From 50bc6457151576ec694d99ec0a5e2b80d00ed713 Mon Sep 17 00:00:00 2001
From: Adrian Eib
Date: Mon, 31 Jul 2023 17:14:04 +0200
Subject: [PATCH] Add variable validation rule to make sure there isn't subnet with a route for 0.0.0.0/0 CIDR and connect_to_public_natgw set to true

---
 variables.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/variables.tf b/variables.tf
index 263bd99..6b106f0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -257,6 +257,24 @@ EOF
 error_message = "Any subnet type `name_prefix` must not contain \"/\"."
 condition = alltrue([for _, v in var.subnets : !can(regex("/", try(v.name_prefix, "")))])
 }
+
+ # We check here if there exists at least one subnet that meets the following criteria:
# a. The subnet has a route with the destination CIDR block of "0.0.0.0/0".
# b. The subnet has the 'connect_to_public_natgw' attribute set to true.
validation {
error_message = "Route with CIDR '0.0.0.0/0' is mutually exclusive with 'connect_to_public_natgw'."
condition = !anytrue(
[
for name, subnet in var.subnets :
anytrue(
[
for route in lookup(subnet, "routes", []) :
lookup(route, "destination_cidr_block", "") == "0.0.0.0/0"
]
) && lookup(subnet, "connect_to_public_natgw", false)
]
)
+ }
 }

 variable "tags" {
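Review bot: The comment block added above the new `validation {` explains what the expression computes but not why the two settings are rejected together, which is the security-relevant fact a maintainer needs before relaxing this rule; something like `# A subnet that connects to the public NAT gateway is expected to get its default route from the module; a user-supplied 0.0.0.0/0 route would conflict with or silently bypass that path, so the two are rejected together.` — the "module supplies the route" part is inferred from the error message, so confirm it against the route-table code before wording it that way. The loop variable in `for name, subnet in var.subnets :` is unused; `for _, subnet in var.subnets :` matches the sibling rule's `for _, v in var.subnets` in the context lines above. The check compares `destination_cidr_block` against the literal `"0.0.0.0/0"` only, so if the route object can also carry an IPv6 destination (not visible in this hunk), a `::/0` default route would slip past the rule unnoticed. The `variable "subnets"` block this validation belongs to starts outside the hunk.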