
Add validation to `secrets` and `map_secrets`'s `valueFrom` to ensure it's an arn

Open · nitrocode opened this issue 4 years ago · 1 comment


Describe the Feature

Add validation to secrets and map_secrets's valueFrom to ensure it's an ARN

Expected Behavior

Fail if any valueFrom does not use a valid ARN format

Use Case

At the moment, this will error after an apply. An input validation would catch it earlier.

Describe Ideal Solution

Input var validation using a regex.

For example, this is a valid ARN:

arn:aws:ssm:us-east-2:snip:parameter/global/snip

Perhaps the regex from here: https://github.com/hashicorp/terraform-provider-aws/issues/8307

^arn:[\w-]+:([a-zA-Z0-9\-])+:([a-z]{2}-((?:gov|iso|isob)-)?[a-z]+-\d{1})?:(\d{12})?:(.*)$

or even simpler

^arn:.*

Alternatives Considered

  • Apply, fail, update.
  • Be more vigilant when passing in input vars

Additional Context

nitrocode, Aug 11 '21 17:08

Not sure this is a good idea, as AWS's original container definitions accept a string that maps to an SSM Parameter Store parameter name. So you can supply a string that's not an ARN but is still valid.

Refs: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-parameters.html#secrets-envvar-parameters

If the Systems Manager Parameter Store parameter exists in the same Region as the task you are launching, then you can use either the full ARN or name of the parameter.

bartelemi, Mar 08 '22 00:03
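The two comments above pull in different directions: the feature request wants `valueFrom` rejected at plan time when it is not an ARN, while the reply points out that a bare SSM parameter name is also accepted by ECS for same-Region parameters. The following is an added example, not code from the terraform-aws-ecs-container-definition module, showing how a Terraform input validation could enforce the ARN regex quoted in the issue while still admitting a plain parameter name. The variable shape (`name`/`valueFrom` objects), the parameter-name pattern and the sample values in the comments are assumptions made for this illustration.

```hcl
# Added example (not the module's own code). One Terraform input variable whose
# validation accepts, for every secret, either a full AWS ARN (the pattern
# proposed in the issue) or a bare SSM Parameter Store parameter name (the
# same-Region case raised in the reply). Anything else fails at plan time
# instead of after an apply.
variable "secrets" {
  description = "Container secrets: name plus valueFrom (ARN or SSM parameter name)."
  type = list(object({
    name      = string
    valueFrom = string
  }))
  default = []

  validation {
    condition = alltrue([
      for s in var.secrets :
      # Full ARN, e.g. (constructed sample)
      #   arn:aws:ssm:us-east-2:123456789012:parameter/global/db_password
      # Regex copied from the issue; backslashes are doubled for the HCL string.
      can(regex("^arn:[\\w-]+:([a-zA-Z0-9\\-])+:([a-z]{2}-((?:gov|iso|isob)-)?[a-z]+-\\d{1})?:(\\d{12})?:(.*)$", s.valueFrom)) ||
      # Bare SSM parameter name, e.g. (constructed samples)
      #   /global/db_password   or   db_password
      # Assumed character set: letters, digits, _ . - in slash-separated segments.
      can(regex("^/?[a-zA-Z0-9_.-]+(/[a-zA-Z0-9_.-]+)*$", s.valueFrom))
    ])
    error_message = "Each secrets[*].valueFrom must be an ARN (arn:...) or an SSM Parameter Store parameter name."
  }
}

# The same check for the map-shaped input: keys are env var names, values are valueFrom.
variable "map_secrets" {
  description = "Container secrets as a map of name => valueFrom (ARN or SSM parameter name)."
  type        = map(string)
  default     = {}

  validation {
    condition = alltrue([
      for name, from in var.map_secrets :
      can(regex("^arn:[\\w-]+:([a-zA-Z0-9\\-])+:([a-z]{2}-((?:gov|iso|isob)-)?[a-z]+-\\d{1})?:(\\d{12})?:(.*)$", from)) ||
      can(regex("^/?[a-zA-Z0-9_.-]+(/[a-zA-Z0-9_.-]+)*$", from))
    ])
    error_message = "Each map_secrets value must be an ARN (arn:...) or an SSM Parameter Store parameter name."
  }
}
```

With this in place, `terraform plan` rejects a `valueFrom` such as a value with a typo in the `arn:` prefix or an embedded space before any AWS API call is made, while a cross-Region Secrets Manager ARN and a same-Region SSM parameter name both pass. Because ECS only resolves a bare name against SSM in the task's own Region, a name that is valid by this pattern but does not exist there will still fail at task launch; the validation narrows the error surface, it does not remove it.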