feat: add cross-region-resiliency service plan support (#662) <br> - …

…Add support for the cross-region-resiliency service plan, for more information regarding this plan see: https://cloud.ibm.com/docs/key-protect?topic=key-protect-pricing-plan

* feat: add cross-region-resiliency service plan

* refactor: apply -> plan in other_test.go

* refactor: PR feedback

* refactor: format output of plan validation tests

* refactor: switch to using testhelper to use its features

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-02-12T01:01:08Z",
+  "generated_at": "2025-01-17T23:34:38Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

README.md

@@ -62,7 +62,7 @@ To attach access management tags to resources in this module, you need the follo
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.70.0, < 2.0.0 |
 
 ### Modules
@@ -91,7 +91,7 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_key_create_import_access_settings"></a> [key\_create\_import\_access\_settings](#input\_key\_create\_import\_access\_settings) | Key create import access policy settings to configure if var.enable\_key\_create\_import\_access\_policy is true. For more info see https://cloud.ibm.com/docs/key-protect?topic=key-protect-manage-keyCreateImportAccess | <pre>object({<br/>    create_root_key     = optional(bool, true)<br/>    create_standard_key = optional(bool, true)<br/>    import_root_key     = optional(bool, true)<br/>    import_standard_key = optional(bool, true)<br/>    enforce_token       = optional(bool, false)<br/>  })</pre> | `{}` | no |
 | <a name="input_key_protect_name"></a> [key\_protect\_name](#input\_key\_protect\_name) | The name to give the Key Protect instance that will be provisioned | `string` | n/a | yes |
 | <a name="input_metrics_enabled"></a> [metrics\_enabled](#input\_metrics\_enabled) | If set to true, Key Protect enables metrics on the Key Protect instance. In order to view metrics, you will need a Monitoring (Sysdig) instance that is located in the same region as the Key Protect instance. Once you provision the Monitoring instance, you will need to enable platform metrics. | `bool` | `true` | no |
-| <a name="input_plan"></a> [plan](#input\_plan) | Plan for the Key Protect instance. Currently only 'tiered-pricing' is supported | `string` | `"tiered-pricing"` | no |
+| <a name="input_plan"></a> [plan](#input\_plan) | Plan for the Key Protect instance. Valid plans are 'tiered-pricing' and 'cross-region-resiliency', for more information on these plans see [Key Protect pricing plan](https://cloud.ibm.com/docs/key-protect?topic=key-protect-pricing-plan). | `string` | `"tiered-pricing"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region where the Key Protect instance will be provisioned | `string` | n/a | yes |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | Resource Group ID where the Key Protect instance will be provisioned | `string` | n/a | yes |
 | <a name="input_rotation_enabled"></a> [rotation\_enabled](#input\_rotation\_enabled) | If set to true, Key Protect enables a rotation policy on the Key Protect instance. | `bool` | `true` | no |

examples/basic/main.tf

@@ -18,6 +18,7 @@ module "key_protect_module" {
   source            = "../.."
   key_protect_name  = "${var.prefix}-kp"
   resource_group_id = module.resource_group.resource_group_id
+  plan              = var.plan
   region            = var.region
   tags              = var.resource_tags
   access_tags       = var.access_tags

examples/basic/variables.tf

@@ -14,6 +14,12 @@ variable "prefix" {
   description = "Prefix to append to all resources created by this example"
 }
 
+variable "plan" {
+  type        = string
+  description = "Service plan of the Key Protect instance"
+  default     = "tiered-pricing"
+}
+
 variable "resource_group" {
   type        = string
   description = "An existing resource group name to use for this example. If unset a new resource group will be created"

tests/pr_test.go

@@ -2,10 +2,13 @@
 package test
 
 import (
+	"fmt"
 	"log"
 	"os"
 	"testing"
 
