lgallard · lgallard · Nov 19, 2025 · Nov 19, 2025 · Nov 19, 2025 · Nov 19, 2025
diff --git a/main.tf b/main.tf
@@ -1,8 +1,12 @@
 
 # Organized locals for better maintainability and code clarity
 locals {
+  # Vault name validation (moved from variables.tf to support bypass logic)
+  vault_name_has_restricted_words = var.vault_name != null ? can(regex("(?i)(test|temp|delete|remove|default)", var.vault_name)) : false
+  vault_name_validation_failed    = local.vault_name_has_restricted_words && !var.vault_name_validation_bypass
+
   # Resource creation conditions
-  should_create_vault           = var.enabled && var.vault_name != null
+  should_create_vault           = var.enabled && var.vault_name != null && !local.vault_name_validation_failed
   should_create_standard_vault  = local.should_create_vault && var.vault_type == "standard"
   should_create_airgapped_vault = local.should_create_vault && var.vault_type == "logically_air_gapped"
   should_create_lock            = local.should_create_standard_vault && var.locked
@@ -81,6 +85,29 @@ locals {
   ])
 }
 
+# Validation check for vault name with restricted words (moved from variables.tf to enable bypass functionality)
+resource "null_resource" "vault_name_validation" {
+  count = local.vault_name_validation_failed ? 1 : 0
+
+  provisioner "local-exec" {
+    command = <<-EOF
+      echo "ERROR: Vault name validation failed!"
+      echo "The vault name '${var.vault_name}' contains restricted words (test, temp, delete, remove, default)."
+      echo "These words are not recommended for security reasons."
+      echo ""
+      echo "Solutions:"
+      echo "1. Change the vault name to avoid these words"
+      echo "2. For existing vaults, set: vault_name_validation_bypass = true"
+      echo ""
+      exit 1
+    EOF
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
 # AWS Backup vault (standard) with optimized timeouts
 resource "aws_backup_vault" "ab_vault" {
   count = local.should_create_standard_vault ? 1 : 0

diff --git a/variables.tf b/variables.tf
@@ -7,11 +7,8 @@ variable "vault_name" {
   default     = null
 
   validation {
-    condition = var.vault_name == null ? true : (
-      can(regex("^[0-9A-Za-z-_]{2,50}$", var.vault_name)) &&
-      (var.vault_name_validation_bypass || !can(regex("(?i)(test|temp|delete|remove|default)", var.vault_name))) # Prevent insecure naming patterns unless bypassed
-    )
-    error_message = "The vault_name must be between 2 and 50 characters, contain only alphanumeric characters, hyphens, and underscores. Avoid using 'test', 'temp', 'delete', 'remove', or 'default' in names for security reasons. Set vault_name_validation_bypass = true to disable this word validation for existing vaults."
+    condition     = var.vault_name == null ? true : can(regex("^[0-9A-Za-z-_]{2,50}$", var.vault_name))
+    error_message = "The vault_name must be between 2 and 50 characters, contain only alphanumeric characters, hyphens, and underscores."
   }
 }
 

diff --git a/versions.tf b/versions.tf
@@ -19,5 +19,9 @@ terraform {
       source  = "hashicorp/random"
       version = ">= 3.1"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.0"
+    }
   }
 }