Merge pull request #99 from lgallard/fix/retention-days-validations

fix: retention days validations

Author: lgallard

main.tf

@@ -6,23 +6,16 @@ resource "aws_backup_vault" "ab_vault" {
   kms_key_arn   = var.vault_kms_key_arn
   force_destroy = var.vault_force_destroy
   tags          = var.tags
-
-  lifecycle {
-    precondition {
-      condition     = !var.locked || (var.min_retention_days != null && var.max_retention_days != null && var.min_retention_days <= var.max_retention_days)
-      error_message = "When vault locking is enabled, min_retention_days and max_retention_days must be provided and min_retention_days must be less than or equal to max_retention_days."
-    }
-  }
 }
 
 # AWS Backup vault lock configuration
 resource "aws_backup_vault_lock_configuration" "ab_vault_lock_configuration" {
-  count = var.locked && var.vault_name != null ? 1 : 0
+  count = var.enabled && var.vault_name != null && var.locked ? 1 : 0
 
   backup_vault_name   = aws_backup_vault.ab_vault[0].name
-  changeable_for_days = var.changeable_for_days
-  max_retention_days  = var.max_retention_days
   min_retention_days  = var.min_retention_days
+  max_retention_days  = var.max_retention_days
+  changeable_for_days = var.changeable_for_days
 }
 
 # AWS Backup plan

variables.tf

@@ -42,6 +42,11 @@ variable "locked" {
   description = "Change to true to add a lock configuration for the backup vault"
   type        = bool
   default     = false
+
+  validation {
+    condition     = !var.locked || (var.min_retention_days != null && var.max_retention_days != null && var.min_retention_days <= var.max_retention_days)
+    error_message = "When vault locking is enabled (locked = true), min_retention_days and max_retention_days must be provided and min_retention_days must be less than or equal to max_retention_days."
+  }
 }
 
 variable "changeable_for_days" {