Merge pull request #33 from step-security/fix/update-validation

sailikhith-stepsecurity · web-flow · commit 43cee87fcc2f · 2025-12-09T01:15:27.000+05:30
Fix validation during plan stage for various resources
diff --git a/internal/provider/resource_github_supression_rule.go b/internal/provider/resource_github_supression_rule.go
@@ -152,61 +152,66 @@ func (r *githubSupressionRuleResource) ValidateConfig(ctx context.Context, req r
 
 	switch rule.Type.ValueString() {
 	case "source_code_overwritten":
-		if rule.File.IsNull() || rule.File.IsUnknown() || rule.FilePath.IsNull() || rule.FilePath.IsUnknown() {
+		if (!rule.File.IsUnknown() && rule.File.IsNull()) || (!rule.FilePath.IsUnknown() && rule.FilePath.IsNull()) {
 			resp.Diagnostics.AddError(
 				"File is required",
 				"File is required when type is source_code_overwritten",
 			)
 		}
-		if !rule.Process.IsNull() {
+		if !rule.Process.IsUnknown() && !rule.Process.IsNull() {
 			resp.Diagnostics.AddError(
 				"Process is not allowed",
 				"Process is not allowed when type is source_code_overwritten",
 			)
 		}
-		if !rule.Destination.IsNull() {
+		if !rule.Destination.IsUnknown() && !rule.Destination.IsNull() {
 			resp.Diagnostics.AddError(
 				"Destination is not allowed",
 				"Destination is not allowed when type is source_code_overwritten",
 			)
 		}
 	case "anomalous_outbound_network_call":
-		if !rule.File.IsNull() || !rule.FilePath.IsNull() {
+		if (!rule.File.IsUnknown() && !rule.File.IsNull()) || (!rule.FilePath.IsUnknown() && !rule.FilePath.IsNull()) {
 			resp.Diagnostics.AddError(
 				"File, File Path parameters are not allowed",
 				"File, File Path parameters are not allowed when type is anomalous_outbound_network_call",
 			)
 		}
-		if rule.Process.IsNull() || rule.Process.IsUnknown() {
+		if !rule.Process.IsUnknown() && rule.Process.IsNull() {
 			resp.Diagnostics.AddError(
 				"Process is required",
 				"Process is required when type is anomalous_outbound_network_call",
 			)
 		}
-		if rule.Destination.IsNull() || rule.Destination.IsUnknown() {
+		if !rule.Destination.IsUnknown() && rule.Destination.IsNull() {
 			resp.Diagnostics.AddError(
 				"Destination is required",
 				"Destination is required when type is anomalous_outbound_network_call",
 			)
 		}
-		var destination destinationModel
-		diags := rule.Destination.As(ctx, &destination, basetypes.ObjectAsOptions{})
-		resp.Diagnostics.Append(diags...)
-		if resp.Diagnostics.HasError() {
-			return
-		}
-		isIpEmpty := destination.IP.IsNull() || destination.IP.IsUnknown()
-		isDomainEmpty := destination.Domain.IsNull() || destination.Domain.IsUnknown()
-		if isIpEmpty && isDomainEmpty {
-			resp.Diagnostics.AddError(
-				"Destination is required",
-				"Destination is required when type is anomalous_outbound_network_call. please provide either ip or domain.",
-			)
-		} else if !isIpEmpty && !isDomainEmpty {
-			resp.Diagnostics.AddError(
-				"Cannot provide both ip and domain in destination",
-				"Destination can only have either ip or domain",
-			)
+		if !rule.Destination.IsUnknown() {
+			var destination destinationModel
+			diags := rule.Destination.As(ctx, &destination, basetypes.ObjectAsOptions{})
+			resp.Diagnostics.Append(diags...)
+			if resp.Diagnostics.HasError() {
+				return
+			}
+			// Skip validation if either field is unknown (from variables during plan)
+			if !destination.IP.IsUnknown() && !destination.Domain.IsUnknown() {
+				isIpEmpty := destination.IP.IsNull()
+				isDomainEmpty := destination.Domain.IsNull()
+				if isIpEmpty && isDomainEmpty {
+					resp.Diagnostics.AddError(
+						"Destination is required",
+						"Destination is required when type is anomalous_outbound_network_call. please provide either ip or domain.",
+					)
+				} else if !isIpEmpty && !isDomainEmpty {
+					resp.Diagnostics.AddError(
+						"Cannot provide both ip and domain in destination",
+						"Destination can only have either ip or domain",
+					)
+				}
+			}
 		}
 	}
 }
diff --git a/internal/provider/resource_policy_driven_pr.go b/internal/provider/resource_policy_driven_pr.go
@@ -414,7 +414,7 @@ func (r *policyDrivenPRResource) ValidateConfig(ctx context.Context, req resourc
 		return
 	}
 
-	if config.SelectedRepos.IsNull() || len(config.SelectedRepos.Elements()) == 0 {
+	if !config.SelectedRepos.IsUnknown() && (config.SelectedRepos.IsNull() || len(config.SelectedRepos.Elements()) == 0) {
 		resp.Diagnostics.AddError(
 			"Selected Repos is required",
 			"At least one repo is required in selected_repos",
@@ -424,14 +424,16 @@ func (r *policyDrivenPRResource) ValidateConfig(ctx context.Context, req resourc
 
 	// Get selected repos
 	var selectedRepos []string
-	elements := config.SelectedRepos.Elements()
-	for _, elem := range elements {
-		selectedRepos = append(selectedRepos, elem.(types.String).ValueString())
+	if !config.SelectedRepos.IsUnknown() {
+		elements := config.SelectedRepos.Elements()
+		for _, elem := range elements {
+			selectedRepos = append(selectedRepos, elem.(types.String).ValueString())
+		}
 	}
 
 	// Validate excluded_repos only makes sense with wildcard
 	hasWildcard := len(selectedRepos) == 1 && selectedRepos[0] == "*"
-	if !config.ExcludedRepos.IsNull() && len(config.ExcludedRepos.Elements()) > 0 {
+	if !config.ExcludedRepos.IsUnknown() && !config.ExcludedRepos.IsNull() && len(config.ExcludedRepos.Elements()) > 0 {
 		if !hasWildcard {
 			resp.Diagnostics.AddError(
 				"Invalid Configuration",
