terraform-plugin-sdk

schema: Computed Value Hints for Downstream Validation

Open radeksimko opened this issue 9 years ago • 1 comments

Consider the following example:

resource "aws_cloudtrail" "foobar" {
    name = "tf-trail-foobar"
    s3_bucket_name = "${aws_s3_bucket.foo.arn}" # ARN instead of name
    s3_key_prefix = "/prefix"
    include_global_service_events = false
}

resource "aws_s3_bucket" "foo" {
    bucket = "tf-yada-test-trail"
    force_destroy = true
    policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::tf-yada-test-trail"
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::tf-yada-test-trail/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
POLICY
}

Even though it is obvious that an ARN cannot be used in a parameter where we expect a raw name, Terraform isn't able to check this, because the ARN is computed (put aside the fact we don't have ValidateFunc on s3_bucket_name for the moment). Instead, an API error is returned at a point when the S3 bucket has already been created.

Error applying plan:

1 error(s) occurred:

* aws_cloudtrail.foobar: InvalidS3BucketNameException: Bucket name should not contain ':': arn:aws:s3:::tf-yada-test-trail

Maybe this could be done by introducing something like example_value for each Computed field and output against which we could then validate?

radeksimko, Feb 07 '16 17:02
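A sketch of the example_value idea proposed in the post above, as an added example that is not part of the original issue or the SDK's own code. `Attr`, `ExampleValue` and `CheckReference` are hypothetical names, the sample values are constructed, and `validateBucketName` covers only the ':' failure shown in the error output.

```go
package main

import (
	"fmt"
	"strings"
)

// ValidateFunc has the same shape as the SDK's schema.SchemaValidateFunc.
type ValidateFunc func(v interface{}, k string) ([]string, []error)

// Attr is a hypothetical, simplified stand-in for a schema attribute.
// ExampleValue is the hint proposed in the issue; the SDK has no such field.
type Attr struct {
	Computed     bool
	ExampleValue string
	Validate     ValidateFunc
}

// validateBucketName rejects values containing ':' (constructed check, not AWS's full rules).
func validateBucketName(v interface{}, k string) (ws []string, errs []error) {
	s, ok := v.(string)
	if !ok {
		return nil, []error{fmt.Errorf("%q: expected a string", k)}
	}
	if strings.Contains(s, ":") {
		errs = append(errs, fmt.Errorf("%q: bucket name should not contain ':' (got %q)", k, s))
	}
	return ws, errs
}

// CheckReference runs the downstream attribute's validator against the upstream
// attribute's example value, so a mismatch surfaces before anything is created.
func CheckReference(dstKey string, dst, src Attr) []error {
	if dst.Validate == nil || !src.Computed || src.ExampleValue == "" {
		return nil // nothing to validate against, or no hint was declared
	}
	_, errs := dst.Validate(src.ExampleValue, dstKey)
	return errs
}

func main() {
	dst := Attr{Validate: validateBucketName}
	arn := Attr{Computed: true, ExampleValue: "arn:aws:s3:::example-bucket"} // constructed hint
	id := Attr{Computed: true, ExampleValue: "example-bucket"}               // constructed hint
	fmt.Println("referencing arn:", CheckReference("s3_bucket_name", dst, arn))
	fmt.Println("referencing id: ", CheckReference("s3_bucket_name", dst, id))
}
```

The hint only describes the shape of the eventual value, so a check like this catches type-of-value mistakes such as ARN versus name, not problems with the real value that appears at apply time.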

:+1: ran into this one today.

We have a module that generates standard names for all of our AWS resources and this can generate names with uppercase letters. AWS doesn't mind if there are uppercase letters but Terraform does, and this creates "Unable to find" errors.

Look at this apply:

Remote state configured and pulled.
aws_db_parameter_group.default: Creating...
  arn:         "" => "<computed>"
  description: "" => "parameter group for generate-name database"
  family:      "" => "oracle-ee-11.2"
  name:        "" => "TEST-ENV-twb-oracle"
Error applying plan:

1 error(s) occurred:

* aws_db_parameter_group.default: Unable to find Parameter Group: []*rds.DBParameterGroup{{
  DBParameterGroupFamily: "oracle-ee-11.2",
  DBParameterGroupName: "test-env-twb-oracle",
  Description: "parameter group for generate-name database"
}}

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

bigkraig, Mar 03 '16 04:03