Skip to content

bug: variables.tf:567 validation fails in OpenTofu — contains() rejects null even with short-circuit #99

Description

@Musthaq101

Problem

The validation block in variables.tf:567 for proxy_client_password_auth_type fails on tofu plan even though the variable's default is null:

variable "proxy_client_password_auth_type" {
  type        = string
  default     = null
  description = "..."

  validation {
    condition     = var.proxy_client_password_auth_type == null || contains(["MYSQL_NATIVE_PASSWORD", "POSTGRES_SCRAM_SHA_256", "POSTGRES_MD5", "SQL_SERVER_AUTHENTICATION"], var.proxy_client_password_auth_type)
    error_message = "..."
  }
}

Error

│ Error: Invalid function argument
│
│   on variables.tf line 567, in variable "proxy_client_password_auth_type":
│  567:     condition     = var.proxy_client_password_auth_type == null || contains([...], var.proxy_client_password_auth_type)
│     ├────────────────
│     │ while calling contains(list, value)
│     │ var.proxy_client_password_auth_type is null
│
│ Invalid value for "value" parameter: argument must not be null.

Cause

OpenTofu evaluates both sides of the || expression for validation blocks (not short-circuited), so contains() receives null and rejects it.

Affected Versions

  • v2.0.0 (introduced)
  • v2.1.0 (still present)

v1.537.0 did not have this validation.

Reproduce

  1. atmos terraform plan aurora-postgres -s <any-stack>
  2. Without setting proxy_client_password_auth_type (i.e. using the default null)
  3. Plan fails with the error above

Suggested Fix

Coalesce to a known-valid value so contains() never sees null:

validation {
  condition     = contains(["MYSQL_NATIVE_PASSWORD", "POSTGRES_SCRAM_SHA_256", "POSTGRES_MD5", "SQL_SERVER_AUTHENTICATION"], coalesce(var.proxy_client_password_auth_type, "MYSQL_NATIVE_PASSWORD"))
  error_message = "..."
}

Or use anytrue:

validation {
  condition     = anytrue([
    var.proxy_client_password_auth_type == null,
    contains(["MYSQL_NATIVE_PASSWORD", "POSTGRES_SCRAM_SHA_256", "POSTGRES_MD5", "SQL_SERVER_AUTHENTICATION"], var.proxy_client_password_auth_type)
  ])
  error_message = "..."
}

Related

Same pattern reported in aws-iam-role#63 — variable validation with cross-variable references that fail in OpenTofu.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions