hashicorp · ewbankkit · Jan 3, 2022 · Mar 14, 2021 · Mar 14, 2021 · Jan 3, 2022
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: Add validation for `session-name`
+```
diff --git a/aws/provider.go b/aws/provider.go
@@ -1480,9 +1480,10 @@ func assumeRoleSchema() *schema.Schema {
 					ValidateFunc: validateArn,
 				},
 				"session_name": {
-					Type:        schema.TypeString,
-					Optional:    true,
-					Description: "Identifier for the assumed role session.",
+					Type:         schema.TypeString,
+					Optional:     true,
+					Description:  "Identifier for the assumed role session.",
+					ValidateFunc: validateSessionName,
 				},
 				"tags": {
 					Type:        schema.TypeMap,

diff --git a/aws/validators.go b/aws/validators.go
@@ -26,17 +26,20 @@ const (
 	awsAccountIDRegexpInternalPattern = `(aws|\d{12})`
 	awsPartitionRegexpInternalPattern = `aws(-[a-z]+)*`
 	awsRegionRegexpInternalPattern    = `[a-z]{2}(-[a-z]+)+-\d`
+	awsSessionNameRegexpInternalPattern = `[\w+=,.@-]*`
 )
 
 const (
-	awsAccountIDRegexpPattern = "^" + awsAccountIDRegexpInternalPattern + "$"
-	awsPartitionRegexpPattern = "^" + awsPartitionRegexpInternalPattern + "$"
-	awsRegionRegexpPattern    = "^" + awsRegionRegexpInternalPattern + "$"
+	awsAccountIDRegexpPattern   = "^" + awsAccountIDRegexpInternalPattern + "$"
+	awsPartitionRegexpPattern   = "^" + awsPartitionRegexpInternalPattern + "$"
+	awsRegionRegexpPattern      = "^" + awsRegionRegexpInternalPattern + "$"
+	awsSessionNameRegexpPattern = "^" + awsSessionNameRegexpInternalPattern + "$"
 )
 
 var awsAccountIDRegexp = regexp.MustCompile(awsAccountIDRegexpPattern)
 var awsPartitionRegexp = regexp.MustCompile(awsPartitionRegexpPattern)
 var awsRegionRegexp = regexp.MustCompile(awsRegionRegexpPattern)
+var awsSessionNameRegexp = regexp.MustCompile(awsSessionNameRegexpPattern)
 
 // validateTypeStringNullableBoolean provides custom error messaging for TypeString booleans
 // Some arguments require three values: true, false, and "" (unspecified).
@@ -679,6 +682,24 @@ func validatePrincipal(v interface{}, k string) (ws []string, errors []error) {
 	return ws, errors
 }
 
+func validateSessionName(v interface{}, k string) (ws []string, errors []error) {
+	value := v.(string)
+
+	if value == "" {
+		return ws, errors
+	}
+
+	if len(value) > 64 {
+		errors = append(errors, fmt.Errorf("%q (%s) is an invalid session name (maximum length is 64)", k, value))
+	}
+
+	if !awsSessionNameRegexp.MatchString(value) {
+		errors = append(errors, fmt.Errorf("%q (%s) is an invalid session name (expecting to match regular expression: %s)", k, value, awsSessionNameRegexpPattern))
+	}
+
+	return ws, errors
+}
+
 func validateArn(v interface{}, k string) (ws []string, errors []error) {
 	value := v.(string)
 

diff --git a/aws/validators_test.go b/aws/validators_test.go
@@ -359,6 +359,45 @@ func TestValidateArn(t *testing.T) {
 	}
 }
 
+func TestValidateSessionName(t *testing.T) {
+	v := ""
+	_, errors := validateArn(v, "arn")
+	if len(errors) != 0 {
+		t.Fatalf("%q should not be validated as a session name: %q", v, errors)
+	}
+
+	validSessionNames := []string{
+		"",
+		"test-session1",
+		"test-session2",
+		"test-session+3",
+		"test-session@4",
+		"test-session,5",
+		"test-session.6",
+		"test-session=7",
+		"test-session+8",
+		"test-session+=@,.9",
+	}
+	for _, v := range validSessionNames {
+		_, errors := validateSessionName(v, "session_name")
+		if len(errors) != 0 {
+			t.Fatalf("%q should be a valid session name: %q", v, errors)
+		}
+	}
+
+	invalidSessionNames := []string{
+		"test session with spaces",
+		"test_session_with_invalid_symbol_*",
+		"session-session-with-a-very-very-very-very-very-long-name-longer-than-64",
+	}
+	for _, v := range invalidSessionNames {
+		_, errors := validateArn(v, "session_name")
+		if len(errors) == 0 {
+			t.Fatalf("%q should be an invalid session name", v)
+		}
+	}
+}
+
 func TestValidatePrincipal(t *testing.T) {
 	v := ""
 	_, errors := validatePrincipal(v, "arn")