From 763137a503b5f2044c54e4836b1da955bb06fce8 Mon Sep 17 00:00:00 2001
From: Ayushmaan Singh <ayushmaan017+github@gmail.com>
Date: Tue, 28 Oct 2025 14:32:10 +0530
Subject: [PATCH] fix: added validation to allow 1 item in cbr_rules

---
 README.md    | 2 +-
 variables.tf | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 62cad7a2..acd516da 100644
--- a/README.md
+++ b/README.md
@@ -98,7 +98,7 @@ To create service credentials, access the Event Notifications service, and acces
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the Event Notifications instance created by the module. [Learn more](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial). | `list(string)` | `[]` | no |
-| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The list of context-based restrictions rules to create. | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
+| <a name="input_cbr_rules"></a> [cbr\_rules](#input\_cbr\_rules) | The context-based restrictions rule to create. Only one rule is allowed. | <pre>list(object({<br/>    description = string<br/>    account_id  = string<br/>    rule_contexts = list(object({<br/>      attributes = optional(list(object({<br/>        name  = string<br/>        value = string<br/>    }))) }))<br/>    enforcement_mode = string<br/>    operations = optional(list(object({<br/>      api_types = list(object({<br/>        api_type_id = string<br/>      }))<br/>    })))<br/>  }))</pre> | `[]` | no |
 | <a name="input_cos_bucket_name"></a> [cos\_bucket\_name](#input\_cos\_bucket\_name) | The name of an existing IBM Cloud Object Storage bucket to use for storing failed delivery events. Required if `cos_integration_enabled` is set to `true`. | `string` | `null` | no |
 | <a name="input_cos_endpoint"></a> [cos\_endpoint](#input\_cos\_endpoint) | The endpoint URL for your bucket region. Required if `cos_integration_enabled` is set to `true`. [Learn more](https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-endpoints). | `string` | `null` | no |
 | <a name="input_cos_instance_id"></a> [cos\_instance\_id](#input\_cos\_instance\_id) | The ID of an existing IBM Cloud Object Storage instance that contains the bucket to use for storing failed delivery events. Required if `cos_integration_enabled` is set to `true`. | `string` | `null` | no |
diff --git a/variables.tf b/variables.tf
index 24409190..35dd3914 100644
--- a/variables.tf
+++ b/variables.tf
@@ -101,8 +101,12 @@ variable "cbr_rules" {
       }))
     })))
   }))
-  description = "The list of context-based restrictions rules to create."
+  description = "The context-based restrictions rule to create. Only one rule is allowed."
   default     = []
+  validation {
+    condition     = length(var.cbr_rules) <= 1
+    error_message = "Only one CBR rule is allowed."
+  }
 }
 
 variable "skip_en_kms_auth_policy" {