feat: improved user experience for validating input variable values<br>* updated required terraform to be >= 1.9.0 (#162)

aatreyee2506 · web-flow · commit 1a72bc61cf5a · 2025-05-05T13:58:02.000+05:30
diff --git a/README.md b/README.md
@@ -96,7 +96,7 @@ You will also need `Administrator` access for any service which you are creating
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.76.1, < 2.0.0 |
 
 ### Modules
@@ -117,10 +117,10 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_trusted_profile_claim_rules"></a> [trusted\_profile\_claim\_rules](#input\_trusted\_profile\_claim\_rules) | A list of Trusted Profile Claim Rule objects that are applied to the Trusted Profile created by the module. | <pre>list(object({<br/>    # required arguments<br/>    conditions = list(object({<br/>      claim    = string<br/>      operator = string<br/>      value    = string<br/>    }))<br/><br/>    type = string<br/><br/>    # optional arguments<br/>    cr_type    = optional(string)<br/>    expiration = optional(number)<br/>    name       = optional(string)<br/>    realm_name = optional(string)<br/>  }))</pre> | `null` | no |
+| <a name="input_trusted_profile_claim_rules"></a> [trusted\_profile\_claim\_rules](#input\_trusted\_profile\_claim\_rules) | A list of Trusted Profile Claim Rule objects that are applied to the Trusted Profile created by the module. | <pre>list(object({<br/>    # required arguments<br/>    conditions = list(object({<br/>      claim    = string<br/>      operator = string<br/>      value    = string<br/>    }))<br/><br/>    type = string<br/><br/>    # optional arguments<br/>    cr_type    = optional(string)<br/>    expiration = optional(number)<br/>    name       = optional(string)<br/>    realm_name = optional(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_trusted_profile_description"></a> [trusted\_profile\_description](#input\_trusted\_profile\_description) | Description of the trusted profile. | `string` | `null` | no |
 | <a name="input_trusted_profile_identity"></a> [trusted\_profile\_identity](#input\_trusted\_profile\_identity) | The identity to trust (use only if needed) | <pre>object({<br/>    identifier    = string<br/>    identity_type = string<br/>    accounts      = optional(list(string))<br/>    description   = optional(string)<br/>  })</pre> | `null` | no |
-| <a name="input_trusted_profile_links"></a> [trusted\_profile\_links](#input\_trusted\_profile\_links) | A list of Trusted Profile Link objects that are applied to the Trusted Profile created by the module. | <pre>list(object({<br/>    # required arguments<br/>    cr_type = string<br/>    links = list(object({<br/>      crn       = string<br/>      namespace = optional(string)<br/>      name      = optional(string)<br/>    }))<br/><br/>    # optional arguments<br/>    name = optional(string)<br/>  }))</pre> | `null` | no |
+| <a name="input_trusted_profile_links"></a> [trusted\_profile\_links](#input\_trusted\_profile\_links) | A list of Trusted Profile Link objects that are applied to the Trusted Profile created by the module. | <pre>list(object({<br/>    # required arguments<br/>    cr_type = string<br/>    links = list(object({<br/>      crn       = string<br/>      namespace = optional(string)<br/>      name      = optional(string)<br/>    }))<br/><br/>    # optional arguments<br/>    name = optional(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_trusted_profile_name"></a> [trusted\_profile\_name](#input\_trusted\_profile\_name) | Name of the trusted profile. | `string` | n/a | yes |
 | <a name="input_trusted_profile_policies"></a> [trusted\_profile\_policies](#input\_trusted\_profile\_policies) | A list of Trusted Profile Policy objects that are applied to the Trusted Profile created by the module. | <pre>list(object({<br/>    roles              = list(string)<br/>    account_management = optional(bool)<br/>    description        = optional(string)<br/><br/>    resources = optional(list(object({<br/>      service              = optional(string)<br/>      service_type         = optional(string)<br/>      resource_instance_id = optional(string)<br/>      region               = optional(string)<br/>      resource_type        = optional(string)<br/>      resource             = optional(string)<br/>      resource_group_id    = optional(string)<br/>      service_group_id     = optional(string)<br/>      attributes           = optional(map(any))<br/>    })), null)<br/><br/>    resource_attributes = optional(list(object({<br/>      name     = string<br/>      value    = string<br/>      operator = optional(string)<br/>    })))<br/><br/>    resource_tags = optional(list(object({<br/>      name     = string<br/>      value    = string<br/>      operator = optional(string)<br/>    })))<br/><br/>    rule_conditions = optional(list(object({<br/>      key      = string<br/>      operator = string<br/>      value    = list(any)<br/>    })))<br/><br/>    rule_operator = optional(string)<br/>    pattern       = optional(string)<br/>  }))</pre> | n/a | yes |
 
