feat(api-key): add custom_grants support for multi-NRN grants #276

Merged
gdrojas merged 1 commit into main from feat/api-key-custom-grants
Mar 31, 2026

gdrojas (Collaborator) commented Mar 31, 2026

Summary

The api_key module previously only supported a single NRN for all grants, which didn't reflect how nullplatform actually works — a single API key can have permissions across multiple accounts or resources at different NRN levels.

This PR introduces custom_grants to support that pattern, while keeping the existing custom_role_slugs + nrn flow intact for the simple case.

  • Add custom_grants variable: explicit list of { nrn, role_slug } pairs
  • Make nrn optional when custom_grants is used (NRN is defined per grant)
  • Predefined types (agent, scope_notification, service_notification) still require nrn

Usage

Simple case (unchanged):

module "api_key" {
  source            = "nullplatform/api_key"
  type              = "custom"
  nrn               = "organization=123:account=456"
  custom_name       = "my-key"
  custom_role_slugs = ["developer"]
}

Multi-NRN grants:

module "api_key" {
  source      = "nullplatform/api_key"
  type        = "custom"
  custom_name = "my-key"
  custom_grants = [
    { nrn = "organization=123:account=111", role_slug = "developer" },
    { nrn = "organization=123:account=222", role_slug = "ops" },
  ]
}

Validations added

| Condition | Error |
| --- | --- |
| type = "custom" without custom_name | custom_name is required |
| type = "custom" without roles or grants | custom_role_slugs or custom_grants must have at least 1 entry |
| Predefined type without nrn | nrn is required for predefined types |
| custom_grants + nrn set together | when using custom_grants, do not set nrn |

Test plan

  • Existing custom with custom_role_slugs + nrn — no changes, plan shows no diff
  • custom_grants without nrn — API key created with grants per NRN
  • All 4 preconditions triggered and validated
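
The four validations listed in the comment above, sketched as Terraform preconditions. This is an added example, not the module's source: variable names and error messages are taken from the PR description, while the variable types, `local.grants` and the `terraform_data.api_key_inputs` resource are assumptions.

```hcl
# Added sketch, not the module's source. Variable names and error messages come from
# the PR description; local.grants and terraform_data.api_key_inputs are hypothetical.
variable "type" { type = string }
variable "nrn" {
  type    = string
  default = null
}
variable "custom_name" {
  type    = string
  default = null
}
variable "custom_role_slugs" {
  type    = list(string)
  default = []
}
variable "custom_grants" {
  type    = list(object({ nrn = string, role_slug = string }))
  default = []
}

locals {
  is_custom = var.type == "custom"
  # Both input styles reduce to one list of { nrn, role_slug } pairs.
  grants = concat(var.custom_grants, [for slug in var.custom_role_slugs : { nrn = var.nrn, role_slug = slug }])
}

resource "terraform_data" "api_key_inputs" {
  input = local.grants
  lifecycle {
    precondition {
      condition     = !local.is_custom || var.custom_name != null
      error_message = "custom_name is required"
    }
    precondition {
      condition     = !local.is_custom || length(local.grants) > 0
      error_message = "custom_role_slugs or custom_grants must have at least 1 entry"
    }
    precondition {
      condition     = local.is_custom || var.nrn != null
      error_message = "nrn is required for predefined types"
    }
    precondition {
      condition     = length(var.custom_grants) == 0 || var.nrn == null
      error_message = "when using custom_grants, do not set nrn"
    }
  }
}
```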

gdrojas force-pushed the feat/api-key-custom-grants branch 2 times, most recently from e9a119e to a80ef22, March 31, 2026 15:10
Add custom_grants variable for explicit NRN per grant entry.
Make nrn optional for custom type when using custom_grants.
Add preconditions: nrn required for predefined types,
nrn must not be set when custom_grants is used,
custom_role_slugs and custom_grants are mutually exclusive,
specification_slug required for scope/service notification types.
gdrojas force-pushed the feat/api-key-custom-grants branch from a80ef22 to 64ab255, March 31, 2026 15:21
sebastiancorrea81 (Collaborator) left a comment

lgtm

gdrojas merged commit ce70c59 into main, Mar 31, 2026
42 checks passed
gdrojas deleted the feat/api-key-custom-grants branch, March 31, 2026 15:47