Validation condition

[devops-rob]

Upon testing the validation in the secrets_engines variable, I've learned that it does not behave as expected. The variable block with validation looks like this

variable "secrets_engines" {
  type        = list(string)
  default     = null
  description = "A list of secrets engines to enable"

  validation {
    condition     = can(contains(
    [
      "aws",
      "azure",
      "gcp",
      "consul",
      "pki",
      "transit",
      "rabbitmq",
      "ssh"
    ], var.secrets_engines))
    error_message = "Invalid secrets engines."
  }
}

Expected behaviour

when i use the module with the following configuration (which includes a deliberately misspelled engine), i expect to see "Invalid secrets engines." error message when i run a terraform plan.

module "aws_defaults" {
  source = "../../"

  secrets_engines       = ["awz"]
  aws_backend_role_name = "test"
  aws_iam_groups        = ["test"]
}

Actual behaviour

The output of a terraform plan shows the below

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

It's correct that no changes are detected as the count of the resources is based on the secrets engines being in the list; however, i expect the plan to fail as the validation should detect that the misspelled secrets engine has failed the validation condition.