fix(deps) updated required terraform version to >=1.9.0 and updated variable validation logic (#286)

Author: kierramarie

README.md

@@ -156,7 +156,7 @@ You need the following permissions to run this module.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.70.0, <2.0.0 |
 
 ### Modules

examples/complete/main.tf

@@ -3,15 +3,7 @@
 ##############################################################################
 
 locals {
-  payload                = sensitive("secret-payload-example")
-  validate_sm_region_cnd = var.existing_sm_instance_guid != null && var.existing_sm_instance_region == null
-  validate_sm_region_msg = "existing_sm_instance_region must also be set when value given for existing_sm_instance_guid."
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_region_chk = regex(
-    "^${local.validate_sm_region_msg}$",
-    (!local.validate_sm_region_cnd
-      ? local.validate_sm_region_msg
-  : ""))
+  payload = sensitive("secret-payload-example")
 
   sm_guid   = var.existing_sm_instance_guid == null ? module.secrets_manager[0].secrets_manager_guid : var.existing_sm_instance_guid
   sm_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region

examples/complete/variables.tf

@@ -38,6 +38,11 @@ variable "existing_sm_instance_guid" {
   type        = string
   description = "Existing Secrets Manager GUID. If not provided an new instance will be provisioned"
   default     = null
+
+  validation {
+    condition     = var.existing_sm_instance_guid != null ? var.existing_sm_instance_region != null : true
+    error_message = "`existing_sm_instance_region` must also be set when value given for `existing_sm_instance_guid`."
+  }
 }
 
 variable "existing_sm_instance_region" {

examples/complete/version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"

examples/private/main.tf

@@ -5,17 +5,7 @@
 locals {
   payload       = sensitive("secret-payload-example")
   secret_labels = [var.prefix, var.region]
-
-  validate_sm_region_cnd = var.existing_sm_instance_crn != null && var.existing_sm_instance_region == null
-  validate_sm_region_msg = "existing_sm_instance_region must also be set when value given for existing_sm_instance_guid."
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_region_chk = regex(
-    "^${local.validate_sm_region_msg}$",
-    (!local.validate_sm_region_cnd
-      ? local.validate_sm_region_msg
-  : ""))
-
-  sm_region = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
+  sm_region     = var.existing_sm_instance_region == null ? var.region : var.existing_sm_instance_region
 }
 
 ##############################################################################

examples/private/variables.tf

@@ -38,11 +38,16 @@ variable "existing_sm_instance_crn" {
   type        = string
   description = "An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned."
   default     = null
+
+  validation {
+    condition     = var.existing_sm_instance_crn != null ? var.existing_sm_instance_region != null : true
+    error_message = "`existing_sm_instance_region` must also be set when value given for `existing_sm_instance_crn`."
+  }
 }
 
 variable "existing_sm_instance_region" {
   type        = string
-  description = "The region of the existing Secrets Manager instance. Only required if value is passed into var.existing_sm_instance_guid"
+  description = "The region of the existing Secrets Manager instance. Only required if value is passed into var.existing_sm_instance_crn"
   default     = null
 }
 

examples/private/version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
   required_providers {
     ibm = {
       source  = "IBM-Cloud/ibm"

main.tf

@@ -4,40 +4,8 @@
 # Creates Secret within existing Secret Manager instance and Secret Manager Group
 ##############################################################################
 
