Terraform Variable Validation Based on Another Variable Value

Introduction
Step-by-Step Guide
Code Example
Additional Notes
Summary
Conclusion
References

Introduction

In Terraform, you might encounter situations where you need to validate one variable against another. However, Terraform's validation block has a limitation: it can only access the variable it's defined within. This means you can't directly use one variable to validate another inside a validation block.

Step-by-Step Guide

You can't directly use one variable to validate another in Terraform's validation block.

Let's say you have two variables:

variable "environment" {
  type = string
}

variable "instance_type" {
  type = string
}

You want to ensure that if environment is "production", then instance_type must be "t3.xlarge". You can't do this directly within the validation block:

# This will NOT work
variable "instance_type" {
  type = string
  validation {
    condition = var.environment == "production" && var.instance_type != "t3.xlarge"
    error_message = "Instance type must be t3.xlarge for production."
  }
}

Terraform's validation blocks only have access to the variable they are defined within.

Workaround:

Use a locals block to perform the validation and throw an error using the error() function:

locals {
  validate_instance_type = (
    var.environment == "production" && var.instance_type != "t3.xlarge" ?
    error("Instance type must be t3.xlarge for production.", 1) :
    null
  )
}

This code checks the condition and uses the error() function to halt Terraform with a message if the condition is met.

Code Example

This Terraform code defines variables for environment and instance type and performs validation using a locals block. It ensures that the instance type is "t3.xlarge" for the "production" environment. An example resource demonstrates using the validated instance type variable.

# Configure the Microsoft Azure Provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

# Define variables
variable "environment" {
  type = string
}

variable "instance_type" {
  type = string
}

# Perform validation in a locals block
locals {
  validate_instance_type = (
    var.environment == "production" && var.instance_type != "t3.xlarge" ?
    error("Instance type must be t3.xlarge for production.", 1) :
    null
  )
}

# Example resource using the variables
resource "azurerm_linux_virtual_machine" "example" {
  # ... other resource configurations

  size = var.instance_type

  # ... other resource configurations
}

Explanation:

Variables: We define two variables, environment and instance_type, to represent the environment and the desired instance type.
Locals Block:
- We use a locals block to define a variable validate_instance_type.
- Inside this variable, we have a conditional expression (...?...: ...).
- Condition: var.environment == "production" && var.instance_type != "t3.xlarge" checks if the environment is "production" and the instance type is not "t3.xlarge".
- If True (Error): If the condition is true, it calls the error() function to halt Terraform execution and display the error message "Instance type must be t3.xlarge for production."
- If False (No Error): If the condition is false (meaning the validation passes), it returns null, allowing Terraform to proceed.
Resource Example:
- This code snippet includes an example of an Azure virtual machine resource (azurerm_linux_virtual_machine) to illustrate how you would use the instance_type variable.
- The size attribute of the virtual machine is set to var.instance_type.

How it Works:

Terraform evaluates the locals block during the validation phase.
If the validation condition in validate_instance_type is met (incorrect instance type for production), the error() function stops Terraform execution and displays the error message.
If the validation passes, Terraform continues processing the configuration, including creating the Azure virtual machine resource with the specified instance_type.

This approach effectively enforces the validation rule by leveraging the error() function within a locals block, working around the limitation of direct variable cross-referencing in validation blocks.

Additional Notes

Key Points:

Validation Limitation: Terraform's validation blocks are scoped to the individual variable they are defined within. They cannot directly access or validate against other variables.
Workaround: The primary workaround is to use a locals block. This allows you to write conditional logic that references multiple variables and throws an error using the error() function if validation fails.
Error Handling: The error() function is crucial in this workaround. It allows you to halt Terraform execution and provide a clear error message to the user, explaining why the configuration is invalid.
Terraform Version: While older versions of Terraform had even stricter limitations, newer versions (especially 1.9 and above) have introduced enhancements to variable validation. However, the core limitation of direct cross-variable validation within a validation block still persists.

Best Practices:

Centralized Validation: For complex validation scenarios involving multiple variables, consider creating a dedicated locals block or module to encapsulate your validation logic. This improves code organization and reusability.
Clear Error Messages: When using the error() function, provide informative and user-friendly error messages that clearly explain the validation rule that failed and how to correct the configuration.
Alternative Approaches: In some cases, you might be able to restructure your Terraform code or use different approaches like conditional resource creation based on variable values. However, the locals block with the error() function remains a common and effective solution for cross-variable validation.

