Terraform allows you to validate variable input in using validation blocks using custom condition and yielding a custom error_message. Below are some examples:
Note: Please share your common validation rules you've written and I'll update here
Update: Please check out this awesome project by @bschaatsbergen that provides built in functions for assertions: https://github.com/bschaatsbergen/terraform-provider-assert
Strings
String may not contain character
Scenario: String may not contain a /.
variable "string_may_not_contain" {
type = string
default = "test"
validation {
error_message = "Value cannot contain a \"/\"."
condition = !can(regex("/", var.string_may_not_contain))
}
}
String with valid options
Scenario: Here we have a string and we only allow to values "approved" or "disapproved". I show 2 examples of the same check using different methods:
variable "string_only_valid_options" {
type = string
default = "approved"
# using regex
validation {
condition = can(regex("^(approved|disapproved)$", var.string_only_valid_options))
error_message = "Invalid input, options: \"approved\", \"disapproved\"."
}
# using contains()
validation {
condition = contains(["approved", "disapproved"], var.string_only_valid_options)
error_message = "Invalid input, options: \"approved\", \"disapproved\"."
}
}
Valid AWS Region Name
Scenario: string must be like AWS region
variable "string_like_aws_region" {
type = string
default = "us-east-1"
validation {
condition = can(regex("[a-z][a-z]-[a-z]+-[1-9]", var.string_like_aws_region))
error_message = "Must be valid AWS Region names."
}
Valid IAM Role Name
Scenario: Your string must be a valid IAM role name
variable "string_valid_iam_role_name" {
type = string
default = "MyCoolRole"
# arn example: "arn:aws:iam::123456789012:role/MyCoolRole"
validation {
condition = can(regex("^[a-zA-Z][a-zA-Z\\-\\_0-9]{1,64}$", var.string_valid_iam_role_name))
error_message = "IAM role name must start with letter, only contain letters, numbers, dashes, or underscores and must be between 1 and 64 characters."
}
}
Valid IPv4 CIDR
Scenario: Your string input needs to look like a IPv4 CIDR. Thank you @entscheidungsproblem for reporting and providing a fix for /32.
variable "string_like_valid_ipv4_cidr" {
type = string
default = "10.0.0.0/16"
validation {
condition = can(cidrhost(var.string_like_valid_ipv4_cidr, 0))
error_message = "Must be valid IPv4 CIDR."
}
}
Semantic Version
variable "semv1" {
default = "10.57.123"
validation {
error_message = "Must be valid semantic version."
condition = can(regex("^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", var.semv1))
}
}
Maps
Map with optional conflicting keys
Scenario: You have a map variable and 2 keys conflict, in this case, you can only set either cidr or netmask.
variable "only_one_optional_key" {
type = object({
name = optional(string)
cidrs = optional(list(string))
netmask = optional(number)
})
default = {
cidr = "10.0.0.0/16"
name = "test"
}
validation {
error_message = "Can only specify either \"cidrs\", or \"netmask\"."
condition = length(setintersection(keys(var.only_one_optional_key), ["cidrs", "netmask"])) == 1
}
}
Numbers
Number within a range
Scenario: number must be between 1-16.
Thanks: @tlindsay42
variable "num_in_range" {
type = number
default = 1
validation {
condition = var.num_in_range >= 1 && var.num_in_range <= 16 && floor(var.num_in_range) == var.num_in_range
error_message = "Accepted values: 1-16."
}
}
If you liked this post, please like. If you think it would be helpful in the future as a reference, please bookmark!
Top comments (4)
This is a great article, thanks!
I've found that the IPV4 method fails for /32 ips:
But by replacing 32 with 0 as the second argument, it works:
This also works for IPv6:
oh man that is a great find! thank you for reporting. cited you as well! :cheers:
Valid IAM ARN example throws "illegal escape sequence".
fixed! thank you