fix: handles null COS instance CRN in locals to prevent parsing errors

[aatreyee257]

Description

Refactor to use the crn-parser module for existing_cos_instance_crn and handling the case when it is set to null.

Release required?

• No release
• Patch release (x.x.X)
• Minor release (x.X.x)
• Major release (X.x.x)

Release notes content

Refactor to use the crn-parser module for existing_cos_instance_crn and handling the case when it is set to null.

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

• If relevant, a test for the change is included or updated with this PR.
• If relevant, documentation for the change is included or updated with this PR.

For mergers

• Use a conventional commit message to set the release level. Follow the guidelines.
• Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
• Use the Squash and merge option.

[aatreyee257]

/run pipeline

[aatreyee257]

/run pipeline

[aatreyee257]

/run pipeline

[iamar7]

LGTM

[aatreyee257]

/run pipeline

[ocofaigh]

trying to track where this is used to ensure this doesn't cause an issue if it gets set to null. What I found is this:

• local.cos_instance_guid is only used by the ibm_iam_authorization_policy.policy resource in the DA
• The count around the ibm_iam_authorization_policy.policy resource is using local.create_cross_account_auth_policy to determine if the auth policy should be created or not
• local.create_cross_account_auth_policy is only getting set to true if !var.skip_cos_kms_auth_policy && var.ibmcloud_kms_api_key != null. This is NOT correct for the COS auth policy. The COS auth policy needs to use ibmcloud_cos_api_key in its logic to determine if the cross account COS policy should be created, NOT ibmcloud_kms_api_key.

I suggest to create two different locals: local.create_kms_cross_account_auth_policy and local.create_cos_cross_account_auth_policy

[ocofaigh]

See https://github.com/terraform-ibm-modules/terraform-ibm-activity-tracker/pull/143/files#r2571769001

[ocofaigh]

I just did a test with the following inputs:

TF_VAR_ibmcloud_api_key=XXX
TF_VAR_prefix=dd
TF_VAR_ibmcloud_kms_api_key=XXX
TF_VAR_provider_visibility=public
TF_VAR_enable_activity_tracker_event_routing_to_cos_bucket=false
TF_VAR_enable_activity_tracker_event_routing_to_cloud_logs=true
TF_VAR_existing_cloud_logs_instance_crn=crn:v1:bluemix:public:logs:us-east:a/abac0df06b644a9cabc6e44f55b3880e:6e931667-0f47-4c59-be2e-fa9b9f13f1a4::

And I got this error:

│ Error: Invalid template interpolation value
│ 
│   on main.tf line 213, in resource "ibm_iam_authorization_policy" "policy":
│  213:   description                 = "Allow the COS instance ${local.cos_instance_guid} to read the ${local.kms_service} key ${local.cos_kms_key_id} from the instance ${local.existing_kms_guid}"
│     ├────────────────
│     │ local.cos_instance_guid is null
│ 
│ The expression result is null. Cannot include a null value in a string template.

The count around the ibm_iam_authorization_policy.policy resource is not smart enough to take into consideration the use case where user is not passing a COS instance CRN