fix: add validation block to prevent multiple protocols in security group rule (#1096)

vburckhardt · web-flow · commit e6eb5edc9f80 · 2025-12-09T11:36:04.000Z
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-10-28T06:31:36Z",
+  "generated_at": "2025-12-08T13:33:25Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
diff --git a/README.md b/README.md
@@ -43,14 +43,14 @@ Expected network connectivity downtime of typically around 20 seconds.
     * [management-vpc](./modules/management-vpc)
     * [workload-vpc](./modules/workload-vpc)
 * [Examples](./examples)
-    * [Basic Example](./examples/basic)
-    * [Existing networking resources Example](./examples/existing_vpc)
-    * [Hub and Spoke VPC Example](./examples/hub-spoke-delegated-resolver)
-    * [Hub and Spoke VPC with manual DNS resolver Example](./examples/hub-spoke-manual-resolver)
-    * [Landing Zone example](./examples/landing_zone)
-    * [Specific Zone Only Example](./examples/specific-zone-only)
-    * [VPC with DNS example](./examples/vpc-with-dns)
-    * [VPC with Flow Logs stored in COS Example](./examples/vpc-flow-logs)
+    * <div style="display: inline-block;"><a href="./examples/basic">Basic Example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=lzv-basic-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/tree/main/examples/basic" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
+    * <div style="display: inline-block;"><a href="./examples/existing_vpc">Existing networking resources Example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=lzv-existing_vpc-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/tree/main/examples/existing_vpc" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
+    * <div style="display: inline-block;"><a href="./examples/hub-spoke-delegated-resolver">Hub and Spoke VPC Example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=lzv-hub-spoke-delegated-resolver-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/tree/main/examples/hub-spoke-delegated-resolver" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
+    * <div style="display: inline-block;"><a href="./examples/hub-spoke-manual-resolver">Hub and Spoke VPC with manual DNS resolver Example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=lzv-hub-spoke-manual-resolver-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/tree/main/examples/hub-spoke-manual-resolver" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
+    * <div style="display: inline-block;"><a href="./examples/landing_zone">Landing Zone example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=lzv-landing_zone-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/tree/main/examples/landing_zone" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
+    * <div style="display: inline-block;"><a href="./examples/specific-zone-only">Specific Zone Only Example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=lzv-specific-zone-only-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/tree/main/examples/specific-zone-only" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
+    * <div style="display: inline-block;"><a href="./examples/vpc-flow-logs">VPC with Flow Logs stored in COS Example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=lzv-vpc-flow-logs-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/tree/main/examples/vpc-flow-logs" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
+    * <div style="display: inline-block;"><a href="./examples/vpc-with-dns">VPC with DNS example</a></div> <div style="display: inline-block; vertical-align: middle;"><a href="https://cloud.ibm.com/schematics/workspaces/create?workspace_name=lzv-vpc-with-dns-example&repository=https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/tree/main/examples/vpc-with-dns" target="_blank"><img src="https://cloud.ibm.com/media/docs/images/icons/Deploy_to_cloud.svg" alt="Deploy to IBM Cloud button"></a></div>
 * [Contributing](#contributing)
 <!-- END OVERVIEW HOOK -->
 
diff --git a/common-dev-assets b/common-dev-assets
@@ -1 +1 @@
-Subproject commit c4328778ce1a62bc85f641d9249adaac0493cfc9
+Subproject commit 56a3cfddb4a1ef2599b100ae698ab2f6400e1bf8
diff --git a/variables.tf b/variables.tf
@@ -479,6 +479,21 @@ variable "security_group_rules" {
     condition     = !(var.clean_default_sg_acl && var.security_group_rules != null && length(var.security_group_rules) > 0)
     error_message = "var.clean_default_sg_acl is true and var.security_group_rules are not empty, which are in direct conflict. If you want to clean the default VPC Security Group, you must not pass security_group_rules."
   }
+
+  validation {
+    error_message = "Each security group rule must specify at most one protocol (tcp, udp, or icmp), or omit all protocol blocks to allow all protocols. Found a rule with multiple protocols defined. To allow multiple protocols, create separate rules - one for each protocol. For example, instead of one rule with both tcp and udp blocks, create two rules: one with tcp only and another with udp only."
+    condition = (var.security_group_rules == null || length(var.security_group_rules) == 0) ? true : length(distinct(
+      flatten([
+        for rule in var.security_group_rules :
+        # Count how many protocols are specified (non-null)
+        # Return false if more than one protocol is specified
+        false if length([
+          for protocol in [rule.tcp, rule.udp, rule.icmp] :
+          protocol if protocol != null
+        ]) > 1
+      ])
+    )) == 0
+  }
 }
 
 variable "clean_default_sg_acl" {

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"files": "go.sum\|^.secrets.baseline$",`
`4`	`4`	`"lines": null`
`5`	`5`	`},`
`6`		`- "generated_at": "2025-10-28T06:31:36Z",`
	`6`	`+ "generated_at": "2025-12-08T13:33:25Z",`
`7`	`7`	`"plugins_used": [`
`8`	`8`	`{`
`9`	`9`	`"name": "AWSKeyDetector"`