Stop wrapping yamldecode with try() (#1812)

blueprints/data-solutions/shielded-folder/data/firewall-policies/cidrs.yaml

@@ -1,4 +1,7 @@
 # skip boilerplate check
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
 
 healthchecks:
   - 35.191.0.0/16
@@ -12,4 +15,4 @@ rfc1918:
   - 192.168.0.0/16
 
 onprem_probes:
-  - 10.255.255.254/32
+  - 10.255.255.254/32

blueprints/data-solutions/shielded-folder/data/firewall-policies/hierarchical-ingress-rules.yaml

@@ -1,4 +1,7 @@
 # skip boilerplate check
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
 
 allow-admins:
   description: Access from the admin subnet to all subnets
@@ -14,8 +17,8 @@ allow-healthchecks:
     source_ranges:
       - healthchecks
   layer4_configs:
-  - protocol: tcp
-    ports: ["80", "443"]
+    - protocol: tcp
+      ports: ["80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
@@ -24,8 +27,8 @@ allow-ssh-from-iap:
     source_ranges:
       - 35.235.240.0/20
   layer4_configs:
-  - protocol: tcp
-    ports: ["22"]
+    - protocol: tcp
+      ports: ["22"]
 
 allow-icmp:
   description: Enable ICMP
@@ -34,4 +37,4 @@ allow-icmp:
     source_ranges:
       - 0.0.0.0/0
   layer4_configs:
-  - protocol: icmp
+    - protocol: icmp

blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml

@@ -2,30 +2,32 @@
 #
 # sample subset of useful organization policies, edit to suit requirements
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 compute.disableGuestAttributesAccess:
   rules:
-  - enforce: true
+    - enforce: true
 
 compute.requireOsLogin:
   rules:
-  - enforce: true
+    - enforce: true
 
 compute.restrictLoadBalancerCreationForTypes:
   rules:
-  - allow:
-      values:
-      - in:INTERNAL
+    - allow:
+        values:
+          - in:INTERNAL
 
 compute.skipDefaultNetworkCreation:
   rules:
-  - enforce: true
+    - enforce: true
 
 compute.vmExternalIpAccess:
   rules:
-  - deny:
-      all: true
-
-
+    - deny:
+        all: true
 # compute.disableInternetNetworkEndpointGroup:
 #   rules:
 #   - enforce: true

blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml

@@ -2,14 +2,18 @@
 #
 # sample subset of useful organization policies, edit to suit requirements
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 iam.automaticIamGrantsForDefaultServiceAccounts:
   rules:
-  - enforce: true
+    - enforce: true
 
 iam.disableServiceAccountKeyCreation:
   rules:
-  - enforce: true
+    - enforce: true
 
 iam.disableServiceAccountKeyUpload:
   rules:
-  - enforce: true
+    - enforce: true

blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml

@@ -2,30 +2,33 @@
 #
 # sample subset of useful organization policies, edit to suit requirements
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 run.allowedIngress:
   rules:
-  - allow:
-      values:
-      - is:internal
-
+    - allow:
+        values:
+          - is:internal
 # run.allowedVPCEgress:
 #   rules:
-#   - allow:
-#       values:
-#       - is:private-ranges-only
+#     - allow:
+#         values:
+#           - is:private-ranges-only
 
 # cloudfunctions.allowedIngressSettings:
 #   rules:
-#   - allow:
-#       values:
-#       - is:ALLOW_INTERNAL_ONLY
+#     - allow:
+#         values:
+#           - is:ALLOW_INTERNAL_ONLY
 
 # cloudfunctions.allowedVpcConnectorEgressSettings:
 #   rules:
-#   - allow:
-#       values:
-#       - is:PRIVATE_RANGES_ONLY
+#     - allow:
+#         values:
+#           - is:PRIVATE_RANGES_ONLY
 
 # cloudfunctions.requireVPCConnector:
 #   rules:
-#   - enforce: true
+#     - enforce: true

blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml

@@ -2,10 +2,14 @@
 #
 # sample subset of useful organization policies, edit to suit requirements
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 sql.restrictAuthorizedNetworks:
   rules:
-  - enforce: true
+    - enforce: true
 
 sql.restrictPublicIp:
   rules:
-  - enforce: true
+    - enforce: true

blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml

@@ -2,6 +2,10 @@
 #
 # sample subset of useful organization policies, edit to suit requirements
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 storage.uniformBucketLevelAccess:
   rules:
-  - enforce: true
+    - enforce: true

blueprints/factories/net-vpc-firewall-yaml/README.md

@@ -41,6 +41,11 @@ module "dev-firewall" {
 
 ```yaml
 # tftest-file id=common path=firewall/common/common.yaml
+
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 # allow ingress from GCLB to all instances in the network
 lb-health-checks:
   allow:
@@ -65,6 +70,11 @@ deny-all:
 
