fix: added variable validation to var.rotation_interval_month (#103)

Author: ocofaigh

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2022-10-25T23:10:16Z",
+  "generated_at": "2022-12-22T12:29:53Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -76,7 +76,18 @@
       "name": "TwilioKeyDetector"
     }
   ],
-  "results": {},
+  "results": {
+    "README.md": [
+      {
+        "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 16,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ]
+  },
   "version": "0.13.1+ibm.55.dss",
   "word_list": {
     "file": null,

README.md

@@ -1,35 +1,39 @@
-<!-- BEGIN MODULE HOOK -->
-
-<!-- Update the title to match the module name and add a description -->
 # Key Protect key module
-<!-- UPDATE BADGE: Update the link for the following badge-->
+
 [![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green?style=plastic)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
 [![Build status](https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-key/actions/workflows/ci.yml/badge.svg)](https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-key/actions/workflows/ci.yml)
 [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 [![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-key-protect-key?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-key/releases/latest)
+[![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
 
-This module creates a key in an existing key ring and Key Protect instance. You can specify rotation and deletion policies.
+This module supports creating a standard or root key in an existing key ring and Key Protect instance. You can specify rotation and deletion policies.
 
 ## Usage
 
 ```hcl
-##############################################################################
-# Key Protect Key
-##############################################################################
+provider "ibm" {
+  ibmcloud_api_key = "XXXXXXXXXX"
+  # Must be the same region the Key Protect instance is in
+  region           = "us-south"
+}
 
-# Replace "main" with a GIT release version to lock into a specific release
-module "key_protect_key" {
+# Key Protect root key
+module "key_protect_root_key" {
+  # Replace "main" with a GIT release version to lock into a specific release
   source                   = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-key.git?ref=main"
-  kms_instance_id          = var.kms_instance_id
-  key_name                 = var.key_name
-  kms_key_ring_id          = var.kms_key_ring_id
-  standard_key             = var.standard_key
-  endpoint_type            = var.endpoint_type
-  rotation_interval_month  = var.rotation_interval_month
-  dual_auth_delete_enabled = var.dual_auth_delete_enabled
+  key_protect_instance_id = ibm_resource_instance.key_protect_instance.guid
+  key_name                = "my-root-key"
 }
 
+# Key Protect standard key
+module "key_protect_standard_key" {
+  # Replace "main" with a GIT release version to lock into a specific release
+  source                   = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-key.git?ref=main"
+  key_protect_instance_id = ibm_resource_instance.key_protect_instance.guid
+  key_name                = "my-standard-key"
+  standard_key            = true
+}
 ```
 
 ## Required IAM access policies
@@ -43,9 +47,6 @@ You need the following permissions to run this module.
         - `Viewer` platform access
         - `Manager` service access
 
-For more information about the access you need to run all the GoldenEye modules, see [GoldenEye IAM permissions](https://github.ibm.com/GoldenEye/documentation/blob/master/goldeneye-iam-permissions.md).
-
-<!-- END MODULE HOOK -->
 <!-- BEGIN EXAMPLES HOOK -->
 ## Examples
 
@@ -75,13 +76,13 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_dual_auth_delete_enabled"></a> [dual\_auth\_delete\_enabled](#input\_dual\_auth\_delete\_enabled) | Set as true to enable Dual Auth Delete | `bool` | `false` | no |
+| <a name="input_dual_auth_delete_enabled"></a> [dual\_auth\_delete\_enabled](#input\_dual\_auth\_delete\_enabled) | If set to true, Key Protect enables a dual authorization policy on a single key. Note: Once the dual authorization policy is set on the key, it cannot be reverted. A key with dual authorization policy enabled cannot be destroyed by using Terraform. | `bool` | `false` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | Endpoint to use when creating the Key | `string` | `"public"` | no |
 | <a name="input_force_delete"></a> [force\_delete](#input\_force\_delete) | Set as true to enable forcing deletion even if key is in use | `bool` | `false` | no |
 | <a name="input_key_name"></a> [key\_name](#input\_key\_name) | Name to give the key | `string` | n/a | yes |
-| <a name="input_key_protect_instance_id"></a> [key\_protect\_instance\_id](#input\_key\_protect\_instance\_id) | ID of Key Protect Instance | `string` | n/a | yes |
-| <a name="input_key_protect_key_ring_id"></a> [key\_protect\_key\_ring\_id](#input\_key\_protect\_key\_ring\_id) | ID of Key Ring where key is assigned | `string` | `"default"` | no |
-| <a name="input_rotation_interval_month"></a> [rotation\_interval\_month](#input\_rotation\_interval\_month) | Interval in months to rotate the Key | `number` | `1` | no |
+| <a name="input_key_protect_instance_id"></a> [key\_protect\_instance\_id](#input\_key\_protect\_instance\_id) | ID or GUID of Key Protect Instance | `string` | n/a | yes |
+| <a name="input_key_protect_key_ring_id"></a> [key\_protect\_key\_ring\_id](#input\_key\_protect\_key\_ring\_id) | The ID of the key ring where you want to add your Key Protect key | `string` | `"default"` | no |
+| <a name="input_rotation_interval_month"></a> [rotation\_interval\_month](#input\_rotation\_interval\_month) | The key rotation time interval in months. Rotation policy cannot be set for standard key, so value is ignored if var.standard\_key is true | `number` | `1` | no |
 | <a name="input_standard_key"></a> [standard\_key](#input\_standard\_key) | Set as true for Standard Key, false for Root Key | `bool` | `false` | no |
 
 ## Outputs

catalogValidationValues.json.template

@@ -1,10 +1,8 @@
 # End to end example with default values
 
 An end-to-end example that uses the module's default variable values.
-This example uses the IBM Cloud terraform provider to:
- - Create a new resource group if one is not passed in.
- - Create a new Key Protect instance in the Resource Group.
+This example will:
+ - Create a new resource group (if existing one is not passed in).
+ - Create a new Key Protect instance in the region and resource group provided.
  - Create a new Root Key in the Key Protect instance.
  - Create a new Standard Key in the Key Protect instance.
-
-<!-- Add your example and link to it from the module's main readme file. -->

examples/default/README.md

@@ -10,26 +10,35 @@ module "resource_group" {
 }
 
 ##############################################################################
-# Key Protect module
+# Key Protect instance
 ##############################################################################
 
-module "key_protect_module" {
-  source            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect.git?ref=v1.2.0"
-  key_protect_name  = "${var.prefix}-key-protect"
+resource "ibm_resource_instance" "key_protect_instance" {
+  name              = "${var.prefix}-key-protect"
   resource_group_id = module.resource_group.resource_group_id
-  region            = var.region
+  service           = "kms"
+  plan              = "tiered-pricing"
+  location          = var.region
   tags              = var.resource_tags
 }
 
+##############################################################################
+# Key Protect root key
+##############################################################################
+
 module "key_protect_root_key" {
   source                  = "../.."
-  key_protect_instance_id = module.key_protect_module.key_protect_guid
+  key_protect_instance_id = ibm_resource_instance.key_protect_instance.guid
   key_name                = "${var.prefix}-root-key"
 }
 
+##############################################################################
+# Key Protect standard key
+##############################################################################
+
 module "key_protect_standard_key" {
   source                  = "../.."
-  key_protect_instance_id = module.key_protect_module.key_protect_guid
+  key_protect_instance_id = ibm_resource_instance.key_protect_instance.guid
   key_name                = "${var.prefix}-standard-key"
   standard_key            = true
 }

examples/default/main.tf

@@ -4,7 +4,12 @@
 
 output "instance_id" {
   description = "Key Protect Instance ID"
-  value       = module.key_protect_module.key_protect_guid
+  value       = ibm_resource_instance.key_protect_instance.id
+}
+
+output "instance_guid" {
+  description = "Key Protect Instance GUID"
+  value       = ibm_resource_instance.key_protect_instance.guid
 }
 
