Event Notification DA Fully configurable #395
Conversation
whoffler
force-pushed
the
flexibleVariation
branch
4 times, most recently
from
fd9cef1 to
5c55830
Compare
whoffler
changed the title
| @@ -0,0 +1,14 @@ | |||
| terraform { | |||
| required_version = ">= 1.3.0" | |||
There was a problem hiding this comment.
I suggest you update to >= 1.9.0 so we can use the terraform 1.9 cross variable validation feature.
We will need to use it in many input variables in variables.tf. For an idea of how to use it, see my branch (WIP): https://github.com/terraform-ibm-modules/terraform-ibm-scc/blob/DA/solutions/fully-configurable/variables.tf
solutions/fully-configurable/catalogValidationValues.json.template
Outdated
Show resolved
Hide resolved
solutions/fully-configurable/catalogValidationValues.json.template
Outdated
Show resolved
Hide resolved
whoffler
force-pushed
the
flexibleVariation
branch
2 times, most recently
from
abeb33c to
dcf9464
Compare
whoffler
force-pushed
the
flexibleVariation
branch
from
29995b7 to
8d7f1f9
Compare
There was a problem hiding this comment.
@whoffler still a lot of things to address here. Its not consistent at all with the SCC DA. Please review your variable descriptions, variable validation and other logic to ensure consistency. Some other things that stand out:
- security-enforced variation needs to be a striaght wrapper around fully-configurable. See https://github.com/terraform-ibm-modules/terraform-ibm-scc/tree/main/solutions/security-enforced as a reference
- It seems we are supporting creation of cross regional buckets. We are not doing that anywhere else right now, so I think remove it so its less confusing for consumers
There was a problem hiding this comment.
@whoffler Also take a look at terraform-ibm-modules/terraform-ibm-secrets-manager#309 - we will need something similar in this PR
was going to do that in a separate PR but will add here instead |
|
@whoffler A separate Pr is fine if you want - but just remove the |
whoffler
force-pushed
the
flexibleVariation
branch
2 times, most recently
from
71ea249 to
b3f69cf
Compare
|
/run pipeline |
4 similar comments
|
/run pipeline |
|
/run pipeline |
|
/run pipeline |
|
/run pipeline |
|
/run pipeline |
whoffler
force-pushed
the
flexibleVariation
branch
from
248f729 to
fab02f3
Compare
|
/run pipeline |
whoffler
force-pushed
the
flexibleVariation
branch
from
fab02f3 to
2448f91
Compare
|
/run pipeline |
1 similar comment
|
/run pipeline |
whoffler
force-pushed
the
flexibleVariation
branch
from
2448f91 to
f8e1e47
Compare
|
/run pipeline |
2 similar comments
|
/run pipeline |
|
/run pipeline |
whoffler
force-pushed
the
flexibleVariation
branch
from
f8e1e47 to
09fd83d
Compare
|
/run pipeline |
1 similar comment
|
/run pipeline |
There was a problem hiding this comment.
in main variables.tf we have
variable "kms_encryption_enabled" {
type = bool
description = "Set to `true` to control the encryption keys that are used to encrypt the data that you store in the Event Notifications instance. If set to `false`, the data is encrypted by using randomly generated keys. For more information, see [Managing encryption](https://cloud.ibm.com/docs/event-notifications?topic=event-notifications-en-managing-encryption)."
default = false
validation {
condition = var.kms_encryption_enabled == false || var.plan == "standard"
error_message = "kms encryption is only supported for standard plan"
}
}
var.plan == "standard"is not included in description- variable description, validation is not in sync what we have in
|
|
||
| When `existing_en_instance_crn` is not passed, this solution configures the following infrastructure: | ||
|
|
||
| - optionally a KMS key ring |
There was a problem hiding this comment.
what defines optionally (what inputs define if it is optional or not)?
There was a problem hiding this comment.
if a user sets kms_encryption_enabled to true and provides an existing KMS instance then a KMS key ring will be created
|
|
||
| When `existing_en_instance_crn` is passed, this solution ignores ALL other inputs and sets the outputs based on the CRN. | ||
|
|
||
| - required inputs MUST still be set, but will be ignored. |
There was a problem hiding this comment.
what is the purpose of setting required inputs if they are ignored?