 ```yaml
 # tftest-file id=dev path=firewall/dev/app.yaml
+
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 # Myapp egress
 web-app-dev-egress:
   allow:
@@ -89,6 +99,11 @@ web-app-dev-ingress:
 
 ```yaml
 # tftest-file id=prod path=firewall/prod/app.yaml
+
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 # Myapp egress
 web-app-prod-egress:
   allow:
@@ -111,7 +126,6 @@ web-app-prod-ingress:
     - [email protected]
 ```
 
-
 ### Configuration Structure
 
 ```bash
@@ -140,6 +154,11 @@ web-app-prod-ingress:
 Firewall rules configuration should be placed in a set of yaml files in a folder/s. Firewall rule entry structure is following:
 
 ```yaml
+
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 rule-name: # descriptive name, naming convention is adjusted by the module
   allow:  # `allow` or `deny`
   - ports: ['443', '80'] # ports for a specific protocol, keep empty list `[]` for all ports

blueprints/factories/net-vpc-firewall-yaml/main.tf

@@ -31,7 +31,7 @@ locals {
   firewall_rules = merge(
     [
       for config_file in local.firewall_rule_files :
-      try(yamldecode(file(config_file)), {})
+      yamldecode(file(config_file))
     ]...
   )
 }

blueprints/networking/decentralized-firewall/firewall/common/common-egress.yaml

@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 # Deny all egress (egress traffic is allowed by default)
 deny-all:
   deny:

blueprints/networking/decentralized-firewall/firewall/common/iap-access.yaml

@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 # Access via SSH from IAP to all instancess https://cloud.google.com/iap/docs/using-tcp-forwarding#create-firewall-rule
 iap-ssh-access:
   allow:

blueprints/networking/decentralized-firewall/firewall/common/lb-access.yaml

@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 # Access from GCP LBs https://cloud.google.com/load-balancing/docs/https/#firewall_rules
 lb-health-checks:
   allow:

blueprints/networking/decentralized-firewall/firewall/dev/app-1/app1-rules.yaml

@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 # Allow traffic from the frontend VMs
 app1-backend:
   allow:

blueprints/networking/decentralized-firewall/firewall/dev/app-2/app2-rules.yaml

@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 # Allow traffic from app1 frontend
 app2-backend:
   allow:

blueprints/networking/decentralized-firewall/firewall/prod/app-1/app1-rules.yaml

@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 # Allow traffic from the frontend VMs
 app1-backend:
   allow:

fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml

@@ -2,30 +2,32 @@
 #
 # sample subset of useful organization policies, edit to suit requirements
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 compute.disableGuestAttributesAccess:
   rules:
-  - enforce: true
+    - enforce: true
 
 compute.requireOsLogin:
   rules:
-  - enforce: true
+    - enforce: true
 
 compute.restrictLoadBalancerCreationForTypes:
   rules:
-  - allow:
-      values:
-      - in:INTERNAL
+    - allow:
+        values:
+          - in:INTERNAL
 
 compute.skipDefaultNetworkCreation:
   rules:
-  - enforce: true
+    - enforce: true
 
 compute.vmExternalIpAccess:
   rules:
-  - deny:
-      all: true
-
-
+    - deny:
+        all: true
 # compute.disableInternetNetworkEndpointGroup:
 #   rules:
 #   - enforce: true

fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml

@@ -2,14 +2,18 @@
 #
 # sample subset of useful organization policies, edit to suit requirements
 
+---
+# Terraform will be unable to decode this file if it does not contain valid YAML
+# You can retain `---` (start of the document) to indicate an empty document.
+
 iam.automaticIamGrantsForDefaultServiceAccounts:
   rules:
-  - enforce: true
+    - enforce: true
 
 iam.disableServiceAccountKeyCreation:
   rules:
-  - enforce: true
+    - enforce: true
 
 iam.disableServiceAccountKeyUpload:
   rules:
-  - enforce: true
+    - enforce: true