fix: use can(index()) to handle null proxy_client_password_auth_type

[wavemoran]

Summary

• contains() throws Invalid function argument when passed a null value, even when short-circuit evaluation with == null || is expected — Terraform evaluates both sides of || before applying the condition
• Replace contains(list, var) with can(index(list, var)) so null (or unset) values return false cleanly without erroring
• Fixes the regression introduced in feat: add optional RDS DB Proxy support #72 for users who do not set proxy_client_password_auth_type

Problem

When proxy_client_password_auth_type is not set (default null), Terraform raises:

Error: Invalid function argument
  on variables.tf line 541, in variable "proxy_client_password_auth_type":
  condition = var.proxy_client_password_auth_type == null || contains([...], var.proxy_client_password_auth_type)
Invalid value for "value" parameter: argument must not be null.

Fix

# Before
condition = var.proxy_client_password_auth_type == null || contains([...], var.proxy_client_password_auth_type)

# After
condition = var.proxy_client_password_auth_type == null || can(index([...], var.proxy_client_password_auth_type))

Per the Terraform can function docs: can evaluates the given expression and returns true if it succeeds, or false if it returns any error — including the error index raises when the value is not found or is null. This is the recommended pattern for validation conditions.

References

• Introduced by: feat: add optional RDS DB Proxy support #72
• Terraform can function: https://developer.hashicorp.com/terraform/language/functions/can
• Terraform custom conditions: https://developer.hashicorp.com/terraform/language/expressions/custom-conditions

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes
  • Improved validation for proxy client password authentication to safely handle edge cases while preserving accepted values and null allowance.
• Chores
  • Updated remote-state module to v2.0.0 across relevant stack configurations.
  • Switched an IAM roles module reference from a local path to the updated remote module release to standardize sourcing.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9f329fdf-edea-456a-a5e5-77dce3d2dc18

📥 Commits

Reviewing files that changed from the base of the PR and between ca0c551 and dfceebc.

📒 Files selected for processing (1)

• src/providers.tf

---

📝 Walkthrough

Walkthrough

Updated Terraform variable validation for proxy_client_password_auth_type to use can(index(...)) instead of contains(...). Bumped cloudposse/stack-config/yaml//modules/remote-state version from 1.8.0 to 2.0.0 in four module blocks and replaced a local iam_roles module source with a GitHub module reference.

Changes

Cohort / File(s)	Summary
Validation Logic src/variables.tf	Replaced contains() membership check with can(index(...)) in proxy_client_password_auth_type validation; allowed values and null handling unchanged.
Remote-state module version bumps src/remote-state.tf	Updated version for cloudposse/stack-config/yaml//modules/remote-state from 1.8.0 → 2.0.0 across module blocks (vpc, vpc_ingress, eks, dns_gbl_delegated).
Module source update src/providers.tf	Changed module "iam_roles" source from ../account-map/modules/iam-roles to github.com/cloudposse-terraform-components/aws-account-map//src/modules/iam-roles?ref=v1.537.2.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: add optional RDS DB Proxy support #72 — touches the same proxy_client_password_auth_type variable validation logic and may contain similar validation changes.

Suggested labels

minor

Poem

🐰 I hopped through code with nimble cheer,
Swapped contains for can(index(...)) so errors fear,
Bumped module tags and set a new source line,
I nibbled a carrot and called it fine,
Hooray — the terraform fields now shine ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: use can(index()) to handle null proxy_client_password_auth_type' accurately describes the main change in src/variables.tf, which is the core fix mentioned in the PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[RoseSecurity]

We may also need to adjust the version constraints on this

[wavemoran]

We may also need to adjust the version constraints on this

Are you referencing this?

There's a few hops, but looks like the issue is conflicting versions being pulled in from account-map and cloudposse/satack-config.

We can test updating the latter to 2.0.0

[RoseSecurity]

/terratest

[RoseSecurity]

/terratest

[goruha]

@wavemoran could you pls replace https://github.com/wavemoran/aws-aurora-postgres/blob/fix/proxy-auth-type-validation-null/src/providers.tf#L17 with github.com/cloudposse-terraform-components/aws-account-map//src/modules/iam-roles?ref=v1.537.2

[goruha]

check comments

[mergify]

Thanks @wavemoran for creating this pull request!

A maintainer will review your changes shortly. Please don't be discouraged if it takes a while.

While you wait, make sure to review our contributor guidelines.

Tip

Need help or want to ask for a PR review to be expedited?

Join us on Slack in the #pr-reviews channel.

[mergify]

Heads up! This pull request looks stale. It will be closed soon, if there are no new commits. ⏳

[mergify]

Thanks @wavemoran for creating this pull request!

A maintainer will review your changes shortly. Please don't be discouraged if it takes a while.

While you wait, make sure to review our contributor guidelines.

Tip

Need help or want to ask for a PR review to be expedited?

Join us on Slack in the #pr-reviews channel.

[mergify]

Heads up! This pull request looks stale. It will be closed soon, if there are no new commits. ⏳

[mergify]

Thanks @wavemoran for creating this pull request!

A maintainer will review your changes shortly. Please don't be discouraged if it takes a while.

While you wait, make sure to review our contributor guidelines.

Tip

Need help or want to ask for a PR review to be expedited?

Join us on Slack in the #pr-reviews channel.

[mergify]

Heads up! This pull request looks stale. It will be closed soon, if there are no new commits. ⏳

[mergify]

Thanks @wavemoran for creating this pull request!

A maintainer will review your changes shortly. Please don't be discouraged if it takes a while.

While you wait, make sure to review our contributor guidelines.

Tip

Need help or want to ask for a PR review to be expedited?

Join us on Slack in the #pr-reviews channel.

[mergify]

Heads up! This pull request looks stale. It will be closed soon, if there are no new commits. ⏳

[mergify]

Thanks @wavemoran for creating this pull request!

A maintainer will review your changes shortly. Please don't be discouraged if it takes a while.

While you wait, make sure to review our contributor guidelines.

Tip

Need help or want to ask for a PR review to be expedited?

Join us on Slack in the #pr-reviews channel.

[mergify]

Heads up! This pull request looks stale. It will be closed soon, if there are no new commits. ⏳

[mergify]

Thanks @wavemoran for creating this pull request!

A maintainer will review your changes shortly. Please don't be discouraged if it takes a while.

While you wait, make sure to review our contributor guidelines.

Tip

Need help or want to ask for a PR review to be expedited?

Join us on Slack in the #pr-reviews channel.