feat: improved user experience for validating input variable values <br> - updated required terraform to be >= 1.9.0 (#419)

* add: cross-object referencing for input variable validation

* reverted validations

* Update solutions/standard/variables.tf

Co-authored-by: Akash Kumar <Ak-sky@users.noreply.github.com>

* fix: resolved pre-commit error

---------

Co-authored-by: Arya Girish K <arya.girish.k@ibm.com>
Co-authored-by: Akash Kumar <Ak-sky@users.noreply.github.com>

Author: 3 people

README.md

@@ -68,7 +68,7 @@ To create service credentials, access the Event Notifications service, and acces
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.76.0, < 2.0.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1 |
 

examples/basic/version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
 
   # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
   # module's version.tf (usually a basic example), and 1 example that will always use the latest provider version.

examples/complete/version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
 
   # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
   # module's version.tf (usually a basic example), and 1 example that will always use the latest provider version.

main.tf

@@ -2,8 +2,6 @@
 # This file creates an event notificaiton resource instance
 ###########################################################
 locals {
-  # tflint-ignore: terraform_unused_declarations
-  validate_kms_plan = var.kms_encryption_enabled && var.plan != "standard" ? tobool("kms encryption is only supported for standard plan") : true
   # tflint-ignore: terraform_unused_declarations
   validate_kms_values = !var.kms_encryption_enabled && (var.existing_kms_instance_crn != null || var.root_key_id != null || var.kms_endpoint_url != null) ? tobool("When passing values for var.existing_kms_instance_crn or/and var.root_key_id or/and var.kms_endpoint_url, you must set var.kms_encryption_enabled to true. Otherwise unset them to use default encryption") : true
   # tflint-ignore: terraform_unused_declarations
@@ -12,7 +10,6 @@ locals {
   validate_cos_values = !var.cos_integration_enabled && (var.cos_instance_id != null || var.cos_bucket_name != null || var.cos_endpoint != null) ? tobool("When passing values for var.cos_instance_id or/and var.cos_bucket_name or/and var.cos_endpoint, you must set var.cos_integration_enabled to true. Otherwise unset them to disable collection of failed delivery events") : true
   # tflint-ignore: terraform_unused_declarations
   validate_cos_vars = var.cos_integration_enabled && (var.cos_instance_id == null || var.cos_bucket_name == null || var.cos_endpoint == null) ? tobool("When setting var.cos_integration_enabled to true, a value must be passed for var.cos_instance_id, var.cos_bucket_name and var.cos_endpoint") : true
-
   # Determine what KMS service is being used for encryption
   kms_service = var.existing_kms_instance_crn != null ? (
     can(regex(".*kms.*", var.existing_kms_instance_crn)) ? "kms" : (

modules/fscloud/README.md

@@ -63,7 +63,7 @@ module "event_notification" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.76.0, <2.0.0 |
 
 ### Modules

modules/fscloud/version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
   required_providers {
     # The below tflint-ignore is required because although the below provider is not directly required by this submodule,
     # it is required by consuming modules, and if not set here, the top level module calling this module will not be

solutions/standard/main.tf

@@ -17,10 +17,7 @@ module "resource_group" {
 
 # Input variable validation
 locals {
-  # Validate that a value has been passed for 'existing_kms_instance_crn' and 'kms_endpoint_url' if not using existing EN instance
-  # tflint-ignore: terraform_unused_declarations
-  validate_kms_input = (var.existing_kms_instance_crn == null || var.kms_endpoint_url == null) && var.existing_en_instance_crn == null ? tobool("A value for 'existing_kms_instance_crn' and 'kms_endpoint_url' must be passed when no value is passed for 'existing_en_instance_crn'.") : true
-  prefix             = var.prefix != null ? (var.prefix != "" ? var.prefix : null) : null
+  prefix = var.prefix != null ? (var.prefix != "" ? var.prefix : null) : null
 }
 
 # If existing KMS root key CRN passed, parse details from it
@@ -222,14 +219,6 @@ module "cos_instance_crn_parser" {
 }
 
 locals {
-  # Validate mutually exclusive inputs
-  # tflint-ignore: terraform_unused_declarations
-  validate_cos_regions = var.cos_bucket_region != null && var.cross_region_location != null ? tobool("Cannot provide values for 'cos_bucket_region' and 'cross_region_location'. Pick one or the other, or alternatively pass no values for either and allow it to default to the 'region' input.") : true
-
-  # Validate cos inputs when using existing bucket
-  # tflint-ignore: terraform_unused_declarations
-  validate_cos_bucket = var.existing_cos_bucket_name != null && (var.existing_cos_instance_crn == null || var.existing_cos_endpoint == null) ? tobool("When passing a value for 'existing_cos_bucket_name', you must also pass values for 'existing_cos_instance_crn' and 'existing_cos_endpoint'.") : true
-
   # If a bucket name is passed, or an existing EN CRN is passed; do not create COS resources
   create_cos_bucket = var.existing_cos_bucket_name != null || var.existing_en_instance_crn != null ? false : true
   # determine COS details
@@ -340,9 +329,6 @@ module "existing_sm_crn_parser" {
 }
 
