diff --git a/CHANGELOG.md b/CHANGELOG.md
index a261902..8c8595c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -39,3 +39,7 @@
* 1.2.1 -- 2025-03-06
- acmpca-eks-cert-manager
- un-hardcode validity_days from 365 to use the variable (due to the ACMPCA issuer lifetime being less than one year right now)
+
+* 1.2.2 -- 2025-03-18
+ - all
+ - add validation of contact_email to include @ and in the census.gov domain
diff --git a/acm/README.md b/acm/README.md
index 76f6d38..5d4d490 100644
--- a/acm/README.md
+++ b/acm/README.md
@@ -60,6 +60,7 @@ the ARN if completed. You'll use the ARN for an AWS LB Listener.
| [aws](#requirement\_aws) | >= 5.0 |
| [local](#requirement\_local) | >= 2.1.0 |
| [null](#requirement\_null) | >= 3.1.0 |
+| [random](#requirement\_random) | >= 3.6.0 |
| [tls](#requirement\_tls) | >= 3.1.0 |
## Providers
diff --git a/acm/variables.tf b/acm/variables.tf
index 038815f..1ba5917 100644
--- a/acm/variables.tf
+++ b/acm/variables.tf
@@ -12,4 +12,9 @@ variable "certificate_san" {
variable "contact_email" {
description = "Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address."
type = string
+
+ validation {
+ condition = length(regexall("@", var.contact_email)) > 0 && endswith(lower(var.contact_email), "census.gov")
+ error_message = "contact_email must be a valid email address and in the census.gov domain."
+ }
}
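Review bot: The `condition` in the new `validation` block does not pin the domain boundary: `endswith(lower(var.contact_email), "census.gov")` is also true for a lookalike such as `someone@notcensus.gov` (constructed example), and `length(regexall("@", ...)) > 0` accepts an empty local part or several `@` signs. If only the exact domain is intended, as the description's "in @census.gov" suggests, anchor the whole address instead: `condition = can(regex("^[^@\\s]+@census\\.gov$", lower(var.contact_email)))`. The identical condition is added in acmpca-eks-cert-manager/variables.tf, acmpca-iam-rolesanywhere/variables.tf and acmpca/variables.tf, so the same change applies there. `endswith` also needs Terraform 1.3 or later; the modules' `required_version` is not visible in this diff, so confirm it covers that.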
diff --git a/acmpca-eks-cert-manager/variables.tf b/acmpca-eks-cert-manager/variables.tf
index 79a364f..3beac2c 100644
--- a/acmpca-eks-cert-manager/variables.tf
+++ b/acmpca-eks-cert-manager/variables.tf
@@ -6,6 +6,11 @@ variable "cluster_name" {
variable "contact_email" {
description = "Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address."
type = string
+
+ validation {
+ condition = length(regexall("@", var.contact_email)) > 0 && endswith(lower(var.contact_email), "census.gov")
+ error_message = "contact_email must be a valid email address and in the census.gov domain."
+ }
}
variable "validity_days" {
diff --git a/acmpca-iam-rolesanywhere/variables.tf b/acmpca-iam-rolesanywhere/variables.tf
index 64c307f..e966865 100644
--- a/acmpca-iam-rolesanywhere/variables.tf
+++ b/acmpca-iam-rolesanywhere/variables.tf
@@ -6,6 +6,11 @@ variable "role_name" {
variable "contact_email" {
description = "Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address."
type = string
+
+ validation {
+ condition = length(regexall("@", var.contact_email)) > 0 && endswith(lower(var.contact_email), "census.gov")
+ error_message = "contact_email must be a valid email address and in the census.gov domain."
+ }
}
variable "validity_days" {
diff --git a/acmpca/variables.tf b/acmpca/variables.tf
index b0c8b82..af36f4d 100644
--- a/acmpca/variables.tf
+++ b/acmpca/variables.tf
@@ -13,8 +13,12 @@ variable "certificate_san" {
variable "contact_email" {
description = "Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address."
type = string
-}
+ validation {
+ condition = length(regexall("@", var.contact_email)) > 0 && endswith(lower(var.contact_email), "census.gov")
+ error_message = "contact_email must be a valid email address and in the census.gov domain."
+ }
+}
variable "certificate_cn" {
description = "CommonName (CN) to use for certificate, defaults in c=US,o=U.S. Census Bureau,ou=Servers. This will typically be the DNS name. Uses certificate_dns if not provided."
diff --git a/common/version.tf b/common/version.tf
index 54b3493..3472979 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.2.1"
+ _module_version = "1.2.2"
}