add validation for postgres, db name requirements and catch reserved 'admin' user

2025-07-15 16:13:14 +02:00 · 2025-07-15 16:13:14 +02:00 · 370b15a328
commit 370b15a328
parent 7345619f23
5 changed files with 115 additions and 71 deletions
--- a/postgres/providers.tf
+++ b/postgres/providers.tf
@ -3,7 +3,7 @@ terraform {
  required_providers {
    stackit = {
      source  = "stackitcloud/stackit"
-      version = "0.56.0"
+      version = "0.54.0"
    }
  }
 }
--- a/postgres/variables.tf
+++ b/postgres/variables.tf
@ -4,6 +4,21 @@ variable "project_id" {

 variable "name" {
  type = string
+
+  validation {
+    condition     = length(regexall("^[a-z]([-a-z0-9]*[a-z0-9])?$", var.name)) > 0
+    error_message = <<EOT
+      The name must be a valid DNS-1035 label:
+      - only lower-case letters, digits or '-'
+      - must start with a letter
+      - must end with a letter or digit
+      EOT
+  }
+}
+
+variable "instance_id" {
+  type    = string
+  default = ""
 }

 variable "ver" {
@ -38,19 +53,34 @@ variable "backup_schedule" {
 }

 variable "users" {
-  description = "List of users"
  type = list(object({
    username = string
    roles    = set(string)
  }))
  default = []
+  validation {
+    condition     = alltrue([
+      for user in var.users : user.username != "admin"
+    ])
+    error_message = "The username 'admin' is reserved and cannot be used."
+  }
 }

 variable "databases" {
-  description = "List of databases"
  type = list(object({
    name  = string
    owner = string
  }))
  default = []
+    validation {
+    condition = alltrue([
+      for db in var.databases : length(regexall("^[a-z]([-a-z0-9]*[a-z0-9])?$", db.name)) > 0
+    ])
+    error_message = <<EOT
+      The name must be a valid DNS-1035 label:
+      - only lower-case letters, digits or '-'
+      - must start with a letter
+      - must end with a letter or digit
+      EOT
+  }
 }