
fix(cert_manager,external_dns): move cross-variable validations to terraform_data preconditions #315

Merged: davidf-null merged 6 commits into main from fix/certmanager on Apr 30, 2026

Conversation

@davidf-null (Collaborator)

Summary

Terraform/OpenTofu validation blocks inside a variable can only reference the variable being validated itself (var.<name>). Cross-variable conditions — such as checking var.cloud_provider inside the validation of var.gcp_sa_email — cause the following plan-time error:

Error: Invalid reference in variable validation
The condition for variable "gcp_sa_email" can only refer to the variable itself, using var.gcp_sa_email.

This PR fixes the issue in both affected modules by migrating cross-variable validations to lifecycle.precondition blocks on a terraform_data resource (the same pattern introduced in external_dns via #310).

cert_manager

  • Removed all cross-variable validation blocks from variables.tf (10 blocks across GCP, AWS, Azure, Cloudflare, and OCI variables).
  • Created validation.tf with a terraform_data "provider_validation" resource containing the equivalent precondition checks.
  • Updated test files to use expect_failures = [terraform_data.provider_validation] instead of the previous expect_failures = [var.X].

external_dns

  • Changed provider-specific variable defaults from null to "" (cloudflare_token, aws_region, aws_iam_role_arn, azure_client_id, azure_subscription_id, azure_resource_group, azure_tenant_id). The null defaults caused eager evaluation failures in locals.tf when any provider config was instantiated with null values.
  • Fixed a latent bug: oci_compartment_ocid had default = " " (a space), which silently bypassed the != "" precondition check. Changed to default = "".
  • Updated validation.tf preconditions from != null to length(...) > 0. The cloudflare_token precondition uses != null && length(...) > 0 to handle tests that explicitly pass null.
  • Uncommented 5 previously disabled tests in external_dns_cross_provider.tftest.hcl (rejects_invalid_policy, rejects_invalid_type, private_type_in_release_name, base_config_consistency, all_providers_in_config_map) that were blocked by the null eager-evaluation bug.

Test plan

  • tofu test passes for infrastructure/commons/cert_manager — 19 passed, 0 failed
  • tofu test passes for infrastructure/commons/external_dns — 37 passed, 0 failed
  • All pre-commit hooks pass (tofu fmt, tofu validate, tofu test)

🤖 Generated with Claude Code
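The pattern the PR describes, as an added illustration rather than the repository's own validation.tf or test files: a legal self-referencing validation, the cross-variable check that Terraform/OpenTofu rejects, and the same check moved onto a terraform_data precondition, followed by a test that names the resource in expect_failures. Variable names follow the PR text; the allowed provider list, the error messages, the sensitive flag on cloudflare_token, the trimspace() hardening and the test file name are assumptions.

```hcl
# Added illustration, not the repository's validation.tf. Variable names
# (cloud_provider, gcp_sa_email, cloudflare_token, oci_compartment_ocid) follow
# the PR text; the allowed provider list, the error messages, the sensitive
# flag and the test file name are assumptions.

variable "cloud_provider" {
  type = string

  # A validation block may reference only its own variable, so this one is legal.
  validation {
    condition     = contains(["gcp", "aws", "azure", "cloudflare", "oci"], var.cloud_provider)
    error_message = "cloud_provider must be one of: gcp, aws, azure, cloudflare, oci."
  }
}

# Provider-specific inputs default to "" rather than null, so locals that read
# them can be evaluated before the provider is known without hitting null-value
# errors. Emptiness is then tested with length(), not with != null.
variable "gcp_sa_email" {
  type    = string
  default = ""
}

variable "cloudflare_token" {
  type      = string
  default   = ""
  sensitive = true # assumption: keeps the token out of plan output
}

variable "oci_compartment_ocid" {
  type    = string
  default = "" # not " ": a whitespace default passes a plain != "" check
}

# REJECTED at plan time ("Invalid reference in variable validation"):
# a validation block for gcp_sa_email may not read var.cloud_provider.
#
# variable "gcp_sa_email" {
#   validation {
#     condition     = var.cloud_provider != "gcp" || var.gcp_sa_email != ""
#     error_message = "gcp_sa_email is required when cloud_provider is gcp."
#   }
# }

# The cross-variable rules move to lifecycle preconditions on a no-op
# terraform_data resource. They are checked at plan time; a false condition
# fails the plan with error_message, so a misconfigured provider never reaches apply.
resource "terraform_data" "provider_validation" {
  lifecycle {
    precondition {
      condition     = var.cloud_provider != "gcp" || length(var.gcp_sa_email) > 0
      error_message = "gcp_sa_email must be set when cloud_provider is \"gcp\"."
    }

    precondition {
      # Explicit null guard, as in the PR: a test that passes cloudflare_token = null
      # would otherwise make length(null) raise a function error instead of this message.
      condition     = var.cloud_provider != "cloudflare" || (var.cloudflare_token != null && length(var.cloudflare_token) > 0)
      error_message = "cloudflare_token must be set when cloud_provider is \"cloudflare\"."
    }

    precondition {
      # trimspace() goes one step beyond the PR: it also rejects a whitespace-only
      # value like the old " " default, which a bare length() > 0 check accepts.
      condition     = var.cloud_provider != "oci" || length(trimspace(var.oci_compartment_ocid)) > 0
      error_message = "oci_compartment_ocid must be set when cloud_provider is \"oci\"."
    }
  }
}

# --- tests/provider_validation.tftest.hcl (assumed file name) -----------------
# The failure is now attributed to the resource, so expect_failures names
# terraform_data.provider_validation rather than a variable.
run "gcp_without_sa_email_fails" {
  command = plan

  variables {
    cloud_provider = "gcp"
    gcp_sa_email   = ""
  }

  expect_failures = [terraform_data.provider_validation]
}

run "gcp_with_sa_email_plans" {
  command = plan

  variables {
    cloud_provider = "gcp"
    gcp_sa_email   = "cert-manager@example-project.iam.gserviceaccount.com" # constructed value
  }
}
```

Run with `tofu test` (or `terraform test`) from the module directory. The two run blocks are the minimum worth keeping per provider: one that must fail on the precondition and one that must plan cleanly, so a later edit that accidentally weakens or over-tightens a condition is caught in both directions.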

David Fernandez and others added 6 commits April 9, 2026 15:55
…rraform_data preconditions

Terraform/OpenTofu variable validation blocks can only reference the
variable being validated itself. Cross-variable conditions (e.g. checking
cloud_provider inside another variable's validation) cause a plan-time
error. Fixes the same pattern in two modules:

- cert_manager: removed all cross-variable validation blocks and introduced
  a new validation.tf with a terraform_data precondition resource. Updated
  tests to use expect_failures = [terraform_data.provider_validation].
- external_dns: updated validation.tf preconditions from != null to
  length() > 0 (variables defaults changed from null to ""), fixed
  oci_compartment_ocid default from " " (space) to "", and uncommented
  5 previously disabled tests in external_dns_cross_provider.tftest.hcl
  that were blocked by the null eager-evaluation bug in locals.tf.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@davidf-null davidf-null merged commit a213e35 into main Apr 30, 2026
42 checks passed
@davidf-null davidf-null deleted the fix/certmanager branch April 30, 2026 15:58