diff --git a/examples/basic/version.tf b/examples/basic/version.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
 
   # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
   # module's version.tf (usually a basic example), and 1 example that will always use the latest provider version.
diff --git a/examples/complete/version.tf b/examples/complete/version.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
 
   # Ensure that there is always 1 example locked into the lowest provider version of the range defined in the main
   # module's version.tf (usually a basic example), and 1 example that will always use the latest provider version.
diff --git a/main.tf b/main.tf
@@ -8,18 +8,6 @@ resource "ibm_iam_trusted_profile" "profile" {
 }
 
 locals {
-  # Validation of variables
-  # tflint-ignore: terraform_unused_declarations
-  validate_policies_one_and_only_one = [
-    for i, policy in var.trusted_profile_policies : (
-      (lookup(policy, "account_management", null) != null && lookup(policy, "resources", null) == null && lookup(policy, "resource_attributes", null) == null) ||
-      (lookup(policy, "account_management", null) == null && lookup(policy, "resources", null) != null && lookup(policy, "resource_attributes", null) == null) ||
-      (lookup(policy, "account_management", null) == null && lookup(policy, "resources", null) == null && lookup(policy, "resource_attributes", null) != null)
-    ) && (policy.account_management != null || policy.resources != null || policy.resource_attributes != null) ? true :
-    tobool("Values for `var.trusted_profile_policies[${i}].account_management`, `var.trusted_profile_policies[${i}].resource_attributes`, and `var.trusted_profile_policies[${i}].resources` are mutually exclusive.")
-  ]
-
-  # Transformation of maps
   policy_map = {
     for i, obj in var.trusted_profile_policies :
     "${var.trusted_profile_name}-${i}" => {
@@ -106,49 +94,6 @@ resource "ibm_iam_trusted_profile_policy" "policy" {
 }
 
