From 3f5ddbd9c88042ae40048a45522f3ed1cb5f94e7 Mon Sep 17 00:00:00 2001
From: "claude[bot]" <209825114+claude[bot]@users.noreply.github.com>
Date: Mon, 3 Nov 2025 09:22:43 +0000
Subject: [PATCH] feat: add vault_name_validation_bypass variable to relax validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add new boolean variable vault_name_validation_bypass to allow users with existing vaults containing restricted words (test, temp, delete, remove, default) to upgrade without validation errors.
- Maintains all existing format validation (2-50 chars, alphanumeric + hyphens/underscores)
- Only bypasses the word-based validation when explicitly enabled
- Defaults to false for backward compatibility
- Addresses issue #292 where users cannot upgrade due to existing vault names
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-authored-by: Luis M. Gallardo D.
---
 variables.tf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/variables.tf b/variables.tf
index 1ce40bd..64eddd1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -9,12 +9,18 @@ variable "vault_name" {
 validation {
 condition = var.vault_name == null ? true : (
 can(regex("^[0-9A-Za-z-_]{2,50}$", var.vault_name)) &&
- !can(regex("(?i)(test|temp|delete|remove|default)", var.vault_name)) # Prevent insecure naming patterns
+ (var.vault_name_validation_bypass || !can(regex("(?i)(test|temp|delete|remove|default)", var.vault_name))) # Prevent insecure naming patterns unless bypassed
 )
- error_message = "The vault_name must be between 2 and 50 characters, contain only alphanumeric characters, hyphens, and underscores. Avoid using 'test', 'temp', 'delete', 'remove', or 'default' in names for security reasons."
+ error_message = "The vault_name must be between 2 and 50 characters, contain only alphanumeric characters, hyphens, and underscores. Avoid using 'test', 'temp', 'delete', 'remove', or 'default' in names for security reasons. Set vault_name_validation_bypass = true to disable this word validation for existing vaults."
 }
 }
 
+variable "vault_name_validation_bypass" {
+ description = "Bypass the vault name word validation (test, temp, delete, remove, default). Set to true for existing vaults with these words. Only disables word validation, format validation remains active."
+ type = bool
+ default = false
+}
+
 variable "vault_kms_key_arn" {
 description = "The server-side encryption key that is used to protect your backups"
 type = string
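Review bot: The new `condition` on `vault_name` reads `var.vault_name_validation_bypass`, and a variable validation block may reference other variables only from Terraform 1.9 onward; on older releases it fails with an invalid-reference error for every caller, not only those who set the bypass. The patch touches only variables.tf, so unless the module's `required_version` constraint already demands it, that constraint should be raised to `>= 1.9.0` in the same change. I would also add `nullable = false` to `vault_name_validation_bypass`, since an explicit `null` would otherwise reach the `||` and make the condition error out instead of falling back to `false`. The `variable "vault_name"` block opens above the hunk, so its type and default are not visible here.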