Add validation to `secrets` and `map_secrets`'s `valueFrom` to ensure it's an arn

[nitrocode]

Have a question? Please checkout our Slack Community or visit our Slack Archive.

Describe the Feature

Add validation to secrets and map_secrets's valueFrom to ensure it's an arn

Expected Behavior

Fail if any valueFrom does not use a valid arn format

Use Case

At the moment, this will error after an apply. An input validation would catch it earlier.

Describe Ideal Solution

Input var validation using a regex.

For example, this is a valid arn

arn:aws:ssm:us-east-2:snip:parameter/global/snip

Perhaps the regex from here hashicorp/terraform-provider-aws#8307

^arn:[\w-]+:([a-zA-Z0-9\-])+:([a-z]{2}-((?:gov|iso|isob)-)?[a-z]+-\d{1})?:(\d{12})?:(.*)$

or even simpler

^arn:.*

Alternatives Considered

• Apply, fail, update.
• Be more vigilant when passing in inputs vars

Additional Context

[bartelemi]

Not sure this is a good idea, as the original AWS's container def's accept a string that maps to a SSM Parameter Store param name. So you can supply a string, that's not an ARN, but is still valid.

Refs:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-parameters.html#secrets-envvar-parameters

If the Systems Manager Parameter Store parameter exists in the same Region as the task you are launching, then you can use either the full ARN or name of the parameter.