From 0a59739eded25a1f52b5e870caeb0215f5399ac2 Mon Sep 17 00:00:00 2001
From: Aayush-Abhyarthi
Date: Thu, 3 Apr 2025 13:33:41 +0530
Subject: [PATCH 1/5] use cross variable referencing
---
 README.md | 2 +-
 common-dev-assets | 2 +-
 examples/backup-restore/version.tf | 2 +-
 examples/basic/version.tf | 2 +-
 examples/complete/version.tf | 2 +-
 examples/fscloud/version.tf | 2 +-
 main.tf | 12 ------------
 modules/fscloud/README.md | 2 +-
 modules/fscloud/version.tf | 2 +-
 solutions/standard/main.tf | 11 -----------
 solutions/standard/variables.tf | 20 ++++++++++++++++++++
 solutions/standard/version.tf | 2 +-
 variables.tf | 20 ++++++++++++++++++++
 version.tf | 2 +-
 14 files changed, 50 insertions(+), 33 deletions(-)
diff --git a/README.md b/README.md
index 2c26c385..64504671 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ You need the following permissions to run this module.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.0 |
+| [terraform](#requirement\_terraform) | >= 1.9.0 |
 | [ibm](#requirement\_ibm) | >= 1.70.0, <2.0.0 |
 | [time](#requirement\_time) | >= 0.9.1 |
diff --git a/common-dev-assets b/common-dev-assets
index 3c7573a5..6e39f79e 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 3c7573a5e79fd029d97ae69755183e58078a3050
+Subproject commit 6e39f79e1389a1ec3bbe57215573e7d4e6dd98f1
diff --git a/examples/backup-restore/version.tf b/examples/backup-restore/version.tf
index 8ab45aae..b417a942 100644
--- a/examples/backup-restore/version.tf
+++ b/examples/backup-restore/version.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
 required_providers {
 # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
 ibm = {
diff --git a/examples/basic/version.tf b/examples/basic/version.tf
index 9badb28b..3fe68a52 100644
--- a/examples/basic/version.tf
+++ b/examples/basic/version.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
 required_providers {
 # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
 ibm = {
diff --git a/examples/complete/version.tf b/examples/complete/version.tf
index 8ab45aae..b417a942 100644
--- a/examples/complete/version.tf
+++ b/examples/complete/version.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
 required_providers {
 # Pin to the lowest provider version of the range defined in the main module's version.tf to ensure lowest version still works
 ibm = {
diff --git a/examples/fscloud/version.tf b/examples/fscloud/version.tf
index 05dee1cd..be412f48 100644
--- a/examples/fscloud/version.tf
+++ b/examples/fscloud/version.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
 required_providers {
 # Use latest version of provider in non-basic examples to verify latest version works with module
 ibm = {
diff --git a/main.tf b/main.tf
index 204112ac..a0c0751a 100644
--- a/main.tf
+++ b/main.tf
@@ -5,18 +5,6 @@
 # TODO: Replace with terraform cross variable validation: https://github.ibm.com/GoldenEye/issues/issues/10836
 ########################################################################################################################
-locals {
- # Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
- # tflint-ignore: terraform_unused_declarations
- validate_kms_values = var.use_ibm_owned_encryption_key && (var.kms_key_crn != null || var.backup_encryption_key_crn != null) ? tobool("When passing values for 'kms_key_crn' or 'backup_encryption_key_crn', you must set 'use_ibm_owned_encryption_key' to false. Otherwise unset them to use default encryption.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_kms_vars = !var.use_ibm_owned_encryption_key && var.kms_key_crn == null ? tobool("When setting 'use_ibm_owned_encryption_key' to false, a value must be passed for 'kms_key_crn'.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_backup_key = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null && (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups) ? tobool("When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to true or 'use_ibm_owned_encryption_key' to false.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_backup_key_2 = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn == null && !var.use_same_kms_key_for_backups ? tobool("When 'use_same_kms_key_for_backups' is set to false, a value needs to be passed for 'backup_encryption_key_crn'.") : true
-}
-
 ########################################################################################################################
 # Locals
 ########################################################################################################################
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index 8dd05ef0..00ed6104 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -13,7 +13,7 @@ The IBM Cloud Framework for Financial Services mandates the application of an in
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.3.0 |
+| [terraform](#requirement\_terraform) | >= 1.9.0 |
 | [ibm](#requirement\_ibm) | >=1.70.0, <2.0.0 |
 ### Modules
diff --git a/modules/fscloud/version.tf b/modules/fscloud/version.tf
index 36ba5643..54b13cac 100644
--- a/modules/fscloud/version.tf
+++ b/modules/fscloud/version.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
 required_providers {
 # The below tflint-ignore is required because although the below provider is not directly required by this submodule,
 # it is required by consuming modules, and if not set here, the top level module calling this module will not be
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index f18be7d2..e4b64569 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -16,13 +16,6 @@ module "resource_group" {
 # TODO: Replace with terraform cross variable validation: https://github.ibm.com/GoldenEye/issues/issues/10836
 #######################################################################################################################
-locals {
- # tflint-ignore: terraform_unused_declarations
- validate_kms_1 = var.existing_rabbitmq_instance_crn != null ? true : var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? tobool("When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false.") : true
- # tflint-ignore: terraform_unused_declarations
- validate_kms_2 = var.existing_rabbitmq_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? tobool("When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key.") : true
-}
-
 #######################################################################################################################
 # KMS encryption key
 #######################################################################################################################
@@ -330,10 +323,6 @@ locals {
 ## Variable validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
 # tflint-ignore: terraform_unused_declarations
 validate_sm_crn = length(local.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? tobool("`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret.") : false
- # tflint-ignore: terraform_unused_declarations
- validate_sm_sg = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_group == null ? tobool("`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set.") : false
- # tflint-ignore: terraform_unused_declarations
- validate_sm_sn = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_name == null ? tobool("`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set.") : false
 create_sm_auth_policy = var.skip_rabbitmq_sm_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
 }
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 777fbb8b..e21b77a9 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -46,6 +46,16 @@ variable "existing_rabbitmq_instance_crn" {
 type = string
 default = null
 description = "The CRN of an existing Messages for RabbitMQ instance. If no value is specified, a new instance is created."
+
+ validation {
+ condition = var.existing_rabbitmq_instance_crn != null ? true : var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? false : true
+ error_message = "When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false."
+ }
+
+ validation {
+ condition = var.existing_rabbitmq_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? false : true
+ error_message = "When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key."
+ }
 }
 ##############################################################################
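Review bot: Both added conditions treat only `null` as "not set", so an empty string for `existing_kms_instance_crn` or `existing_kms_key_crn` satisfies the second check while `use_ibm_owned_encryption_key` is false and no usable key has been named. Whether callers can send `""` is not visible in this hunk; if they can, each test should cover both cases, for example `(var.existing_kms_key_crn == null || var.existing_kms_key_crn == "")`. The same `== null` / `!= null` tests are used for `kms_key_crn` and `backup_encryption_key_crn` in the validations this commit adds to the root `variables.tf`, and they are kept when the logic is rewritten in patch 5.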
@@ -251,6 +261,16 @@ variable "existing_secrets_manager_instance_crn" {
 type = string
 default = null
 description = "The CRN of existing secrets manager to use to create service credential secrets for Databases for RabbitMQ instance."
+
+ validation {
+ condition = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_group == null ? false : true
+ error_message = "`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set."
+ }
+
+ validation {
+ condition = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_name == null ? false : true
+ error_message = "`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set."
+ }
 }
 variable "existing_secrets_manager_endpoint_type" {
diff --git a/solutions/standard/version.tf b/solutions/standard/version.tf
index 633cd836..10efe8f5 100644
--- a/solutions/standard/version.tf
+++ b/solutions/standard/version.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
 # Lock DA into an exact provider version - renovate automation will keep it updated
 required_providers {
 ibm = {
diff --git a/variables.tf b/variables.tf
index d9c9e904..409cd629 100644
--- a/variables.tf
+++ b/variables.tf
@@ -184,6 +184,26 @@ variable "use_ibm_owned_encryption_key" {
 type = bool
 description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for the `kms_key_crn` input."
 default = true
+
+ validation {
+ condition = var.use_ibm_owned_encryption_key && (var.kms_key_crn != null || var.backup_encryption_key_crn != null) ? false : true
+ error_message = "When passing values for 'kms_key_crn' or 'backup_encryption_key_crn', you must set 'use_ibm_owned_encryption_key' to false. Otherwise unset them to use default encryption."
+ }
+
+ validation {
+ condition = !var.use_ibm_owned_encryption_key && var.kms_key_crn == null ? false : true
+ error_message = "When setting 'use_ibm_owned_encryption_key' to false, a value must be passed for 'kms_key_crn'."
+ }
+
+ validation {
+ condition = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null && (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups) ? false : true
+ error_message = "When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to true or 'use_ibm_owned_encryption_key' to false."
+ }
+
+ validation {
+ condition = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn == null && !var.use_same_kms_key_for_backups ? false : true
+ error_message = "When 'use_same_kms_key_for_backups' is set to false, a value needs to be passed for 'backup_encryption_key_crn'."
+ }
 }
 variable "use_default_backup_encryption_key" {
diff --git a/version.tf b/version.tf
index 5925e1af..5bd3dcf1 100644
--- a/version.tf
+++ b/version.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 1.3.0"
+ required_version = ">= 1.9.0"
 # Add any required providers below and uncomment
 required_providers {
 ibm = {
From 1f1d6ad7c7ae6cb9229efa3100b7700033ae778c Mon Sep 17 00:00:00 2001
From: Aayush-Abhyarthi
Date: Fri, 11 Apr 2025 10:18:18 +0530
Subject: [PATCH 2/5] fix: validation
---
 common-dev-assets | 2 +-
 solutions/standard/main.tf | 4 ----
 solutions/standard/variables.tf | 7 +++++++
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/common-dev-assets b/common-dev-assets
index 34d851c4..2a2281ec 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 34d851c430194cd9431aced7aa2bae758b35b705
+Subproject commit 2a2281eca386901262a1d0c7b617dc07476d5944
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index f9ec241d..c978d61c 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
@@ -246,10 +246,6 @@ module "rabbitmq_instance_crn_parser" {
 locals {
 existing_rabbitmq_guid = var.existing_rabbitmq_instance_crn != null ? module.rabbitmq_instance_crn_parser[0].service_instance : null
 existing_rabbitmq_region = var.existing_rabbitmq_instance_crn != null ? module.rabbitmq_instance_crn_parser[0].region : null
-
- # Validate the region input matches region detected in existing instance CRN (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
- # tflint-ignore: terraform_unused_declarations
- validate_existing_instance_region = var.existing_rabbitmq_instance_crn != null && var.region != local.existing_rabbitmq_region ? tobool("The region detected in the 'existing_rabbitmq_instance_crn' value must match the value of the 'region' input variable when passing an existing instance.") : true
 }
 # Do a data lookup on the resource GUID to get more info that is needed for the 'ibm_database' data lookup below
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index e21b77a9..da75790b 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -34,6 +34,11 @@ variable "region" {
 description = "The region where you want to deploy your instance."
 type = string
 default = "us-south"
+
+ validation {
+ condition = var.existing_rabbitmq_instance_crn != null && var.region != local.existing_rabbitmq_region ? false : true
+ error_message = "The region detected in the 'existing_rabbitmq_instance_crn' value must match the value of the 'region' input variable when passing an existing instance."
+ }
 }
 variable "rabbitmq_version" {
@@ -56,6 +61,8 @@ variable "existing_rabbitmq_instance_crn" {
 condition = var.existing_rabbitmq_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? false : true
 error_message = "When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key."
 }
+
+
 }
 ##############################################################################
From a3ef7df71ab09b876eac8888ede4fa6273ce521a Mon Sep 17 00:00:00 2001
From: Aayush-Abhyarthi
Date: Mon, 14 Apr 2025 01:12:39 +0530
Subject: [PATCH 3/5] fix: add validation
---
 common-dev-assets | 2 +-
 solutions/standard/main.tf | 3 ---
 solutions/standard/variables.tf | 5 +++++
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/common-dev-assets b/common-dev-assets
index 2a2281ec..bca142c8 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 2a2281eca386901262a1d0c7b617dc07476d5944
+Subproject commit bca142c8223bce6df1908aa20447eb18956db2db
diff --git a/solutions/standard/main.tf b/solutions/standard/main.tf
index c978d61c..1bde6f2e 100644
--- a/solutions/standard/main.tf
+++ b/solutions/standard/main.tf
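Review bot: The validation added to `region` reads `local.existing_rabbitmq_region`, which the `locals` block in this commit's `solutions/standard/main.tf` hunk takes from `module.rabbitmq_instance_crn_parser[0].region`, so an input-variable check now depends on a module output and nothing in the block says so. A comment above it such as `# Needs Terraform >= 1.9: compares region with the region parsed from existing_rabbitmq_instance_crn` would make that dependency visible. The condition also reads more directly without the inverted conditional, as `condition = var.existing_rabbitmq_instance_crn == null || var.region == local.existing_rabbitmq_region`. The second hunk only adds two blank lines before the closing brace of `existing_rabbitmq_instance_crn`.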
@@ -317,9 +317,6 @@ locals {
 locals {
 ## Variable validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
- # tflint-ignore: terraform_unused_declarations
- validate_sm_crn = length(local.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? tobool("`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret.") : false
-
 create_sm_auth_policy = var.skip_rabbitmq_sm_auth_policy || var.existing_secrets_manager_instance_crn == null ? 0 : 1
 }
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index da75790b..2a4a8009 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -278,6 +278,11 @@ variable "existing_secrets_manager_instance_crn" {
 condition = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_name == null ? false : true
 error_message = "`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set."
 }
+
+ validation {
+ condition = length(var.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? false : true
+ error_message = "`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret."
+ }
 }
 variable "existing_secrets_manager_endpoint_type" {
From 8f88396cb1d3456385d99641f80938afa933fed8 Mon Sep 17 00:00:00 2001
From: Aayush-Abhyarthi
Date: Tue, 15 Apr 2025 14:23:11 +0530
Subject: [PATCH 4/5] update: description
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 409cd629..bacc7d6d 100644
--- a/variables.tf
+++ b/variables.tf
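Review bot: The moved check counts `var.service_credential_secrets`, whereas the line it replaces in `solutions/standard/main.tf` counted `local.service_credential_secrets`; the local's definition is outside these hunks, so it is not visible whether the two always have the same length. If the local filters or reshapes the input, the validation and whatever is built from the local could disagree about when a Secrets Manager instance is required, so the equivalence is worth confirming. The removal also leaves the `## Variable validation (approach based on …)` comment at the top of that `locals` block with no validation under it. The same `var.` expression is carried into the `service_credential_secrets` validation in patch 5.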
@@ -197,7 +197,7 @@ variable "use_ibm_owned_encryption_key" {
 validation {
 condition = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null && (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups) ? false : true
- error_message = "When passing a value for 'backup_encryption_key_crn' you cannot set 'use_default_backup_encryption_key' to true or 'use_ibm_owned_encryption_key' to false."
+ error_message = "When passing a value for backup_encryption_key_crn, you should set use_same_kms_key_for_backups to false, use_default_backup_encryption_key to false and use_ibm_owned_encryption_key to false."
 }
 validation {
From e217fdfc2a1d3068bcb6e39e0e6e82548c364f18 Mon Sep 17 00:00:00 2001
From: Aayush-Abhyarthi
Date: Fri, 18 Apr 2025 01:11:52 +0530
Subject: [PATCH 5/5] consistent with redis
---
 solutions/standard/variables.tf | 75 +++++++++++++++++++++------------
 variables.tf | 16 +++++--
 2 files changed, 60 insertions(+), 31 deletions(-)
diff --git a/solutions/standard/variables.tf b/solutions/standard/variables.tf
index 2a4a8009..7e6e492e 100644
--- a/solutions/standard/variables.tf
+++ b/solutions/standard/variables.tf
@@ -51,18 +51,6 @@ variable "existing_rabbitmq_instance_crn" {
 type = string
 default = null
 description = "The CRN of an existing Messages for RabbitMQ instance. If no value is specified, a new instance is created."
-
- validation {
- condition = var.existing_rabbitmq_instance_crn != null ? true : var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn != null || var.existing_kms_key_crn != null || var.existing_backup_kms_key_crn != null) ? false : true
- error_message = "When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false."
- }
-
- validation {
- condition = var.existing_rabbitmq_instance_crn != null ? true : !var.use_ibm_owned_encryption_key && (var.existing_kms_instance_crn == null && var.existing_kms_key_crn == null) ? false : true
- error_message = "When 'use_ibm_owned_encryption_key' is false, a value is required for either 'existing_kms_instance_crn' (to create a new key), or 'existing_kms_key_crn' to use an existing key."
- }
-
-
 }
 ##############################################################################
@@ -144,6 +132,30 @@ variable "use_ibm_owned_encryption_key" { type = bool description = "IBM Cloud Databases will secure your deployment's data at rest automatically with an encryption key that IBM hold. Alternatively, you may select your own Key Management System instance and encryption key (Key Protect or Hyper Protect Crypto Services) by setting this to false. If setting to false, a value must be passed for `existing_kms_instance_crn` to create a new key, or `existing_kms_key_crn` and/or `existing_backup_kms_key_crn` to use an existing key." default = false + + # this validation ensures IBM-owned key is not used when KMS details are provided + validation { + condition = ( + var.existing_rabbitmq_instance_crn != null || + !(var.use_ibm_owned_encryption_key && ( + var.existing_kms_instance_crn != null || + var.existing_kms_key_crn != null || + var.existing_backup_kms_key_crn != null + )) + ) + error_message = "When setting values for 'existing_kms_instance_crn', 'existing_kms_key_crn' or 'existing_backup_kms_key_crn', the 'use_ibm_owned_encryption_key' input must be set to false." + } + + # this validation ensures key info is provided when IBM-owned key is disabled and no RabbitMQ instance is given + validation { + condition = !( + var.existing_rabbitmq_instance_crn == null && + var.use_ibm_owned_encryption_key == false && + var.existing_kms_instance_crn == null && + var.existing_kms_key_crn == null + ) + error_message = "When 'use_ibm_owned_encryption_key' is false, you must provide either 'existing_kms_instance_crn' (to create a new key) or 'existing_kms_key_crn' (to use an existing key)." + } } variable "existing_kms_instance_crn" { 
@@ -268,21 +280,6 @@ variable "existing_secrets_manager_instance_crn" {
 type = string
 default = null
 description = "The CRN of existing secrets manager to use to create service credential secrets for Databases for RabbitMQ instance."
-
- validation {
- condition = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_group == null ? false : true
- error_message = "`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set."
- }
-
- validation {
- condition = var.existing_secrets_manager_instance_crn != null && var.admin_pass_secrets_manager_secret_name == null ? false : true
- error_message = "`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set."
- }
-
- validation {
- condition = length(var.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? false : true
- error_message = "`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret."
- }
 }
 variable "existing_secrets_manager_endpoint_type" {
@@ -325,6 +322,14 @@ variable "service_credential_secrets" {
 ])
 error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles"
 }
+
+ validation {
+ condition = (
+ length(var.service_credential_secrets) == 0 ||
+ var.existing_secrets_manager_instance_crn != null
+ )
+ error_message = "`existing_secrets_manager_instance_crn` is required when adding service credentials to a secrets manager secret."
+ }
 }
 variable "skip_rabbitmq_sm_auth_policy" {
@@ -337,6 +342,14 @@ variable "admin_pass_secrets_manager_secret_group" {
 type = string
 description = "The name of a new or existing secrets manager secret group for admin password. To use existing secret group, `use_existing_admin_pass_secrets_manager_secret_group` must be set to `true`. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
 default = "rabbitmq-secrets"
+
+ validation {
+ condition = (
+ var.existing_secrets_manager_instance_crn == null ||
+ var.admin_pass_secrets_manager_secret_group != null
+ )
+ error_message = "`admin_pass_secrets_manager_secret_group` is required when `existing_secrets_manager_instance_crn` is set."
+ }
 }
 variable "use_existing_admin_pass_secrets_manager_secret_group" {
@@ -349,6 +362,14 @@ variable "admin_pass_secrets_manager_secret_name" {
 type = string
 description = "The name of a new rabbitmq administrator secret. If a prefix input variable is specified, the prefix is added to the name in the `-` format."
 default = "rabbitmq-admin-password"
+
+ validation {
+ condition = (
+ var.existing_secrets_manager_instance_crn == null ||
+ var.admin_pass_secrets_manager_secret_name != null
+ )
+ error_message = "`admin_pass_secrets_manager_secret_name` is required when `existing_secrets_manager_instance_crn` is set."
+ }
 }
 ##############################################################
diff --git a/variables.tf b/variables.tf
index bacc7d6d..26e14b4a 100644
--- a/variables.tf
+++ b/variables.tf
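Review bot: Both variables in these two hunks have non-null defaults (`"rabbitmq-secrets"` and `"rabbitmq-admin-password"`), so the added `!= null` conditions can fail only when a caller explicitly passes `null`. If that is the case being guarded, a short comment above each block would say so, e.g. `# Fails only when the default is overridden with null while a Secrets Manager instance is set.` If an explicit null is never meaningful, `nullable = false` on the two variables would make a passed null fall back to the default and remove the need for a cross-variable check; which of the two is intended is worth confirming.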
@@ -187,21 +187,29 @@ variable "use_ibm_owned_encryption_key" {
 validation {
 condition = var.use_ibm_owned_encryption_key && (var.kms_key_crn != null || var.backup_encryption_key_crn != null) ? false : true
- error_message = "When passing values for 'kms_key_crn' or 'backup_encryption_key_crn', you must set 'use_ibm_owned_encryption_key' to false. Otherwise unset them to use default encryption."
+ error_message = "When 'use_ibm_owned_encryption_key' is true, 'kms_key_crn' and 'backup_encryption_key_crn' must both be null."
 }
 validation {
- condition = !var.use_ibm_owned_encryption_key && var.kms_key_crn == null ? false : true
+ condition = var.use_ibm_owned_encryption_key || var.kms_key_crn != null
 error_message = "When setting 'use_ibm_owned_encryption_key' to false, a value must be passed for 'kms_key_crn'."
 }
 validation {
- condition = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn != null && (var.use_default_backup_encryption_key || var.use_same_kms_key_for_backups) ? false : true
+ condition = (
+ var.use_ibm_owned_encryption_key ||
+ var.backup_encryption_key_crn == null ||
+ (!var.use_default_backup_encryption_key && !var.use_same_kms_key_for_backups)
+ )
 error_message = "When passing a value for backup_encryption_key_crn, you should set use_same_kms_key_for_backups to false, use_default_backup_encryption_key to false and use_ibm_owned_encryption_key to false."
 }
 validation {
- condition = !var.use_ibm_owned_encryption_key && var.backup_encryption_key_crn == null && !var.use_same_kms_key_for_backups ? false : true
+ condition = (
+ var.use_ibm_owned_encryption_key ||
+ var.backup_encryption_key_crn != null ||
+ var.use_same_kms_key_for_backups
+ )
 error_message = "When 'use_same_kms_key_for_backups' is set to false, a value needs to be passed for 'backup_encryption_key_crn'."
 }
 }
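Review bot: The first validation keeps the `… ? false : true` form while the three below it are rewritten as plain boolean expressions, so the block now mixes two styles for the same kind of rule. It can be written `condition = !var.use_ibm_owned_encryption_key || (var.kms_key_crn == null && var.backup_encryption_key_crn == null)`, which also mirrors its new error message. These four blocks guard the choice between the IBM-owned key and a customer-supplied key, and unlike the validations this commit adds to the solution's `variables.tf` they carry no comment; a one-line comment per block stating the rule it enforces would help the next reader. The enclosing `variable` block starts outside the hunk.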