aws / res

Research and Engineering Studio (RES) is an AWS supported open source product that enables IT administrators to provide an easy-to-use web portal for scientists and engineers to run technical computing workloads on AWS.
https://github.com/aws/res
Apache License 2.0

Incorrect regex pattern to confirm ServiceAccountPasswordSecretArn - version 2024.06 [BUG] #48

Closed aosorio-intervision closed 1 month ago

aosorio-intervision commented 5 months ago

Describe the bug: The regex pattern to confirm a valid secret arn for the parameter ServiceAccountPasswordSecretArn is not OK since it is not allowing the slash (/) in the arn. For example the _arn us-west-2:123456789012:secret:application/research_and_engineeringstudio is rejected by the use of a slash.

Using that arn value we got the following output

│ Error: creating CloudFormation Stack (res-hw-lightmatter): operation error CloudFormation: CreateStack, https response error StatusCode: 400, RequestID: 0bea9954-df95-4292-853f-efcae1514f17, api error ValidationError: Parameter 'ServiceAccountPasswordSecretArn' must match pattern ^(?:arn:(?:aws|aws-us-gov|aws-cn):secretsmanager:[a-z0-9-]{1,20}:[0-9]{12}:secret:[A-Za-z0-9-\+\=\,.\@]{1,128})?$
│
│   with aws_cloudformation_stack.res_hw,
│   on res-test.tf line 3, in resource "aws_cloudformation_stack" "res_hw":
│    3: resource "aws_cloudformation_stack" "reshw" {
│
╵

To handle this error we had to create a new secret without a slash (/).

Expected behavior: The regex pattern has to accept all the possible arn secrets for ServiceAccountPasswordSecretArn.

Actual behavior: The regex pattern is excluding slash symbols (/), which are normally used for secrets.

Environment (please complete the following information):

Additional context: This was tested in Terraform (resource "aws_cloudformation_stack") using the most recent version as the CloudFormation stack template.

ravipranjal commented 1 month ago

Hi! Apologies for not getting back. This issue was internally tracked and fixed in the 2024.08 release. The fix was to update the pattern to "^(?:arn:(?:aws|aws-us-gov|aws-cn):secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[A-Za-z0-9\-\_\+\=\/\.\@]{1,519})?$". Thanks.
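An added example, not part of the thread and not the project's code: it runs the two patterns quoted above against constructed ARNs to show which inputs each one accepts, including the empty string that the optional group allows in both. It assumes Python's `re` module as the matcher (CloudFormation's own validation is not involved), and all sample values and function names are made up for illustration.

```python
import re

# Patterns copied as quoted in the thread: the 2024.06 error message and the 2024.08 fix.
OLD_PATTERN = r"^(?:arn:(?:aws|aws-us-gov|aws-cn):secretsmanager:[a-z0-9-]{1,20}:[0-9]{12}:secret:[A-Za-z0-9-\+\=\,.\@]{1,128})?$"
NEW_PATTERN = r"^(?:arn:(?:aws|aws-us-gov|aws-cn):secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[A-Za-z0-9\-\_\+\=\/\.\@]{1,519})?$"

# Constructed sample values (not taken from the issue).
PREFIX = "arn:aws:secretsmanager:us-west-2:123456789012:secret:"
SAMPLES = {
    "flat_name": PREFIX + "res-service-account-AbCdEf",
    "path_style_name": PREFIX + "application/res-service-account-AbCdEf",
    "long_name": PREFIX + "a" * 200,            # over the old 128-character limit
    "empty_value": "",                          # parameter left blank
    "wrong_service": "arn:aws:ssm:us-west-2:123456789012:parameter/res",
    "name_with_space": PREFIX + "application/res account",
}


def accepts(pattern, value):
    """True if the whole value matches the pattern (no trailing-newline slack)."""
    return re.fullmatch(pattern, value) is not None


def compare(samples=SAMPLES):
    """Map each label to (accepted_by_old, accepted_by_new)."""
    return {label: (accepts(OLD_PATTERN, v), accepts(NEW_PATTERN, v))
            for label, v in samples.items()}


def newly_accepted(samples=SAMPLES):
    """Labels the old pattern rejected and the new pattern accepts."""
    return sorted(k for k, (old, new) in compare(samples).items() if new and not old)


def newly_rejected(samples=SAMPLES):
    """Labels the old pattern accepted and the new pattern rejects (regressions)."""
    return sorted(k for k, (old, new) in compare(samples).items() if old and not new)


if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:18} old={old!s:5} new={new!s:5}")
    print("newly accepted:", newly_accepted())
    print("newly rejected:", newly_rejected())
```

Running a table like this over the secret names actually in use before changing an `AllowedPattern` shows both what a fix unblocks and whether it rejects anything that used to pass.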