Add variable validation rule to make sure there isn't subnet with a r…

…oute for 0.0.0.0/0 CIDR and connect_to_public_natgw set to true
aws-ia · Jul 31, 2023 · aa33a01 · aa33a01
1 parent a3818e8
commit aa33a01
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/variables.tf b/variables.tf
@@ -257,6 +257,24 @@ EOF
     error_message = "Any subnet type `name_prefix` must not contain \"/\"."
     condition     = alltrue([for _, v in var.subnets : !can(regex("/", try(v.name_prefix, "")))])
   }
+
+  # We check here if there exists at least one subnet that meets the following criteria:
+  # a. The subnet has a route with the destination CIDR block of "0.0.0.0/0".
+  # b. The subnet has the 'connect_to_public_natgw' attribute set to true.
+  validation {
+    error_message = "Route with CIDR '0.0.0.0/0' is mutually exclusive with 'connect_to_public_natgw'."
+    condition     = !anytrue(
+      [
+        for name, subnet in var.subnets:
+          anytrue(
+            [
+              for route in lookup(subnet, "routes", []):
+              lookup(route, "destination_cidr_block", "") == "0.0.0.0/0"
+            ]
+          ) && lookup(subnet, "connect_to_public_natgw", false)
+      ]
+    )
+  }
 }
 
 variable "tags" {