kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
hunfabric/modules/folder/variables-iam.tf
kovagoadam 1907c38e22 Add IAM deny policies support (#3970) 
* Added IAM denial policies

* Moved default to empty, removed trys, added condition vars to expression

* remove redundant null checks

* reduce line length

* boilerplate and principal context expansion

* update readmes

* add explicit validation against null values

* add context tests

* Add missing license headers to examples

---------

Co-authored-by: Julio Castillo <jccb@google.com>
2026-05-21 02:38:06 +00:00

133 lines
4.3 KiB
HCL
Raw Permalink Blame History

/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "iam" {
description = "IAM bindings in {ROLE => [MEMBERS]} format."
type = map(list(string))
default = {}
nullable = false
}
variable "iam_bindings" {
description = "Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary."
type = map(object({
members = list(string)
role = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
}))
nullable = false
default = {}
}
variable "iam_bindings_additive" {
description = "Individual additive IAM bindings. Keys are arbitrary."
type = map(object({
member = string
role = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
}))
nullable = false
default = {}
}
variable "iam_by_principals_additive" {
description = "Additive IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid errors. Merged internally with the `iam_bindings_additive` variable."
type = map(list(string))
default = {}
nullable = false
}
variable "iam_by_principals" {
description = "Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid errors. Merged internally with the `iam` variable."
type = map(list(string))
default = {}
nullable = false
}
variable "iam_by_principals_conditional" {
description = "Authoritative IAM binding in {PRINCIPAL => {roles = [roles], condition = {cond}}} format. Principals need to be statically defined to avoid errors. Condition is required."
type = map(object({
roles = list(string)
condition = object({
expression = string
title = string
description = optional(string)
})
}))
default = {}
nullable = false
validation {
condition = alltrue([
for k, v in var.iam_by_principals_conditional : v.condition != null
])
error_message = "The `condition` attribute is required. Use `iam_by_principals` for non-conditional bindings."
}
validation {
condition = alltrue([
for title, conditions in {
for k, v in var.iam_by_principals_conditional :
v.condition.title => v.condition...
} :
length(distinct(conditions)) == 1
])
error_message = "IAM bindings with the same condition title must have identical expressions and descriptions."
}
}
variable "iam_deny_policies" {
description = "IAM Deny policies to be applied to the folder."
type = map(object({
display_name = optional(string)
rules = list(object({
description = optional(string)
denied_principals = list(string)
denied_permissions = list(string)
denial_condition = optional(object({
expression = string
title = optional(string)
description = optional(string)
location = optional(string)
}))
exception_principals = optional(list(string), [])
exception_permissions = optional(list(string), [])
}))
}))
default = {}
nullable = false
validation {
# Ensure denied_principals and denied_permissions are explicitly not null
# (to prevent HCL evaluation errors in loops) and contain at least one
# element (required by the GCP API).
condition = alltrue(flatten([
for k, v in var.iam_deny_policies : [
for r in v.rules : (
try(length(r.denied_principals) > 0, false) &&
try(length(r.denied_permissions) > 0, false)
)
]
]))
error_message = "Each rule in iam_deny_policies must have at least one denied principal and one denied permission."
}
}
Reference in New Issue View Git Blame Copy Permalink