It would be beneficial to have detailed variable types for the variables egress_policies, egress_policies_dry_run, ingress_policies and ingress_policies_dry_run in the regular_service_perimeter module.
With the optional type attribute generally available since Terraform version 1.3, module users will find it very convenient to reference a concrete type for the above variables directly, rather than having to rely on reading the module code to understand what input structure for policy rules is expected by the module.
The current type for these variables only defines a rough skeleton:
```hcl
list(object({
  from = any
  to   = any
}))
```
The type design can use the ingress & egress rule references from links [1] and [2] to potentially create something like:
```hcl
variable "ingress_policies" {
  default = []
  type = list(object({
    from = object({
      # exactly one of identity_type / identities must be set (see validation below)
      identity_type = optional(string)
      identities    = optional(list(string))
      sources = object({
        # both default to an empty list when omitted
        access_levels = optional(list(string), [])
        resources     = optional(list(string), [])
      })
    })
    to = object({
      # all resources when omitted
      resources = optional(list(string), ["*"])
      operations = map(object({
        methods     = optional(list(string), [])
        permissions = optional(list(string), [])
      }))
    })
  }))

  validation {
    # identity_type XOR identities
    condition = alltrue([
      for ingress_rule in var.ingress_policies : (
        (ingress_rule.from.identity_type == null && ingress_rule.from.identities != null)
        ||
        (ingress_rule.from.identity_type != null && ingress_rule.from.identities == null)
      )
    ])
    error_message = "Exactly one of from.identity_type OR from.identities must be configured."
  }
}

variable "egress_policies" {
  default = []
  type = list(object({
    to = object({
      # all resources when omitted
      resources = optional(list(string), ["*"])
      operations = map(object({
        methods     = optional(list(string), [])
        permissions = optional(list(string), [])
      }))
    })
    from = object({
      # exactly one of identity_type / identities must be set (see validation below)
      identity_type = optional(string)
      identities    = optional(list(string))
    })
  }))

  validation {
    # identity_type XOR identities
    condition = alltrue([
      for egress_rule in var.egress_policies : (
        (egress_rule.from.identity_type != null && egress_rule.from.identities == null)
        ||
        (egress_rule.from.identity_type == null && egress_rule.from.identities != null)
      )
    ])
    error_message = "Exactly one of from.identity_type OR from.identities must be configured."
  }
}
```
Similar types can be reused for egress_policies_dry_run & ingress_policies_dry_run. This should give module users good context on the general structure of the expected values!
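As an added example that is not part of the issue or of the module itself, this is what a caller would write once the variables carry the proposed types. The module source path and the inputs other than ingress_policies and egress_policies (policy, perimeter_name, description, resources, restricted_services) are assumptions about the module's interface, and the project numbers, identities and service/method names are constructed placeholders.

```hcl
# Added example, not part of the issue or the module. The module source and the
# inputs other than ingress_policies/egress_policies are assumed; project numbers
# and identities are constructed placeholders.
module "regular_service_perimeter" {
  source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"

  policy              = "123456789012"        # access policy id (placeholder)
  perimeter_name      = "example_perimeter"
  description         = "Perimeter with typed ingress/egress rules"
  resources           = ["111111111111"]      # protected project number (placeholder)
  restricted_services = ["storage.googleapis.com"]

  ingress_policies = [
    {
      from = {
        # identities set, identity_type omitted -> passes the XOR validation
        identities = ["user:alice@example.com"]
        sources = {
          resources = ["projects/222222222222"]
          # access_levels omitted -> filled with [] by the optional() default
        }
      }
      to = {
        # resources omitted -> filled with ["*"] by the optional() default
        operations = {
          "storage.googleapis.com" = {
            methods = ["google.storage.objects.get"]
            # permissions omitted -> filled with []
          }
        }
      }
    },
  ]

  egress_policies = [
    {
      from = {
        # identity_type set, identities omitted -> passes the XOR validation
        identity_type = "ANY_IDENTITY"
      }
      to = {
        resources = ["projects/333333333333"]
        operations = {
          "storage.googleapis.com" = {
            permissions = ["storage.objects.get"]
          }
        }
      }
    },
    # A rule that sets both from.identity_type and from.identities, or neither,
    # is rejected at plan time with the variable's error_message.
  ]
}
```

Because the attributes are declared with optional() defaults, the omitted fields are filled in at the module boundary, so the module body can rely on to.resources, to.operations[*].methods and friends always being present rather than guarding against null.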