Merge pull request #27 from ministryofjustice/feature/refactor-nuke-o…

…utputs-for-multiple-access-blocks Refactoring nuke-related local definitions to account for one, many or no defined access blocks.
ministryofjustice · Dec 12, 2022 · a25929f · a25929f
2 parents cc592ca + 7924e2d
commit a25929f
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 15 deletions.
diff --git a/main.tf b/main.tf
@@ -26,27 +26,31 @@ locals {
       ]
     ])
 
-    nuke_accounts = flatten([
+    nuke_accts = flatten([
       for application in local.definitions : [
-        for environment in application.environments : {
-          name = "${application.name}-${environment.name}"
-        } if application.account-type == "member" && environment.name == "development" && try(environment.access[0].level, "undefined") == "sandbox" && try(environment.access[0].nuke, "include") != "exclude"
-      ]
-    ])
+        for environment in application.environments : [
+          for a in try(environment.access, []) :
+          "${application.name}-${environment.name}"
+          if application.account-type == "member" && environment.name == "development" && try(a.level, "undefined") == "sandbox" && !contains([for acc in environment.access : try(acc.nuke, "include") if try(acc.level, "undefined") == "sandbox"], "exclude")
+        ]
+    ]])
+
 
     rebuild_after_nuke_accounts = flatten([
       for application in local.definitions : [
-        for environment in application.environments : {
-          name = "${application.name}-${environment.name}"
-        } if application.account-type == "member" && environment.name == "development" && try(environment.access[0].level, "undefined") == "sandbox" && try(environment.access[0].nuke, "include") == "rebuild"
+        for environment in application.environments : [
+          for a in try(environment.access, []) :
+          "${application.name}-${environment.name}"
+          if application.account-type == "member" && environment.name == "development" && try(a.level, "undefined") == "sandbox" && try(a.nuke, "include") == "rebuild" && !contains([for acc in environment.access : try(acc.nuke, "include") if try(acc.level, "undefined") == "sandbox"], "exclude")
+        ]
       ]
     ])
 
     blocklist_nuke_accounts = flatten([
       for application in local.definitions : [
-        for environment in application.environments : {
-          name = "${application.name}-${environment.name}"
-        } if environment.name == "production" || environment.name == "preproduction" || startswith(application.name, "core")
+        for environment in application.environments :
+        "${application.name}-${environment.name}"
+        if environment.name == "production" || environment.name == "preproduction" || startswith(application.name, "core")
       ]
     ])
   }

diff --git a/outputs.tf b/outputs.tf
@@ -9,19 +9,19 @@ output "environment_account_ids" {
 
 output "environment_nuke_accounts" {
   sensitive   = true
-  value       = local.applications.nuke_accounts[*].name
+  value       = distinct(local.applications.nuke_accounts)
   description = "List of autonuke account names."
 }
 
 output "environment_rebuild_after_nuke_accounts" {
   sensitive   = true
-  value       = local.applications.rebuild_after_nuke_accounts[*].name
+  value       = distinct(local.applications.rebuild_after_nuke_accounts)
   description = "List of rebuild-after-autonuke account names."
 }
 
 output "environment_nuke_blocklist_accounts" {
   sensitive   = true
-  value       = local.applications.blocklist_nuke_accounts[*].name
+  value       = local.applications.blocklist_nuke_accounts
   description = "List of account names blocklisted from autonuke."
 }