 locals {
-  # tflint-ignore: terraform_unused_declarations
-  validate_claim_type = var.trusted_profile_claim_rules == null ? [] : [
-    for i, claim in var.trusted_profile_claim_rules : (
-      contains(["Profile-SAML", "Profile-CR"], claim.type) ? true : tobool("Value for `var.trusted_profile_claim_rules[${i}].type must be either `Profile-SAML` or `Profile-CR`.")
-    )
-  ]
-  # tflint-ignore: terraform_unused_declarations
-  validate_claim_condition_operator = var.trusted_profile_claim_rules == null ? [] : [
-    for i, claim in var.trusted_profile_claim_rules : [
-      for j, condition in claim.conditions : (
-        contains(["EQUALS", "NOT_EQUALS", "EQUALS_IGNORE_CASE", "NOT_EQUALS_IGNORE_CASE", "CONTAINS", "IN"], condition.operator) ?
-        true : tobool("Value for `var.trusted_profile_claim_rules[${i}].conditions[${j}].operator` must be one of the following: `EQUALS`, `NOT_EQUALS`, `EQUALS_IGNORE_CASE`, `NOT_EQUALS_IGNORE_CASE`, `CONTAINS`, `IN`.")
-      )
-    ]
-  ]
-  # tflint-ignore: terraform_unused_declarations
-  validate_claim_cr_type = var.trusted_profile_claim_rules == null ? [] : [
-    for i, claim in var.trusted_profile_claim_rules :
-    lookup(claim, "cr_type", null) == null ? true : (
-      claim.type == "Profile-CR" ? true : tobool("Value for `var.trusted_profile_claim_rules[${i}].cr_type` should only be provided when `var.trusted_profile_claim_rules[${i}].type` is `Profile-CR`.")
-    )
-  ]
-  # tflint-ignore: terraform_unused_declarations
-  validate_claim_cr_type_matches = var.trusted_profile_claim_rules == null ? [] : [
-    for i, claim in var.trusted_profile_claim_rules :
-    lookup(claim, "cr_type", null) == null ? true : (
-      contains(["VSI", "IKS_SA", "ROKS_SA"], claim.cr_type) ? true : tobool("Value for `var.trusted_profile_claim_rules[${i}].cr_type` must be one of the following: `VSI`, `IKS_SA`, `ROKS_SA`.")
-    )
-  ]
-  # tflint-ignore: terraform_unused_declarations
-  validate_claim_expiration = var.trusted_profile_claim_rules == null ? [] : [
-    for i, claim in var.trusted_profile_claim_rules :
-    lookup(claim, "expiration", null) == null ? true : (
-      claim.type == "Profile-SAML" ? true : tobool("Value for `var.trusted_profile_claim_rules[${i}].expiration` should only be provided when `var.trusted_profile_claim_rules[${i}].type` is `Profile-SAML`.")
-    )
-  ]
-  # tflint-ignore: terraform_unused_declarations
-  validate_claim_realm_name = var.trusted_profile_claim_rules == null ? [] : [
-    for i, claim in var.trusted_profile_claim_rules :
-    lookup(claim, "realm_name", null) == null ? true : (
-      claim.type == "Profile-SAML" ? true : tobool("Value for `var.trusted_profile_claim_rules[${i}].realm_name` should only be provided when `var.trusted_profile_claim_rules[${i}].type` is `Profile-SAML`.")
-    )
-  ]
   claim_map = var.trusted_profile_claim_rules == null ? {} : {
     for i, obj in var.trusted_profile_claim_rules :
     "${var.trusted_profile_name}-${i}" => {
@@ -186,29 +131,6 @@ resource "ibm_iam_trusted_profile_claim_rule" "claim_rule" {
 }
 
