diff --git a/acmpca-iam-rolesanywhere/README.md b/acmpca-iam-rolesanywhere/README.md
index 86e8d59..cdf7368 100644
--- a/acmpca-iam-rolesanywhere/README.md
+++ b/acmpca-iam-rolesanywhere/README.md
@@ -133,7 +133,7 @@ certificate_subject = {
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [role\_name](#input\_role\_name) | IAM RolesAnywhere Role Name (including r- prefix if necessary) | `string` | n/a | yes |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
-| [validity\_days](#input\_validity\_days) | Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7 | `number` | `365` | no |
+| [validity\_days](#input\_validity\_days) | Number of days for which the certificate is valid, 1 to 365. For the short lived certificate, this must be <= 7. Default is 365 days (also the maximum). | `number` | `365` | no |
## Outputs
diff --git a/acmpca-iam-rolesanywhere/variables.tf b/acmpca-iam-rolesanywhere/variables.tf
index 7652c8f..43b7799 100644
--- a/acmpca-iam-rolesanywhere/variables.tf
+++ b/acmpca-iam-rolesanywhere/variables.tf
@@ -9,13 +9,13 @@ variable "contact_email" {
}
variable "validity_days" {
- description = "Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7"
+ description = "Number of days for which the certificate is valid, 1 to 365. For the short lived certificate, this must be <= 7. Default is 365 days (also the maximum)."
type = number
default = 365
validation {
- condition = var.validity_days > 0
- error_message = "validity_days must be larger than 0."
+ condition = var.validity_days > 0 && var.validity_days <= 365
+ error_message = "validity_days must be larger than 0 and less than or equal to 365 (1 year)."
}
}
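Review bot: The new `condition` line still admits non-integer values such as `1.5`, because Terraform's `number` type covers fractions and the range check alone does not reject them; tightening it to `condition = var.validity_days >= 1 && var.validity_days <= 365 && floor(var.validity_days) == var.validity_days` keeps the 1-to-365 bound and pins the value to whole days as the updated description promises. The description also says the short-lived certificate must be <= 7 days, yet nothing in the validation enforces that limit; if the short-lived mode is chosen by a variable outside this hunk, either a cross-variable check (where the project's Terraform version allows referencing other variables in `validation`) or a comment on the `validation` block naming where the 7-day limit is applied would stop callers from discovering it only at issuance time. Whichever bounds the condition ends up checking, the `error_message` should be kept in step with them.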