docs: clarify retention_days_cross_valid logical equivalence

lgallard · lgallard · commit 05f2cb7d529c · 2025-10-24T03:02:44.000+02:00
Add inline comments explaining:
- Why we use positive logic form (both not null)
- Logical equivalence to the alternative form
- Clearer intent of the expression
- Prevents future confusion about this intentional transformation

This responds to feedback about the validation logic by documenting
that both forms are mathematically equivalent via De Morgan's Law,
but our form is clearer for maintenance.
diff --git a/README.md b/README.md
@@ -312,6 +312,36 @@ In case you get an error message similar to this one:
 error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
 ```
 
+Add the [required IAM permissions mentioned in the CreateBackupVault row](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#backup-api-permissions-ref) to the role or user creating the Vault (the one running Terraform CLI). In particular make sure `kms` and `backup-storage` permissions are added.
+<!-- END_TF_DOCS -->
+
+## Known Issues
+
+During the development of the module, the following issues were found:
+
+### Error creating Backup Vault
+
+In case you get an error message similar to this one:
+
+```
+error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
+```
+
+Add the [required IAM permissions mentioned in the CreateBackupVault row](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#backup-api-permissions-ref) to the role or user creating the Vault (the one running Terraform CLI). In particular make sure `kms` and `backup-storage` permissions are added.
+<!-- END_TF_DOCS -->
+
+## Known Issues
+
+During the development of the module, the following issues were found:
+
+### Error creating Backup Vault
+
+In case you get an error message similar to this one:
+
+```
+error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
+```
+
 Add the [required IAM permissions mentioned in the CreateBackupVault row](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#backup-api-permissions-ref) to the role or user creating the Vault (the one running Terraform CLI). In particular make sure `kms` and `backup-storage` permissions are added.
 
 ## Testing
diff --git a/main.tf b/main.tf
@@ -17,6 +17,9 @@ locals {
   airgapped_vault_requirements_met = var.vault_type != "logically_air_gapped" || (var.min_retention_days != null && var.max_retention_days != null)
 
   # Cross-validation for retention days (unified validation approach)
+  # Uses positive logic form (both not null) instead of negative (either null) for clarity.
+  # Logically equivalent to: (min == null || max == null) ? true : (min <= max)
+  # This form is clearer: "if both exist, compare them; otherwise, it's valid"
   retention_days_cross_valid = (var.min_retention_days != null && var.max_retention_days != null) ? (var.min_retention_days <= var.max_retention_days) : true
 
   # Vault reference helpers (dynamic based on vault type)
