Open jabielecki opened 6 days ago
Remove Validator because it is too much code for too little value.
We want the detection to happen as early as possible. The pipeline stages are:

1. `terraform validate` detects with Validator.
2. `terraform plan` detects with Validator.
3. `terraform apply` detects with Create/Update as well as Validator.

Our primary module terraform-fmc-nac-fmc will not be able to feed the Validator in stage Validate or stage Plan with known values, which can be actually validated. The Validator will be mostly a no-op. This is because that module has a for_each clause like this:
```hcl
resource "fmc_access_control_policy" "accesspolicy" {
  for_each = { for p in local.policies : p.name => p }
  ...
  rules = each.value.rules # unknown value in stages: Validate, Plan; known value in Apply
}
```
Since we cannot make `terraform validate` detect as early as possible in a pipeline, we fall back to `terraform apply` detecting a few stages later. This means we no longer need Validator and we no longer need to handle unknown values delicately (values that we care to validate are no longer unknown during `terraform apply`).
We typically "expand" nested lists in the module, to explicitly define each individual attribute, which should also work around the error of unknown values.
For example: https://github.com/netascode/terraform-ise-nac-ise/blob/f681a5f8a5d9751984c5529b72354da5676607ec/ise_device_admin.tf#L29
Testing the behavior of #40 commit-id bfdf257c63f8 together with our module.
This is my YAML, where `each.value.rules` will be the `rules` key:
log.txt
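As an added illustration of the "expand nested lists" workaround mentioned in the post above (this is example configuration written for this page, not code from terraform-fmc-nac-fmc or from the FMC provider): the constructed `policies` data, the `name` attribute on the policy resource and the `name`/`action` attributes inside each rule are assumptions for illustration, not the provider's schema.

```hcl
locals {
  # Constructed sample input standing in for the YAML-derived local.policies
  # used by the module (assumption: each policy carries a name and a rules list).
  policies = [
    {
      name = "policy-a"
      rules = [
        { name = "allow-web", action = "ALLOW" },
        { name = "deny-rest", action = "BLOCK" },
      ]
    },
    {
      name  = "policy-b"
      rules = []
    },
  ]
}

# Form 1: pass the nested list through as a single value. The provider receives
# each.value.rules as one attribute, so if that value is not yet known before
# apply, the whole attribute is unknown and nothing inside it can be validated.
resource "fmc_access_control_policy" "accesspolicy" {
  for_each = { for p in local.policies : p.name => p }
  name     = each.value.name # attribute name assumed for illustration
  rules    = each.value.rules
}

# Form 2: "expand" the nested list, naming every attribute explicitly.
# When the list itself is known, the element count and the attribute keys are
# fixed by this expression and try() fills in defaults, so only individual leaf
# values can still be unknown. (Rule attribute names are assumptions.)
resource "fmc_access_control_policy" "accesspolicy_expanded" {
  for_each = { for p in local.policies : p.name => p }
  name     = each.value.name
  rules = [
    for r in each.value.rules : {
      name   = r.name
      action = try(r.action, "ALLOW")
    }
  ]
}
```

The two resource blocks are shown side by side only to contrast the two forms; a real module keeps one of them, since both iterate the same keys and would otherwise try to create each policy twice. If the list itself comes from a value that is unknown until apply, the expanded form is unknown as a whole too, which is the case the post describes falling back to `terraform apply` for.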