/**
* Copyright 2018 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/******************************************
Locals configuration for module logic
*****************************************/
locals {
  # Level the policy is attached to. At most one of these is true, selected
  # by the value of var.policy_for.
  organization = var.policy_for == "organization"
  folder       = var.policy_for == "folder"
  project      = var.policy_for == "project"

  # Case 1: an allow list and a deny list were both supplied.
  invalid_config_case_1 = var.allow_list_length > 0 && var.deny_list_length > 0

  # Case 2: a list (allow or deny) was supplied together with an explicit
  # enforce value. var.enforce is tested here, not local.enforce, because
  # allow/deny lists cannot be combined with the enforce flag.
  invalid_config_case_2 = (var.allow_list_length + var.deny_list_length > 0) && var.enforce != null

  # && binds tighter than ||, so only case 1 is gated on the "list" policy
  # type; case 2 marks the configuration invalid for any policy type. The
  # parentheses make that existing grouping explicit.
  invalid_config = (var.policy_type == "list" && local.invalid_config_case_1) || local.invalid_config_case_2

  # Kind of constraint to manage. A list policy is only selected when the
  # allow/deny/enforce combination passed the checks above.
  boolean_policy = var.policy_type == "boolean"
  list_policy    = !local.invalid_config && var.policy_type == "list"

  # With no allow or deny entries, enforcement defaults to on: a null or true
  # var.enforce yields true and only an explicit false yields false. When
  # either list has entries, enforce is null.
  enforce = (var.allow_list_length > 0 || var.deny_list_length > 0) ? null : (var.enforce != false)
}
/******************************************
Checks a valid configuration for list constraint
*****************************************/
resource "null_resource" "config_check" {
  # Guard resource: it exists only to stop the run with a readable message.
  # One instance is created when local.invalid_config is true, which covers
  # a user setting two or more of the following for a "list" policy:
  #   - allow
  #   - deny
  #   - enforce ("true" or "false")
  # The provisioner echoes the explanation and then runs `false`, whose
  # non-zero exit status makes the provisioner, and so the run, fail.
  #
  # NOTE(review): provisioners run while the resource is being created, so
  # this fires at apply rather than plan. Confirm that every policy resource
  # in the module is gated on local.invalid_config (as local.list_policy is),
  # so that no policy is written before this check fails.
  count = local.invalid_config ? 1 : 0

  provisioner "local-exec" {
    command = "echo 'For list constraints only one of enforce, allow, and deny may be included.'; false"
  }
}