Workspace and Validation Guards
A safety mechanism prevents applying the wrong tfvars file against the wrong
workspace. Each tfvars file includes a workspace_name
variable, and a precondition on a terraform_data resource
checks that this value matches the current
terraform.workspace at plan/apply time.
**Note:** If `workspace_name` is left empty (`""`), the guardrail is bypassed and no workspace validation occurs, so every tfvars file should set it explicitly.
If the current workspace does not match the
workspace_name in the tfvars file, Terraform will fail
with an error:
```text
WORKSPACE MISMATCH - EXECUTION BLOCKED
Current workspace: 'default'
tfvars workspace: 'secondary'
Fix: terraform workspace select secondary
OR use the correct tfvars file for 'default' workspace
```
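The guard described above, written out as an added example for this page rather than taken from the module: a lifecycle precondition on a `terraform_data` resource compares the tfvars value with `terraform.workspace`, reproduces the error text shown, and makes the empty-string bypass from the note explicit in the condition. The variable name `workspace_name` and the resource name `workspace_guard` are assumptions; `terraform_data` needs Terraform 1.4 or later.

```hcl
# Added example, not the module's own code. Assumed names: var.workspace_name,
# terraform_data.workspace_guard.

variable "workspace_name" {
  description = "Workspace this tfvars file is meant for. Empty string disables the guard."
  type        = string
  default     = ""
}

resource "terraform_data" "workspace_guard" {
  # Storing the value makes `terraform state show terraform_data.workspace_guard`
  # reveal which tfvars file was last applied in this workspace.
  input = var.workspace_name

  lifecycle {
    precondition {
      # An empty workspace_name passes unconditionally: this is the bypass the
      # note above warns about, kept here so the behaviour is visible in code.
      condition = var.workspace_name == "" || var.workspace_name == terraform.workspace

      error_message = <<-EOT
        WORKSPACE MISMATCH - EXECUTION BLOCKED
        Current workspace: '${terraform.workspace}'
        tfvars workspace: '${var.workspace_name}'
        Fix: terraform workspace select ${var.workspace_name}
        OR use the correct tfvars file for '${terraform.workspace}' workspace
      EOT
    }
  }
}
```

With `default` selected, `terraform plan -var-file=secondary.tfvars` (a file that sets `workspace_name = "secondary"`) fails with the message above during plan, before anything is applied. The same file with `workspace_name = ""` passes without any warning, which is why a CI step that greps each tfvars file for a non-empty `workspace_name` is a cheap complement to the guard.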
Additional validation checks enforced in `validation.tf`:

| Check | Condition | Error if violated |
|---|---|---|
| `dr_routing_requires_dr_mode` | `dr_use_dedicated_routing=false` requires `dr` to be non-empty | Non-DR clusters always use dedicated routing |
| `standby_requires_remote_state` | `dr="standby"` requires `primary_remote_state_config` to be set | Remote state config needed to sync encryption keys |
| `traffic_manager_requires_active_mode` | `manage_traffic_manager=true` requires `dr="active"` | Only the active cluster should manage Traffic Manager |
| `traffic_manager_requires_zone_config` | `manage_traffic_manager=true` requires `traffic_manager_dns_zone_name` to be non-empty | Zone name needed for Traffic Manager host header |
| `traffic_manager_dns_record_requires_resource_group` | `traffic_manager_create_dns_record=true` requires `traffic_manager_dns_zone_resource_group` | Resource group needed to create Azure DNS CNAME |
| `kubeapi_no_wildcard` | Warns (does not block) if `ip_ranges_allowed_to_kubeapi` contains `0.0.0.0/0` | Kubernetes API exposed to the internet |
Hard validation locals in `locals.tf` (blocking errors at plan time):

| Local | Condition | Error if violated |
|---|---|---|
| `validate_standby_encryption_key` | `dr="standby"` requires the primary encryption key to be available | Standby deployment requires primary encryption key via remote state or `existing_storage_encryption_key` variable |
| `validate_standby_storage_account_key` | `dr="standby"` requires the primary storage account key to be available | Standby deployment requires primary storage account key via remote state or `azure_recover_from_accountkey` variable |
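One way to implement the rules in both tables above, as an added example that is not the module's own `validation.tf` or `locals.tf`: a `terraform_data` resource carries blocking preconditions for the cross-variable rules, a `check` block carries the warning-only `kubeapi_no_wildcard` rule (Terraform 1.5 or later), and a local forces a plan-time error by passing the error text to `tobool()` whenever a standby has no primary key. Variable names and error texts come from the tables; the `terraform_remote_state` data source, its `storage_encryption_key` output and the resource name `validation` are assumptions.

```hcl
# Added example, not the module's own code. Assumed: the remote-state data
# source, its output name, and the resource name.

variable "dr" {
  description = "DR role of this cluster: \"\", \"active\" or \"standby\"."
  type        = string
  default     = ""
}

variable "manage_traffic_manager" {
  type    = bool
  default = false
}

variable "ip_ranges_allowed_to_kubeapi" {
  type    = list(string)
  default = []
}

variable "primary_remote_state_config" {
  description = "Backend config for the primary cluster's state; empty when unused."
  type        = map(string)
  default     = {}
}

variable "existing_storage_encryption_key" {
  type      = string
  default   = ""
  sensitive = true
}

# Assumption: a standby reads the primary's key from the primary's remote state.
data "terraform_remote_state" "primary" {
  count   = var.dr == "standby" && length(var.primary_remote_state_config) > 0 ? 1 : 0
  backend = "azurerm"
  config  = var.primary_remote_state_config
}

# Blocking rules (validation.tf style): a false condition fails plan and apply
# with the table's error text.
resource "terraform_data" "validation" {
  lifecycle {
    precondition {
      condition     = var.dr != "standby" || length(var.primary_remote_state_config) > 0
      error_message = "Remote state config needed to sync encryption keys"
    }
    precondition {
      condition     = !var.manage_traffic_manager || var.dr == "active"
      error_message = "Only the active cluster should manage Traffic Manager"
    }
  }
}

# Warning-only rule: a check block reports the failure but never blocks.
check "kubeapi_no_wildcard" {
  assert {
    condition     = !contains(var.ip_ranges_allowed_to_kubeapi, "0.0.0.0/0")
    error_message = "Kubernetes API exposed to the internet"
  }
}

# Hard validation local (locals.tf style): tobool() cannot convert the error
# text to a bool, so taking the false branch aborts the plan with that text.
locals {
  primary_encryption_key = (
    var.existing_storage_encryption_key != ""
    ? var.existing_storage_encryption_key
    : try(data.terraform_remote_state.primary[0].outputs.storage_encryption_key, "")
  )

  validate_standby_encryption_key = (
    var.dr != "standby" || local.primary_encryption_key != ""
  ) ? true : tobool("Standby deployment requires primary encryption key via remote state or existing_storage_encryption_key variable")
}
```

The two blocking styles fail differently: a precondition reports the resource address and the `error_message` as a proper validation error, while the `tobool()` trick surfaces as an "Invalid function argument" error that happens to quote the message. The `check` block is the right tool only for the wildcard rule, because the table says it warns; promoting it to a precondition would turn an internet-exposed API server into a hard plan failure, which may be what a given team wants.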