40 changes: 28 additions & 12 deletions deploy/test-environments/manage_infrastructure.sh
Expand Up @@ -4,9 +4,10 @@
run_terraform() {
local dir=$1
local operation=$2
local terraform_rc

echo "Running Terraform $operation in $dir..."
cd "$dir" || exit
cd "$dir" || exit 1

case $operation in
"apply")
Expand All @@ -20,6 +21,10 @@ run_terraform() {
echo "Removing aws_auth resource from state in cis..."
terraform state rm "$(terraform state list | grep "kubernetes_config_map_v1_data.aws_auth")"
fi
# Destroy still evaluates module variable validation; CDR apply sets TF_VAR_* in CI, generic destroy does not.
Can you please explain why this is needed?


The CDR stack passes var.windows_elastic_defend_winrm_ingress_cidr into modules/aws/ec2-windows, which rejects an empty string (and 0.0.0.0/0)
The destroy path did not set that env var, so the variable stayed at its default of "".
As a result, destroy then failed variable validation (winrm_ingress_cidr must be set…) even though the intent was only to tear resources down.

╷
│ Error: Invalid value for variable
│ 
│   on main.tf line 103, in module "aws_ec2_elastic_defend_windows":
│  103:   winrm_ingress_cidr    = var.windows_elastic_defend_winrm_ingress_cidr
│     ├────────────────
│     │ var.winrm_ingress_cidr is ""
│ 
│ winrm_ingress_cidr must be set to a restrictive CIDR and must not be
│ 0.0.0.0/0, as this would expose WinRM to the public internet.
│ 
│ This was checked by the validation rule at
│ ../modules/aws/ec2-windows/variables.tf:35,3-13.
╵

if [ "$dir" == "cdr" ] && [ -z "${TF_VAR_windows_elastic_defend_winrm_ingress_cidr:-}" ]; then
export TF_VAR_windows_elastic_defend_winrm_ingress_cidr="127.0.0.1/32"
fi
terraform destroy -auto-approve && rm terraform.tfstate
;;
"output")
Expand All @@ -29,12 +34,14 @@ run_terraform() {
../upload_state.sh "$dir"
;;
*)
echo "Invalid operation. Use 'apply', 'destroy', 'output', or 'upload-state'."
cd - >/dev/null || exit 1
echo "Invalid operation. Use 'apply', 'destroy', 'output', or 'upload-state'." >&2
false
;;
esac

cd - >/dev/null || exit
terraform_rc=$?
cd - >/dev/null || exit 1
return "$terraform_rc"
}

# Check for valid input
Expand All @@ -49,24 +56,33 @@ action=$2
case $1 in
elk-stack)
run_terraform "elk-stack" "$action"
overall_rc=$?
;;
cis)
run_terraform "elk-stack" "$action"
run_terraform "cis" "$action"
overall_rc=0
run_terraform "elk-stack" "$action" || overall_rc=1
run_terraform "cis" "$action" || overall_rc=1
;;
cdr)
run_terraform "elk-stack" "$action"
run_terraform "cdr" "$action"
overall_rc=0
run_terraform "elk-stack" "$action" || overall_rc=1
run_terraform "cdr" "$action" || overall_rc=1
;;
all)
run_terraform "elk-stack" "$action"
run_terraform "cdr" "$action"
run_terraform "cis" "$action"
overall_rc=0
run_terraform "elk-stack" "$action" || overall_rc=1
run_terraform "cdr" "$action" || overall_rc=1
run_terraform "cis" "$action" || overall_rc=1
;;
*)
echo "Usage: $0 {elk-stack|cis|cdr|all} {apply|destroy|output|upload-state}"
exit 1
;;
esac

echo "Terraform $action operation completed."
if [ "$overall_rc" -eq 0 ]; then
echo "Terraform $action operation completed."
else
echo "Terraform $action completed with errors (one or more stacks failed)." >&2
fi
exit "$overall_rc"
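Review bot: The new `overall_rc=0` / `run_terraform … || overall_rc=1` pattern in the `cis`, `cdr` and `all` arms means a failed `elk-stack` no longer stops the run, so for `apply` the dependent stacks are still attempted after the base stack failed and the failure only surfaces in the final message; if cdr/cis consume elk-stack outputs (not visible here) that leaves a partially deployed environment. Continuing is the right behaviour for `destroy`, so I would short-circuit only on apply, e.g. guard each follow-on call with `if [ "$action" != "apply" ] || [ "$overall_rc" -eq 0 ]; then run_terraform "cdr" "$action" || overall_rc=1; fi` and the same for the `cis` call in the `all` arm. Separately, the `export` of the `127.0.0.1/32` placeholder in run_terraform's destroy arm persists for every later stack in the same `all` invocation; that is harmless as long as only the cdr stack reads the variable, but the comment above it should say so explicitly, e.g. `# Loopback placeholder only satisfies module validation during destroy; it is never applied to a security group and remains exported for the rest of this run.` run_terraform's apply arm is outside the visible hunks, so I could not check whether the same validation applies there.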