feat: validate CIDR format on allowed_cidrs in all tier modules#15

Open: dmchaledev wants to merge 1 commit into main from claude/blissful-pascal-P5Un2

Conversation

@dmchaledev

Contributor

Problem

allowed_cidrs is a security-critical input — it directly controls which source ranges reach ALBs and VMs on port 443. However, the variable had no format validation in any of the six core tier modules. A typo like 10.0.0.999/8 or not-a-cidr would only surface as an obscure AWS/Azure API error at terraform apply, not at terraform validate or terraform plan.

Fix

Add a validation block to allowed_cidrs in all six tier modules:

modules/single-vm/aws/variables.tf
modules/single-vm/azure/variables.tf
modules/ha-hot-hot/aws/variables.tf
modules/ha-hot-hot/azure/variables.tf
modules/unlimited-scale/aws/variables.tf
modules/unlimited-scale/azure/variables.tf

The check uses the idiomatic Terraform pattern:

validation {
  condition     = alltrue([for cidr in var.allowed_cidrs : can(cidrhost(cidr, 0))])
  error_message = "Every entry in allowed_cidrs must be a valid CIDR notation (e.g. 10.0.0.0/8)."
}

can(cidrhost(cidr, 0)) handles both IPv4 and IPv6, rejects malformed input immediately, and is zero-dependency (pure HCL).

Impact

  • Non-breaking: any value accepted before is still accepted; only genuinely invalid CIDRs are now rejected early.
  • Affects all 12 product wrappers through the shared tier modules (no wrapper changes needed).
  • No resource modifications: validation-only change, safe to apply against existing deployments.

Test plan

  • terraform validate passes in each of the six changed modules
  • tflint passes with no new findings
  • CI checkov / trivy green (no new policy findings)
  • Confirm a bad CIDR ("not-a-cidr") is rejected at plan time with the new error message

https://claude.ai/code/session_01RMbrNRRsPYTr3SbUBbvJrM


Generated by Claude Code

Add a validation block to the allowed_cidrs variable in all six core
tier modules (single-vm, ha-hot-hot, unlimited-scale × AWS + Azure).
The check uses can(cidrhost(cidr, 0)) which is the idiomatic Terraform
approach and catches malformed CIDRs at plan time rather than at apply.

No breaking change — any value that was valid before is still valid; the
validation only rejects input that would have failed downstream anyway.

https://claude.ai/code/session_01RMbrNRRsPYTr3SbUBbvJrM
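A `terraform test` harness for the check described above, added here as an example and not part of the PR or the project's own code; it assumes a minimal stand-in root module that declares only the `allowed_cidrs` variable (the real tier modules have further inputs) and Terraform 1.6+ for the test framework.

```hcl
# variables.tf -- stand-in root module (assumption: only this one variable)
variable "allowed_cidrs" {
  description = "Source CIDR ranges permitted to reach the ALB/VM on port 443"
  type        = list(string)

  validation {
    condition     = alltrue([for cidr in var.allowed_cidrs : can(cidrhost(cidr, 0))])
    error_message = "Every entry in allowed_cidrs must be a valid CIDR notation (e.g. 10.0.0.0/8)."
  }
}

# tests/allowed_cidrs.tftest.hcl -- run with `terraform test` from the module root
run "accepts_valid_ipv4_and_ipv6" {
  command = plan
  variables {
    allowed_cidrs = ["10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32"]
  }
}

run "rejects_typo_cidr" {
  command = plan
  variables {
    allowed_cidrs = ["10.0.0.999/8"]
  }
  # plan must fail, and the failure must come from this variable's validation
  expect_failures = [var.allowed_cidrs]
}

run "rejects_non_cidr_string" {
  command = plan
  variables {
    # one good entry does not rescue a bad one: alltrue requires every entry to pass
    allowed_cidrs = ["10.0.0.0/8", "not-a-cidr"]
  }
  expect_failures = [var.allowed_cidrs]
}
```

Note that alltrue([]) evaluates to true, so an empty allowed_cidrs list passes this validation; whether that is acceptable is a separate policy decision from the format check.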