openshift · JoelSpeed · Jun 19, 2026 · Jun 19, 2026 · tthvo · Jun 20, 2026
diff --git a/...g/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-CustomNoUpgrade.crd.yaml b/...g/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses-CustomNoUpgrade.crd.yaml
@@ -79,6 +79,9 @@ spec:
                           <role-name> is the IAM role name.
                         type: string
                         x-kubernetes-validations:
+                        - message: 'privateZoneIAMRole must be a valid AWS IAM role
+                            ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')
                         - message: 'privateZoneIAMRole must be a valid AWS IAM role
                             ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
                           rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')
 // +openshift:validation:FeatureGateAwareXValidation:featureGate="",rule=`matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')`,message=`privateZoneIAMRole must be a valid AWS IAM role ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>` 
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=AWSEuropeanSovereignCloudInstall,rule=`matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')`,message=`privateZoneIAMRole must be a valid AWS IAM role ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>` 
 // +optional 
 PrivateZoneIAMRole string `json:"privateZoneIAMRole"` 
 // +openshift:validation:FeatureGateAwareXValidation:featureGate="",rule=`matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')`,message=`privateZoneIAMRole must be a valid AWS IAM role ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>` 
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=AWSEuropeanSovereignCloudInstall,rule=`matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')`,message=`privateZoneIAMRole must be a valid AWS IAM role ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>` 
 // +optional 
 PrivateZoneIAMRole string `json:"privateZoneIAMRole"` 

diff --git a/.../zz_generated.crd-manifests/0000_10_config-operator_01_dnses-DevPreviewNoUpgrade.crd.yaml b/.../zz_generated.crd-manifests/0000_10_config-operator_01_dnses-DevPreviewNoUpgrade.crd.yaml
@@ -79,6 +79,9 @@ spec:
                           <role-name> is the IAM role name.
                         type: string
                         x-kubernetes-validations:
+                        - message: 'privateZoneIAMRole must be a valid AWS IAM role
+                            ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')
                         - message: 'privateZoneIAMRole must be a valid AWS IAM role
                             ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
                           rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')

diff --git a/...zz_generated.crd-manifests/0000_10_config-operator_01_dnses-TechPreviewNoUpgrade.crd.yaml b/...zz_generated.crd-manifests/0000_10_config-operator_01_dnses-TechPreviewNoUpgrade.crd.yaml
@@ -79,6 +79,9 @@ spec:
                           <role-name> is the IAM role name.
                         type: string
                         x-kubernetes-validations:
+                        - message: 'privateZoneIAMRole must be a valid AWS IAM role
+                            ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')
                         - message: 'privateZoneIAMRole must be a valid AWS IAM role
                             ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
                           rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')

diff --git a/...nerated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml b/...nerated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml
@@ -1084,6 +1084,9 @@ spec:
                         type: array
                         x-kubernetes-list-type: atomic
                         x-kubernetes-validations:
+                        - message: vcenters cannot be added or removed once set
+                          rule: 'size(self) != size(oldSelf) ? size(oldSelf) == 0
+                            && size(self) < 2 : true'
                         - message: Cannot add and remove vCenters at the same time
                           rule: 'size(self) >= size(oldSelf) ? oldSelf.all(x, self.exists(y,
                             y.server == x.server)) : true'
@@ -1100,6 +1103,9 @@ spec:
                       rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)'
                 type: object
                 x-kubernetes-validations:
+                - message: vcenters can have at most 1 item when configured post-install
+                  rule: '!has(oldSelf.vsphere) && has(self.vsphere) ? (has(self.vsphere.vcenters)
+                    && size(self.vsphere.vcenters) < 2) : true'
                 - message: vcenters is required once set and cannot be removed
                   rule: 'oldSelf.?vsphere.vcenters.hasValue() ? self.?vsphere.vcenters.hasValue()
                     : true'

