Support for Lookahead with Regular Expressions

[scotttyso]

Terraform Version

Terraform v1.9.5
on linux_amd64

Use Cases

Need to validate that the variable meets the following parameters:

• One lower case letter
• One upper case letter
• One integer
• One Special character of =!&#$%+^@_*-`.
• Be between 8 and 32 characters

variable "drive_security_current_security_key_passphrase" {
  default     = ""
  description = "Drive Security Current Security Key Passphrase for Manual or Remote Key Management."
  sensitive   = true
  type        = string
  validation {
    condition = length(regexall("[a-z]", var.drive_security_current_security_key_passphrase)
      ) > 0 && length(regexall("[A-Z]", var.drive_security_current_security_key_passphrase)
      ) > 0 && length(regexall("[\\d]", var.drive_security_current_security_key_passphrase)
      ) > 0 && length(regexall("[=!&#$%+^@_*-]", var.drive_security_current_security_key_passphrase)
    ) > 0 && length(regexall("^$|^[a-zA-Z0-9=!&#$%+^@_*-]{8,32}$", var.drive_security_current_security_key_passphrase)) > 0
    error_message = "Should be at least 8 characters long and should include at least one uppercase letter, one lowercase letter, one number, and one special character in the group `=!&#$%+^@_*-`."
  }
}

Attempted Solutions

variable "drive_security_current_security_key_passphrase" {
  default     = ""
  description = "Drive Security Current Security Key Passphrase for Manual or Remote Key Management."
  sensitive   = true
  type        = string
  validation {
    condition = length(regexall("^$|^((?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[=!&#$%+^@_*-])[a-zA-Z0-9=!&#$%+^@_*-]{8,32})$", var.drive_security_current_security_key_passphrase)) > 0
    error_message = "Should be at least 8 characters long and should include at least one uppercase letter, one lowercase letter, one number, and one special character in the group `=!&#$%+^@_*-`."
  }
}

Proposal

Add support for Lookahead in Regex

References

• Support for lookaheads in the regex parser #30433

[apparentlymart]

One alternative way to write the original configuration would be a separate validation block for each check, which would have the advantage of producing a more specialized error message indicating which of the conditions failed. When multiple validation blocks are present they behave as if their conditions were combined with && for the purpose of deciding whether the value is valid, but Terraform can then produce multiple error messages if more than one condition fails.

variable "drive_security_current_security_key_passphrase" {
  description = "Drive Security Current Security Key Passphrase for Manual or Remote Key Management."
  sensitive   = true
  type        = string
  nullable    = false

  validation {
    condition     = length(var.drive_security_current_security_key_passphrase)) >= 8
    error_message = "Must be at least eight characters long."
  }

  validation {
    condition     = length(var.drive_security_current_security_key_passphrase)) <= 32
    error_message = "Must be no more than 32 characters long."
  }

  validation {
    condition     = length(regexall("[a-z]", var.drive_security_current_security_key_passphrase)) > 0
    error_message = "Must contain at least one lowercase letter."
  }

  validation {
    condition     = length(regexall("[A-Z]", var.drive_security_current_security_key_passphrase)) > 0
    error_message = "Must contain at least one uppercase letter."
  }

  validation {
    condition     = length(regexall("[0-9]", var.drive_security_current_security_key_passphrase)) > 0
    error_message = "Must contain at least one numeric digit."
  }

  validation {
    condition     = length(regexall("[=!&#$%+^@_*-]", var.drive_security_current_security_key_passphrase)) > 0
    error_message = "Must contain at least one of the following characters: =!&#$%+^@_*-"
  }
}

[jbardin]

Thank you @apparentlymart!

This request doesn't appear to differ from the duplicate #30433, so we can use that issue to track any changes. I would note that it's unlikely that Terraform will adopt a different regex engine, but new functions can be added through provider plugins where a PCRE library could be used instead.