From f5813571aae45173f246ab96f8c81a5a2bd1ce2a Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 7 Jun 2026 14:46:50 +0000
Subject: [PATCH] feat: validate CIDR format on allowed_cidrs across all tier modules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a validation block to the allowed_cidrs variable in all six core tier modules (single-vm, ha-hot-hot, unlimited-scale × AWS + Azure). The check uses can(cidrhost(cidr, 0)) which is the idiomatic Terraform approach and catches malformed CIDRs at plan time rather than at apply.

No breaking change — any value that was valid before is still valid; the validation only rejects input that would have failed downstream anyway.

https://claude.ai/code/session_01RMbrNRRsPYTr3SbUBbvJrM
---
 modules/ha-hot-hot/aws/variables.tf | 4 ++++
 modules/ha-hot-hot/azure/variables.tf | 4 ++++
 modules/single-vm/aws/variables.tf | 4 ++++
 modules/single-vm/azure/variables.tf | 4 ++++
 modules/unlimited-scale/aws/variables.tf | 4 ++++
 modules/unlimited-scale/azure/variables.tf | 8 +++++++-
 6 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/modules/ha-hot-hot/aws/variables.tf b/modules/ha-hot-hot/aws/variables.tf
index 3ebdeda..d54404c 100644
--- a/modules/ha-hot-hot/aws/variables.tf
+++ b/modules/ha-hot-hot/aws/variables.tf
@@ -35,6 +35,10 @@ variable "private_subnet_ids" {
 variable "allowed_cidrs" {
 description = "CIDR blocks permitted to reach the ALB on port 443."
 type = list(string)
+ validation {
+ condition = alltrue([for cidr in var.allowed_cidrs : can(cidrhost(cidr, 0))])
+ error_message = "Every entry in allowed_cidrs must be a valid CIDR notation (e.g. 10.0.0.0/8)."
+ }
 }
 
 variable "acm_certificate_arn" {
diff --git a/modules/ha-hot-hot/azure/variables.tf b/modules/ha-hot-hot/azure/variables.tf
index 0f85355..d063a8d 100644
--- a/modules/ha-hot-hot/azure/variables.tf
+++ b/modules/ha-hot-hot/azure/variables.tf
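Review bot: The added condition only checks that each entry parses, so `0.0.0.0/0`, `::/0` and non-canonical prefixes such as `10.0.0.5/8` all pass, and the variable that decides how wide the ALB's port-443 ingress is remains unconstrained on exactly that point. If the goal is to fail at plan rather than apply, requiring canonical form in the same block does strictly more: `condition = alltrue([for cidr in var.allowed_cidrs : try(cidrsubnet(cidr, 0, 0) == cidr, false)])` still rejects malformed strings (cidrsubnet fails, try yields false) and also rejects prefixes with host bits set, which the AWS API would presumably refuse anyway; note it would also reject uncompressed IPv6 spellings, so drop it if those are expected. Refusing the any-address prefix outright would be a separate `validation` block, e.g. `condition = !contains(var.allowed_cidrs, "0.0.0.0/0")`, with its own `error_message`. The security-group rule that consumes this list is outside the hunk, so whether IPv6 entries are supported downstream cannot be confirmed from here.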
@@ -38,6 +38,10 @@ variable "lb_subnet_id" {
 
 variable "allowed_cidrs" {
 type = list(string)
+ validation {
+ condition = alltrue([for cidr in var.allowed_cidrs : can(cidrhost(cidr, 0))])
+ error_message = "Every entry in allowed_cidrs must be a valid CIDR notation (e.g. 10.0.0.0/8)."
+ }
 }
 
 variable "admin_username" {
diff --git a/modules/single-vm/aws/variables.tf b/modules/single-vm/aws/variables.tf
index 3360b4d..48ef09c 100644
--- a/modules/single-vm/aws/variables.tf
+++ b/modules/single-vm/aws/variables.tf
@@ -22,6 +22,10 @@ variable "subnet_id" {
 variable "allowed_cidrs" {
 description = "CIDR blocks permitted to reach the VM on port 443. Use private CIDRs unless you also set allow_internet_ingress = true."
 type = list(string)
+ validation {
+ condition = alltrue([for cidr in var.allowed_cidrs : can(cidrhost(cidr, 0))])
+ error_message = "Every entry in allowed_cidrs must be a valid CIDR notation (e.g. 10.0.0.0/8)."
+ }
 }
 
 # ----- Optional -----
diff --git a/modules/single-vm/azure/variables.tf b/modules/single-vm/azure/variables.tf
index bdf914c..7ecaa06 100644
--- a/modules/single-vm/azure/variables.tf
+++ b/modules/single-vm/azure/variables.tf
@@ -27,6 +27,10 @@ variable "subnet_id" {
 variable "allowed_cidrs" {
 description = "CIDR blocks permitted to reach the VM on port 443."
 type = list(string)
+ validation {
+ condition = alltrue([for cidr in var.allowed_cidrs : can(cidrhost(cidr, 0))])
+ error_message = "Every entry in allowed_cidrs must be a valid CIDR notation (e.g. 10.0.0.0/8)."
+ }
 }
 
 variable "admin_username" {
diff --git a/modules/unlimited-scale/aws/variables.tf b/modules/unlimited-scale/aws/variables.tf
index f31f0a5..90403b2 100644
--- a/modules/unlimited-scale/aws/variables.tf
+++ b/modules/unlimited-scale/aws/variables.tf
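Review bot: `allowed_cidrs` in the ha-hot-hot/azure module still has no `description`, even though the commit now attaches a validation and error message to it and the sibling ha-hot-hot/aws module documents the same variable; a caller reading the module interface cannot tell what these CIDRs are permitted to reach. Add one next to the type, e.g. `description = "CIDR blocks permitted to reach the load balancer."` — the neighbouring `lb_subnet_id` suggests a load balancer, but the port and the NSG rule that consumes the list are outside the hunk, so the wording should be checked against that rule.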
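Review bot: In the single-vm/aws hunk the context line's description tells callers to use private CIDRs unless `allow_internet_ingress = true` is also set, but the new validation does not encode that rule: `0.0.0.0/0` satisfies `can(cidrhost(...))` regardless of the flag, so the documented guardrail stays advisory. Whether the condition may consult `var.allow_internet_ingress` depends on the module's minimum Terraform version (cross-variable references inside `validation` require 1.9 or later) and the flag's declaration is not in the hunk, so this needs confirming. Where that is available, a second block with `condition = var.allow_internet_ingress || !contains(var.allowed_cidrs, "0.0.0.0/0")` and a matching `error_message` would enforce what the description promises; otherwise the description should state that the check is syntactic only.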
@@ -30,6 +30,10 @@ variable "private_subnet_ids" {
 
 variable "allowed_cidrs" {
 type = list(string)
+ validation {
+ condition = alltrue([for cidr in var.allowed_cidrs : can(cidrhost(cidr, 0))])
+ error_message = "Every entry in allowed_cidrs must be a valid CIDR notation (e.g. 10.0.0.0/8)."
+ }
 }
 
 variable "acm_certificate_arn" {
diff --git a/modules/unlimited-scale/azure/variables.tf b/modules/unlimited-scale/azure/variables.tf
index 613792c..697e697 100644
--- a/modules/unlimited-scale/azure/variables.tf
+++ b/modules/unlimited-scale/azure/variables.tf
@@ -13,7 +13,13 @@ variable "location" { type = string }
 variable "vm_subnet_id" { type = string }
 variable "db_delegated_subnet_id" { type = string }
 variable "private_dns_zone_id" { type = string }
-variable "allowed_cidrs" { type = list(string) }
+variable "allowed_cidrs" {
+ type = list(string)
+ validation {
+ condition = alltrue([for cidr in var.allowed_cidrs : can(cidrhost(cidr, 0))])
+ error_message = "Every entry in allowed_cidrs must be a valid CIDR notation (e.g. 10.0.0.0/8)."
+ }
+}
 variable "admin_username" { type = string }
 variable "ssh_public_key" { type = string }
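Review bot: `cidrhost` accepts IPv6 prefixes, so in the unlimited-scale/aws hunk `2001:db8::/32` or `::/0` satisfies the new condition; if the security-group rule that consumes `allowed_cidrs` passes it to `cidr_blocks` (IPv4-only) rather than `ipv6_cidr_blocks`, such an entry is still rejected only at apply, the failure mode the commit message says this validation removes. The consuming resource is outside this file, so that needs checking; if the list is IPv4-only by design, `can(cidrnetmask(cidr))` is the IPv4-restricted variant, and the error message should then say IPv4 CIDR. Separately, this variable has no `description` while the same variable in the single-vm and ha-hot-hot AWS modules does; something like `description = "CIDR blocks permitted to reach the ALB on port 443."` fits the `acm_certificate_arn` context on the last line, but the ALB/443 contract is only suggested, not visible here.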