 locals {
-  # Validate that a value has been passed for 'existing_secrets_manager_instance_crn' if creating credentials using the 'service_credential_secrets' input
-  # tflint-ignore: terraform_unused_declarations
-  validate_sm_crn = length(var.service_credential_secrets) > 0 && var.existing_secrets_manager_instance_crn == null ? tobool("'existing_secrets_manager_instance_crn' is required when adding service credentials with the 'service_credential_secrets' input.") : false
   # parse SM GUID from CRN
   existing_secrets_manager_instance_guid = var.existing_secrets_manager_instance_crn != null ? module.existing_sm_crn_parser[0].service_instance : null
   # parse SM region from CRN

solutions/standard/variables.tf

@@ -118,6 +118,10 @@ variable "existing_kms_instance_crn" {
   type        = string
   description = "The CRN of the KMS instance (Hyper Protect Crypto Services or Key Protect instance). If the KMS instance is in different account you must also provide a value for `ibmcloud_kms_api_key`."
   default     = null
+  validation {
+    condition     = var.existing_en_instance_crn == null ? (var.existing_kms_instance_crn != null && var.kms_endpoint_url != null) : true
+    error_message = ("A value for 'existing_kms_instance_crn' and 'kms_endpoint_url' must be passed when no value is passed for 'existing_en_instance_crn'.")
+  }
 }
 
 variable "existing_kms_root_key_crn" {
@@ -195,6 +199,12 @@ variable "existing_cos_bucket_name" {
   nullable    = true
   default     = null
   description = "The name of an existing bucket inside the existing Object Storage instance. If not supplied, a new bucket is created."
+
+  validation {
+    condition     = var.existing_cos_bucket_name != null ? (var.existing_cos_instance_crn != null && var.existing_cos_endpoint != null) : true
+    error_message = "When passing a value for 'existing_cos_bucket_name', you must also pass values for 'existing_cos_instance_crn' and 'existing_cos_endpoint'."
+  }
+
 }
 
 variable "cos_bucket_name" {
@@ -264,6 +274,11 @@ variable "cos_bucket_region" {
   type        = string
   description = "The COS bucket region. If you pass a value for this variable, you must set the value of `cross_region_location` to null. If `cross_region_location` and `cos_bucket_region` are both set to null, then `region` will be used."
   default     = null
+
+  validation {
+    condition     = var.cos_bucket_region == null || var.cross_region_location == null
+    error_message = "Cannot provide values for both 'cos_bucket_region' and 'cross_region_location'. Pick one or the other, or alternatively, pass no value for either and allow it to default to the 'region' input."
+  }
 }
 
 variable "archive_days" {
@@ -356,6 +371,11 @@ variable "service_credential_secrets" {
     ])
     error_message = "service_credentials_source_service_role_crn must be a serviceRole CRN. See https://cloud.ibm.com/iam/roles"
   }
+  validation {
+    condition     = length(var.service_credential_secrets) > 0 ? var.existing_secrets_manager_instance_crn != null : true
+    error_message = "'existing_secrets_manager_instance_crn' is required when adding service credentials with the 'service_credential_secrets' input."
+  }
+
 }
 
 variable "skip_en_sm_auth_policy" {

solutions/standard/version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
   # Lock DA into an exact provider version - renovate automation will keep it updated
   required_providers {
     ibm = {

variables.tf

@@ -114,6 +114,10 @@ variable "kms_encryption_enabled" {
   type        = bool
   description = "Set to `true` to control the encryption keys that are used to encrypt the data that you store in the Event Notifications instance. If set to `false`, the data is encrypted by using randomly generated keys. For more information, see [Managing encryption](https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-en-managing-encryption)."
   default     = false
+  validation {
+    condition     = var.kms_encryption_enabled == false || var.plan == "standard"
+    error_message = "kms encryption is only supported for standard plan"
+  }
 }
 
 variable "skip_en_cos_auth_policy" {

version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
 
   # Use a flexible range in modules that future proofs the module's usage with upcoming minor and patch versions
   required_providers {