diff --git a/...v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml b/...v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml
@@ -1018,6 +1018,9 @@ spec:
                         type: array
                         x-kubernetes-list-type: atomic
                         x-kubernetes-validations:
+                        - message: vcenters cannot be added or removed once set
+                          rule: 'size(self) != size(oldSelf) ? size(oldSelf) == 0
+                            && size(self) < 2 : true'
                         - message: vcenters must have unique server values
                           rule: self.all(x, self.exists_one(y, y.server == x.server))
                     type: object

diff --git a/...ted.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml b/...ted.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml
@@ -1084,6 +1084,9 @@ spec:
                         type: array
                         x-kubernetes-list-type: atomic
                         x-kubernetes-validations:
+                        - message: vcenters cannot be added or removed once set
+                          rule: 'size(self) != size(oldSelf) ? size(oldSelf) == 0
+                            && size(self) < 2 : true'
                         - message: Cannot add and remove vCenters at the same time
                           rule: 'size(self) >= size(oldSelf) ? oldSelf.all(x, self.exists(y,
                             y.server == x.server)) : true'
@@ -1100,6 +1103,9 @@ spec:
                       rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)'
                 type: object
                 x-kubernetes-validations:
+                - message: vcenters can have at most 1 item when configured post-install
+                  rule: '!has(oldSelf.vsphere) && has(self.vsphere) ? (has(self.vsphere.vcenters)
+                    && size(self.vsphere.vcenters) < 2) : true'
                 - message: vcenters is required once set and cannot be removed
                   rule: 'oldSelf.?vsphere.vcenters.hasValue() ? self.?vsphere.vcenters.hasValue()
                     : true'

diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml
@@ -1018,6 +1018,9 @@ spec:
                         type: array
                         x-kubernetes-list-type: atomic
                         x-kubernetes-validations:
+                        - message: vcenters cannot be added or removed once set
+                          rule: 'size(self) != size(oldSelf) ? size(oldSelf) == 0
+                            && size(self) < 2 : true'
                         - message: vcenters must have unique server values
                           rule: self.all(x, self.exists_one(y, y.server == x.server))
                     type: object

diff --git a/...ed.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml b/...ed.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml
@@ -1084,6 +1084,9 @@ spec:
                         type: array
                         x-kubernetes-list-type: atomic
                         x-kubernetes-validations:
+                        - message: vcenters cannot be added or removed once set
+                          rule: 'size(self) != size(oldSelf) ? size(oldSelf) == 0
+                            && size(self) < 2 : true'
                         - message: Cannot add and remove vCenters at the same time
                           rule: 'size(self) >= size(oldSelf) ? oldSelf.all(x, self.exists(y,
                             y.server == x.server)) : true'
@@ -1100,6 +1103,9 @@ spec:
                       rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)'
                 type: object
                 x-kubernetes-validations:
+                - message: vcenters can have at most 1 item when configured post-install
+                  rule: '!has(oldSelf.vsphere) && has(self.vsphere) ? (has(self.vsphere.vcenters)
+                    && size(self.vsphere.vcenters) < 2) : true'
                 - message: vcenters is required once set and cannot be removed
                   rule: 'oldSelf.?vsphere.vcenters.hasValue() ? self.?vsphere.vcenters.hasValue()
                     : true'

diff --git a/...erated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml b/...erated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml
@@ -135,6 +135,9 @@ spec:
                                   <role-name> is the IAM role name.
                                 type: string
                                 x-kubernetes-validations:
+                                - message: 'privateZoneIAMRole must be a valid AWS
+                                    IAM role ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
+                                  rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')
                                 - message: 'privateZoneIAMRole must be a valid AWS
                                     IAM role ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
                                   rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')
@@ -1373,6 +1376,10 @@ spec:
                                 type: array
                                 x-kubernetes-list-type: atomic
                                 x-kubernetes-validations:
+                                - message: vcenters cannot be added or removed once
+                                    set
+                                  rule: 'size(self) != size(oldSelf) ? size(oldSelf)
+                                    == 0 && size(self) < 2 : true'
                                 - message: Cannot add and remove vCenters at the same
                                     time
                                   rule: 'size(self) >= size(oldSelf) ? oldSelf.all(x,
@@ -1393,6 +1400,10 @@ spec:
                               rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)'
                         type: object
                         x-kubernetes-validations:
+                        - message: vcenters can have at most 1 item when configured
+                            post-install
+                          rule: '!has(oldSelf.vsphere) && has(self.vsphere) ? (has(self.vsphere.vcenters)
+                            && size(self.vsphere.vcenters) < 2) : true'
                         - message: vcenters is required once set and cannot be removed
                           rule: 'oldSelf.?vsphere.vcenters.hasValue() ? self.?vsphere.vcenters.hasValue()
                             : true'

