fix: added cbr_rule validation to only allow one item (#257)

aamadeuss · web-flow · commit 3232aeb5d60a · 2025-10-23T08:34:05.000+01:00
diff --git a/README.md b/README.md
@@ -158,7 +158,7 @@ No resources.
 | <a name="input_apps"></a> [apps](#input\_apps) | A map of code engine apps to be created. | <pre>map(object({<br/>    image_reference = string<br/>    image_secret    = optional(string)<br/>    run_env_variables = optional(list(object({<br/>      type      = optional(string)<br/>      name      = optional(string)<br/>      value     = optional(string)<br/>      prefix    = optional(string)<br/>      key       = optional(string)<br/>      reference = optional(string)<br/>    })))<br/>    run_volume_mounts = optional(list(object({<br/>      mount_path = string<br/>      reference  = string<br/>      name       = optional(string)<br/>      type       = string<br/>    })))<br/>    image_port                    = optional(number)<br/>    managed_domain_mappings       = optional(string)<br/>    run_arguments                 = optional(list(string))<br/>    run_as_user                   = optional(number)<br/>    run_commands                  = optional(list(string))<br/>    run_service_account           = optional(string)<br/>    scale_concurrency             = optional(number)<br/>    scale_concurrency_target      = optional(number)<br/>    scale_cpu_limit               = optional(string)<br/>    scale_ephemeral_storage_limit = optional(string)<br/>    scale_initial_instances       = optional(number)<br/>    scale_max_instances           = optional(number)<br/>    scale_memory_limit            = optional(string)<br/>    scale_min_instances           = optional(number)<br/>    scale_request_timeout         = optional(number)<br/>    scale_down_delay              = optional(number)<br/>  }))</pre> | `{}` | no |
 | <a name="input_bindings"></a> [bindings](#input\_bindings) | A map of code engine bindings to be created. | <pre>map(object({<br/>    secret_name = string<br/>    components = list(object({<br/>      name          = string<br/>      resource_type = string<br/>    }))<br/>  }))</pre> | `{}` | no |
 | <a name="input_builds"></a> [builds](#input\_builds) | A map of code engine builds to be created. Requires 'ibmcloud\_api\_key' to be set for authentication and execution. | <pre>map(object({<br/>    output_image       = string<br/>    output_secret      = string # pragma: allowlist secret<br/>    source_url         = string<br/>    strategy_type      = string<br/>    source_context_dir = optional(string)<br/>    source_revision    = optional(string)<br/>    source_secret      = optional(string)<br/>    source_type        = optional(string)<br/>    strategy_size      = optional(string)<br/>    strategy_spec_file = optional(string)<br/>    timeout            = optional(number)<br/>  }))</pre> | `{}` | no |
-| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restrictions rules to create. | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The context-based restrictions rule to create. Only one rule is allowed. | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_config_maps"></a> [config\_maps](#input\_config\_maps) | A map of code engine config maps to be created. | <pre>map(object({<br/>    data = map(string)<br/>  }))</pre> | `{}` | no |
 | <a name="input_domain_mappings"></a> [domain\_mappings](#input\_domain\_mappings) | A map of code engine domain mappings to be created. | <pre>map(object({<br/>    tls_secret = string # pragma: allowlist secret<br/>    components = list(object({<br/>      name          = string<br/>      resource_type = string<br/>    }))<br/>  }))</pre> | `{}` | no |
 | <a name="input_existing_project_id"></a> [existing\_project\_id](#input\_existing\_project\_id) | The ID of the existing project to which code engine resources will be added. It is required if var.project\_name is null. | `string` | `null` | no |
diff --git a/modules/build/scripts/build-run.sh b/modules/build/scripts/build-run.sh
@@ -45,7 +45,7 @@ fi
 # ibm cloud login
 ibmcloud_login
 
-# selecet the right code engine project
+# select the right code engine project
 ibmcloud ce project select -n "${CE_PROJECT_NAME}"
 
 # check the image build status
diff --git a/variables.tf b/variables.tf
@@ -200,6 +200,10 @@ variable "cbr_rules" {
       }))
     })))
   }))
-  description = "The list of context-based restrictions rules to create."
+  description = "The context-based restrictions rule to create. Only one rule is allowed."
   default     = []
+  validation {
+    condition     = length(var.cbr_rules) <= 1
+    error_message = "Only one CBR rule is allowed."
+  }
 }
