AUTH="$(printf '%s:%s' "$USERNAME" "$PASSWORD" | base64)"
+BASIC_AUTH="$(printf '%s:%s' "$USERNAME" "$PASSWORD" | base64)" # pragma: allowlist secret
 # Fetch ES root endpoint, which returns cluster metadata including version
 # -s silent, -S show errors, --fail for HTTP errors
@@ -38,4 +38,4 @@ if [[ -z "$VERSION_NUMBER" ]]; then
 echo '{"version_number":null}'
 else
 echo "{\"version_number\":\"$VERSION_NUMBER\"}"
-fi
\ No newline at end of file
+fi
diff --git a/solutions/fully-configurable/version.tf b/solutions/fully-configurable/version.tf
index 4d357974..1ef905e6 100644
--- a/solutions/fully-configurable/version.tf
+++ b/solutions/fully-configurable/version.tf
@@ -14,9 +14,9 @@ terraform {
 source = "hashicorp/random"
 version = "3.7.2"
 }
- http = {
- source = "hashicorp/http"
- version = "3.5.0"
+ external = {
+ source = "hashicorp/external"
+ version = "~> 2.3"
 }
 }
 }
From 9f99c3c04e30d0d66dd926360870c3034d5e4aa6 Mon Sep 17 00:00:00 2001
From: Aditya-ranjan-16
Date: Wed, 15 Oct 2025 20:01:32 +0530
Subject: [PATCH 7/7] fix: tests
---
 .secrets.baseline | 4 ++--
 tests/pr_test.go | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index 8085ebd9..53021726 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2025-10-11T11:57:05Z",
+ "generated_at": "2025-10-15T14:30:02Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -110,7 +110,7 @@
 "hashed_secret": "8c7c51db5075ebd0369c51e9f14737d9b4c1c21d",
 "is_secret": false,
 "is_verified": false,
- "line_number": 413,
+ "line_number": 415,
 "type": "Base64 High Entropy String",
 "verified_result": null
 }
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 474972b7..a0bafe32 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -69,6 +69,7 @@ func TestRunFullyConfigurableSolutionSchematics(t *testing.T) {
 TarIncludePatterns: []string{
 "*.tf",
 fmt.Sprintf("%s/*.tf", fullyConfigurableSolutionTerraformDir),
+ fmt.Sprintf("%s/scripts/*.sh", fullyConfigurableSolutionTerraformDir),
 fmt.Sprintf("%s/*.sh", "scripts"),
 },
 TemplateFolder: fullyConfigurableSolutionTerraformDir,
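Review bot: `external` is declared with a range constraint, `version = "~> 2.3"`, while the sibling `random` block in the same hunk is pinned to `3.7.2`, so the provider build this solution gets now depends on what the registry serves at `terraform init` time unless a committed `.terraform.lock.hcl` (not visible in this series) pins it. A solution-level `version.tf` is where exact pins matter most for reproducibility and supply-chain review; pin it the same way as `random`, `version = "<exact hashicorp/external release>"`, and let the usual dependency-update tooling bump it.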
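Review bot: The new `fmt.Sprintf("%s/scripts/*.sh", fullyConfigurableSolutionTerraformDir)` include pattern is hand-copied into two tests (this hunk and the `TestRunSecurityEnforcedSolutionSchematics` hunk that follows), and nothing ties it to the `data "external"` block that actually needs `es_metadata.sh` in the tarball. A short comment on the added line, `// es_metadata.sh is invoked by data.external in the fully-configurable solution`, or a package-level slice shared by both tests, would keep the two from drifting when further scripts are added. Both enclosing test functions start outside their hunks.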
@@ -201,6 +202,7 @@ func TestRunSecurityEnforcedSolutionSchematics(t *testing.T) {
 "*.tf",
 fmt.Sprintf("%s/*.tf", fullyConfigurableSolutionTerraformDir),
 fmt.Sprintf("%s/*.tf", securityEnforcedSolutionTerraformDir),
+ fmt.Sprintf("%s/scripts/*.sh", fullyConfigurableSolutionTerraformDir),
 fmt.Sprintf("%s/*.sh", "scripts"),
 },
 TemplateFolder: securityEnforcedSolutionTerraformDir,