feat: add engine_version validation to prevent invalid formats

dalekurt · dalekurt · commit e71eb78398fa · 2025-08-26T10:44:39.000-04:00
- Add comprehensive input validation for engine_version variable
- Prevent software service versions (e.g., OpenSearch_2_19_R20250630-P5)
- Enforce correct AWS engine version format (OpenSearch_X.Y)
- Add length validation (≤18 chars) to catch overly long versions
- Include clear error messages with examples of valid formats
- Add pre-commit hook for engine version validation
- Prevents accidental domain destruction from invalid version changes

Fixes issue where users mistakenly use software service versions instead
of engine versions, causing domain recreation failures.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -23,9 +23,43 @@ repos:
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
       - id: terraform_validate
+      - id: terraform_tfsec
+        args:
+          - '--args=--soft-fail'
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer
       - id: trailing-whitespace
+      - id: check-yaml
+  - repo: local
+    hooks:
+      - id: validate-opensearch-version
+        name: Validate OpenSearch Engine Version
+        entry: bash -c
+        args:
+          - |
+            # Check for engine_version in Terraform files
+            if grep -r "engine_version.*=" . --include="*.tf" | grep -v "null" | grep -v "variables.tf" | grep -v "#"; then
+              echo "Found engine_version configurations:"
+              grep -r "engine_version.*=" . --include="*.tf" | grep -v "null" | grep -v "variables.tf" | grep -v "#"
+              echo ""
+              echo "⚠️  VALIDATION: Please ensure engine_version follows format 'OpenSearch_X.Y'"
+              echo "❌ BAD:  OpenSearch_2_19_R20250630-P5 (software service version)"
+              echo "✅ GOOD: OpenSearch_2.19 (engine version)"
+              echo ""
+              # Extract and validate versions
+              versions=$(grep -r "engine_version.*=" . --include="*.tf" | grep -v "null" | grep -v "variables.tf" | grep -v "#" | sed 's/.*engine_version.*=.*"\([^"]*\)".*/\1/' | sort | uniq)
+              for version in $versions; do
+                if [[ $version =~ ^OpenSearch_[0-9]{1,2}\.[0-9]{1,2}$ ]] || [[ $version =~ ^Elasticsearch_[0-9]{1}\.[0-9]{1,2}$ ]]; then
+                  echo "✅ Valid version: $version"
+                else
+                  echo "❌ Invalid version: $version"
+                  echo "   Must match pattern: OpenSearch_X.Y or Elasticsearch_X.Y"
+                  exit 1
+                fi
+              done
+            fi
+        language: system
+        pass_filenames: false
diff --git a/variables.tf b/variables.tf
@@ -86,9 +86,28 @@ variable "encrypt_at_rest" {
 }
 
 variable "engine_version" {
-  description = "Version of the OpenSearch engine to use"
+  description = "Version of the OpenSearch engine to use. Must follow format 'OpenSearch_X.Y' (e.g., 'OpenSearch_2.11')"
   type        = string
   default     = null
+
+  validation {
+    condition = var.engine_version == null || can(regex("^(Elasticsearch_[0-9]{1}\\.[0-9]{1,2}|OpenSearch_[0-9]{1,2}\\.[0-9]{1,2})$", var.engine_version))
+    error_message = <<-EOT
+      The engine_version must be in the format:
+      - 'OpenSearch_X.Y' where X is 1-2 digits and Y is 1-2 digits (e.g., 'OpenSearch_2.11', 'OpenSearch_1.3')
+      - 'Elasticsearch_X.Y' where X is 1 digit and Y is 1-2 digits (e.g., 'Elasticsearch_7.10')
+      
+      Your provided value appears to be a software service version (with release dates/patches).
+      Please use only the engine version format. Common valid versions include:
+      - OpenSearch_1.0, OpenSearch_1.1, OpenSearch_1.2, OpenSearch_1.3
+      - OpenSearch_2.0, OpenSearch_2.3, OpenSearch_2.5, OpenSearch_2.7, OpenSearch_2.9, OpenSearch_2.11
+    EOT
+  }
+
+  validation {
+    condition = var.engine_version == null || length(var.engine_version) <= 18
+    error_message = "The engine_version must be 18 characters or less. Software service versions with dates/patches are not valid here."
+  }
 }
 
 variable "ip_address_type" {
