fix: update ARN validation to support wildcards and gov cloud partitions

[lgallard]

This PR fixes the overly restrictive ARN validation reported in issue #261.

Changes

• Allow wildcards (*) in any ARN component (region, account, resource)
• Support AWS partitions: aws, aws-us-gov, aws-cn
• Maintain backward compatibility with existing ARN formats

Validation

The following ARNs from the issue now work correctly:

• arn:aws:ec2:*:*:instance/*
• arn:aws-us-gov:s3:::*

Fixes #261

Generated with Claude Code

[lgallard]

Codebot

[claude]

Claude finished @lgallard's task —— View job

---

Code Review Analysis

Analyzing the ARN validation fix for issue #261...

Todo List

• Read and analyze variables.tf changes
• Review ARN validation regex patterns
• Check security implications of wildcard support
• Verify AWS partition support completeness
• Provide comprehensive review feedback

---

Code Review Summary

This PR successfully addresses the overly restrictive ARN validation reported in issue #261. The changes are well-implemented and secure. ✅

Review Details

✅ Strengths

1. Comprehensive Wildcard Support: All ARN components (region, account, resource) now properly support wildcards (*) while maintaining validation integrity.

2. Multi-Partition Support: Correctly adds support for AWS partitions:

   • aws (standard AWS)
   • aws-us-gov (AWS GovCloud)
   • aws-cn (AWS China)

   Using (-[a-z-]+)? pattern properly makes the partition suffix optional, maintaining backward compatibility.

3. Consistent Pattern Application: All 8 service types (DynamoDB, EC2, RDS, EFS, FSx, S3, Storage Gateway) receive identical wildcard and partition support.

4. Improved Error Message: Updated to include wildcard examples and GovCloud usage.

🔒 Security Assessment

Low Risk - The wildcard support is appropriate for backup resource selection:

• Wildcards are intentional for backup scenarios (e.g., backing up all instances: arn:aws:ec2:*:*:instance/*)
• Validation still ensures ARN format correctness
• No elevation of privileges or access controls
• Maintains service-specific resource type validation

🔍 Technical Analysis

Regex Pattern Changes (variables.tf:572-578):

- can(regex("^arn:aws:dynamodb:[a-z0-9-]+:[0-9]+:table/[a-zA-Z0-9._-]+$", resource)) ||
+ can(regex("^arn:aws(-[a-z-]+)?:dynamodb:([a-z0-9-]+|\\*):([0-9]+|\\*):table/([a-zA-Z0-9._-]+|\\*)$", resource)) ||

Pattern Breakdown:

• aws(-[a-z-]+)? - Supports aws, aws-us-gov, aws-cn partitions
• ([a-z0-9-]+|\\*) - Region: specific region OR wildcard
• ([0-9]+|\\*) - Account: specific account OR wildcard
• ([a-zA-Z0-9._-]+|\\*) - Resource: specific resource OR wildcard

✅ Test Validation

The PR correctly enables these ARNs from issue #261:

• arn:aws:ec2:*:*:instance/* ✅
• arn:aws-us-gov:s3:::* ✅

📋 Minor Observations

1. All Good: No security concerns, performance issues, or bugs detected
2. Consistent Implementation: All service patterns updated uniformly
3. Backward Compatible: Existing ARNs continue to work
4. Well-Documented: Clear commit message and error message updates

🎯 Recommendation

APPROVED - This is a clean, well-implemented fix that solves the reported issue without introducing risks.

The changes are production-ready and follow Terraform best practices for input validation.

---