fix: add input validation for security group creation (#538)
akocbek committed Sep 21, 2023
1 parent 808965c commit d8ddd05
Showing 5 changed files with 11 additions and 8 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -164,7 +164,7 @@ No modules.
| <a name="input_secondary_security_groups"></a> [secondary\_security\_groups](#input\_secondary\_security\_groups) | IDs of additional security groups to be added to VSI deployment secondary interfaces. A VSI interface can have a maximum of 5 security groups. | <pre>list(<br> object({<br> security_group_id = string<br> interface_name = string<br> })<br> )</pre> | `[]` | no |
| <a name="input_secondary_subnets"></a> [secondary\_subnets](#input\_secondary\_subnets) | List of secondary network interfaces to add to vsi secondary subnets must be in the same zone as VSI. This is only recommended for use with a deployment of 1 VSI. | <pre>list(<br> object({<br> name = string<br> id = string<br> zone = string<br> cidr = string<br> })<br> )</pre> | `[]` | no |
| <a name="input_secondary_use_vsi_security_group"></a> [secondary\_use\_vsi\_security\_group](#input\_secondary\_use\_vsi\_security\_group) | Use the security group created by this module in the secondary interface | `bool` | `false` | no |
| <a name="input_security_group"></a> [security\_group](#input\_security\_group) | Security group created for VSI | <pre>object({<br> name = string<br> rules = list(<br> object({<br> name = string<br> direction = string<br> source = string<br> tcp = optional(<br> object({<br> port_max = number<br> port_min = number<br> })<br> )<br> udp = optional(<br> object({<br> port_max = number<br> port_min = number<br> })<br> )<br> icmp = optional(<br> object({<br> type = number<br> code = number<br> })<br> )<br> })<br> )<br> })</pre> | n/a | yes |
| <a name="input_security_group"></a> [security\_group](#input\_security\_group) | Security group created for VSI | <pre>object({<br> name = string<br> rules = list(<br> object({<br> name = string<br> direction = string<br> source = string<br> tcp = optional(<br> object({<br> port_max = number<br> port_min = number<br> })<br> )<br> udp = optional(<br> object({<br> port_max = number<br> port_min = number<br> })<br> )<br> icmp = optional(<br> object({<br> type = number<br> code = number<br> })<br> )<br> })<br> )<br> })</pre> | `null` | no |
| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | IDs of additional security groups to be added to VSI deployment primary interface. A VSI interface can have a maximum of 5 security groups. | `list(string)` | `[]` | no |
| <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Storage Blocks to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing\_kms\_instance\_guid variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no |
| <a name="input_ssh_key_ids"></a> [ssh\_key\_ids](#input\_ssh\_key\_ids) | ssh key ids to use in creating vsi | `list(string)` | n/a | yes |
5 changes: 2 additions & 3 deletions module-metadata.json
Expand Up @@ -236,7 +236,6 @@
"name": "security_group",
"type": "object({\n name = string\n rules = list(\n object({\n name = string\n direction = string\n source = string\n tcp = optional(\n object({\n port_max = number\n port_min = number\n })\n )\n udp = optional(\n object({\n port_max = number\n port_min = number\n })\n )\n icmp = optional(\n object({\n type = number\n code = number\n })\n )\n })\n )\n })",
"description": "Security group created for VSI",
"required": true,
"pos": {
"filename": "variables.tf",
"line": 124
Expand Down Expand Up @@ -572,7 +571,7 @@
},
"pos": {
"filename": "security_group.tf",
"line": 26
"line": 32
}
},
"ibm_is_security_group_rule.security_group_rules": {
Expand All @@ -584,7 +583,7 @@
},
"pos": {
"filename": "security_group.tf",
"line": 63
"line": 67
}
},
"ibm_is_volume.volume": {
2 changes: 1 addition & 1 deletion outputs.tf
Expand Up @@ -12,7 +12,7 @@ output "ids" {

output "vsi_security_group" {
description = "Security group for the VSI"
value = var.security_group == null ? null : ibm_is_security_group.security_group[var.security_group.name]
value = var.security_group != null && var.create_security_group == true ? ibm_is_security_group.security_group[var.security_group.name] : null
}

output "list" {
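Review bot: In the value expression that references var.create_security_group, the comparison `var.create_security_group == true` is redundant for a bool and reads oddly next to the bare `var.security_group != null` test. With the validation locals this commit adds in security_group.tf, the two inputs can no longer disagree, so the guard can be written as `value = var.create_security_group && var.security_group != null ? ibm_is_security_group.security_group[var.security_group.name] : null`; the null check still has to stay because the map lookup dereferences `var.security_group.name`. Which of the two similar `value` lines is the new side is presumed from the reference to the new variable, since the rendered page dropped the markers.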
8 changes: 6 additions & 2 deletions security_group.tf
Expand Up @@ -21,6 +21,12 @@ locals {
for group in local.security_groups :
(group.name) => group
}

# input variable validation
# tflint-ignore: terraform_unused_declarations
validate_security_group = var.create_security_group == false && var.security_group != null ? tobool("var.security_group should be null when var.create_security_group is false. Use var.security_group_ids to add security groups to VSI deployment primary interface.") : true
# tflint-ignore: terraform_unused_declarations
validate_security_group_2 = var.create_security_group == true && var.security_group == null ? tobool("var.security_group cannot be null when var.create_security_group is true.") : true
}

resource "ibm_is_security_group" "security_group" {
Expand Down Expand Up @@ -58,8 +64,6 @@ locals {
}
}



resource "ibm_is_security_group_rule" "security_group_rules" {
for_each = local.security_group_rules
group = ibm_is_security_group.security_group[each.value.sg_name].id
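Review bot: The messages passed to `tobool(...)` in validate_security_group and validate_security_group_2 will not be shown as plain text: Terraform reports them wrapped in an "Invalid function argument" / cannot-convert-to-bool error, and the locals exist only for that side effect (hence the tflint-ignore lines), which a reader of the locals block will not know. The comment on the `# input variable validation` line should say so, e.g. `# Fail the plan with a readable message when var.create_security_group and var.security_group disagree; tobool() on a string is the conventional trick, the message surfaces inside the conversion error.` A resource-level `lifecycle { precondition }` would print the message cleanly but presumably would not fire when create_security_group is false and the resource has no instances, so the locals approach is reasonable here. As a point of style, `!var.create_security_group` reads better than `== false`, and a descriptive name such as validate_security_group_required says more than the `_2` suffix. The enclosing locals block starts before the hunk, and the `ibm_is_security_group.security_group` resource body lies outside it.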
2 changes: 1 addition & 1 deletion variables.tf
Expand Up @@ -172,7 +172,7 @@ variable "security_group" {
)
) == 0
}

default = null
}

variable "security_group_ids" {
