TFNFR21 - Discourage Nullability by Default
nullable = true MUST be avoided.
sensitive = false MUST be avoided.
A default value MUST NOT be set for a sensitive input - e.g., a default password.
Sometimes we will find that the name of a variable is no longer suitable, or that a change SHOULD be made to its data type. We want to ensure forward compatibility within a major version, so direct changes are strictly forbidden. The right way to do this is to move this variable to an independent deprecated_variables.tf file, then redefine the new parameter in variable.tf and make sure it’s compatible everywhere else.
The terraform.tf file MUST only contain one terraform block.
The first line of the terraform block MUST define a required_version property for the Terraform CLI.
The required_version property MUST include a constraint on the minimum version of the Terraform CLI. Previous releases of the Terraform CLI can have unexpected behavior.
The terraform block in terraform.tf MUST contain the required_providers block.
Each provider used directly in the module MUST be specified with the source and version properties. Providers in the required_providers block SHOULD be sorted in alphabetical order.
By rule, a provider MUST NOT be declared in the module code. The only exception is when the module needs different instances of the same kind of provider (e.g., manipulating resources across different locations or accounts); in that case you MUST declare configuration_aliases in terraform.required_providers. See details in this document.
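A terraform.tf that follows the rules above, shown as an added example (it is not taken from the AVM specification or from any AVM module). The version constraints, the choice of providers, the alias name secondary and the two variables are assumptions for illustration.

```hcl
# terraform.tf (added example; every version constraint here is constructed)
# Exactly one terraform block in this file.
terraform {
  # First line of the block: constrain the minimum Terraform CLI version.
  required_version = ">= 1.9, < 2.0"

  # Every provider the module uses directly, each with source and version,
  # sorted alphabetically (azurerm before random).
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 4.0, < 5.0"

      # Exception case only: the module needs a second instance of the same
      # provider (for example another location or account). The module
      # declares the alias it expects; it still does not configure it.
      configuration_aliases = [azurerm.secondary]
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.5, < 4.0"
    }
  }
}

# main.tf: no provider block anywhere in the module. Resources only
# reference the alias that the caller passes in.
resource "azurerm_resource_group" "secondary" {
  provider = azurerm.secondary

  name     = var.secondary_resource_group_name # hypothetical variable
  location = var.secondary_location            # hypothetical variable
}

# Caller side (root module, not part of this module): the root configures
# both provider instances, credentials included, and maps them explicitly:
#
#   module "example" {
#     source = "./modules/example"
#     providers = {
#       azurerm           = azurerm
#       azurerm.secondary = azurerm.west
#     }
#   }
```

Because the module only names the alias, provider configuration and credentials stay in the root module, where the caller controls which account or location each instance targets.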
An output block that contains confidential data MUST be declared with sensitive = true.
Module owners MUST set a branch protection policy on their GitHub Repositories for AVM modules against their default branch, typically main, to do the following:
If you use the template repository as mentioned in the contribution guide, the above will automatically be set.
Sometimes we notice that the name of a certain output is no longer appropriate. However, since we have to ensure forward compatibility within the same major version, its name MUST NOT be changed directly. It MUST be moved to an independent deprecated_outputs.tf file; then a new output is redefined in output.tf, making sure it’s compatible everywhere else in the module.