Add validation to ensure xaccount role trust has AWS backup service

Signed-off-by: Jim Enright <jenright@cloudera.com>
cloudera-labs · Jan 24, 2025 · 2debb76 · 2debb76
1 parent 4f8e156
commit 2debb76
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/modules/terraform-aws-cml-permissions/README.md b/modules/terraform-aws-cml-permissions/README.md
@@ -16,14 +16,16 @@ An example `terraform.tfvars.sample` values file is included to show input varia
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_assert"></a> [assert](#requirement\_assert) | >= 0.15.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~>5.30 |
+| <a name="requirement_http"></a> [http](#requirement\_http) | >= 3.2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | ~>5.30 |
-| <a name="provider_http"></a> [http](#provider\_http) | n/a |
+| <a name="provider_http"></a> [http](#provider\_http) | >= 3.2.1 |
 
 ## Modules
 

diff --git a/modules/terraform-aws-cml-permissions/data.tf b/modules/terraform-aws-cml-permissions/data.tf
@@ -15,6 +15,13 @@
 data "aws_iam_role" "xaccount_role" {
 
   name = var.xaccount_role_name
+
+  lifecycle {
+    postcondition {
+      condition     = provider::assert::regex(".*backup.amazonaws.com.*", self.assume_role_policy)
+      error_message = "${var.xaccount_role_name} role must have AWS backup.amazonaws.com "
+    }
+  }
 }
 
 # HTTP get request to download policy documents

diff --git a/modules/terraform-aws-cml-permissions/provider.tf b/modules/terraform-aws-cml-permissions/provider.tf
@@ -22,6 +22,10 @@ terraform {
       source  = "hashicorp/http"
       version = ">= 3.2.1"
     }
+    assert = {
+      source  = "hashicorp/assert"
+      version = ">= 0.15.0"
+    }
   }
 
   required_version = ">= 1.3.0"