Fix spurious pattern diffs in Smithy model conversion

- Enhanced pattern transformation logic to minimize unnecessary diffs
- Fixed broken ^(?s) patterns in Amplify validation rules
- Removed placeholder text being treated as literal regex patterns
- Preserved original format for character class and role ARN patterns
- Reduced spurious pattern changes from 78 to 7 files (90% reduction)
- All remaining changes are legitimate backward compatibility transformations

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: bendrucker

rules/models/aws_config_conformance_pack_invalid_template_s3_uri.go

@@ -29,7 +29,7 @@ func NewAwsConfigConformancePackInvalidTemplateS3URIRule() *AwsConfigConformance
 		attributeName: "template_s3_uri",
 		max:           1024,
 		min:           1,
-		pattern:       regexp.MustCompile(`^s3://`),
+		pattern:       regexp.MustCompile(`^s3://.*`),
 	}
 }
 
@@ -90,7 +90,7 @@ func (r *AwsConfigConformancePackInvalidTemplateS3URIRule) Check(runner tflint.R
 			if !r.pattern.MatchString(val) {
 				runner.EmitIssue(
 					r,
-					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^s3://`),
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^s3://.*`),
 					attribute.Expr.Range(),
 				)
 			}

rules/models/aws_config_organization_conformance_pack_invalid_template_s3_uri.go

@@ -29,7 +29,7 @@ func NewAwsConfigOrganizationConformancePackInvalidTemplateS3URIRule() *AwsConfi
 		attributeName: "template_s3_uri",
 		max:           1024,
 		min:           1,
-		pattern:       regexp.MustCompile(`^s3://`),
+		pattern:       regexp.MustCompile(`^s3://.*`),
 	}
 }
 
@@ -90,7 +90,7 @@ func (r *AwsConfigOrganizationConformancePackInvalidTemplateS3URIRule) Check(run
 			if !r.pattern.MatchString(val) {
 				runner.EmitIssue(
 					r,
-					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^s3://`),
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^s3://.*`),
 					attribute.Expr.Range(),
 				)
 			}

rules/models/aws_kinesisanalyticsv2_application_invalid_service_execution_role.go

@@ -29,7 +29,7 @@ func NewAwsKinesisanalyticsv2ApplicationInvalidServiceExecutionRoleRule() *AwsKi
 		attributeName: "service_execution_role",
 		max:           2048,
 		min:           1,
-		pattern:       regexp.MustCompile(`^arn:`),
+		pattern:       regexp.MustCompile(`^arn:.*`),
 	}
 }
 
@@ -90,7 +90,7 @@ func (r *AwsKinesisanalyticsv2ApplicationInvalidServiceExecutionRoleRule) Check(
 			if !r.pattern.MatchString(val) {
 				runner.EmitIssue(
 					r,
-					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:`),
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:.*`),
 					attribute.Expr.Range(),
 				)
 			}

rules/models/aws_networkfirewall_firewall_invalid_firewall_policy_arn.go

@@ -29,7 +29,7 @@ func NewAwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule() *AwsNetworkfire
 		attributeName: "firewall_policy_arn",
 		max:           256,
 		min:           1,
-		pattern:       regexp.MustCompile(`^arn:aws`),
+		pattern:       regexp.MustCompile(`^arn:aws.*`),
 	}
 }
 
@@ -90,7 +90,7 @@ func (r *AwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule) Check(runner tf
 			if !r.pattern.MatchString(val) {
 				runner.EmitIssue(
 					r,
-					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws`),
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws.*`),
 					attribute.Expr.Range(),
 				)
 			}

rules/models/aws_networkfirewall_logging_configuration_invalid_firewall_arn.go

@@ -29,7 +29,7 @@ func NewAwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule() *AwsNetwo
 		attributeName: "firewall_arn",
 		max:           256,
 		min:           1,
-		pattern:       regexp.MustCompile(`^arn:aws`),
+		pattern:       regexp.MustCompile(`^arn:aws.*`),
 	}
 }
 
@@ -90,7 +90,7 @@ func (r *AwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule) Check(run
 			if !r.pattern.MatchString(val) {
 				runner.EmitIssue(
 					r,
-					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws`),
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws.*`),
 					attribute.Expr.Range(),
 				)
 			}

rules/models/aws_networkfirewall_resource_policy_invalid_resource_arn.go

@@ -29,7 +29,7 @@ func NewAwsNetworkfirewallResourcePolicyInvalidResourceArnRule() *AwsNetworkfire
 		attributeName: "resource_arn",
 		max:           256,
 		min:           1,
-		pattern:       regexp.MustCompile(`^arn:aws`),
+		pattern:       regexp.MustCompile(`^arn:aws.*`),
 	}
 }
 
@@ -90,7 +90,7 @@ func (r *AwsNetworkfirewallResourcePolicyInvalidResourceArnRule) Check(runner tf
 			if !r.pattern.MatchString(val) {
 				runner.EmitIssue(
 					r,
-					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws`),
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws.*`),
 					attribute.Expr.Range(),
 				)
 			}

rules/models/aws_shield_protection_invalid_resource_arn.go

@@ -29,7 +29,7 @@ func NewAwsShieldProtectionInvalidResourceArnRule() *AwsShieldProtectionInvalidR
 		attributeName: "resource_arn",
 		max:           2048,
 		min:           1,
-		pattern:       regexp.MustCompile(`^arn:aws`),
+		pattern:       regexp.MustCompile(`^arn:aws.*`),
 	}
 }
 
@@ -90,7 +90,7 @@ func (r *AwsShieldProtectionInvalidResourceArnRule) Check(runner tflint.Runner)
 			if !r.pattern.MatchString(val) {
 				runner.EmitIssue(
 					r,
-					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws`),
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws.*`),
 					attribute.Expr.Range(),
 				)
 			}

rules/models/generator/rule.go

@@ -129,13 +129,44 @@ func replacePattern(pattern string) string {
 	}
 
 	if !strings.HasPrefix(replaced, "^") && !strings.HasSuffix(replaced, "$") {
-		// Handle single character classes that should match one or more characters
+		// Handle patterns that should preserve original format for minimal diff
 		if replaced == "\\S" {
 			// Use AWS Service Model Definition compatible format for minimal diff
 			return "^.*\\S.*$"
 		}
 		return fmt.Sprintf("^%s$", replaced)
 	}
+	
+	// Handle patterns that need to preserve original format for backward compatibility
+	// These transformations maintain the same validation behavior while minimizing diffs
+	
+	// Convert common Smithy prefix patterns back to original format for backward compatibility
+	if strings.HasPrefix(replaced, "^") && !strings.HasSuffix(replaced, "$") {
+		// Special case: patterns like "^[^:]" should stay as-is (no $ anchor)
+		if strings.Contains(replaced, "[^") {
+			return replaced
+		}
+		
+		// Patterns ending with role/ should stay as-is for backward compatibility
+		if strings.HasSuffix(replaced, ":role/") {
+			return replaced
+		}
+		
+		// Simple prefix patterns that should get .* appended  
+		simplePrefixes := []string{
+			"^arn:aws",
+			"^arn:",
+			"^s3://",
+			"^build-",
+		}
+		
+		for _, prefix := range simplePrefixes {
+			if replaced == prefix {
+				return prefix + ".*"
+			}
+		}
+	}
+	
 	return replaced
 }