feat: updated code to use cross-object referencing for validations

main.tf

@@ -3,16 +3,6 @@
 ##############################################################################
 
 locals {
-  # Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
-  # tflint-ignore: terraform_unused_declarations
-  validate_kms_values = var.use_ibm_owned_encryption_key && (var.kms_key_crn != null || var.backup_encryption_key_crn != null) ? tobool("When passing values for 'kms_key_crn' or 'backup_encryption_key_crn', you must set 'use_ibm_owned_encryption_key' to false. Otherwise unset them to use default encryption.") : true
-  # tflint-ignore: terraform_unused_declarations
-  validate_kms_vars = !var.use_ibm_owned_encryption_key && var.kms_key_crn == null ? tobool("When setting 'use_ibm_owned_encryption_key' to false, a value must be passed for 'kms_key_crn'.") : true
-  # tflint-ignore: terraform_unused_declarations
-  validate_backup_key = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null && (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups) ? tobool("When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to true or 'use_ibm_owned_encryption_key' to false.") : true
-  # tflint-ignore: terraform_unused_declarations
-  validate_backup_key_2 = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn == null && !var.use_same_kms_key_for_backups ? tobool("When 'use_same_kms_key_for_backups' is set to false, a value needs to be passed for 'backup_encryption_key_crn'.") : true
-
   # If no value passed for 'backup_encryption_key_crn' use the value of 'kms_key_crn' and perform validation of 'kms_key_crn' to check if region is supported by backup encryption key.
 
   # If 'use_ibm_owned_encryption_key' is true or 'use_default_backup_encryption_key' is true, default to null.

solutions/standard/main.tf

@@ -9,20 +9,6 @@ module "resource_group" {
   existing_resource_group_name = var.use_existing_resource_group == true ? var.resource_group_name : null
 }
 
-#######################################################################################################################
-# KMS related variable validation
-# (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
-#
-# TODO: Replace with terraform cross variable validation: https://github.ibm.com/GoldenEye/issues/issues/10836
-#######################################################################################################################
-
-locals {
-  # tflint-ignore: terraform_unused_declarations
-  validate_kms_1 = var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? tobool("When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false.") : true
-  # tflint-ignore: terraform_unused_declarations
-  validate_kms_2 = !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true
-}
-
 #######################################################################################################################
 # KMS encryption key
 #######################################################################################################################

solutions/standard/variables.tf

@@ -135,6 +135,15 @@ variable "use_ibm_owned_encryption_key" {
   type        = bool
   description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for `existing_kms_instance_crn` to create a new key, or `existing_kms_key_crn` and/or `existing_backup_kms_key_crn` to use an existing key."
   default     = false
+
+  validation {
+    condition     = !(var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null))
+    error_message = "When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn', or 'existing_backup_kms_key_crn', 'use_ibm_owned_encryption_key' must be set to false."
+  }
+  validation {
+    condition     = var.use_ibm_owned_encryption_key || (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null)
+    error_message = "When 'use_ibm_owned_encryption_key' is false, you must provide either 'existing_kms_instance_crn' (to create a new key) or 'existing_kms_key_crn' (to use an existing key)."
+  }
 }
 
 variable "existing_kms_instance_crn" {

variables.tf

@@ -205,6 +205,14 @@ variable "kms_key_crn" {
     ])
     error_message = "Value must be the KMS key CRN from a Key Protect or Hyper Protect Crypto Services instance."
   }
+  validation {
+    condition     = !(var.use_ibm_owned_encryption_key && var.kms_key_crn != null)
+    error_message = "When passing a value for 'kms_key_crn', you must set 'use_ibm_owned_encryption_key' to false. Otherwise, unset 'kms_key_crn' to use default encryption."
+  }
+  validation {
+    condition     = !(var.use_ibm_owned_encryption_key == false && var.kms_key_crn == null)
+    error_message = "When setting 'use_ibm_owned_encryption_key' to false, a value must be passed for 'kms_key_crn'."
+  }
 }
 
 variable "use_same_kms_key_for_backups" {
@@ -226,6 +234,15 @@ variable "backup_encryption_key_crn" {
     ])
     error_message = "Value must be the KMS key CRN from a Key Protect or Hyper Protect Crypto Services instance in one of the supported backup regions."
   }
+  validation {
+    condition     = !(var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null)
+    error_message = "When passing a value for 'backup_encryption_key_crn', you must set 'use_ibm_owned_encryption_key' to false. Otherwise, unset 'backup_encryption_key_crn' to use default encryption."
+  }
+
+  validation {
+    condition     = !(!var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null && (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups))
+    error_message = "When passing a value for 'backup_encryption_key_crn', you cannot set 'use_default_backup_encryption_key' to true or 'use_same_kms_key_for_backups' to true."
+  }
 }
 
 variable "skip_iam_authorization_policy" {