
refactor: cross object reference for input variable validation #59

Open
wants to merge 9 commits into
base: main

arya-girish-k

Description

Used cross-object referencing for input variable validation and updated required Terraform version to >= 1.9.0.
Git_issue

Release required?

  • No release
  • Patch release (x.x.X)
  • Minor release (x.X.x)
  • Major release (X.x.x)
Release notes content

Used cross-object referencing for input variable validation and updated required Terraform version to >= 1.9.0.

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

  • If relevant, a test for the change is included or updated with this PR.
  • If relevant, documentation for the change is included or updated with this PR.

For mergers

  • Use a conventional commit message to set the release level. Follow the guidelines.
  • Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
  • Use the Squash and merge option.

@arya-girish-k
Author

/run pipeline

@arya-girish-k
Author

arya-girish-k commented Apr 22, 2025

Validation Test

Columns: Module/DA/examples, validation, Positive Testcase, Negative Testcase

Module/DA/examples: examples/all-combined

Validation: var.existing_sm_instance_guid != null ? var.existing_sm_instance_region != null : true
Positive testcases:
  1. existing_sm_instance_guid = null
  2. existing_sm_instance_guid != null, existing_sm_instance_region != null
Negative testcases:
  1. existing_sm_instance_guid = "" and existing_sm_instance_region = null

Validation: var.existing_sm_instance_guid != null && var.service_endpoints == "private" ? var.existing_sm_instance_crn != null : true
Positive testcases:
  1. existing_sm_instance_guid = "" & service_endpoints == "private", existing_sm_instance_crn != null
  2. existing_sm_instance_guid = null & service_endpoints == "private"
  3. existing_sm_instance_guid = null & service_endpoints == "public"
  4. existing_sm_instance_guid = "" & service_endpoints == "public"
Negative testcases:
  1. existing_sm_instance_guid = "", service_endpoints == "private" existing_sm_instance_crn != null

Validation: var.imported_certificate_sm_id != null ? var.imported_certificate_sm_region != null : true
Positive testcases:
  1. imported_certificate_sm_id = "" & var.imported_certificate_sm_region = ""
  2. imported_certificate_sm_id = null
Negative testcases:
  1. var.imported_certificate_sm_id = "" & var.imported_certificate_sm_region = null

Validation: (var.imported_certificate_public_secret_id != null && var.imported_certificate_private_secret_id != null) && var.imported_certificate_sm_id == null ? false : true
Positive testcases:
  1. var.imported_certificate_public_secret_id = null & var.imported_certificate_private_secret_id = null
  2. var.imported_certificate_public_secret_id = "" & var.imported_certificate_private_secret_id = null
  3. var.imported_certificate_public_secret_id = null & var.imported_certificate_private_secret_id = ""
  4. var.imported_certificate_public_secret_id = "" & var.imported_certificate_private_secret_id = "" & var.imported_certificate_sm_id = ""
Negative testcases:
  1. imported_certificate_public_secret_id != "", imported_certificate_private_secret_id = "", imported_certificate_sm_id = null

Module/DA/examples: examples/basic

Validation: var.existing_sm_instance_guid != null ? var.existing_sm_instance_region != null : true
Positive testcases:
  1. var.existing_sm_instance_guid = "" & var.existing_sm_instance_region = ""
  2. var.existing_sm_instance_guid = null
Negative testcases:
  1. var.existing_sm_instance_guid = "" & var.existing_sm_instance_region = null

Module/DA/examples: examples/trusted-profiles-authentication

Validation: var.existing_sm_instance_guid != null ? var.existing_sm_instance_region != null : true
Positive testcases:
  1. var.existing_sm_instance_guid != null & var.existing_sm_instance_region != null
  2. var.existing_sm_instance_guid = null
Negative testcases:
  1. var.existing_sm_instance_guid != null & var.existing_sm_instance_region = null

Validation: var.existing_sm_instance_guid != null && var.service_endpoints == "private" ? var.existing_sm_instance_crn != null : true
Positive testcases:
  1. var.existing_sm_instance_guid != null & var.service_endpoints == "private", var.existing_sm_instance_crn != null
  2. var.existing_sm_instance_guid = null & var.service_endpoints == "private"
  3. var.existing_sm_instance_guid = null & var.service_endpoints == "public"
  4. var.existing_sm_instance_guid != null & var.service_endpoints == "public"
Negative testcases:
  1. var.existing_sm_instance_guid = "" && var.service_endpoints == "private", var.existing_sm_instance_crn = null

Module/DA/examples: modules/eso-clusterstore

Validation: var.eso_authentication == "api_key" ? var.clusterstore_secret_apikey != null : true
Positive testcases:
  1. var.eso_authentication == "api_key" & var.clusterstore_secret_apikey != null
  2. var.eso_authentication != "api_key"
Negative testcases:
  1. var.eso_authentication == "api_key" & var.clusterstore_secret_apikey = null

Validation: var.eso_authentication == "trusted_profile" ? var.clusterstore_trusted_profile_name != null : true
Positive testcases:
  1. var.eso_authentication == "trusted_profile" var.clusterstore_trusted_profile_name = ""
  2. var.eso_authentication != "trusted_profile"
Negative testcases:
  1. var.eso_authentication == "trusted_profile" var.clusterstore_trusted_profile_name = null

Validation: var.clusterstore_secret_apikey != null || var.clusterstore_trusted_profile_name != null
Positive testcases:
  1. var.clusterstore_secret_apikey != null & var.clusterstore_trusted_profile_name != null
  2. var.clusterstore_secret_apikey != null & var.clusterstore_trusted_profile_name == null
  3. var.clusterstore_secret_apikey = null & var.clusterstore_trusted_profile_name != null
Negative testcases:
  1. var.clusterstore_secret_apikey = null, var.clusterstore_trusted_profile_name = null

Module/DA/examples: modules/eso-external-secret

Validation: (local.is_kv && var.es_kubernetes_secret_type != "opaque" )? false : true
Positive testcases:
  1. local.is_kv = true, var.es_kubernetes_secret_type == "opaque"
  2. local.is_kv = false
Negative testcases:
  1. local.is_kv = true, var.es_kubernetes_secret_type != "opaque"

Validation: var.es_kubernetes_secret_data_key == null && (var.es_kubernetes_secret_type == "opaque" && (var.sm_secret_type == "arbitrary" || var.sm_secret_type == "iam_credentials"))? false : true
Positive testcases:
  1. var.es_kubernetes_secret_type == "opaque" & var.sm_secret_type == "arbitrary", var.es_kubernetes_secret_data_key != null
  2. var.es_kubernetes_secret_type == "opaque" & var.sm_secret_type = "iam_credentials", var.es_kubernetes_secret_data_key != null
  3. var.es_kubernetes_secret_type != "opaque" & var.sm_secret_type = "iam_credentials" or "arbitrary"
  4. var.es_kubernetes_secret_type == "opaque" & var.sm_secret_type != "iam_credentials" or "arbitrary"
Negative testcases:
  1. var.es_kubernetes_secret_type == "opaque" & var.sm_secret_type == "arbitrary", var.es_kubernetes_secret_data_key = null
  2. var.es_kubernetes_secret_type == "opaque" & var.sm_secret_type == "iam_credentials", var.es_kubernetes_secret_data_key = null

Validation: (can(regex("^kv$", var.sm_secret_type)) && var.sm_kv_keyid != null && var.sm_kv_keypath != null)? false : true
Positive testcases:
  1. sm_secret_type != "kv"
  2. sm_secret_type != "kv", var.sm_kv_keyid != null, var.sm_kv_keypath == null
  3. sm_secret_type != "kv", var.sm_kv_keyid == null, var.sm_kv_keypath != null
  4. sm_secret_type != "kv", var.sm_kv_keyid = null, var.sm_kv_keypath = null
Negative testcases:
  1. sm_secret_type = kv, var.sm_kv_keyid = "" & var.sm_kv_keypath = ""

Validation: (var.sm_secret_id == null && local.is_dockerjsonconfig_chain == false) ? false : true
Positive testcases:
  1. local.is_dockerjsonconfig_chain = true, var.sm_secret_id = null
  2. local.is_dockerjsonconfig_chain = false
Negative testcases:
  1. local.is_dockerjsonconfig_chain = false, sm_secret_id = null

Validation: local.is_dockerjsonconfig_chain == true && (var.es_kubernetes_secret_type != "dockerconfigjson" || var.sm_secret_type != "iam_credentials") ? false : true
Positive testcases:
  1. local.is_dockerjsonconfig_chain = true, var.es_kubernetes_secret_type == "dockerconfigjson" & var.sm_secret_type == "iam_credentials"
  2. local.is_dockerjsonconfig_chain = false
Negative testcases:
  1. local.is_dockerjsonconfig_chain = true, var.es_kubernetes_secret_type == "dockerconfigjson" & var.sm_secret_type != "iam_credentials"
  2. local.is_dockerjsonconfig_chain = true, var.es_kubernetes_secret_type != "dockerconfigjson" & var.sm_secret_type = "iam_credentials"
  3. local.is_dockerjsonconfig_chain = true, var.es_kubernetes_secret_type != "dockerconfigjson" & var.sm_secret_type != "iam_credentials"

Module/DA/examples: modules/eso-secretstore

Validation: var.eso_authentication == "api_key" ? var.sstore_secret_apikey != null : true
Positive testcases:
  1. var.eso_authentication == "api_key" & var.sstore_secret_apikey != null
  2. var.eso_authentication != "api_key"
Negative testcases:
  1. var.eso_authentication == "api_key" & var.sstore_secret_apikey = null

Validation: var.eso_authentication == "trusted_profile" ? var.sstore_trusted_profile_name != null : true
Positive testcases:
  1. var.eso_authentication == "trusted_profile" & var.sstore_trusted_profile_name != null
  2. var.eso_authentication != "trusted_profile"
Negative testcases:
  1. var.eso_authentication = "trusted_profile" ? var.sstore_trusted_profile_name = null

Validation: var.sstore_secret_apikey != null || var.sstore_trusted_profile_name != null
Positive testcases:
  1. var.sstore_secret_apikey != null, var.sstore_trusted_profile_name = null
  2. var.sstore_secret_apikey = null, var.sstore_trusted_profile_name != null
  3. var.sstore_secret_apikey != null, var.sstore_trusted_profile_name != null
Negative testcases:
  1. var.sstore_secret_apikey = null, var.sstore_trusted_profile_name = null
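
The positive and negative cases in the comment above can be encoded as `terraform test` runs, so a regression in a cross-variable validation fails CI instead of relying on manual checks. This is an added example, not code from the PR or the project: the variable names and the condition come from the modules/eso-secretstore row, while the types, defaults, error message, file names and placeholder value are assumptions.

```hcl
# --- main.tf (constructed module, not the project's code) ---
terraform {
  required_version = ">= 1.9.0" # validation that references another variable needs 1.9+
}

variable "eso_authentication" {
  type    = string
  default = "api_key" # assumed default
}

variable "sstore_secret_apikey" {
  type      = string
  default   = null
  sensitive = true # assumption: keep the key out of plan output

  validation {
    # Cross-object reference: the rule for this variable reads var.eso_authentication.
    condition     = var.eso_authentication == "api_key" ? var.sstore_secret_apikey != null : true
    error_message = "sstore_secret_apikey must be set when eso_authentication is api_key."
  }
}

# --- tests/validation.tftest.hcl (separate file) ---
run "positive_api_key_with_secret" {
  command = plan
  variables {
    eso_authentication   = "api_key"
    sstore_secret_apikey = "constructed-placeholder"
  }
}

run "positive_other_auth_without_secret" {
  command = plan
  variables {
    eso_authentication   = "trusted_profile"
    sstore_secret_apikey = null
  }
}

run "negative_api_key_without_secret" {
  command = plan
  variables {
    eso_authentication   = "api_key"
    sstore_secret_apikey = null
  }
  # The run passes only if this variable's validation rule rejects the input.
  expect_failures = [var.sstore_secret_apikey]
}
```

Run `terraform init` and then `terraform test` from the module directory; the negative run passes only when the validation fires.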

@arya-girish-k
Author

/run pipeline

Khuzaima05
Khuzaima05 previously approved these changes Apr 28, 2025
Member

@Khuzaima05 Khuzaima05 left a comment

LGTM

@arya-girish-k
Author

/run pipeline

@arya-girish-k
Author

Updated the validation in the module eso-external-secret:

(local.is_dockerjsonconfig_chain == true && (var.es_kubernetes_secret_type != "dockerconfigjson" || (var.sm_secret_type != "iam_credentials" && var.sm_secret_type != "trusted_profile"))) ? false : true

Negative testcases:

  1. local.is_dockerjsonconfig_chain = true, var.es_kubernetes_secret_type == "dockerconfigjson", var.sm_secret_type != "iam_credentials" or "trusted_profile"

  2. local.is_dockerjsonconfig_chain = true, var.es_kubernetes_secret_type != "dockerconfigjson", var.sm_secret_type = "iam_credentials" or "trusted_profile"

  3. local.is_dockerjsonconfig_chain = true, var.es_kubernetes_secret_type != "dockerconfigjson", var.sm_secret_type != "iam_credentials" or "trusted_profile"

Positive testcases:

  1. local.is_dockerjsonconfig_chain = true, var.es_kubernetes_secret_type == "dockerconfigjson" & var.sm_secret_type == "iam_credentials" or "trusted_profile"

  2. local.is_dockerjsonconfig_chain = false

@arya-girish-k
Author

/run pipeline

Member

@Khuzaima05 Khuzaima05 left a comment

LGTM

Member

@vbontempi vbontempi left a comment

Found only one unclear message in the original code in master that could be fixed.
The rest is OK.

}

variable "sm_secret_id" {
description = "Secrets-Manager secret ID where source data will be synchronized with Kubernetes secret. It can be null only in the case of a dockerjsonconfig secrets chain"
type = string
validation {
condition = (var.sm_secret_id == null && local.is_dockerjsonconfig_chain == false) ? false : true
error_message = "The input variable sm_secret_id can be null only a dockerjsonconfig secrets chain is going to be created"
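
Review bot: the condition line for sm_secret_id wraps a boolean in "? false : true" and compares local.is_dockerjsonconfig_chain == false, which makes the rule harder to read than it needs to be. Assuming the local is always a non-null bool, the same truth table is expressed directly as var.sm_secret_id != null || local.is_dockerjsonconfig_chain. Because the condition reads a local rather than only the variable being validated, it also depends on the Terraform >= 1.9.0 requirement named in the PR description, so that version constraint should ship in the same change.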

The original message had a typo and maybe it was also not clear enough; please change it to:
The input variable sm_secret_id cannot be null unless the secret to create is a dockerjsonconfig secrets chain
