fix: Correct privilege validation for db_users

jamesiarmes · jamesiarmes · commit d48ebd4d8845 · 2026-03-12T15:11:45.000-04:00
diff --git a/README.md b/README.md
@@ -250,10 +250,10 @@ database(s). The user will be assigned a randomly generated password, and their
 credentials will be stored in AWS Secrets Manager. The ARN of the secret for
 each user is available in the `db_user_secret_arns` output.
 
-| Name       | Description                                                                                                   | Type           | Default      | Required |
-| ---------- | ------------------------------------------------------------------------------------------------------------- | -------------- | ------------ | -------- |
-| databases  | List of databases to grant the user access to. If left empty, the user will not have access to any databases. | `list(string)` | `[]`         | no       |
-| privileges | Privileges to grant on the databases for the user. The only valid value is `"readonly"`.                      | `string`       | `"readonly"` | no       |
+| Name       | Description                                                                              | Type           | Default      | Required |
+| ---------- | ---------------------------------------------------------------------------------------- | -------------- | ------------ | -------- |
+| databases  | List of databases to grant the user access to.                                           | `list(string)` | n/a          | yes      |
+| privileges | Privileges to grant on the databases for the user. The only valid value is `"readonly"`. | `string`       | `"readonly"` | no       |
 
 ### iam_db_users
 
diff --git a/variables.tf b/variables.tf
@@ -144,9 +144,9 @@ variable "db_users" {
   validation {
     condition = alltrue([
       for _, user in var.db_users :
-      contains(["all", "readonly"], user.privileges)
+      user.privileges == "readonly"
     ])
-    error_message = "Database user privileges must be \"all\" or \"readonly\"."
+    error_message = "Database user privileges must be \"readonly\"; only read-only access is supported for db_users."
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -144,9 +144,9 @@ variable "db_users" {`
`144`	`144`	`validation {`
`145`	`145`	`condition = alltrue([`
`146`	`146`	`for _, user in var.db_users :`
`147`		`- contains(["all", "readonly"], user.privileges)`
	`147`	`+ user.privileges == "readonly"`
`148`	`148`	`])`
`149`		`- error_message = "Database user privileges must be \"all\" or \"readonly\"."`
	`149`	`+ error_message = "Database user privileges must be \"readonly\"; only read-only access is supported for db_users."`
`150`	`150`	`}`
`151`	`151`	`}`
`152`	`152`