rk123

Reputation: 83

What is the Regex for cloudformation IAM policy name

I am trying to define a parameter for the IAM role name. Here's my parameter

         Type: String
         AllowedPattern: "arn:aws:iam::*$"
         ConstraintDescription: Must be an IAM policy ARN.

The IAM policy name is of the format - arn:aws:iam::AccountNumber:policy/staging_test

Here's the error I am getting: Parameter EnvDynamoDbPolicy failed to satisfy constraint:

Upvotes: 1

Views: 9946

Answers (4)

EnzoR

Reputation: 3346

According to documentation, the RE2 (so also terraform and any other RE2-based software) regex is:

^arn:aws:iam::(\d{12})?:policy/[\w+=,.@-]{1,128}$

where the 12-digit account ID is actually optional while within the same account and the :aws: segment could hold a "partition" name other than AWS'. The string must match from beginning to end, of course.

Upvotes: 1

Jay Shark

Reputation: 655

Cloudformation actually gives you the pattern in the events output, if an input fails for any reason. For example, if the policy value input to the template isn't correct, you'll get an error like -

validation error detected: Value '[the invalid value]' at 'role' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:policy/?[a-zA-Z_0-9+=,.@\-_/]+

So, the regex you need in your case is arn:(aws[a-zA-Z-]*)?:iam::\d{12}:policy/?[a-zA-Z_0-9+=,.@\-_/]+

Upvotes: 0

404

Reputation: 8562

* in regex is not a "wildcard operator", it has a specific meaning (namely, zero or more of the preceding character/group).

The "description" of the rules that a custom IAM policy ARN must satisfy is:

  1. Start with "arn:aws:iam::"
  2. Followed by Account ID, which is 12 digits
  3. Followed by ":policy/"
  4. Followed by... at least one character?

So the regex pattern would be:

^arn:aws:iam::\d{12}:policy/.+

Which is exactly what the steps above describe. (You may need to escape the forward slashes with a backslash, depending on the regex engine used.)

Upvotes: 1
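To compare the patterns proposed in the answers above (EnzoR's, Jay Shark's and 404's) with the question's original one, here is an added example that is not part of any answer. It assumes Python's re.fullmatch with re.ASCII is a fair stand-in for the whole-string Java Pattern.matches() semantics CloudFormation applies to AllowedPattern; the sample ARNs and the account number 123456789012 are constructed placeholders.

```python
import re

# AllowedPattern values discussed in the thread, plus the question's original.
PATTERNS = {
    "original":  r"arn:aws:iam::*$",
    "enzor":     r"^arn:aws:iam::(\d{12})?:policy/[\w+=,.@-]{1,128}$",
    "jay_shark": r"arn:(aws[a-zA-Z-]*)?:iam::\d{12}:policy/?[a-zA-Z_0-9+=,.@\-_/]+",
    "simple":    r"^arn:aws:iam::\d{12}:policy/.+",
}

# Constructed sample inputs -> whether a strict policy-ARN check should accept
# them. The account number 123456789012 is a placeholder, not a real account.
SAMPLES = {
    "arn:aws:iam::123456789012:policy/staging_test": True,
    "arn:aws:iam::123456789012:policy/team/staging_test": True,  # path in name
    "arn:aws-cn:iam::123456789012:policy/staging_test": True,    # other partition
    "arn:aws:iam::123456789012:role/staging_test": False,        # a role, not a policy
    "arn:aws:iam::123456789012:policy/": False,                  # empty policy name
    "arn:aws:iam::123456789012:policy/staging test": False,      # space not allowed
}


def matches(pattern, value):
    """Whole-string match, as CloudFormation's Java Pattern.matches() requires.

    re.ASCII keeps \\w and \\d ASCII-only, matching Java's default behaviour.
    """
    return re.fullmatch(pattern, value, re.ASCII) is not None


def mismatches(pattern):
    """Samples where the pattern's verdict differs from the expected one."""
    return [s for s, expected in SAMPLES.items()
            if matches(pattern, s) != expected]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:>10}: {pattern}")
        for s, expected in SAMPLES.items():
            verdict = "accept" if matches(pattern, s) else "reject"
            flag = "" if matches(pattern, s) == expected else "   <-- unexpected"
            print(f"            {verdict}  {s}{flag}")
```

Running it shows the original pattern accepts none of the valid ARNs (the `*` only repeats the preceding colon), while each of the proposed patterns accepts or rejects a different subset of the edge cases.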

praiseHellRaiseDale

Reputation: 2270

Was there anything after Parameter EnvDynamoDbPolicy failed to satisfy constraint:?

If you look at the java.util.regex.Pattern, which is what cloudformation uses for regex matching, I don't see them using the dollar sign.

Here's a link to the docs that point to the Java patterns, and here's a link to the patterns themselves.

I'm not a regex wizard, but it looks like if you just removed the dollar sign it would work. So...

I haven't tested this, it's just a guess.

Type: String
AllowedPattern: "arn:aws:iam::*"
ConstraintDescription: Must be an IAM policy ARN.

It could also be the case for other people that have this problem that the name of their parameter doesn't meet the constraints. Here's a link to the constraint description.

Upvotes: 0