 output "root_key_id" {

examples/default/outputs.tf

@@ -2,18 +2,3 @@ provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
 }
-
-data "ibm_iam_auth_token" "token_data" {
-}
-
-provider "restapi" {
-  uri                   = "https:"
-  write_returns_object  = false
-  create_returns_object = false
-  debug                 = false # set to true to show detailed logs, but use carefully as it might print sensitive values.
-  headers = {
-    Authorization    = data.ibm_iam_auth_token.token_data.iam_access_token
-    Bluemix-Instance = module.key_protect_module.key_protect_guid
-    Content-Type     = "application/vnd.ibm.kms.policy+json"
-  }
-}

examples/default/provider.tf

@@ -6,9 +6,5 @@ terraform {
       source  = "IBM-Cloud/ibm"
       version = "1.48.0"
     }
-    restapi = {
-      source  = "Mastercard/restapi"
-      version = "1.18.0"
-    }
   }
 }

examples/default/version.tf

@@ -4,11 +4,11 @@
     "dual_auth_delete_enabled": {
       "name": "dual_auth_delete_enabled",
       "type": "bool",
-      "description": "Set as true to enable Dual Auth Delete",
+      "description": "If set to true, Key Protect enables a dual authorization policy on a single key. Note: Once the dual authorization policy is set on the key, it cannot be reverted. A key with dual authorization policy enabled cannot be destroyed by using Terraform.",
       "default": false,
       "pos": {
         "filename": "variables.tf",
-        "line": 44
+        "line": 48
       }
     },
     "endpoint_type": {
@@ -38,7 +38,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 50
+        "line": 54
       }
     },
     "key_name": {
@@ -58,7 +58,7 @@
     "key_protect_instance_id": {
       "name": "key_protect_instance_id",
       "type": "string",
-      "description": "ID of Key Protect Instance",
+      "description": "ID or GUID of Key Protect Instance",
       "required": true,
       "source": [
         "ibm_kms_key.key.instance_id",
@@ -78,7 +78,7 @@
     "key_protect_key_ring_id": {
       "name": "key_protect_key_ring_id",
       "type": "string",
-      "description": "ID of Key Ring where key is assigned",
+      "description": "The ID of the key ring where you want to add your Key Protect key",
       "default": "default",
       "source": [
         "ibm_kms_key.key.key_ring_id"
@@ -92,7 +92,7 @@
     "rotation_interval_month": {
       "name": "rotation_interval_month",
       "type": "number",
-      "description": "Interval in months to rotate the Key",
+      "description": "The key rotation time interval in months. Rotation policy cannot be set for standard key, so value is ignored if var.standard_key is true",
       "default": 1,
       "pos": {
         "filename": "variables.tf",

module-metadata.json

@@ -8,34 +8,34 @@ import (
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
 )
 
+// Use existing resource group for tests
 const resourceGroup = "geretain-test-key-protect-key"
-const defaultExampleTerraformDir = "examples/default"
-
-func TestRunDefaultExample(t *testing.T) {
-	t.Parallel()
+const terraformDir = "examples/default"
 
+func setupOptions(t *testing.T, prefix string) *testhelper.TestOptions {
 	options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
 		Testing:       t,
-		TerraformDir:  defaultExampleTerraformDir,
-		Prefix:        "kp-key",
+		TerraformDir:  terraformDir,
+		Prefix:        prefix,
 		ResourceGroup: resourceGroup,
 	})
 
+	return options
+}
+
+func TestRunDefaultExample(t *testing.T) {
+	t.Parallel()
+
+	options := setupOptions(t, "kp-key")
 	output, err := options.RunTestConsistency()
 	assert.Nil(t, err, "This should not have errored")
 	assert.NotNil(t, output, "Expected some output")
 }
 
-func TestRunUpgradeExample(t *testing.T) {
+func TestRunUpgrade(t *testing.T) {
 	t.Parallel()
 
-	options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
-		Testing:       t,
-		TerraformDir:  defaultExampleTerraformDir,
-		Prefix:        "kp-key-upg",
-		ResourceGroup: resourceGroup,
-	})
-
+	options := setupOptions(t, "kp-key-upg")
 	output, err := options.RunTestUpgrade()
 	if !options.UpgradeTestSkipped {
 		assert.Nil(t, err, "This should not have errored")