Implementing custom validators for AWS ARNs and URLs
Implementing custom validators for AWS ARNs and URLs prevents startup failures caused by lenient configuration parsing. Malformed resource identifiers and insecure endpoints pass through plain type hints untouched and only surface as crashes later, during SDK initialization. Strict schema enforcement guarantees configuration integrity before secrets reach production workloads.
Pydantic Settings defaults to lenient string coercion, treating environment variables as raw text. Without explicit constraints, typographical errors in account IDs or missing https:// prefixes pass validation silently. This gap delays failure detection until a downstream HTTP client or SDK call actually uses the value.
To enforce compliance, integrate Custom Validators & Field Constraints directly into your configuration model. This intercepts raw values during initialization, preventing malformed data from propagating to business logic.
```python
from pydantic import BaseModel, field_validator, ConfigDict, ValidationError
from pydantic.networks import HttpUrl
import re
import os

# Strict ARN pattern: enforces partition, service, region, 12-digit account, and resource path.
# The resource segment also admits upper case and underscores, which AWS allows in SNS topic names.
ARN_PATTERN = re.compile(
    r'^arn:aws[a-z0-9-]*:[a-z0-9-]+:[a-z0-9-]*:\d{12}:[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$'
)


class SecureAppSettings(BaseModel):
    model_config = ConfigDict(strict=True)

    aws_sns_topic_arn: str
    auth_service_url: HttpUrl

    @field_validator('aws_sns_topic_arn', mode='before')
    @classmethod
    def validate_arn(cls, v: object) -> str:
        # A 'before' validator sees the raw input, so check the type before regex matching
        if not isinstance(v, str) or not ARN_PATTERN.match(v):
            shown = v[:10] if isinstance(v, str) else type(v).__name__
            raise ValueError(f'Invalid AWS ARN format: {shown}***')
        return v

    @field_validator('auth_service_url', mode='after')
    @classmethod
    def enforce_https(cls, v: HttpUrl) -> HttpUrl:
        # HttpUrl accepts http and https; this validator narrows it to https only
        if v.scheme != 'https':
            raise ValueError('Production endpoints must use HTTPS')
        return v


try:
    # strict=True accepts only a real dict, so copy os.environ; keys must match the field
    # names exactly, since BaseModel (unlike pydantic-settings) does no case-insensitive lookup
    settings = SecureAppSettings.model_validate(dict(os.environ))
except ValidationError as e:
    # str(e) would echo the raw input_value and defeat the masking above; report field and message only
    problems = '; '.join(
        f"{'.'.join(map(str, err['loc']))}: {err['msg']}" for err in e.errors(include_input=False)
    )
    raise SystemExit(f'Configuration validation failed: {problems}')
```
Use mode='before' for raw string parsing and regex matching against untrusted environment inputs. Leverage Pydantic's native HttpUrl type for automatic host normalization and scheme validation. Always mask partial values in error messages to prevent credential exposure in stack traces, and remember that a ValidationError's default string form still carries the full input_value, so log e.errors(include_input=False) rather than str(e). Enable strict=True globally to eliminate implicit type coercion and enforce exact schema boundaries.
The regex pattern explicitly validates AWS partitions and enforces mandatory 12-digit account IDs. The HttpUrl type guarantees a syntactically valid http or https URL, and the after-validator restricts production endpoints to HTTPS. Host and path normalization occur automatically, rejecting malformed strings. Character whitelisting in the ARN pattern mitigates injection vectors.
Align development and production environments by adopting Type-Safe Validation with Pydantic Settings across all deployment stages. Implement environment-aware rules that permit localhost during local testing while enforcing strict HTTPS in CI/CD pipelines. Integrate dry-run schema validation into deployment workflows to catch configuration drift before secrets are injected.
Pre-commit hooks should lint .env templates against the compiled schema to block malformed values at commit time. Enable structured logging with fully redacted configuration dumps to maintain audit trails without exposing sensitive payloads. Infrastructure-as-code validation layers further reduce drift by verifying variables before orchestration runs.
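The environment-aware HTTPS rule and the pre-commit dry run described in the two paragraphs above, as one added example (not code from the original post); it assumes Pydantic v2, a hypothetical app_env field, and constructed .env templates with example.com hosts:

```python
from typing import Literal
from pydantic import (BaseModel, ConfigDict, HttpUrl, ValidationError,
                      ValidationInfo, field_validator)

LOCAL_HOSTS = {'localhost', '127.0.0.1'}


class EnvAwareSettings(BaseModel):
    model_config = ConfigDict(strict=True)
    # Declared before auth_service_url so that field's validator can read it via info.data
    app_env: Literal['development', 'ci', 'production']
    auth_service_url: HttpUrl

    @field_validator('auth_service_url', mode='after')
    @classmethod
    def enforce_scheme(cls, v: HttpUrl, info: ValidationInfo) -> HttpUrl:
        env = info.data.get('app_env')  # absent if app_env itself failed validation
        if v.scheme == 'https':
            return v
        if env == 'development' and v.host in LOCAL_HOSTS:
            return v  # plain http tolerated only for loopback hosts in development
        raise ValueError(f'{env or "unknown"} environment requires HTTPS, got {v.scheme}://{v.host}')


def parse_env_text(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser for .env templates: skips blanks and comments, strips quotes."""
    values: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, raw = line.partition('=')
        values[key.strip().lower()] = raw.strip().strip('"').strip("'")
    return values


def dry_run(text: str) -> list[str]:
    """Validate a template without loading it; returns redacted error lines (empty means OK)."""
    try:
        EnvAwareSettings.model_validate(parse_env_text(text))
        return []
    except ValidationError as e:
        # Field path and message only: include_input=False keeps the raw value out of hook output
        return [f"{'.'.join(map(str, err['loc']))}: {err['msg']}"
                for err in e.errors(include_input=False)]

# Constructed sample templates (hypothetical hosts, not real endpoints)
DEV_TEMPLATE = 'APP_ENV=development\nAUTH_SERVICE_URL=http://localhost:8080\n'
CI_TEMPLATE = 'APP_ENV=ci\nAUTH_SERVICE_URL=http://localhost:8080\n'
PROD_TEMPLATE = '# prod\nAPP_ENV=production\nAUTH_SERVICE_URL="https://auth.example.com/v1"\n'
```

Wiring dry_run over each template in a pre-commit hook rejects the CI template (plain http outside development) while accepting the development and production ones.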
Strict validation at initialization eliminates silent misconfigurations and prevents runtime SDK failures. By combining regex enforcement, native network types, and secure error masking, teams guarantee environment parity and secure secret injection.