🛡️ Enhancement: Add validation rules to variables #31

@oldmanbendobot

Summary

Add validation rules to module variables to catch common user mistakes before Terraform apply, providing better error messages and fail-fast behavior.

Variables That Need Validation

1. memory_size (numeric range)

  • Current: Any number accepted
  • Should be: 128-10240 MB, in 1 MB increments
  • Validation:
validation {
  condition     = var.memory_size >= 128 && var.memory_size <= 10240
  error_message = "memory_size must be between 128 and 10240 MB."
}

2. timeout (numeric range)

  • Current: Any number accepted
  • Should be: 1-900 seconds (15 minutes max)
  • Validation:
validation {
  condition     = var.timeout >= 1 && var.timeout <= 900
  error_message = "timeout must be between 1 and 900 seconds."
}

3. runtime (enum-like)

  • Current: Any string accepted
  • Should be: Valid AWS Lambda runtime identifier
  • Validation:
validation {
  condition = can(regex("^(python3\\.(8|9|10|11|12)|nodejs(18|20|22)\\.x|java(8|11|17|21)|dotnet(6|8)|go1\\.x|ruby3\\.2|provided\\.al2(023)?)$", var.runtime))
  error_message = "runtime must be a valid AWS Lambda runtime identifier (e.g., python3.12, nodejs20.x, java21)."
}

4. architectures (enum-like)

  • Current: Any list of strings
  • Should be: Only "x86_64" or "arm64"
  • Validation:
validation {
  condition = alltrue([
    for arch in var.architectures : contains(["x86_64", "arm64"], arch)
  ])
  error_message = "architectures must only contain 'x86_64' or 'arm64'."
}

5. layers (ARN pattern)

  • Current: Any list of strings
  • Should be: Valid Lambda layer ARNs
  • Validation:
validation {
  condition = alltrue([
    for layer in var.layers : can(regex("^arn:aws:lambda:[a-z0-9-]+:[0-9]{12}:layer:[a-zA-Z0-9-_]+:[0-9]+$", layer))
  ])
  error_message = "layers must be valid Lambda layer ARNs (e.g., arn:aws:lambda:us-east-1:123456789012:layer:my-layer:1)."
}

6. tracing_mode (enum)

  • Current: Any string
  • Should be: "PassThrough" or "Active"
  • Validation:
validation {
  condition     = contains(["PassThrough", "Active"], var.tracing_mode)
  error_message = "tracing_mode must be either 'PassThrough' or 'Active'."
}

7. cloudwatch_retention_in_days (enum)

  • Current: Any number
  • Should be: Valid CloudWatch Logs retention values
  • Validation:
validation {
  condition = contains([
    0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653
  ], var.cloudwatch_retention_in_days)
  error_message = "cloudwatch_retention_in_days must be a valid CloudWatch Logs retention value (0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, or 3653)."
}

8. env_kms_key_arn and cloudwatch_kms_key_arn (ARN pattern)

  • Current: Any string or null
  • Should be: Valid KMS key ARN when provided
  • Validation:
validation {
  condition     = var.env_kms_key_arn == null || can(regex("^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$", var.env_kms_key_arn))
  error_message = "env_kms_key_arn must be a valid KMS key ARN or null."
}

Benefits

  • ✅ Better error messages - Users see clear, actionable errors instead of cryptic AWS API failures
  • ✅ Fail-fast - Validation happens during terraform plan, not apply
  • ✅ Documentation - Validation messages serve as inline documentation
  • ✅ Prevent mistakes - Catch typos, wrong regions, invalid formats before deployment
  • ✅ Improved DX - Faster feedback loop for module users

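Added example, not part of the original issue or the module's code: Terraform's regex() uses RE2 syntax, which Go's regexp package implements, so this Go harness runs three of the proposed patterns against constructed inputs to show what each rule accepts and what it turns away. The sample ARNs, account ID, key IDs and the Passes/Rejected helper names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns copied from the validation blocks above; HCL's "\\." becomes `\.` in a Go raw string.
var rules = map[string]*regexp.Regexp{
	"layers":  regexp.MustCompile(`^arn:aws:lambda:[a-z0-9-]+:[0-9]{12}:layer:[a-zA-Z0-9-_]+:[0-9]+$`),
	"kms":     regexp.MustCompile(`^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$`),
	"runtime": regexp.MustCompile(`^(python3\.(8|9|10|11|12)|nodejs(18|20|22)\.x|java(8|11|17|21)|dotnet(6|8)|go1\.x|ruby3\.2|provided\.al2(023)?)$`),
}

// Constructed samples: the account ID and key IDs are placeholders, not real resources.
var samples = []struct{ rule, value, note string }{
	{"layers", "arn:aws:lambda:us-east-1:123456789012:layer:my-layer:1", "example from the error message"},
	{"layers", "arn:aws:lambda:us-east-1:123456789012:layer:my_layer-v2:17", "underscore and hyphen in name"},
	{"layers", "arn:aws:lambda:us-east-1:123456789012:layer:my-layer", "version suffix missing"},
	{"layers", "arn:aws-us-gov:lambda:us-gov-west-1:123456789012:layer:my-layer:1", "aws-us-gov partition"},
	{"kms", "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "single-Region key ID"},
	{"kms", "arn:aws:kms:us-east-1:123456789012:key/mrk-1234abcd12ab34cd56ef1234567890ab", "multi-Region key ID (mrk- prefix)"},
	{"runtime", "python3.12", "listed runtime"},
	{"runtime", "python3.13", "identifier newer than the list"},
	{"runtime", "python3.12\n", "trailing newline"},
}

// Passes reports whether value satisfies the rule's can(regex(...)) condition.
func Passes(rule, value string) bool {
	re, ok := rules[rule]
	return ok && re.MatchString(value)
}

// Rejected returns the notes of every sample the named rule turns away.
func Rejected(rule string) []string {
	var out []string
	for _, s := range samples {
		if s.rule == rule && !Passes(s.rule, s.value) {
			out = append(out, s.note)
		}
	}
	return out
}

func main() {
	for _, s := range samples {
		fmt.Printf("%-8s pass=%-5t %-34s %q\n", s.rule, Passes(s.rule, s.value), s.note, s.value)
	}
}
```

Each rejected sample fails the plan once the rule is merged, so inputs that are legitimate in a given deployment (another partition, a multi-Region key, a newer runtime) are worth deciding on deliberately.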