+	"github.com/gruntwork-io/terratest/modules/logger"
+	"github.com/gruntwork-io/terratest/modules/terraform"
 	"github.com/stretchr/testify/assert"
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common"
 	"github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper"
@@ -94,3 +97,48 @@ func TestRunUpgrade(t *testing.T) {
 		assert.NotNil(t, output, "Expected some output")
 	}
 }
+
+func TestPlanValidation(t *testing.T) {
+	// Regions that support Cross Region Resiliency plan
+	validCrossRegionPlanLocations := []string{"us-south", "eu-de", "jp-tok"}
+	// Regions that don't support Cross Region Resiliency plan
+	invalidCrossRegionPlanLocations := []string{"au-syd", "jp-osa", "eu-es", "eu-gb", "ca-tor", "us-east", "br-sao"}
+
+	options := testhelper.TestOptionsDefault(&testhelper.TestOptions{
+		Testing:       t,
+		TerraformDir:  terraformDir,
+		Prefix:        "validate-plan",
+		ResourceGroup: resourceGroup,
+		Region:        "us-south", // skip VPC region picker
+	})
+	options.TestSetup()
+	options.TerraformOptions.NoColor = true
+	options.TerraformOptions.Logger = logger.Discard
+	options.TerraformOptions.Vars = map[string]interface{}{
+		"prefix":         options.Prefix,
+		"plan":           "cross-region-resiliency",
+		"resource_group": options.ResourceGroup,
+	}
+
+	_, initErr := terraform.InitE(t, options.TerraformOptions)
+	if assert.Nil(t, initErr, "This should not have errored") {
+		for _, validRegion := range validCrossRegionPlanLocations {
+			options.TerraformOptions.Vars["region"] = validRegion
+			t.Run(validRegion, func(t *testing.T) {
+				output, err := terraform.PlanE(t, options.TerraformOptions)
+				assert.Nil(t, err, fmt.Sprintf("This should not have errored\nRegion: %s\n", validRegion))
+				assert.NotNil(t, output, "Expected some output")
+			})
+		}
+
+		for _, invalidRegion := range invalidCrossRegionPlanLocations {
+			options.TerraformOptions.Vars["region"] = invalidRegion
+			t.Run(invalidRegion, func(t *testing.T) {
+				fmt.Print("\n#################### THIS IS EXPECTED TO ERROR ####################\n\n")
+				_, err := terraform.PlanE(t, options.TerraformOptions)
+				fmt.Print("\n#################### END EXPECTED ERROR ####################\n\n")
+				assert.NotNil(t, err, fmt.Sprintf("This should have errored\nRegion: %s", invalidRegion))
+			})
+		}
+	}
+}

variables.tf

@@ -36,12 +36,17 @@ variable "allowed_network" {
 
 variable "plan" {
   type        = string
-  description = "Plan for the Key Protect instance. Currently only 'tiered-pricing' is supported"
+  description = "Plan for the Key Protect instance. Valid plans are 'tiered-pricing' and 'cross-region-resiliency', for more information on these plans see [Key Protect pricing plan](https://cloud.ibm.com/docs/key-protect?topic=key-protect-pricing-plan)."
   default     = "tiered-pricing"
 
   validation {
-    condition     = can(regex("^tiered-pricing$", var.plan))
-    error_message = "Currently the only supported value for plan is 'tiered-pricing'."
+    condition     = contains(["tiered-pricing", "cross-region-resiliency"], var.plan)
+    error_message = "`plan` must be one of: 'tiered-pricing', 'cross-region-resiliency'."
+  }
+
+  validation {
+    condition     = var.plan == "tiered-pricing" ? true : (var.plan == "cross-region-resiliency" && contains(["us-south", "eu-de", "jp-tok"], var.region))
+    error_message = "'cross-region-resiliency' is only available for the following regions: 'us-south', 'eu-de', 'jp-tok'."
   }
 }
 

version.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.0.0"
+  required_version = ">= 1.9.0"
   required_providers {
     # Use "greater than or equal to" range in modules
     ibm = {