Add region validation (#394)

* Add region validation during plan. Closes #265

Validates region format (aws-*/gcp-*) with ERROR on invalid format.
Warns (not errors) on unknown regions since the list may be stale.
Calls the GetRegions API during plan to validate configured regions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bechols

internal/provider/namespace_resource.go

@@ -58,6 +58,7 @@ import (
 	namespacev1 "go.temporal.io/cloud-sdk/api/namespace/v1"
 
 	"github.com/temporalio/terraform-provider-temporalcloud/internal/client"
+	"github.com/temporalio/terraform-provider-temporalcloud/internal/provider/validators"
 	internaltypes "github.com/temporalio/terraform-provider-temporalcloud/internal/types"
 )
 
@@ -121,6 +122,7 @@ var (
 	_ resource.Resource                = (*namespaceResource)(nil)
 	_ resource.ResourceWithConfigure   = (*namespaceResource)(nil)
 	_ resource.ResourceWithImportState = (*namespaceResource)(nil)
+	_ resource.ResourceWithModifyPlan  = (*namespaceResource)(nil)
 
 	namespaceCertificateFilterAttrs = map[string]attr.Type{
 		"common_name":              types.StringType,
@@ -211,6 +213,9 @@ func (r *namespaceResource) Schema(ctx context.Context, _ resource.SchemaRequest
 				CustomType: internaltypes.UnorderedStringListType{
 					ListType: basetypes.ListType{ElemType: basetypes.StringType{}},
 				},
+				Validators: []validator.List{
+					listvalidator.ValueStringsAre(validators.RegionFormat()),
+				},
 			},
 			"accepted_client_ca": schema.StringAttribute{
 				CustomType:  internaltypes.EncodedCAType{},
@@ -350,6 +355,63 @@ func (r *namespaceResource) Schema(ctx context.Context, _ resource.SchemaRequest
 	}
 }
 
+// ModifyPlan validates configured regions against the Temporal Cloud API.
+func (r *namespaceResource) ModifyPlan(ctx context.Context, req resource.ModifyPlanRequest, resp *resource.ModifyPlanResponse) {
+	// Skip on destroy.
+	if req.Plan.Raw.IsNull() {
+		return
+	}
+
+	// Skip if the client is not configured (e.g., during early validation or provider config errors).
+	if r.client == nil {
+		return
+	}
+
+	var plan namespaceResourceModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Skip if regions are unknown (computed values not yet resolved).
+	if plan.Regions.IsUnknown() {
+		return
+	}
+
+	configuredRegions, d := getRegionsFromModel(ctx, &plan)
+	resp.Diagnostics.Append(d...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if len(configuredRegions) == 0 {
+		return
+	}
+
+	regionsResp, err := r.client.CloudService().GetRegions(ctx, &cloudservicev1.GetRegionsRequest{})
+	if err != nil {
+		resp.Diagnostics.AddWarning(
+			"Unable to Validate Regions",
+			fmt.Sprintf("Failed to fetch available regions from Temporal Cloud API: %s. Region validation will be skipped.", err.Error()),
+		)
+		return
+	}
+
+	validRegions := make(map[string]bool, len(regionsResp.GetRegions()))
+	for _, region := range regionsResp.GetRegions() {
+		validRegions[region.GetId()] = true
+	}
+
+	for _, region := range configuredRegions {
+		if !validRegions[region] {
+			resp.Diagnostics.AddError(
+				"Invalid Region",
+				fmt.Sprintf("Region %q is not a valid Temporal Cloud region. Use the temporalcloud_regions data source or see https://docs.temporal.io/cloud/regions for the list of available regions.", region),
+			)
+		}
+	}
+}
+
 // Create creates the resource and sets the initial Terraform state.
 func (r *namespaceResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
 	var plan namespaceResourceModel

internal/provider/namespace_resource_test.go

@@ -163,6 +163,56 @@ PEM
 
 }
 
+func TestAccNamespaceInvalidRegion(t *testing.T) {
+	config := `
+provider "temporalcloud" {
+
+}
+
+resource "temporalcloud_namespace" "terraform" {
+  name               = "tf-invalid-region"
+  regions            = ["invalid-region"]
+  api_key_auth       = true
+  retention_days     = 7
+}`
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config:      config,
+				ExpectError: regexp.MustCompile(`Invalid Region Format`),
+			},
+		},
+	})
+}
+
+func TestAccNamespaceInvalidRegionAPIValidation(t *testing.T) {
+	config := `
+provider "temporalcloud" {
+
+}
+
+resource "temporalcloud_namespace" "terraform" {
+  name               = "tf-invalid-api-region"
+  regions            = ["aws-us-fake-99"]
+  api_key_auth       = true
+  retention_days     = 7
+}`
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config:      config,
+				ExpectError: regexp.MustCompile(`Invalid Region`),
+			},
+		},
+	})
+}
+
 func TestAccBasicNamespaceWithApiKeyAuth(t *testing.T) {
 	name := fmt.Sprintf("%s-%s", "tf-basic-namespace", randomString(10))
 	config := func(name string, retention int) string {

internal/provider/validators/region_validator.go

@@ -0,0 +1,45 @@
+package validators
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+)
+
+var regionFormatPattern = regexp.MustCompile(`^(aws|gcp)-[a-z0-9-]+$`)
+
+type regionFormatValidator struct{}
+
+// RegionFormat returns a validator that checks if a string matches the expected
+// Temporal Cloud region format (e.g., aws-us-east-1, gcp-us-central1).
+// It does not verify that the region actually exists — that is handled by
+// ModifyPlan via the GetRegions API.
+func RegionFormat() validator.String {
+	return &regionFormatValidator{}
+}
+
+func (v *regionFormatValidator) Description(ctx context.Context) string {
+	return "must be a valid Temporal Cloud region format (e.g., aws-us-east-1, gcp-us-central1)"
+}
+
+func (v *regionFormatValidator) MarkdownDescription(ctx context.Context) string {
+	return "must be a valid Temporal Cloud region format (e.g., `aws-us-east-1`, `gcp-us-central1`). See [available regions](https://docs.temporal.io/cloud/regions)."
+}
+
+func (v *regionFormatValidator) ValidateString(ctx context.Context, req validator.StringRequest, resp *validator.StringResponse) {
+	if req.ConfigValue.IsNull() || req.ConfigValue.IsUnknown() {
+		return
+	}
+
+	value := req.ConfigValue.ValueString()
+
+	if !regionFormatPattern.MatchString(value) {
+		resp.Diagnostics.AddAttributeError(
+			req.Path,
+			"Invalid Region Format",
+			fmt.Sprintf("Region %q does not match expected format. Regions must be prefixed with cloud provider (e.g., aws-us-east-1, gcp-us-central1). See https://docs.temporal.io/cloud/regions", value),
+		)
+	}
+}