From 4d3d8c161c1ebf613584c3175febd4f155fe1a00 Mon Sep 17 00:00:00 2001
From: "Matthew.Lemmond@ibm.com"
Date: Tue, 29 Jul 2025 15:04:54 -0400
Subject: [PATCH 1/3] fix: update the default kube-audit image tag and digest

---
 modules/kube-audit/README.md | 2 +-
 modules/kube-audit/variables.tf | 2 +-
 solutions/fully-configurable/variables.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/kube-audit/README.md b/modules/kube-audit/README.md
index da3dbc4d..dc7546c9 100644
--- a/modules/kube-audit/README.md
+++ b/modules/kube-audit/README.md
@@ -84,7 +84,7 @@ No modules.
 | [audit\_log\_policy](#input\_audit\_log\_policy) | Specify the amount of information that is logged to the API server audit logs by choosing the audit log policy profile to use. Supported values are `default` and `WriteRequestBodies`. | `string` | `"default"` | no |
 | [audit\_namespace](#input\_audit\_namespace) | The name of the namespace where log collection service and a deployment will be created. | `string` | `"ibm-kube-audit"` | no |
 | [audit\_webhook\_listener\_image](#input\_audit\_webhook\_listener\_image) | The audit webhook listener image reference in the format of `[registry-url]/[namespace]/[image]`.The sub-module uses the `icr.io/ibm/ibmcloud-kube-audit-to-ibm-cloud-logs` image to forward logs to IBM Cloud Logs. This image is for demonstration purposes only. For a production solution, configure and maintain your own log forwarding image. | `string` | `"icr.io/ibm/ibmcloud-kube-audit-to-ibm-cloud-logs"` | no |
-| [audit\_webhook\_listener\_image\_tag\_digest](#input\_audit\_webhook\_listener\_image\_tag\_digest) | The tag or digest for the audit webhook listener image to deploy. If changing the value, ensure it is compatible with `audit_webhook_listener_image`. | `string` | `"deaabcb8225e800385413ba420cf3f819d3b0671@sha256:acf123f4dba63534cbc104c6886abedff9d25a22a34ab7b549ede988ed6e7144"` | no |
+| [audit\_webhook\_listener\_image\_tag\_digest](#input\_audit\_webhook\_listener\_image\_tag\_digest) | The tag or digest for the audit webhook listener image to deploy. If changing the value, ensure it is compatible with `audit_webhook_listener_image`. | `string` | `"b119cab4729c4f92213a7a125d73adea14916a75@sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"` | no |
 | [cluster\_config\_endpoint\_type](#input\_cluster\_config\_endpoint\_type) | Specify which type of endpoint to use for for cluster config access: 'default', 'private', 'vpe', 'link'. 'default' value will use the default endpoint of the cluster. | `string` | `"default"` | no |
 | [cluster\_id](#input\_cluster\_id) | The ID of the cluster to deploy the log collection service in. | `string` | n/a | yes |
 | [cluster\_resource\_group\_id](#input\_cluster\_resource\_group\_id) | The resource group ID of the cluster. | `string` | n/a | yes |
diff --git a/modules/kube-audit/variables.tf b/modules/kube-audit/variables.tf
index a9e5a7f1..8c11a0df 100644
--- a/modules/kube-audit/variables.tf
+++ b/modules/kube-audit/variables.tf
@@ -95,7 +95,7 @@ variable "audit_webhook_listener_image_tag_digest" {
   type = string
   description = "The tag or digest for the audit webhook listener image to deploy. If changing the value, ensure it is compatible with `audit_webhook_listener_image`."
   nullable = false
-  default = "deaabcb8225e800385413ba420cf3f819d3b0671@sha256:acf123f4dba63534cbc104c6886abedff9d25a22a34ab7b549ede988ed6e7144"
+  default = "b119cab4729c4f92213a7a125d73adea14916a75@sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
 
   validation {
     condition = can(regex("^[a-f0-9]{40}@sha256:[a-f0-9]{64}$", var.audit_webhook_listener_image_tag_digest))
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 09052890..d0031afe 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -599,7 +599,7 @@ variable "audit_webhook_listener_image" {
 variable "audit_webhook_listener_image_tag_digest" {
   type = string
   description = "The tag or digest for the audit webhook listener image to deploy. If changing the value, ensure it is compatible with `audit_webhook_listener_image`."
-  default = "deaabcb8225e800385413ba420cf3f819d3b0671@sha256:acf123f4dba63534cbc104c6886abedff9d25a22a34ab7b549ede988ed6e7144"
+  default = "b119cab4729c4f92213a7a125d73adea14916a75@sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
 
   validation {
     condition = can(regex("^[a-f0-9]{40}@sha256:[a-f0-9]{64}$", var.audit_webhook_listener_image_tag_digest))
From f5de98acba5701cb1056d799b6dc1cda19bfedda Mon Sep 17 00:00:00 2001
From: Aashiq Jacob <122446118+Aashiq-J@users.noreply.github.com>
Date: Tue, 9 Sep 2025 15:52:52 +0530
Subject: [PATCH 2/3] Update variables.tf

---
 solutions/fully-configurable/variables.tf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 003d0042..5a666195 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -600,9 +600,4 @@ variable "audit_webhook_listener_image_tag_digest" {
   type = string
   description = "The tag or digest for the audit webhook listener image to deploy. If changing the value, ensure it is compatible with `audit_webhook_listener_image`."
   default = "b119cab4729c4f92213a7a125d73adea14916a75@sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
-
-  validation {
-    condition = can(regex("^[a-f0-9]{40}@sha256:[a-f0-9]{64}$", var.audit_webhook_listener_image_tag_digest))
-    error_message = "The value of the audit webhook listener image version must match the tag and sha256 image digest format"
-  }
 }
From c10078ab08acbf140d0ad22b79664f4acb949d2c Mon Sep 17 00:00:00 2001
From: "aashiq.jacob@ibm.com"
Date: Wed, 10 Sep 2025 14:44:10 +0530
Subject: [PATCH 3/3] fix(deps): update dependencies

---
 .secrets.baseline | 4 ++--
 tests/pr_test.go | 17 ++++++++++++-----
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index 8905b89e..3e093879 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-09-05T15:37:15Z",
+  "generated_at": "2025-09-10T09:13:52Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -82,7 +82,7 @@
         "hashed_secret": "8196b86ede820e665b2b8af9c648f4996be99838",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 91,
+        "line_number": 95,
         "type": "Secret Keyword",
         "verified_result": null
       }
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 550156d4..601ba32b 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -42,6 +42,10 @@ var (
 	permanentResources map[string]interface{}
 )
 
+var IgnoreUpdates = []string{
+	"module.kube_audit[0].helm_release.kube_audit",
+}
+
 // TestMain will be run before any parallel tests, used to set up a shared InfoService object to track region usage
 // for multiple tests
 func TestMain(m *testing.M) {
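Review bot: `IgnoreUpdates` is added as an exported package-level variable with no doc comment, and nothing in the hunk records why `module.kube_audit[0].helm_release.kube_audit` is exempted from the upgrade test's consistency check. That helm release is what deploys the audit webhook listener, so once it is on the exemption list the upgrade test will no longer flag an unexpected update or redeploy of it — acceptable as a temporary measure, but it needs to be stated and time-boxed. Presumably the exemption is needed because the default listener image tag/digest bumped earlier in this series changes the release's values on upgrade; if so, say that in a doc comment such as `// IgnoreUpdates lists resource addresses exempted from the upgrade consistency check; the kube-audit helm release is updated in place by the new default listener image digest. Remove once the upgrade baseline carries that default.` Since the slice is only referenced inside this test package, an unexported `ignoreUpdates` would also avoid exporting mutable package state.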
@@ -171,11 +175,14 @@ func TestRunUpgradeFullyConfigurable(t *testing.T) {
 	existingTerraformOptions := setupTerraform(t, prefix, "./existing-resources")
 
 	options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{
-		Testing: t,
-		Prefix: "fc-upg",
-		TarIncludePatterns: []string{"*.tf", fullyConfigurableTerraformDir + "/*.*", fullyConfigurableTerraformDir + "/scripts/*.*", "scripts/*.sh", "kubeconfig/README.md", "modules/kube-audit/*.*", "modules/kube-audit/kubeconfig/README.md", "modules/kube-audit/scripts/*.sh", fullyConfigurableTerraformDir + "/kubeconfig/README.md", "modules/kube-audit/helm-charts/kube-audit/*.*", "modules/kube-audit/helm-charts/kube-audit/templates/*.*"},
-		TemplateFolder: fullyConfigurableTerraformDir,
-		Tags: []string{"test-schematic"},
+		Testing: t,
+		Prefix: "fc-upg",
+		TarIncludePatterns: []string{"*.tf", fullyConfigurableTerraformDir + "/*.*", fullyConfigurableTerraformDir + "/scripts/*.*", "scripts/*.sh", "kubeconfig/README.md", "modules/kube-audit/*.*", "modules/kube-audit/kubeconfig/README.md", "modules/kube-audit/scripts/*.sh", fullyConfigurableTerraformDir + "/kubeconfig/README.md", "modules/kube-audit/helm-charts/kube-audit/*.*", "modules/kube-audit/helm-charts/kube-audit/templates/*.*"},
+		TemplateFolder: fullyConfigurableTerraformDir,
+		Tags: []string{"test-schematic"},
+		IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
+			List: IgnoreUpdates,
+		},
 		DeleteWorkspaceOnFail: false,
 	})