Merge pull request #243 from cisagov/improvement/add-workspace-tfvars-check

Validate that workspace name aligns with `var.assessment_account_name` value
dav3r authored May 21, 2024
2 parents 26dd13b + c963777 commit c050ca8
Showing 3 changed files with 25 additions and 6 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -417,6 +417,7 @@ the COOL environment.
| [aws_vpc_endpoint_subnet_association.ssmmessages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_subnet_association) | resource |
| [aws_vpc_endpoint_subnet_association.sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_subnet_association) | resource |
| [null_resource.break_association_with_default_route_table](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.validate_assessment_account_name_matches_workspace](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.validate_assessment_artifact_export_map](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.validate_assessment_id](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.validate_assessment_type](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
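Review bot: the new table row records that the check exists but nothing in the README tells a user what workspace name will be expected for a given assessment_account_name; a sentence alongside this table stating the derivation (lowercase, parentheses stripped, spaces replaced with hyphens) would let people name workspaces correctly before they hit the precondition error.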
Expand Down Expand Up @@ -517,7 +518,7 @@ the COOL environment.
| provisionassessment\_policy\_name | The name to assign the IAM policy that allows provisioning of the resources required in the assessment account. | `string` | `"ProvisionAssessment"` | no |
| provisionssmsessionmanager\_policy\_description | The description to associate with the IAM policy that allows sufficient permissions to provision the SSM Document resource and set up SSM session logging in this assessment account. | `string` | `"Allows sufficient permissions to provision the SSM Document resource and set up SSM session logging in this assessment account."` | no |
| provisionssmsessionmanager\_policy\_name | The name to assign the IAM policy that allows sufficient permissions to provision the SSM Document resource and set up SSM session logging in this assessment account. | `string` | `"ProvisionSSMSessionManager"` | no |
| publish\_egress\_ip\_addresses | A boolean value that specifies whether EC2 instances in the operations subnet should be tagged to indicate that their public IP addresses may be published. This is useful for deconfliction purposes. IP address publishing can be done via the code in cisagov/publish-egress-ip-lambda and cisagov/publish-egress-ip-terraform. | `bool` | `false` | no |
| publish\_egress\_ip\_addresses | A boolean value that specifies whether EC2 instances in the operations subnet should be tagged to indicate that their public IP addresses may be published. This is useful for deconfliction purposes. Publishing these addresses can be done via the code in cisagov/publish-egress-ip-lambda and cisagov/publish-egress-ip-terraform. | `bool` | `false` | no |
| read\_terraform\_state\_role\_name | The name to assign the IAM role (as well as the corresponding policy) that allows read-only access to the cool-assessment-terraform state in the S3 bucket where Terraform state is stored. The %s in this name will be replaced by the value of the assessment\_account\_name variable. | `string` | `"ReadCoolAssessmentTerraformTerraformState-%s"` | no |
| session\_cloudwatch\_log\_group\_name | The name of the log group into which session logs are to be uploaded. | `string` | `"/ssm/session-logs"` | no |
| ssm\_key\_artifact\_export\_access\_key\_id | The AWS SSM Parameter Store parameter that contains the AWS access key of the IAM user that can write to the assessment artifact export bucket (e.g. "/assessment\_artifact\_export/access\_key\_id"). | `string` | `"/assessment_artifact_export/access_key_id"` | no |
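Review bot: the reworded description for publish_egress_ip_addresses is changed only in README.md, and this commit touches no variables.tf; if this inputs table is generated from the variable descriptions, the same wording needs to go into the variable's `description` as well or the next regeneration will revert it.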
14 changes: 13 additions & 1 deletion assessment_validation.tf
@@ -1,5 +1,5 @@
# This file contains a semi-hacky way of validating user-provided assessment
# information. As of Terraform v1.3.x, there is no built-in way to validate
# information. As of Terraform v1.5.x, there is no built-in way to validate
# one variable against another, as we need to do here. Terraform input variable
# validation expressions can only refer to the variable being validated and no
# others. For more, see
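Review bot: the version bump to v1.5.x in the comment is worth qualifying, because Terraform 1.5 did add `check` blocks whose assertions may reference several variables; they only emit warnings rather than failing the plan, which is why the precondition approach in this file is still needed, and saying so keeps the next reader from assuming the comment is simply stale.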
Expand All @@ -9,6 +9,18 @@
# that contains a precondition. The precondition is evaluated at plan time, and
# if it fails, the plan will fail with the error message provided.

# NOTE: When adding new validation checks, be sure to include them to the
# initial apply in the terraform_apply.sh script.

resource "null_resource" "validate_assessment_account_name_matches_workspace" {
lifecycle {
precondition {
condition = replace(replace(lower(var.assessment_account_name), "/[()]/", ""), " ", "-") == terraform.workspace
error_message = "Assessment account name (${var.assessment_account_name}) does not agree with the currently-selected workspace (${terraform.workspace}). Are you sure that you are using the correct tfvars file?"
}
}
}

resource "null_resource" "validate_assessment_artifact_export_map" {
lifecycle {
precondition {
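Review bot: the error_message in the new precondition tells the user that the two names disagree but not which workspace name the condition actually expects, so they have to reverse-engineer the lower/replace chain by hand; compute it once in a local, e.g. `expected_workspace = replace(replace(lower(var.assessment_account_name), "/[()]/", ""), " ", "-")`, use `local.expected_workspace == terraform.workspace` as the condition, and include `${local.expected_workspace}` in the message. The normalisation also only strips parentheses and replaces single spaces, so runs of spaces, underscores or other punctuation in the account name pass straight through into the expected workspace name; the comment should state that. Minor: "include them to the initial apply" should read "include them in the initial apply".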
14 changes: 10 additions & 4 deletions terraform_apply.sh
Expand Up @@ -34,17 +34,23 @@ export AWS_DEFAULT_REGION
# cool-sharedservices-networking, which is probably the correct
# long-term solution here.
#
# 0. Perform a targeted apply to validate user-provided assessment information.
# 1. Perform a targeted apply to attach a policy that gives the
# permissions necessary to create the other resources.
# 2. Perform a targeted apply to create the networking-related
# resources that the EC2 instances will need when they start up.
# 3. Perform a targeted apply to create the EC2 instances.
# 4. Perform an untargeted apply to create everything else.
terraform apply "${@}" \
-target=aws_iam_policy.provisionassessment_policy \
-target=aws_iam_policy.provisionssmsessionmanager_policy \
-target=aws_iam_role_policy_attachment.provisionassessment_policy_attachment \
-target=aws_iam_role_policy_attachment.provisionssmsessionmanager_policy_attachment \
-target=null_resource.validate_assessment_account_name_matches_workspace \
-target=null_resource.validate_assessment_artifact_export_map \
-target=null_resource.validate_assessment_id \
-target=null_resource.validate_assessment_type \
&& terraform apply "${@}" \
-target=aws_iam_policy.provisionassessment_policy \
-target=aws_iam_policy.provisionssmsessionmanager_policy \
-target=aws_iam_role_policy_attachment.provisionassessment_policy_attachment \
-target=aws_iam_role_policy_attachment.provisionssmsessionmanager_policy_attachment \
&& terraform apply "${@}" \
-target=aws_default_route_table.operations \
-target=aws_efs_access_point.access_point \
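Review bot: the four `-target=null_resource.validate_*` arguments in the new step 0 are a second hand-maintained list of the validation resources (the NOTE added to assessment_validation.tf exists only to remind people to update it); declare them once as a shell array near the top of the script, e.g. `validation_targets=(-target=null_resource.validate_assessment_account_name_matches_workspace ...)`, and expand it with `"${validation_targets[@]}"` so adding a check is a one-line change. Also, because step 0 is a separate `terraform apply "${@}"`, it adds another interactive approval prompt unless -auto-approve is passed through "${@}"; since the preconditions are evaluated at plan time, a `terraform plan` with the same targets would exercise them without prompting or writing the null resources to state.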
