2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -67,7 +67,7 @@ You need the following permissions to run this module.

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= v1.0.0 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= v1.9.0 |
| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.76.0, <2.0.0 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |

2 changes: 1 addition & 1 deletion examples/basic/version.tf
@@ -1,5 +1,5 @@
terraform {
required_version = ">= v1.0.0"
required_version = ">= v1.9.0"

# Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
# module's version.tf (this example), and 1 example that will always use the latest provider version (complete example).
2 changes: 1 addition & 1 deletion examples/complete/README.md
Expand Up @@ -7,7 +7,7 @@ This examples handles the provisioning of a new Secrets Manager instance.

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= v1.0.0 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= v1.9.0 |
| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >=1.76.0 |
| <a name="requirement_time"></a> [time](#requirement\_time) | 0.12.1 |

2 changes: 1 addition & 1 deletion examples/complete/version.tf
@@ -1,5 +1,5 @@
terraform {
required_version = ">= v1.0.0"
required_version = ">= v1.9.0"
required_providers {
ibm = {
source = "IBM-Cloud/ibm"
2 changes: 1 addition & 1 deletion examples/fscloud/version.tf
@@ -1,5 +1,5 @@
terraform {
required_version = ">= 1.3.0"
required_version = ">= 1.9.0"
required_providers {
# Use latest version of provider in non-basic examples to verify latest version works with module
ibm = {
12 changes: 0 additions & 12 deletions main.tf
Expand Up @@ -6,18 +6,6 @@
locals {
# Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
# tflint-ignore: terraform_unused_declarations
validate_kms_values = (!var.kms_encryption_enabled && var.kms_key_crn != null && var.existing_sm_instance_crn == null) ? tobool("When passing values for var.kms_key_crn, you must set 'kms_encryption_enabled' to true. Otherwise set 'kms_encryption_enabled' to false to use default encryption") : true
# tflint-ignore: terraform_unused_declarations
validate_kms_vars = var.kms_encryption_enabled && var.kms_key_crn == null && var.existing_sm_instance_crn == null ? tobool("When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn") : true
# tflint-ignore: terraform_unused_declarations
validate_auth_policy = var.kms_encryption_enabled && var.skip_kms_iam_authorization_policy == false && var.kms_key_crn == null && var.existing_sm_instance_crn == null ? tobool("When var.skip_kms_iam_authorization_policy is set to false, and var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn in order to create the auth policy.") : true
# tflint-ignore: terraform_unused_declarations
validate_event_notification = var.enable_event_notification && var.existing_en_instance_crn == null ? tobool("When setting var.enable_event_notification to true, a value must be passed for var.existing_en_instance_crn") : true
# tflint-ignore: terraform_unused_declarations
validate_endpoint = var.endpoint_type == "public" && var.allowed_network == "private-only" && var.existing_sm_instance_crn == null ? tobool("It is not allowed to have conflicting var.endpoint_type and var.allowed_network values.") : true
# tflint-ignore: terraform_unused_declarations
validate_region = var.existing_sm_instance_crn == null && var.region == null ? tobool("When existing_sm_instance_crn is null, a value must be passed for var.region") : true
# tflint-ignore: terraform_unused_declarations
validate_is_hpcs_key = var.is_hpcs_key && local.kms_service_name != "hs-crypto" ? tobool("When is_hpcs_key is set to true then the key provided through kms_key_crn must be a Hyper Protect Crypto Services key") : true
}

25 changes: 25 additions & 0 deletions variables.tf
Expand Up @@ -65,6 +65,16 @@ variable "kms_key_crn" {
type = string
description = "The root key CRN of a Key Management Service like Key Protect or Hyper Protect Crypto Services (HPCS) that you want to use for encryption. Only used if `kms_encryption_enabled` is set to true."
default = null

validation {
condition = var.kms_key_crn != null && var.kms_encryption_enabled == false ? false : true
error_message = "When passing values for var.kms_key_crn, you must set 'kms_encryption_enabled' to true. Otherwise set 'kms_encryption_enabled' to false to use default encryption."
}

validation {
condition = var.kms_encryption_enabled == true && var.kms_key_crn == null ? false : true
error_message = "When setting var.kms_encryption_enabled to true, a value must be passed for var.kms_key_crn."
}
}

variable "is_hpcs_key" {
Expand All @@ -77,6 +87,11 @@ variable "existing_sm_instance_crn" {
type = string
description = "An existing Secrets Manager instance CRN. If not provided an new instance will be provisioned."
default = null

validation {
condition = var.existing_sm_instance_crn == null && var.region == null ? false : true
error_message = "When existing_sm_instance_crn is null, a value must be passed for var.region"
}
}

##############################################################
Expand Down Expand Up @@ -118,6 +133,11 @@ variable "enable_event_notification" {
type = bool
default = false
description = "Set this to true to enable lifecycle notifications for your Secrets Manager instance by connecting an Event Notifications service. When setting this to true, a value must be passed for `existing_en_instance_crn` and `existing_sm_instance_crn` must be null."

validation {
condition = var.enable_event_notification == true && var.existing_en_instance_crn == null ? false : true
error_message = "When setting var.enable_event_notification to true, a value must be passed for var.existing_en_instance_crn"
}
}

variable "existing_en_instance_crn" {
Expand All @@ -134,6 +154,11 @@ variable "endpoint_type" {
condition = contains(["public", "private"], var.endpoint_type)
error_message = "The specified endpoint_type is not a valid selection!"
}

validation {
condition = var.endpoint_type == "public" && var.allowed_network == "private-only" ? false : true
error_message = "It is not allowed to have conflicting `var.endpoint_type` and `var.allowed_network values`."
}
}

##############################################################
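Review bot: The two validation blocks added under `variable "kms_key_crn"` fail whenever `kms_key_crn` and `kms_encryption_enabled` disagree, whereas the `validate_kms_values` / `validate_kms_vars` locals they replace in main.tf only fired when `var.existing_sm_instance_crn == null`, and the same gate is dropped from the new `endpoint_type` / `allowed_network` check; callers that pass an existing instance together with those inputs will now fail at plan, so if that tightening is intended the `kms_key_crn` and `endpoint_type` descriptions should state it, otherwise the conditions should carry `var.existing_sm_instance_crn == null` as before. The removed `validate_auth_policy` and `validate_is_hpcs_key` locals have no counterpart in the hunks shown, so the "`skip_kms_iam_authorization_policy` is false but no key was given" case and the HPCS-key check appear to go unvalidated until apply unless they live in a part of the file this diff does not show. Style: `cond ? false : true` is just `!(cond)`, e.g. the first condition reads more directly as `condition = var.kms_key_crn == null || var.kms_encryption_enabled` and the second as `condition = !var.kms_encryption_enabled || var.kms_key_crn != null`. The `error_message` in the `endpoint_type` validation closes its second backtick after "values" instead of after `var.allowed_network`, and the `existing_sm_instance_crn` and `enable_event_notification` messages lack the trailing period the other new messages have.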
2 changes: 1 addition & 1 deletion version.tf
@@ -1,5 +1,5 @@
terraform {
required_version = ">= v1.0.0"
required_version = ">= v1.9.0"
required_providers {
# Use "greater than or equal to" range in modules
ibm = {