There was a problem hiding this comment.
think this is no longer true, will remove
| create_cross_account_en_kms_auth_policy = var.existing_en_instance_crn == null && !var.skip_en_kms_auth_policy && var.ibmcloud_kms_api_key != null | ||
| # Create cross account COS / KMS auth policy if not using existing EN instance, if not using existing bucket, if 'skip_cos_kms_auth_policy' is false, and if a value is passed for 'ibmcloud_kms_api_key' | ||
| create_cross_account_cos_kms_auth_policy = var.existing_en_instance_crn == null && var.existing_cos_bucket_name == null && !var.skip_cos_kms_auth_policy && var.ibmcloud_kms_api_key != null | ||
| kms_region = var.kms_encryption_enabled ? var.existing_kms_instance_crn != null ? module.existing_kms_crn_parser[0].region : var.existing_kms_root_key_crn != null ? module.existing_kms_key_crn_parser[0].region : null : null |
There was a problem hiding this comment.
these are quite difficult to read.
could we improve it as the following (must be tested out)
kms_crn_parser = var.kms_encryption_enabled && (
var.existing_kms_instance_crn != null ? module.existing_kms_crn_parser[0] :
var.existing_kms_root_key_crn != null ? module.existing_kms_key_crn_parser[0] :
null
)
kms_region = local.kms_crn_parser != null ? local.kms_crn_parser.region : null
existing_kms_guid = local.kms_crn_parser != null ? local.kms_crn_parser.service_instance : null
kms_service_name = local.kms_crn_parser != null ? local.kms_crn_parser.service_name : null
kms_account_id = local.kms_crn_parser != null ? local.kms_crn_parser.account_id : null
en_kms_key_id = local.create_kms_keys ? module.kms[0].keys[format("%s.%s", local.en_key_ring_name, local.en_key_name)].key_id :
var.existing_kms_root_key_crn != null ? module.existing_kms_key_crn_parser[0].resource : null
existing_kms_instance_crn = var.kms_encryption_enabled ?
(var.existing_kms_instance_crn != null ? var.existing_kms_instance_crn :
format("crn:v1:bluemix:%s:%s:%s:%s:%s::",
module.existing_kms_key_crn_parser[0].ctype,
module.existing_kms_key_crn_parser[0].service_name,
module.existing_kms_key_crn_parser[0].region,
module.existing_kms_key_crn_parser[0].scope,
module.existing_kms_key_crn_parser[0].service_instance)) :
null
| } | ||
|
|
||
| # If existing KMS root key CRN passed, parse details from it | ||
| module "kms_root_key_crn_parser" { | ||
| module "existing_kms_key_crn_parser" { |
There was a problem hiding this comment.
should we check if var.kms_encryption_enabled is true as well, since we did it for existing_kms_crn_parser
on the other hand, do we even need to check for this?
There was a problem hiding this comment.
No we no longer need to check for this, removing
| default = null | ||
| description = "The CRN of an IBM Cloud Monitoring instance used to monitor the IBM Cloud Object Storage bucket that is used for storing failed events. If no value passed, metrics are sent to the instance associated to the container's location unless otherwise specified in the Metrics Router service configuration. Ignored if using existing Object Storage bucket." | ||
| } | ||
|
|
||
| variable "prefix" { | ||
| type = string |
There was a problem hiding this comment.
I think we decided prefix definition. Please take a look
https://github.ibm.com/GoldenEye/issues/issues/13592#issuecomment-112076767
There was a problem hiding this comment.
prefix definition already in place?
| condition = alltrue([ | ||
| for tag in var.event_notifications_access_tags : can(regex("[\\w\\-_\\.]+:[\\w\\-_\\.]+", tag)) && length(tag) <= 128 | ||
| ]) | ||
| error_message = "Tags must match the regular expression \"[\\w\\-_\\.]+:[\\w\\-_\\.]+\", see https://cloud.ibm.com/docs/account?topic=account-tag&interface=ui#limits for more details" |
There was a problem hiding this comment.
should we add explanation what regex mean? not sure if every consumer would understand regex.
| } | ||
|
|
||
| variable "kms_endpoint_url" { | ||
| variable "existing_kms_root_key_crn" { |
There was a problem hiding this comment.
can existing_kms_root_key_crn be passed (is taken into account) in a case that kms_encryption_enabled is disabled? should we add this into input validation?
There was a problem hiding this comment.
added input validation in the kms_encryption_enabled variable
| } | ||
| } | ||
|
|
||
| variable "existing_kms_root_key_crn" { | ||
| variable "kms_endpoint_url" { |
There was a problem hiding this comment.
can kms_endpoint_url be passed (is taken into account) in a case that kms_encryption_enabled is disabled? should we add this into input validation?
There was a problem hiding this comment.
added input validation in the kms_encryption_enabled variable
|
/run pipeline |
3 similar comments
|
/run pipeline |
|
/run pipeline |
|
/run pipeline |
|
@whoffler Can you share the error your getting before re-running the pipeline each time so we can track the failures? |
|
Sure, always getting the same error on different tests
|
|
/run pipeline |
|
🎉 This PR is included in version 2.0.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
Description
for issue - https://github.ibm.com/GoldenEye/issues/issues/12573
Event Notification DA Fully configurable flavor
Release required?
x.x.X)x.X.x)X.x.x)Release notes content
Run the pipeline
If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.
Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:
Checklist for reviewers
For mergers