chore: add validations for iam and policy_bindings

mineiros-io · Jan 3, 2022 · 4fe95aa · 4fe95aa
1 parent 244d9b5
commit 4fe95aa
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/iam.tf b/iam.tf
@@ -11,8 +11,8 @@ module "iam" {
   module_depends_on = var.module_depends_on
 
   bucket        = try(google_storage_bucket.bucket[0].name, null)
-  role          = try(each.value.role, null)
-  members       = try(each.value.members, null)
+  role          = each.value.role
+  members       = each.value.members
   authoritative = try(each.value.authoritative, true)
 }
 

diff --git a/variables.tf b/variables.tf
@@ -138,12 +138,36 @@ variable "iam" {
   description = "(Optional) A list of IAM access."
   type        = any
   default     = []
+
+  # validate required keys in each object
+  validation {
+    condition     = alltrue([for x in var.iam : length(setintersection(keys(x), ["role", "members"])) == 2])
+    error_message = "Each object in var.iam must specify a role and a set of members."
+  }
+
+  # validate no invalid keys are in each object
+  validation {
+    condition     = alltrue([for x in var.iam : length(setsubtract(keys(x), ["role", "members", "authoritative"])) == 0])
+    error_message = "Each object in var.iam does only support role, members and authoritative attributes."
+  }
 }
 
 variable "policy_bindings" {
   description = "(Optional) A list of IAM policy bindings."
   type        = any
   default     = null
+
+  # validate required keys in each object
+  validation {
+    condition     = var.policy_bindings == null ? true : alltrue([for x in var.policy_bindings : length(setintersection(keys(x), ["role", "members"])) == 2])
+    error_message = "Each object in var.policy_bindings must specify a role and a set of members."
+  }
+
+  # validate no invalid keys are in each object
+  validation {
+    condition     = var.policy_bindings == null ? true : alltrue([for x in var.policy_bindings : length(setsubtract(keys(x), ["role", "members", "condition"])) == 0])
+    error_message = "Each object in var.policy_bindings does only support role, members and condition attributes."
+  }
 }
 
 # ------------------------------------------------------------------------------