Additional Considerations:

Performance: While the locals block workaround is effective, be mindful of potential performance implications if you have very complex validation logic that needs to be evaluated.
Maintainability: As your Terraform codebase grows, ensure that your validation logic remains clear, concise, and well-documented to avoid confusion and maintainability issues.

Summary

Issue	Description	Solution
Direct cross-variable validation within `validation` block	You cannot directly use one variable to validate another inside a `validation` block. Terraform's `validation` blocks only have access to the variable they are defined within.	Use a `locals` block: Perform the validation logic within a `locals` block. Leverage the `error()` function to halt Terraform execution and display a custom error message if the validation fails.

Example:

Instead of this (incorrect):

# This will NOT work
variable "instance_type" {
  type = string
  validation {
    condition = var.environment == "production" && var.instance_type != "t3.xlarge"
    error_message = "Instance type must be t3.xlarge for production."
  }
}

Do this:

locals {
  validate_instance_type = (
    var.environment == "production" && var.instance_type != "t3.xlarge" ?
    error("Instance type must be t3.xlarge for production.", 1) :
    null
  )
}

This workaround allows you to enforce dependencies between variables and ensure data consistency during Terraform deployments.

Conclusion

While Terraform provides a robust way to manage infrastructure as code, it has limitations when it comes to cross-variable validation within the validation block. You cannot directly use one variable to validate another within the same validation block. However, you can work around this limitation by using a locals block. This approach allows you to define conditional logic that references multiple variables and leverages the error() function to halt Terraform execution if validation fails. By using this workaround, you can enforce dependencies between variables and ensure data consistency during your Terraform deployments. Remember to write clear and informative error messages to help users understand and resolve validation issues.

References

Trying to use another variable in validation block - Terraform ... | I am trying to use a variable validation in terraform, i am trying to deny role editor and owner while creating new project, however want to keep excpetions for some project. below is my terraform code. i am getting errors in the validation block for using another variable can some one help me with this ? variable "iam_role_member" { type = map(list(string)) validation { condition = length(setintersection(toset(keys(var.iam_role_member)),toset["roles/owner","roles/editor"]))) == 0 ||...
Terraform 1.9 enhances input variable validations | Jun 26, 2024 ... With Terraform 1.9, conditions can now refer to other input variables and even to other objects, such as data sources and local values, greatly ...
Variable Validation : Cross-referential inputs - Terraform ... | Terraform version: v0.13.0 I am trying to leverage the new variable validation functionality to validate an input variable based on another input variable, ‘amount’ which represents what the reserved count variable gets set to universally across all modules called in my particular deployment implementation: variable "amount"{ default = 1 } variable "domain-mappings" { type = list(object({ http_c2_domain = string })) default = [ { http_c2_domain ="awesomedomain.com" }...
Validation condition of a variable based on another variable · Issue ... | Terraform Version terraform version Terraform v1.3.2 on darwin_arm64 Use Cases Validation of a variable based on another variable. Currently, while declaring a variable there is a variable "somevar...
Validate one field only if another field matches a value : r/Terraform | Posted by u/fumfofeefi - 2 votes and 4 comments
Allow variable validation conditions to refer to other variables · Issue ... | Current Terraform Version Terraform v0.13.0-beta3 Use-cases I want to be able to have conditional validation on variables - the condition being the value of other variables. Currently, I'm trying t...
Make input variable required if another one is set : r/Terraform | Posted by u/eschulma2020 - 5 votes and 3 comments
Custom Conditions - Configuration Language | Terraform ... | Before Terraform v1.9.0, validation rules can refer only to the variable being validated, and not to any other variables. Add one or more validation blocks ...
Use variables per branch in gitlab - GitLab CI/CD - GitLab Forum | I have set up my GitLab pipeline and I’m using GitLab CI variables to generate my configuration file during the build phase. Now we’ve set up a couple new environments, with each having its own database and other credentials, so I need to generate my configuration file using each environment’s variables based on branch. I’ve already seen: Some users suggested sourcing environment variables from files but that isn’t really a solution because we want to limit access to these variables. Is...