 locals {
-  # tflint-ignore: terraform_unused_declarations
-  validate_link_cr_type = var.trusted_profile_links == null ? [] : [
-    for i, link in var.trusted_profile_links :
-    contains(["VSI", "IKS_SA", "ROKS_SA"], link.cr_type) ? true :
-    tobool("Value for `var.trusted_profile_links[${i}].cr_type must be one of the following: `VSI`, `IKS_SA`, `ROKS_SA`.")
-  ]
-  # tflint-ignore: terraform_unused_declarations
-  validate_link_namespace = var.trusted_profile_links == null ? [] : [
-    for i, link in var.trusted_profile_links : [
-      for j, obj in link.links : (
-        (lookup(obj, "namespace", null) == null && link.cr_type == "VSI") || link.cr_type == "ROKS_SA" || link.cr_type == "IKS_SA" ? true :
-        tobool("Value for `var.trusted_profile_links[${i}].link[${j}].namespace` should only be provided if `var.trusted_profile_links[${i}].cr_type` is `IKS_SA` or `ROKS_SA`.")
-      )
-    ]
-  ]
-  # tflint-ignore: terraform_unused_declarations
-  validate_link_name = var.trusted_profile_links == null ? [] : [
-    for i, link in var.trusted_profile_links : [
-      for j, obj in link.links :
-      (lookup(obj, "name", null) == null && link.cr_type == "VSI") || link.cr_type == "ROKS_SA" || link.cr_type == "IKS_SA" ? true :
-      tobool("Value for `var.trusted_profile_links[${i}].link[${j}].name` should only be provided if `var.trusted_profile_links[${i}].cr_type` is `IKS_SA` or `ROKS_SA`.")
-    ]
-  ]
   link_map = var.trusted_profile_links == null ? {} : merge([
     for i, obj in var.trusted_profile_links : {
       for j, link in obj.links :
diff --git a/tests/other_test.go b/tests/other_test.go
@@ -29,3 +29,21 @@ func TestRunBasicExample(t *testing.T) {
 	assert.Nil(t, err, "This should not have errored")
 	assert.NotNil(t, output, "Expected some output")
 }
+
+func TestRunTemplateExample(t *testing.T) {
+
+	options := setupTemplateOptions(t, "tp-template", templateExampleDir)
+	output, err := options.RunTestConsistency()
+	assert.Nil(t, err, "This should not have errored")
+	assert.NotNil(t, output, "Expected some output")
+}
+
+func TestRunTemplateUpgrade(t *testing.T) {
+
+	options := setupTemplateOptions(t, "tp-template-upg", templateExampleDir)
+	output, err := options.RunTestUpgrade()
+	if !options.UpgradeTestSkipped {
+		assert.Nil(t, err, "This should not have errored")
+		assert.NotNil(t, output, "Expected some output")
+	}
+}
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -57,21 +57,3 @@ func TestRunUpgradeExample(t *testing.T) {
 		assert.NotNil(t, output, "Expected some output")
 	}
 }
-
-func TestRunTemplateExample(t *testing.T) {
-
-	options := setupTemplateOptions(t, "tp-template", templateExampleDir)
-	output, err := options.RunTestConsistency()
-	assert.Nil(t, err, "This should not have errored")
-	assert.NotNil(t, output, "Expected some output")
-}
-
-func TestRunTemplateUpgrade(t *testing.T) {
-
-	options := setupTemplateOptions(t, "tp-template-upg", templateExampleDir)
-	output, err := options.RunTestUpgrade()
-	if !options.UpgradeTestSkipped {
-		assert.Nil(t, err, "This should not have errored")
-		assert.NotNil(t, output, "Expected some output")
-	}
-}
diff --git a/variables.tf b/variables.tf
@@ -82,6 +82,22 @@ variable "trusted_profile_policies" {
     pattern       = optional(string)
   }))
   description = "A list of Trusted Profile Policy objects that are applied to the Trusted Profile created by the module."
+
+
+  validation {
+    condition = alltrue([
+      for i, policy in var.trusted_profile_policies : (
+        length(compact([
+          (lookup(policy, "account_management", null) != null ? "account_management" : null),
+          (lookup(policy, "resources", null) != null ? "resources" : null),
+          (lookup(policy, "resource_attributes", null) != null ? "resource_attributes" : null)
+        ])) == 1
+      )
+    ])
+    error_message = "Each trusted_profile_policy must have exactly one of `account_management`, `resources`, or `resource_attributes` set and non-null. These are mutually exclusive."
+  }
+
+
 }
 
 variable "trusted_profile_claim_rules" {
@@ -104,7 +120,77 @@ variable "trusted_profile_claim_rules" {
 
   description = "A list of Trusted Profile Claim Rule objects that are applied to the Trusted Profile created by the module."
 
