LowFile-scope Plug & play

Validate Terraform variables with types and constraints

All variables must declare a type, default (when sensible), and validation blocks; mark sensitive inputs with sensitive=true.

Add to Mesrai Open workspace

Why this matters

Strongly-typed, validated inputs prevent unsafe applies and secrets leakage.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

variable "instance_type" {}

Prefer

variable "instance_type" {
 type = string
 validation {
 condition = contains(["t3.medium","t3.large"], var.instance_type)
 error_message = "instance_type must be an approved size."
 }
}
variable "db_password" {
 type = string
 sensitive = true
}

More snippets

Good

variable "db_password" { type = string, sensitive = true }

Bad

variable "db_password" {}

Related rules

From the same buckets as this rule.

Critical
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
infra-as-codesecurity-hardening+1
Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret