diff --git a/heat/engine/clients/os/barbican.py b/heat/engine/clients/os/barbican.py
index 764b14ffd7..e02ef1f312 100644
--- a/heat/engine/clients/os/barbican.py
+++ b/heat/engine/clients/os/barbican.py
@@ -63,8 +63,25 @@ class BarbicanClientPlugin(client_plugin.ClientPlugin):
                     name=secret_ref)
             raise ex
 
+    def get_container_by_ref(self, container_ref):
+        try:
+            return self.client().containers.get(
+                container_ref)._get_formatted_entity()
+        except Exception as ex:
+            if self.is_not_found(ex):
+                raise exception.EntityNotFound(
+                    entity="Container",
+                    name=container_ref)
+            raise ex
+
 
 class SecretConstraint(constraints.BaseCustomConstraint):
     resource_client_name = CLIENT_NAME
     resource_getter_name = 'get_secret_by_ref'
     expected_exceptions = (exception.EntityNotFound,)
+
+
+class ContainerConstraint(constraints.BaseCustomConstraint):
+    resource_client_name = CLIENT_NAME
+    resource_getter_name = 'get_container_by_ref'
+    expected_exceptions = (exception.EntityNotFound,)
diff --git a/heat/engine/resources/openstack/barbican/order.py b/heat/engine/resources/openstack/barbican/order.py
index 7c20309f93..5e70573626 100644
--- a/heat/engine/resources/openstack/barbican/order.py
+++ b/heat/engine/resources/openstack/barbican/order.py
@@ -134,6 +134,9 @@ class Order(resource.Resource):
             properties.Schema.STRING,
             _('The source of certificate request.'),
             support_status=support.SupportStatus(version='5.0.0'),
+            constraints=[
+                constraints.CustomConstraint('barbican.container')
+            ],
         ),
         CA_ID: properties.Schema(
             properties.Schema.STRING,
diff --git a/heat/tests/clients/test_barbican_client.py b/heat/tests/clients/test_barbican_client.py
index 91d6136f4c..5fa0c69bcc 100644
--- a/heat/tests/clients/test_barbican_client.py
+++ b/heat/tests/clients/test_barbican_client.py
@@ -69,3 +69,23 @@ class SecretConstraintTest(common.HeatTestCase):
         self.mock_get_secret_by_ref.side_effect = exception.EntityNotFound(
             entity='Secret', name='bar')
         self.assertFalse(self.constraint.validate("bar", self.ctx))
+
+
+class ContainerConstraintTest(common.HeatTestCase):
+
+    def setUp(self):
+        super(ContainerConstraintTest, self).setUp()
+        self.ctx = utils.dummy_context()
+        self.mock_get_container_by_ref = mock.Mock()
+        self.ctx.clients.client_plugin(
+            'barbican').get_container_by_ref = self.mock_get_container_by_ref
+        self.constraint = barbican.ContainerConstraint()
+
+    def test_validation(self):
+        self.mock_get_container_by_ref.return_value = {}
+        self.assertTrue(self.constraint.validate("foo", self.ctx))
+
+    def test_validation_error(self):
+        self.mock_get_container_by_ref.side_effect = exception.EntityNotFound(
+            entity='Container', name='bar')
+        self.assertFalse(self.constraint.validate("bar", self.ctx))
diff --git a/setup.cfg b/setup.cfg
index 554c0eadc8..200531946c 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -86,6 +86,7 @@ heat.constraints =
     test_constr = heat.engine.constraint.common_constraints:TestConstraintDelay
     timezone = heat.engine.constraint.common_constraints:TimezoneConstraint
     # service constraints
+    barbican.container = heat.engine.clients.os.barbican:ContainerConstraint
     barbican.secret = heat.engine.clients.os.barbican:SecretConstraint
     cinder.backup = heat.engine.clients.os.cinder:VolumeBackupConstraint
     cinder.snapshot = heat.engine.clients.os.cinder:VolumeSnapshotConstraint