Merge pull request hashicorp#12642 from DrFaust92/provider-validate

add arn validation for policy, policy_arns and role_arn in provider assume_role config block
PaytmLabs · Feb 25, 2021 · 8bd3e35 · 8bd3e35
2 parents 3804858 + 58e3b00
commit 8bd3e35
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 7 deletions.
diff --git a/.changelog/12642.txt b/.changelog/12642.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: Add validation for `role_arn`, `policy_arns`, and `policy`
+```
diff --git a/aws/provider.go b/aws/provider.go
@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
 	"github.com/terraform-providers/terraform-provider-aws/aws/internal/mutexkv"
 )
@@ -1456,20 +1457,25 @@ func assumeRoleSchema() *schema.Schema {
 					Description: "Unique identifier that might be required for assuming a role in another account.",
 				},
 				"policy": {
-					Type:        schema.TypeString,
-					Optional:    true,
-					Description: "IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.",
+					Type:         schema.TypeString,
+					Optional:     true,
+					Description:  "IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.",
+					ValidateFunc: validation.StringIsJSON,
 				},
 				"policy_arns": {
 					Type:        schema.TypeSet,
 					Optional:    true,
 					Description: "Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.",
-					Elem:        &schema.Schema{Type: schema.TypeString},
+					Elem: &schema.Schema{
+						Type:         schema.TypeString,
+						ValidateFunc: validateArn,
+					},
 				},
 				"role_arn": {
-					Type:        schema.TypeString,
-					Optional:    true,
-					Description: "Amazon Resource Name of an IAM Role to assume prior to making API calls.",
+					Type:         schema.TypeString,
+					Optional:     true,
+					Description:  "Amazon Resource Name of an IAM Role to assume prior to making API calls.",
+					ValidateFunc: validateArn,
 				},
 				"session_name": {
 					Type:        schema.TypeString,