diff --git a/...1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml b/...1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml
@@ -1305,6 +1305,10 @@ spec:
                                 type: array
                                 x-kubernetes-list-type: atomic
                                 x-kubernetes-validations:
+                                - message: vcenters cannot be added or removed once
+                                    set
+                                  rule: 'size(self) != size(oldSelf) ? size(oldSelf)
+                                    == 0 && size(self) < 2 : true'
                                 - message: vcenters must have unique server values
                                   rule: self.all(x, self.exists_one(y, y.server ==
                                     x.server))

diff --git a/...ed.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml b/...ed.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml
@@ -135,6 +135,9 @@ spec:
                                   <role-name> is the IAM role name.
                                 type: string
                                 x-kubernetes-validations:
+                                - message: 'privateZoneIAMRole must be a valid AWS
+                                    IAM role ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
+                                  rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')
                                 - message: 'privateZoneIAMRole must be a valid AWS
                                     IAM role ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
                                   rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')
@@ -1373,6 +1376,10 @@ spec:
                                 type: array
                                 x-kubernetes-list-type: atomic
                                 x-kubernetes-validations:
+                                - message: vcenters cannot be added or removed once
+                                    set
+                                  rule: 'size(self) != size(oldSelf) ? size(oldSelf)
+                                    == 0 && size(self) < 2 : true'
                                 - message: Cannot add and remove vCenters at the same
                                     time
                                   rule: 'size(self) >= size(oldSelf) ? oldSelf.all(x,
@@ -1393,6 +1400,10 @@ spec:
                               rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)'
                         type: object
                         x-kubernetes-validations:
+                        - message: vcenters can have at most 1 item when configured
+                            post-install
+                          rule: '!has(oldSelf.vsphere) && has(self.vsphere) ? (has(self.vsphere.vcenters)
+                            && size(self.vsphere.vcenters) < 2) : true'
                         - message: vcenters is required once set and cannot be removed
                           rule: 'oldSelf.?vsphere.vcenters.hasValue() ? self.?vsphere.vcenters.hasValue()
                             : true'

diff --git a/...on/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml b/...on/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml
@@ -1305,6 +1305,10 @@ spec:
                                 type: array
                                 x-kubernetes-list-type: atomic
                                 x-kubernetes-validations:
+                                - message: vcenters cannot be added or removed once
+                                    set
+                                  rule: 'size(self) != size(oldSelf) ? size(oldSelf)
+                                    == 0 && size(self) < 2 : true'
                                 - message: vcenters must have unique server values
                                   rule: self.all(x, self.exists_one(y, y.server ==
                                     x.server))

diff --git a/...d.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml b/...d.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml
@@ -135,6 +135,9 @@ spec:
                                   <role-name> is the IAM role name.
                                 type: string
                                 x-kubernetes-validations:
+                                - message: 'privateZoneIAMRole must be a valid AWS
+                                    IAM role ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
+                                  rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')
                                 - message: 'privateZoneIAMRole must be a valid AWS
                                     IAM role ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
                                   rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')
@@ -1373,6 +1376,10 @@ spec:
                                 type: array
                                 x-kubernetes-list-type: atomic
                                 x-kubernetes-validations:
+                                - message: vcenters cannot be added or removed once
+                                    set
+                                  rule: 'size(self) != size(oldSelf) ? size(oldSelf)
+                                    == 0 && size(self) < 2 : true'
                                 - message: Cannot add and remove vCenters at the same
                                     time
                                   rule: 'size(self) >= size(oldSelf) ? oldSelf.all(x,
@@ -1393,6 +1400,10 @@ spec:
                               rule: '!has(oldSelf.ingressIPs) || has(self.ingressIPs)'
                         type: object
                         x-kubernetes-validations:
+                        - message: vcenters can have at most 1 item when configured
+                            post-install
+                          rule: '!has(oldSelf.vsphere) && has(self.vsphere) ? (has(self.vsphere.vcenters)
+                            && size(self.vsphere.vcenters) < 2) : true'
                         - message: vcenters is required once set and cannot be removed
                           rule: 'oldSelf.?vsphere.vcenters.hasValue() ? self.?vsphere.vcenters.hasValue()
                             : true'