-# Validation
-# Approach based on https://stackoverflow.com/a/66682419
 locals {
-  # validate username_password or arbitrary secret has a password payload
-  userpass_validate_condition = (var.secret_type == "username_password" || var.secret_type == "arbitrary") && var.secret_payload_password == "" #checkov:skip=CKV_SECRET_6
-  userpass_validate_msg       = "When creating a username_password or arbitrary secret, a value for `secret_payload_password` is required."
-  # tflint-ignore: terraform_unused_declarations
-  userpass_validate_check = regex("^${local.userpass_validate_msg}$", (!local.userpass_validate_condition ? local.userpass_validate_msg : ""))
-
-  # validate imported certificate has a TLS certificate
-  imported_cert_validate_condition = var.secret_type == "imported_cert" && var.imported_cert_certificate == null #checkov:skip=CKV_SECRET_6
-  imported_cert_validate_msg       = "When creating an imported_cert secret, value for `imported_cert_certificate` cannot be null."
-  # tflint-ignore: terraform_unused_declarations
-  imported_cert_validate_check = regex("^${local.imported_cert_validate_msg}$", (!local.imported_cert_validate_condition ? local.imported_cert_validate_msg : ""))
-
-  # validate service credentials has source service information
-  service_credentials_validate_condition = (var.secret_type == "service_credentials" && var.service_credentials_source_service_crn == null) || (var.secret_type == "service_credentials" && var.service_credentials_source_service_role_crn == null) #checkov:skip=CKV_SECRET_6
-  service_credentials_validate_msg       = "When creating a service_credentials secret, values for `service_credentials_source_service_crn` and `service_credentials_source_service_role_crn` are required."
-  # tflint-ignore: terraform_unused_declarations
-  service_credentials_validate_check = regex("^${local.service_credentials_validate_msg}$", (!local.service_credentials_validate_condition ? local.service_credentials_validate_msg : ""))
-
-  # validate auto rotation format
-  auto_rotation_validate_condition = var.secret_auto_rotation == true && var.secret_auto_rotation_unit != "month" && var.secret_auto_rotation == true && var.secret_auto_rotation_unit != "day" || var.secret_auto_rotation == true && var.secret_auto_rotation_interval == 0
-  auto_rotation_validate_msg       = "Value for `secret_auto_rotation_unit' must be either `day` or `month` and value for `secret_auto_rotation_interval` must be higher than 0"
-  # tflint-ignore: terraform_unused_declarations
-  auto_rotation_validate_check = regex("^${local.auto_rotation_validate_msg}$", (!local.auto_rotation_validate_condition ? local.auto_rotation_validate_msg : ""))
-
   auto_rotation_enabled = var.secret_auto_rotation == true ? [1] : []
-
-  # Prevent user from inputting a custom set of service credential parameters while also enabling specific parameter inputs
-  custom_parameters_validate_condition = var.service_credentials_parameters != null && (var.service_credentials_source_service_hmac == true || var.service_credentials_existing_serviceid_crn != null)
-  custom_parameters_validate_msg       = "You are passing in a custom set of service credential parameters while also using variables that auto-set parameters."
-  # tflint-ignore: terraform_unused_declarations
-  custom_parameters_validate_check = regex("^${local.custom_parameters_validate_msg}$", (!local.custom_parameters_validate_condition ? local.custom_parameters_validate_msg : ""))
 }
 
