refactor: improve retention_days_cross_valid clarity and add version compatibility docs

lgallard · lgallard · commit bd37b641e02e · 2025-10-24T02:46:26.000+02:00
This commit builds on the fix from PR #283 with two improvements: 1. Clarify validation logic in main.tf:20 - Change from: (var.min_retention_days == null || var.max_retention_days == null) ? true : ... - Change to: (var.min_retention_days != null && var.max_retention_days != null) ? (...) : true - This explicit ternary pattern makes intent clearer: "compare only when both non-null" - Improves code readability and maintainability for future developers - Logically equivalent to original fix, with improved clarity 2. Document version compatibility in versions.tf - Add comments explaining tested Terraform versions (1.3.0 - 1.11.4+) - Add comments explaining tested OpenTofu versions (1.6.0 - 1.9.3+) - Document the null handling issue fixed in main.tf - Help users understand version support boundaries These improvements maintain all existing functionality while enhancing code clarity and providing better documentation for future maintainers.
diff --git a/README.md b/README.md
@@ -290,6 +290,21 @@ In case you get an error message similar to this one:
 error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
 ```
 
+Add the [required IAM permissions mentioned in the CreateBackupVault row](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#backup-api-permissions-ref) to the role or user creating the Vault (the one running Terraform CLI). In particular make sure `kms` and `backup-storage` permissions are added.
+<!-- END_TF_DOCS -->
+
+## Known Issues
+
+During the development of the module, the following issues were found:
+
+### Error creating Backup Vault
+
+In case you get an error message similar to this one:
+
+```
+error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
+```
+
 Add the [required IAM permissions mentioned in the CreateBackupVault row](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#backup-api-permissions-ref) to the role or user creating the Vault (the one running Terraform CLI). In particular make sure `kms` and `backup-storage` permissions are added.
 
 ## Testing
diff --git a/main.tf b/main.tf
@@ -17,7 +17,7 @@ locals {
   airgapped_vault_requirements_met = var.vault_type != "logically_air_gapped" || (var.min_retention_days != null && var.max_retention_days != null)
 
   # Cross-validation for retention days (unified validation approach)
-  retention_days_cross_valid = (var.min_retention_days == null || var.max_retention_days == null) ? true : var.min_retention_days <= var.max_retention_days
+  retention_days_cross_valid = (var.min_retention_days != null && var.max_retention_days != null) ? (var.min_retention_days <= var.max_retention_days) : true
 
   # Vault reference helpers (dynamic based on vault type)
   vault_name = local.should_create_standard_vault ? try(aws_backup_vault.ab_vault[0].name, null) : (
diff --git a/versions.tf b/versions.tf
@@ -1,3 +1,12 @@
+# Version compatibility requirements
+# Terraform: >= 1.3.0 (tested on 1.3.0 - 1.11.4+)
+# OpenTofu: >= 1.6.0 (tested on 1.6.0 - 1.9.3+)
+#
+# Note: Terraform 1.0-1.2 and OpenTofu < 1.6 may experience "argument must not be null" errors
+# when using vault lock features due to null value handling in boolean expressions.
+# This module includes fixes in main.tf (retention_days_cross_valid) to ensure compatibility
+# with newer versions while maintaining correct validation logic.
+
 terraform {
   required_version = ">= 1.3.0"
 
