fix: retention_days validation logic for backward compatibility

README.md

@@ -312,6 +312,36 @@ In case you get an error message similar to this one:
 error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
 ```
 
+Add the [required IAM permissions mentioned in the CreateBackupVault row](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#backup-api-permissions-ref) to the role or user creating the Vault (the one running Terraform CLI). In particular make sure `kms` and `backup-storage` permissions are added.
+<!-- END_TF_DOCS -->
+
+## Known Issues
+
+During the development of the module, the following issues were found:
+
+### Error creating Backup Vault
+
+In case you get an error message similar to this one:
+
+```
+error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
+```
+
+Add the [required IAM permissions mentioned in the CreateBackupVault row](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#backup-api-permissions-ref) to the role or user creating the Vault (the one running Terraform CLI). In particular make sure `kms` and `backup-storage` permissions are added.
+<!-- END_TF_DOCS -->
+
+## Known Issues
+
+During the development of the module, the following issues were found:
+
+### Error creating Backup Vault
+
+In case you get an error message similar to this one:
+
+```
+error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
+```
+
 Add the [required IAM permissions mentioned in the CreateBackupVault row](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#backup-api-permissions-ref) to the role or user creating the Vault (the one running Terraform CLI). In particular make sure `kms` and `backup-storage` permissions are added.
 
 ## Testing

main.tf

@@ -17,7 +17,10 @@ locals {
   airgapped_vault_requirements_met = var.vault_type != "logically_air_gapped" || (var.min_retention_days != null && var.max_retention_days != null)
 
   # Cross-validation for retention days (unified validation approach)
-  retention_days_cross_valid = (var.min_retention_days == null || var.max_retention_days == null) || var.min_retention_days <= var.max_retention_days
+  # Uses positive logic form (both not null) instead of negative (either null) for clarity.
+  # Logically equivalent to: (min == null || max == null) ? true : (min <= max)
+  # This form is clearer: "if both exist, compare them; otherwise, it's valid"
+  retention_days_cross_valid = (var.min_retention_days != null && var.max_retention_days != null) ? (var.min_retention_days <= var.max_retention_days) : true
 
   # Vault reference helpers (dynamic based on vault type)
   vault_name = local.should_create_standard_vault ? try(aws_backup_vault.ab_vault[0].name, null) : (

versions.tf

@@ -1,3 +1,12 @@
+# Version compatibility requirements
+# Terraform: >= 1.3.0 (tested on 1.3.0 - 1.11.4+)
+# OpenTofu: >= 1.6.0 (tested on 1.6.0 - 1.9.3+)
+#
+# Note: Terraform 1.0-1.2 and OpenTofu < 1.6 may experience "argument must not be null" errors
+# when using vault lock features due to null value handling in boolean expressions.
+# This module includes fixes in main.tf (retention_days_cross_valid) to ensure compatibility
+# with newer versions while maintaining correct validation logic.
+
 terraform {
   required_version = ">= 1.3.0"