diff --git a/modules/forwarder/tests/validation.tftest.hcl b/modules/forwarder/tests/validation.tftest.hcl
new file mode 100644
index 0000000..9652128
--- /dev/null
+++ b/modules/forwarder/tests/validation.tftest.hcl
@@ -0,0 +1,82 @@
+
+# The below variables are all valid. We will validate them in first test, and
+# then successively override them with bad inputs.
+variables {
+  name = "test"
+  destination = {
+    bucket = "bucket_name"
+  }
+  source_bucket_names = ["*", "a-b-c-", "a31asf"]
+  source_topic_arns   = ["arn:aws:sns:us-west-2:123456789012:my-topic-name"]
+  source_kms_key_arns = ["arn:aws:kms:us-west-2:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456"]
+
+  content_type_overrides = [
+    {
+      pattern      = ".*"
+      content_type = "application/json"
+    }
+  ]
+}
+
+run "valid_canned_variables" {
+  command = plan
+}
+
+run "invalid_uri_scheme" {
+  command         = plan
+  expect_failures = [var.destination]
+
+  variables {
+    destination = {
+      uri = "ftp://foo"
+    }
+  }
+}
+
+run "mutually_exclusive_uri_and_bucket" {
+  command         = plan
+  expect_failures = [var.destination]
+
+  variables {
+    destination = {
+      uri    = "https://foo.com"
+      bucket = "foo.com"
+    }
+  }
+}
+
+run "invalid_source_bucket_name" {
+  command         = plan
+  expect_failures = [var.source_bucket_names]
+
+  variables {
+    source_bucket_names = ["a*c"]
+  }
+}
+
+run "source_bucket_arn" {
+  command         = plan
+  expect_failures = [var.source_bucket_names]
+
+  variables {
+    source_bucket_names = ["arn:s3:::hello-world"]
+  }
+}
+
+run "invalid_source_topic_arn" {
+  command         = plan
+  expect_failures = [var.source_topic_arns]
+
+  variables {
+    source_topic_arns = ["foo"]
+  }
+}
+
+run "invalid_source_kms_key_arn" {
+  command         = plan
+  expect_failures = [var.source_kms_key_arns]
+
+  variables {
+    source_kms_key_arns = ["foo"]
+  }
+}
diff --git a/modules/forwarder/variables.tf b/modules/forwarder/variables.tf
index f814975..c1c7b35 100644
--- a/modules/forwarder/variables.tf
+++ b/modules/forwarder/variables.tf
@@ -54,6 +54,14 @@ variable "source_bucket_names" {
   type        = list(string)
   nullable    = false
   default     = []
+
+  validation {
+    # this check is not exhaustive, but it ensures wildcard can only be used as
+    # a suffix, and filters out most common misconfiguration of providing an
+    # ARN.
+    condition     = alltrue([for name in var.source_bucket_names : can(regex("^[a-z0-9-.]*(\\*)?$", name))])
+    error_message = "Invalid S3 bucket name"
+  }
 }
 
 variable "source_topic_arns" {
@@ -63,6 +71,11 @@ variable "source_topic_arns" {
   type        = list(string)
   nullable    = false
   default     = []
+
+  validation {
+    condition     = alltrue([for arn in var.source_topic_arns : can(regex("^arn:[^:]+:sns:", arn))])
+    error_message = "Invalid SNS ARN"
+  }
 }
 
 variable "source_kms_key_arns" {
@@ -72,6 +85,11 @@ variable "source_kms_key_arns" {
   type        = list(string)
   nullable    = false
   default     = []
+
+  validation {
+    condition     = alltrue([for arn in var.source_kms_key_arns : can(regex("^arn:[^:]+:kms:", arn))])
+    error_message = "Invalid KMS ARN"
+  }
 }
 
 variable "max_file_size" {