diff --git a/modules/ha-hot-hot/aws/variables.tf b/modules/ha-hot-hot/aws/variables.tf
index 3ebdeda..746256c 100644
--- a/modules/ha-hot-hot/aws/variables.tf
+++ b/modules/ha-hot-hot/aws/variables.tf
@@ -35,6 +35,10 @@ variable "private_subnet_ids" {
 variable "allowed_cidrs" {
 description = "CIDR blocks permitted to reach the ALB on port 443."
 type = list(string)
+ validation {
+ condition = alltrue([for c in var.allowed_cidrs : can(cidrhost(c, 0))])
+ error_message = "Each entry in allowed_cidrs must be a valid CIDR block (e.g. 10.0.0.0/8)."
+ }
 }
 
 variable "acm_certificate_arn" {
diff --git a/modules/ha-hot-hot/azure/variables.tf b/modules/ha-hot-hot/azure/variables.tf
index 0f85355..159aa48 100644
--- a/modules/ha-hot-hot/azure/variables.tf
+++ b/modules/ha-hot-hot/azure/variables.tf
@@ -37,7 +37,12 @@ variable "lb_subnet_id" {
 }
 
 variable "allowed_cidrs" {
- type = list(string)
+ description = "CIDR blocks permitted to reach the load balancer on port 443."
+ type = list(string)
+ validation {
+ condition = alltrue([for c in var.allowed_cidrs : can(cidrhost(c, 0))])
+ error_message = "Each entry in allowed_cidrs must be a valid CIDR block (e.g. 10.0.0.0/8)."
+ }
 }
 
 variable "admin_username" {
diff --git a/modules/single-vm/aws/variables.tf b/modules/single-vm/aws/variables.tf
index 3360b4d..df13f43 100644
--- a/modules/single-vm/aws/variables.tf
+++ b/modules/single-vm/aws/variables.tf
@@ -22,6 +22,10 @@ variable "subnet_id" {
 variable "allowed_cidrs" {
 description = "CIDR blocks permitted to reach the VM on port 443. Use private CIDRs unless you also set allow_internet_ingress = true."
 type = list(string)
+ validation {
+ condition = alltrue([for c in var.allowed_cidrs : can(cidrhost(c, 0))])
+ error_message = "Each entry in allowed_cidrs must be a valid CIDR block (e.g. 10.0.0.0/8)."
+ }
 }
 
 # ----- Optional -----
diff --git a/modules/single-vm/azure/variables.tf b/modules/single-vm/azure/variables.tf
index bdf914c..ee1beb8 100644
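Review bot: The added `validation` block in the ha-hot-hot/aws hunk only checks that each entry parses as a prefix, so `0.0.0.0/0` and `::/0` satisfy `can(cidrhost(c, 0))` and the port-443 ingress can still be opened to the whole internet through `allowed_cidrs`; the identical condition is added in the ha-hot-hot/azure, single-vm/aws, single-vm/azure, unlimited-scale/aws and unlimited-scale/azure hunks. For the modules whose variable is meant to carry private ranges, a second validation such as `condition = !contains(var.allowed_cidrs, "0.0.0.0/0") && !contains(var.allowed_cidrs, "::/0")` with `error_message = "allowed_cidrs must not contain a catch-all range."` would fail the plan instead of relying on reviewers to spot the wildcard. single-vm/aws already documents an `allow_internet_ingress = true` opt-in, so there the catch-all rejection should be gated on that flag, which needs either Terraform 1.9+ (cross-variable references inside `validation`) or a `precondition` on the ingress rule resource, which is outside this diff. `cidrhost` also accepts IPv6 prefixes and prefixes with host bits set (Terraform's own example normalizes `10.12.127.0/20`), so such entries pass this check but may be rejected by the provider at apply time if the rule consumes IPv4-only `cidr_blocks`; the description or error message should say which forms are accepted. Note also that `alltrue([])` is true, so an empty list passes, which closes ingress entirely and is the safe direction, but an explicit `length(var.allowed_cidrs) > 0` check is worth adding if the module expects at least one source.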
--- a/modules/single-vm/azure/variables.tf
+++ b/modules/single-vm/azure/variables.tf
@@ -27,6 +27,10 @@ variable "subnet_id" {
 variable "allowed_cidrs" {
 description = "CIDR blocks permitted to reach the VM on port 443."
 type = list(string)
+ validation {
+ condition = alltrue([for c in var.allowed_cidrs : can(cidrhost(c, 0))])
+ error_message = "Each entry in allowed_cidrs must be a valid CIDR block (e.g. 10.0.0.0/8)."
+ }
 }
 
 variable "admin_username" {
diff --git a/modules/unlimited-scale/aws/variables.tf b/modules/unlimited-scale/aws/variables.tf
index f31f0a5..74232a9 100644
--- a/modules/unlimited-scale/aws/variables.tf
+++ b/modules/unlimited-scale/aws/variables.tf
@@ -29,7 +29,12 @@ variable "private_subnet_ids" {
 }
 
 variable "allowed_cidrs" {
- type = list(string)
+ description = "CIDR blocks permitted to reach the ALB on port 443."
+ type = list(string)
+ validation {
+ condition = alltrue([for c in var.allowed_cidrs : can(cidrhost(c, 0))])
+ error_message = "Each entry in allowed_cidrs must be a valid CIDR block (e.g. 10.0.0.0/8)."
+ }
 }
 
 variable "acm_certificate_arn" {
diff --git a/modules/unlimited-scale/azure/variables.tf b/modules/unlimited-scale/azure/variables.tf
index 613792c..06f0b7f 100644
--- a/modules/unlimited-scale/azure/variables.tf
+++ b/modules/unlimited-scale/azure/variables.tf
@@ -13,7 +13,14 @@ variable "location" { type = string }
 variable "vm_subnet_id" { type = string }
 variable "db_delegated_subnet_id" { type = string }
 variable "private_dns_zone_id" { type = string }
-variable "allowed_cidrs" { type = list(string) }
+variable "allowed_cidrs" {
+ description = "CIDR blocks permitted to reach the load balancer on port 443."
+ type = list(string)
+ validation {
+ condition = alltrue([for c in var.allowed_cidrs : can(cidrhost(c, 0))])
+ error_message = "Each entry in allowed_cidrs must be a valid CIDR block (e.g. 10.0.0.0/8)."
+ }
+}
 variable "admin_username" { type = string }
 variable "ssh_public_key" { type = string }