-  default = null
+  default = []
+
+  validation {
+    condition = var.trusted_profile_claim_rules == null ? true : (
+      length([
+        for i, claim in var.trusted_profile_claim_rules : (
+          contains(["Profile-SAML", "Profile-CR"], claim.type)
+        )
+      ]) == length(var.trusted_profile_claim_rules)
+    )
+    error_message = "Each value in `var.trusted_profile_claim_rules.type` must be either `Profile-SAML` or `Profile-CR`."
+  }
+
+  validation {
+    condition = (
+      alltrue(flatten([
+        for claim in var.trusted_profile_claim_rules : [
+          for condition in claim.conditions :
+          contains(["EQUALS", "NOT_EQUALS", "EQUALS_IGNORE_CASE", "NOT_EQUALS_IGNORE_CASE", "CONTAINS", "IN"], condition.operator)
+        ]
+      ]))
+    )
+    error_message = "Each item in `var.trusted_profile_claim_rules.conditions.operator` must be one of the following: `EQUALS`, `NOT_EQUALS`, `EQUALS_IGNORE_CASE`, `NOT_EQUALS_IGNORE_CASE`, `CONTAINS`, `IN`."
+  }
+
+  validation {
+    condition = (
+      var.trusted_profile_claim_rules == null ? true :
+      alltrue([
+        for i, claim in var.trusted_profile_claim_rules :
+        !(try(claim.cr_type != null && claim.type != "Profile-CR", false))
+      ])
+    )
+    error_message = "Field `cr_type` should only be set when `type` is `Profile-CR`."
+  }
+
+  validation {
+    condition = (
+      var.trusted_profile_claim_rules == null ? true :
+      alltrue([
+        for claim in var.trusted_profile_claim_rules :
+        claim.cr_type == null || try(contains(["VSI", "IKS_SA", "ROKS_SA"], claim.cr_type), false)
+      ])
+    )
+    error_message = "If `cr_type` is provided, it must be one of: `VSI`, `IKS_SA`, `ROKS_SA`."
+  }
+
+  validation {
+    condition = (
+      var.trusted_profile_claim_rules == null ? true :
+      alltrue([
+        for claim in var.trusted_profile_claim_rules :
+        (
+          claim.expiration == null || claim.type == "Profile-SAML"
+        )
+      ])
+    )
+    error_message = "If `expiration` is provided, then `type` must be `Profile-SAML`."
+  }
+
+
+  validation {
+    condition = (
+      var.trusted_profile_claim_rules == null ? true :
+      alltrue([
+        for claim in var.trusted_profile_claim_rules :
+        claim.realm_name == null || claim.type == "Profile-SAML"
+      ])
+    )
+    error_message = "If `realm_name` is provided, then `type` must be `Profile-SAML`."
+  }
 }
 
 variable "trusted_profile_links" {
@@ -123,5 +209,45 @@ variable "trusted_profile_links" {
 
   description = "A list of Trusted Profile Link objects that are applied to the Trusted Profile created by the module."
 
-  default = null
+  default = []
+
+  validation {
+    condition = (
+      var.trusted_profile_links == null || alltrue([
+        for link in var.trusted_profile_links :
+        contains(["VSI", "IKS_SA", "ROKS_SA"], link.cr_type)
+      ])
+    )
+    error_message = "Each `cr_type` in `trusted_profile_links` must be one of the following: `VSI`, `IKS_SA`, `ROKS_SA`."
+  }
+
+  validation {
+    condition = (
+      var.trusted_profile_links == null || alltrue(flatten([
+        for link in var.trusted_profile_links : [
+          for obj in link.links :
+          (
+            (lookup(obj, "namespace", null) == null && link.cr_type == "VSI") ||
+            (link.cr_type == "ROKS_SA" || link.cr_type == "IKS_SA")
+          )
+        ]
+      ]))
+    )
+    error_message = "A `namespace` in `links` should only be provided if `cr_type` is `IKS_SA` or `ROKS_SA`."
+  }
+
+
+  validation {
+    condition = (
+      var.trusted_profile_links == null || alltrue(flatten([
+        for i, link in var.trusted_profile_links : [
+          for j, obj in link.links :
+          (lookup(obj, "name", null) == null && link.cr_type == "VSI") || link.cr_type == "ROKS_SA" || link.cr_type == "IKS_SA"
+        ]
+      ]))
+    )
+    error_message = "A `name` in `links` should only be provided if `cr_type` is `IKS_SA` or `ROKS_SA`."
+  }
+
+
 }
diff --git a/version.tf b/version.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.9.0"
   # If your module requires any terraform providers, uncomment the "required_providers" section below and add all required providers.
   # Each required provider's version should be a flexible range to future proof the module's usage with upcoming minor and patch versions.
 