diff --git a/..._generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml b/..._generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml
@@ -133,6 +133,9 @@ spec:
                           <key-id-or-alias> is the KMS key ID or alias name.
                         type: string
                         x-kubernetes-validations:
+                        - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the
+                            format: arn:<partition>:kms:<region>:<account-id>:(key|alias)/<key-id-or-alias>'
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$')
                         - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the
                             format: arn:<partition>:kms:<region>:<account-id>:(key|alias)/<key-id-or-alias>'
                           rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$')

diff --git a/...erated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml b/...erated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml
@@ -133,6 +133,9 @@ spec:
                           <key-id-or-alias> is the KMS key ID or alias name.
                         type: string
                         x-kubernetes-validations:
+                        - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the
+                            format: arn:<partition>:kms:<region>:<account-id>:(key|alias)/<key-id-or-alias>'
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$')
                         - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the
                             format: arn:<partition>:kms:<region>:<account-id>:(key|alias)/<key-id-or-alias>'
                           rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$')

diff --git a/...rated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml b/...rated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml
@@ -133,6 +133,9 @@ spec:
                           <key-id-or-alias> is the KMS key ID or alias name.
                         type: string
                         x-kubernetes-validations:
+                        - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the
+                            format: arn:<partition>:kms:<region>:<account-id>:(key|alias)/<key-id-or-alias>'
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$')
                         - message: 'kmsKeyARN must be a valid AWS KMS key ARN in the
                             format: arn:<partition>:kms:<region>:<account-id>:(key|alias)/<key-id-or-alias>'
                           rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f|aws-eusc):kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.*$')

diff --git a/payload-manifests/crds/0000_10_config-operator_01_dnses-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_dnses-CustomNoUpgrade.crd.yaml
@@ -79,6 +79,9 @@ spec:
                           <role-name> is the IAM role name.
                         type: string
                         x-kubernetes-validations:
+                        - message: 'privateZoneIAMRole must be a valid AWS IAM role
+                            ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')
                         - message: 'privateZoneIAMRole must be a valid AWS IAM role
                             ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
                           rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')

diff --git a/payload-manifests/crds/0000_10_config-operator_01_dnses-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_dnses-DevPreviewNoUpgrade.crd.yaml
@@ -79,6 +79,9 @@ spec:
                           <role-name> is the IAM role name.
                         type: string
                         x-kubernetes-validations:
+                        - message: 'privateZoneIAMRole must be a valid AWS IAM role
+                            ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')
                         - message: 'privateZoneIAMRole must be a valid AWS IAM role
                             ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
                           rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')

diff --git a/payload-manifests/crds/0000_10_config-operator_01_dnses-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_dnses-TechPreviewNoUpgrade.crd.yaml
@@ -79,6 +79,9 @@ spec:
                           <role-name> is the IAM role name.
                         type: string
                         x-kubernetes-validations:
+                        - message: 'privateZoneIAMRole must be a valid AWS IAM role
+                            ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
+                          rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role/.*$')
                         - message: 'privateZoneIAMRole must be a valid AWS IAM role
                             ARN in the format: arn:<partition>:iam::<account-id>:role/<role-name>'
                           rule: matches(self, '^arn:(aws|aws-cn|aws-us-gov|aws-eusc):iam::[0-9]{12}:role/.*$')