Regex for variable validation

Dev0psPleb · October 4, 2022, 2:09pm

Hello,

I am trying to write a variable validation for a password variable. The validation should validate that the password matches the complexity requirements for the password. I’ve included the variable with current validation rules below:

variable "console_password" {
  type        = string
  description = <<EOT
  (Required) The password for the firewall management console.
  EOT
  validation {
    condition = can(regex("^(?=.*[0-9])(?=.*[^A-Za-z0-9])(?=.*[a-z])(?=.*[A-Z])(?=(.*)).{10,60}$", var.console_password))
    error_message = <<EOT
    ERROR: Must be at least 10 characters. At least 1 lowercase and 1 uppercase letter. At least one numeric character. At least one special character.
    EOT
  }
}

However, when I provide a value for the variable that should match the regex pattern, I still get an error about the value not passing the validation rule.

apparentlymart · October 4, 2022, 3:16pm

Hi @Dev0psPleb,

Can you share the test cases you are using to represent both the valid and invalid cases? I’d like to try to reproduce what you are trying as a first step.

Dev0psPleb · October 5, 2022, 2:26pm

After some fiddling, I have it working with the following regex:

condition = can(regex("^(.*[0-9])(.*[^A-Za-z0-9])(.*[a-z])(.*[A-Z])((.*)).{10,60}$", var.console_password))

My test cases that work with the above regex are:

password_validation_test_1: "!@83lvsos4mw7f!f*aPLms9HD#TqSb"
password_validation_test_2: "@v7gG5af&*6Fz!aB@d^nVetz5ML2Y1"
password_validation_test_3: "Rj&T6Xann628^BgtTg%0pp#XVddeTE"

However, testing with something like the following doesn’t work.

password_validation_test_4: "P@ssword!1234"

I’m happy with the current validation as it ultimately requires good password complexity, however, my error message output is going to be confusing for consumers of the module as the requirements stated are:

At least 10 characters
At least one upper case letter
At least one lower case letter
At least one special character
At least one numerical character

apparentlymart · October 5, 2022, 10:42pm

Seeing your list of several independent rules here makes me think it might be better to write several rules that each test only one of these conditions, rather than trying to pack them all together into a single rule:


variable "console_password" {
  type    = string
  default = "Boop1111111111111111111111111111!"

  validation {
    condition = length(var.console_password) >= 10
    error_message = "Password must have at least 10 characters."
  }

  validation {
    condition = can(regex("[A-Z]", var.console_password))
    error_message = "Password must contain at least one uppercase letter."
  }

  validation {
    condition = can(regex("[a-z]", var.console_password))
    error_message = "Password must contain at least one lowercase letter."
  }

  validation {
    condition = can(regex("[^a-zA-Z0-9]", var.console_password))
    error_message = "Password must contain at least one character that isn't a letter or a digit."
  }

  validation {
    condition = can(regex("[0-9]", var.console_password))
    error_message = "Password must contain at least one digit."
  }
}

This means that if someone provides a password that violates only one of the rules they will only see the error message for that case. But conversely it means that if they violate many of the rules then Terraform will report many separate error messages, which is quite verbose:

╷
│ Error: Invalid value for variable
│ 
│   on password-validation.tf line 2:
│    2: variable "console_password" {
│     ├────────────────
│     │ var.console_password is "beep"
│ 
│ Password must have at least 10 characters.
│ 
│ This was checked by the validation rule at password-validation.tf:6,3-13.
╵
╷
│ Error: Invalid value for variable
│ 
│   on password-validation.tf line 2:
│    2: variable "console_password" {
│     ├────────────────
│     │ var.console_password is "beep"
│ 
│ Password must contain at least one uppercase letter.
│ 
│ This was checked by the validation rule at password-validation.tf:11,3-13.
╵
╷
│ Error: Invalid value for variable
│ 
│   on password-validation.tf line 2:
│    2: variable "console_password" {
│     ├────────────────
│     │ var.console_password is "beep"
│ 
│ Password must contain at least one character that isn't a letter or a digit.
│ 
│ This was checked by the validation rule at password-validation.tf:21,3-13.
╵
╷
│ Error: Invalid value for variable
│ 
│   on password-validation.tf line 2:
│    2: variable "console_password" {
│     ├────────────────
│     │ var.console_password is "beep"
│ 
│ Password must contain at least one digit.
│ 
│ This was checked by the validation rule at password-validation.tf:26,3-13.
╵

On the plus side, this one does seem to accept your previously-failing case "P@ssword!1234".

Topic		Replies	Views
Validating input variables using JSON syntax Terraform	3	2245	February 24, 2022
Unexpected regex issue Terraform	1	787	June 12, 2021
Validation on complex input variable Terraform	2	43	April 22, 2025
Variable validation error message requirements relaxed? Terraform	4	1445	November 13, 2023
Validating Map Variables Terraform	1	2551	March 5, 2021

Regex for variable validation

Related topics