cloudposse / terraform-aws-ecs-container-definition

Terraform module to generate well-formed JSON documents (container definitions) that are passed to the aws_ecs_task_definition Terraform resource
https://cloudposse.com/accelerate
Apache License 2.0

Add validation to `secrets` and `map_secrets`'s `valueFrom` to ensure it's an arn #144

Open nitrocode opened 3 years ago

nitrocode commented 3 years ago


Describe the Feature

Add validation to secrets and map_secrets's valueFrom to ensure it's an arn

Expected Behavior

Fail if any valueFrom does not use a valid arn format

Use Case

At the moment, this will error after an apply. An input validation would catch it earlier.

Describe Ideal Solution

Input var validation using a regex.

For example, this is a valid arn

arn:aws:ssm:us-east-2:snip:parameter/global/snip

Perhaps the regex from here https://github.com/hashicorp/terraform-provider-aws/issues/8307

^arn:[\w-]+:([a-zA-Z0-9\-])+:([a-z]{2}-((?:gov|iso|isob)-)?[a-z]+-\d{1})?:(\d{12})?:(.*)$

or even simpler

^arn:.*

Alternatives Considered

Additional Context

bartelemi commented 2 years ago

Not sure this is a good idea, as the original AWS container definitions accept a string that maps to an SSM Parameter Store parameter name. So you can supply a string that's not an ARN, but is still valid.

Refs: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-parameters.html#secrets-envvar-parameters

If the Systems Manager Parameter Store parameter exists in the same Region as the task you are launching, then you can use either the full ARN or name of the parameter.
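As an added example (not code from the cloudposse module or from either commenter), here is what a Terraform input-variable validation along the lines of this issue could look like. It applies the ARN regex from the linked terraform-provider-aws issue, tightened to the two services ECS actually resolves secrets from (ssm and secretsmanager), and additionally accepts the bare SSM parameter names that the AWS documentation quoted above says are valid when the parameter is in the task's region. The variable shape (a list of objects with `name` and `valueFrom`) is an assumption for illustration.

```hcl
# Added example, not part of the cloudposse module. Assumes the `secrets`
# input is a list of { name, valueFrom } objects, as in an ECS container
# definition's "secrets" array.
variable "secrets" {
  description = "Secrets injected into the container. valueFrom is an SSM Parameter Store or Secrets Manager ARN, or a bare SSM parameter name."
  type = list(object({
    name      = string
    valueFrom = string
  }))
  default = []

  validation {
    # Accept either:
    #  1. a full ARN for the ssm or secretsmanager service (region and account
    #     optional, following the regex from hashicorp/terraform-provider-aws#8307), or
    #  2. a bare SSM parameter name such as "/global/db_password", which AWS
    #     resolves only when the parameter lives in the task's region.
    # Backslashes are doubled because HCL processes string escapes before the
    # pattern reaches the RE2 engine behind regex().
    condition = alltrue([
      for s in var.secrets : (
        can(regex("^arn:[\\w-]+:(ssm|secretsmanager):([a-z]{2}-((gov|iso|isob)-)?[a-z]+-\\d{1})?:(\\d{12})?:.+$", s.valueFrom))
        || can(regex("^[A-Za-z0-9_.\\-/]+$", s.valueFrom))
      )
    ])
    error_message = "Every secrets[*].valueFrom must be an SSM or Secrets Manager ARN (arn:aws:ssm:... or arn:aws:secretsmanager:...) or a bare SSM parameter name."
  }
}
```

The same condition can be applied to a `map_secrets` input by iterating over `values(var.map_secrets)` instead of `var.secrets[*].valueFrom`. The check runs at `terraform plan` time, so a malformed reference is caught before the task definition is registered, while the second alternative keeps the plain-name form that bartelemi notes AWS accepts.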