 resource "ibm_sm_arbitrary_secret" "arbitrary_secret" {

variables.tf

@@ -6,57 +6,78 @@ variable "region" {
   type        = string
   description = "The region where the Secrets Manager instance is deployed."
 }
+
 variable "secrets_manager_guid" {
   type        = string
   description = "The instance ID of the Secrets Manager instance where the secret will be added."
 }
+
 variable "secret_group_id" {
   type        = string
   description = "The ID of the secret group for the secret. If `null`, the `default` secret group is used."
   default     = "default"
 }
+
 variable "secret_type" {
   type        = string
   description = "Type of secret to create, must be one of: arbitrary, username_password, imported_cert, service_credentials"
+
   validation {
-    condition = anytrue([
-      var.secret_type == "arbitrary",           #checkov:skip=CKV_SECRET_6
-      var.secret_type == "username_password",   #checkov:skip=CKV_SECRET_6
-      var.secret_type == "imported_cert",       #checkov:skip=CKV_SECRET_6
-      var.secret_type == "service_credentials", #checkov:skip=CKV_SECRET_6
-    ])
+    condition     = contains(["arbitrary", "username_password", "imported_cert", "service_credentials"], var.secret_type) #checkov:skip=CKV_SECRET_6
     error_message = "Only supported secrets types are arbitrary, username_password, imported_cert, or service_credentials"
   }
+
+  validation {
+    condition     = (var.secret_type == "username_password" || var.secret_type == "arbitrary") ? var.secret_payload_password != "" : true
+    error_message = "When creating a username_password or arbitrary secret, a value for `secret_payload_password` is required."
+  }
+
+  validation {
+    condition     = var.secret_type == "imported_cert" ? var.imported_cert_certificate != null : true
+    error_message = "When creating an imported_cert secret, value for `imported_cert_certificate` cannot be null."
+  }
+
+  validation {
+    condition     = var.secret_type == "service_credentials" ? var.service_credentials_source_service_crn != null && var.service_credentials_source_service_role_crn != null : true
+    error_message = "When creating a service_credentials secret, values for `service_credentials_source_service_crn` and `service_credentials_source_service_role_crn` are required."
+  }
 }
+
 variable "imported_cert_certificate" {
   type        = string
   description = "The TLS certificate to import."
   default     = null
 }
+
 variable "imported_cert_private_key" {
   type        = string
   description = "(optional) The private key for the TLS certificate to import."
   default     = null
   sensitive   = true
 }
+
 variable "imported_cert_intermediate" {
   type        = string
   description = "(optional) The intermediate certificate for the TLS certificate to import."
   default     = null
 }
+
 variable "secret_name" {
   type        = string
   description = "Name of the secret to create."
 }
+
 variable "secret_description" {
   type        = string
   description = "Description of the secret to create."
 }
+
 variable "secret_username" {
   type        = string
   description = "Username of the secret to create. Applies only to `username_password` secret types. When `null`, an `arbitrary` secret is created."
   default     = null
 }
+
 variable "secret_labels" {
   type        = list(string)
   description = "Labels of the secret to create. Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|)."
@@ -67,26 +88,40 @@ variable "secret_labels" {
     error_message = "Up to 30 labels can be created. Labels can be 2 - 30 characters, including spaces. Special characters that are not permitted include the angled brackets (<>), comma (,), colon (:), ampersand (&), and vertical pipe character (|)."
   }
 }
+
 variable "secret_payload_password" {
   type        = string
   description = "The payload (for arbitrary secrets) or password (for username and password credentials) of the secret."
   sensitive   = true
   default     = "" #tfsec:ignore:general-secrets-no-plaintext-exposure
 }
+
 variable "secret_auto_rotation" {
   type        = bool
   description = "Whether to configure automatic rotation. Applies only to the `username_password` and `service_credentials` secret types."
   default     = true
 }
+
 variable "secret_auto_rotation_unit" {
   type        = string
   description = "Specifies the unit of time for rotation of a username_password secret. Acceptable values are `day` or `month`."
   default     = "day" #tfsec:ignore:general-secrets-no-plaintext-exposure
+
+  validation {
+    condition     = contains(["day", "month"], var.secret_auto_rotation_unit)
+    error_message = "Value for `secret_auto_rotation_unit' must be either `day` or `month`."
+  }
 }
+
 variable "secret_auto_rotation_interval" {
   type        = number
   description = "Specifies the rotation interval for the rotation unit."
   default     = 89
+
+  validation {
+    condition     = var.secret_auto_rotation_interval > 0
+    error_message = "Value for `secret_auto_rotation_interval` must be higher than 0."
+  }
 }
 
 variable "service_credentials_ttl" {
@@ -116,6 +151,11 @@ variable "service_credentials_parameters" {
   type        = map(string)
   description = "List of all custom parameters for service credential."
   default     = null
+
+  validation {
+    condition     = var.service_credentials_parameters != null ? !(var.service_credentials_source_service_hmac == true || var.service_credentials_existing_serviceid_crn != null) : true
+    error_message = "You are passing in a custom set of service credential parameters while also using variables that auto-set parameters."
+  }
 }
 
 variable "service_credentials_source_service_hmac" {

version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
   required_providers {
     # Use "greater than or equal to" range in modules
     ibm = {