diff --git a/docs/providers-guide.md b/docs/providers-guide.md
index 08bfe5085..0dbc69eed 100644
--- a/docs/providers-guide.md
+++ b/docs/providers-guide.md
@@ -139,7 +139,7 @@ Please note: you can use S3 as a source and deployment provider.
 The properties that are available are slightly different.
 The role used to fetch the object from the S3 bucket is:
-`arn:aws:iam::${source_account_id}:role/adf-codecommit-role`.
+`arn:${partition}:iam::${source_account_id}:role/adf-codecommit-role`.
 Provider type: `s3`.
@@ -383,7 +383,7 @@ Provider type: `codedeploy`.
 > The name of the CodeDeploy Application you want to use for this deployment.
 - *deployment_group_name* *(String)* **(required)**
 > The name of the Deployment Group you want to use for this deployment.
-- *role* - *(String)* default `arn:aws:iam::${target_account_id}:role/adf-cloudformation-role`.
+- *role* - *(String)* default `arn:${partition}:iam::${target_account_id}:role/adf-cloudformation-role`.
 > The role you would like to use on the target AWS account to execute the
 > CodeDeploy action. The role should allow the CodeDeploy service to assume
 > it. As is [documented in the CodeDeploy service role documentation](https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-service-role.html).
@@ -436,7 +436,7 @@ Provider type: `cloudformation`.
 >
 > Defaults to empty string, the root of the source repository or input
 > artifact.
-- *role* - *(String)* default `arn:aws:iam::${target_account_id}:role/adf-cloudformation-deployment-role`.
+- *role* - *(String)* default `arn:${partition}:iam::${target_account_id}:role/adf-cloudformation-deployment-role`.
 > The role you would like to use on the target AWS account to execute the
 > CloudFormation action. Ensure that the CloudFormation service should be
 > allowed to assume that role.
@@ -495,7 +495,7 @@ Provider type: `lambda`.
 Service Catalog deployment provider.
 The role used to deploy the service catalog is:
-`arn:aws:iam::${target_account_id}:role/adf-cloudformation-role`.
+`arn:${partition}:iam::${target_account_id}:role/adf-cloudformation-role`.
 Provider type: `service_catalog`.
@@ -520,7 +520,7 @@ Please note: you can use S3 as a source and deployment provider.
 The properties that are available are slightly different.
 The role used to upload the object(s) to the S3 bucket is:
-`arn:aws:iam::${target_account_id}:role/adf-cloudformation-role`.
+`arn:${partition}:iam::${target_account_id}:role/adf-cloudformation-role`.
 Provider type: `s3`.
@@ -533,5 +533,5 @@ Provider type: `s3`.
 - *extract* - *(Boolean)* default: `False`.
 > Whether CodePipeline should extract the contents of the object when
 > it deploys it.
-- *role* - *(String)* default: `arn:aws:iam::${target_account_id}:role/adf-cloudformation-role`.
+- *role* - *(String)* default: `arn:${partition}:iam::${target_account_id}:role/adf-cloudformation-role`.
 > The role you would like to use for this action.
diff --git a/samples/sample-rdk-rules/templates/lambda-role.json b/samples/sample-rdk-rules/templates/lambda-role.json
index b97b23cb8..ccc249765 100644
--- a/samples/sample-rdk-rules/templates/lambda-role.json
+++ b/samples/sample-rdk-rules/templates/lambda-role.json
@@ -26,7 +26,7 @@
 "Action": ["s3:GetObject"],
 "Effect": "Allow",
 "Resource": {
- "Fn::Sub": "arn:aws:s3:::${SourceBucket}/${SourceBucketFolder}/*"
+ "Fn::Sub": "arn:${AWS::Partition}:s3:::${SourceBucket}/${SourceBucketFolder}/*"
 }
 },
 {
@@ -68,7 +68,7 @@
 ],
 "ManagedPolicyArns": [
 {
- "Fn::Sub": "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"
 }
 ]
 }
diff --git a/src/lambda_codebase/account_processing/configure_account_alias.py b/src/lambda_codebase/account_processing/configure_account_alias.py
index f5f2e41e1..8c815b77e 100644
--- a/src/lambda_codebase/account_processing/configure_account_alias.py
+++ b/src/lambda_codebase/account_processing/configure_account_alias.py
@@ -14,6 +14,7 @@
 LOGGER = configure_logger(__name__)
 ADF_ROLE_NAME = os.getenv("ADF_ROLE_NAME")
+AWS_PARTITION = os.getenv("AWS_PARTITION")
 def create_account_alias(account, iam_client):
@@ -39,7 +40,7 @@ def lambda_handler(event, _):
 sts = STS()
 account_id = event.get("account_id")
 role = sts.assume_cross_account_role(
- f"arn:aws:iam::{account_id}:role/{ADF_ROLE_NAME}",
+ f"arn:{AWS_PARTITION}:iam::{account_id}:role/{ADF_ROLE_NAME}",
 "adf_account_alias_config",
 )
 create_account_alias(event, role.client("iam"))
diff --git a/src/lambda_codebase/account_processing/delete_default_vpc.py b/src/lambda_codebase/account_processing/delete_default_vpc.py
index 7820ce096..1e223c3ef 100644
--- a/src/lambda_codebase/account_processing/delete_default_vpc.py
+++ b/src/lambda_codebase/account_processing/delete_default_vpc.py
@@ -13,12 +13,13 @@
 LOGGER = configure_logger(__name__)
 ADF_ROLE_NAME = os.getenv("ADF_ROLE_NAME")
+AWS_PARTITION = os.getenv("AWS_PARTITION")
 def assume_role(account_id):
 sts = STS()
 return sts.assume_cross_account_role(
- f"arn:aws:iam::{account_id}:role/{ADF_ROLE_NAME}",
+ f"arn:{AWS_PARTITION}:iam::{account_id}:role/{ADF_ROLE_NAME}",
 "adf_delete_default_vpc",
 )
diff --git a/src/lambda_codebase/account_processing/get_account_regions.py b/src/lambda_codebase/account_processing/get_account_regions.py
index 3439c3928..aac5a512f 100644
--- a/src/lambda_codebase/account_processing/get_account_regions.py
+++ b/src/lambda_codebase/account_processing/get_account_regions.py
@@ -14,6 +14,7 @@
 LOGGER = configure_logger(__name__)
 ADF_ROLE_NAME = os.getenv("ADF_ROLE_NAME")
+AWS_PARTITION = os.getenv("AWS_PARTITION")
 def lambda_handler(event, _):
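Review bot: `AWS_PARTITION = os.getenv("AWS_PARTITION")` has no fallback, so on any function where the variable is not wired in the role ARN built in the following hunk becomes the literal `arn:None:iam::...` and the assume-role call fails with an opaque error, whereas `sts.sh` in this same commit falls back to the commercial partition. The identical pattern is repeated in delete_default_vpc.py and get_account_regions.py. Suggest `AWS_PARTITION = os.getenv("AWS_PARTITION", "aws")` in all three modules so existing single-partition deployments keep working if the template wiring is missed for one function. A short comment on the constant, `# Partition segment for cross-account role ARNs; wired from template.yml via AWS::Partition`, would make the coupling visible to the next reader.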
@@ -21,7 +22,7 @@ def lambda_handler(event, _):
 sts = STS()
 account_id = event.get("account_id")
 role = sts.assume_cross_account_role(
- f"arn:aws:iam::{account_id}:role/{ADF_ROLE_NAME}",
+ f"arn:{AWS_PARTITION}:iam::{account_id}:role/{ADF_ROLE_NAME}",
 "adf_account_get_regions",
 )
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_chatbot.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_chatbot.py
index 2db87476d..95b40abca 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_chatbot.py
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_chatbot.py
@@ -38,8 +38,16 @@ def __init__(
 **kwargs,
 ): # pylint: disable=W0622
 super().__init__(scope, id, **kwargs)
- slack_channel_arn = f"arn:aws:chatbot::{ADF_DEPLOYMENT_ACCOUNT_ID}:chat-configuration/slack-channel/{notification_config.get('target')}"
- pipeline_arn = f"arn:aws:codepipeline:{ADF_DEPLOYMENT_REGION}:{ADF_DEPLOYMENT_ACCOUNT_ID}:{pipeline.ref}"
+ stack = core.Stack.of(self)
+ slack_channel_arn = (
+ f"arn:{stack.partition}:chatbot::{ADF_DEPLOYMENT_ACCOUNT_ID}:"
+ f"chat-configuration/slack-channel/"
+ f"{notification_config.get('target')}"
+ )
+ pipeline_arn = (
+ f"arn:{stack.partition}:codepipeline:{ADF_DEPLOYMENT_REGION}:"
+ "{ADF_DEPLOYMENT_ACCOUNT_ID}:{pipeline.ref}"
+ )
 cp_notifications.CfnNotificationRule(
 scope,
 "pipeline-notification",
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/tests/test_pipeline_creation.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/tests/test_pipeline_creation.py
index 41cb0085e..bbbfc3164 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/tests/test_pipeline_creation.py
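Review bot: The second literal of the new `pipeline_arn` is missing its `f` prefix, so `{ADF_DEPLOYMENT_ACCOUNT_ID}` and `{pipeline.ref}` are emitted as literal braces and the ARN ends in `:{ADF_DEPLOYMENT_ACCOUNT_ID}:{pipeline.ref}` instead of naming the pipeline; the original single-line f-string did interpolate both. The `CfnNotificationRule` created just below presumably receives this value as its resource, so the outcome is either a template validation failure or a rule that never fires, silently dropping the pipeline-state alerts. Change the line to `f"{ADF_DEPLOYMENT_ACCOUNT_ID}:{pipeline.ref}"`. `__init__` begins before this hunk and continues after it.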
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/tests/test_pipeline_creation.py
@@ -445,10 +445,14 @@ def test_pipeline_creation_outputs_as_expected_when_notification_endpoint_is_cha
 assert resources["pipelinenoti"]["Type"] == (
 "AWS::CodeStarNotifications::NotificationRule"
 )
- assert target["TargetAddress"] == (
- "arn:aws:chatbot::111111111111:"
- "chat-configuration/slack-channel/fake-config"
- )
+ assert target["TargetAddress"] == {
+ "Fn::Join": ["", [
+ "arn:",
+ {"Ref": "AWS::Partition"},
+ ":chatbot::111111111111:"
+ "chat-configuration/slack-channel/fake-config"
+ ]]
+ }
 assert target["TargetType"] == "AWSChatbotSlack"
 assert pipeline_notification["EventTypeIds"] == [
 "codepipeline-pipeline-stage-execution-succeeded",
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/sts.sh b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/sts.sh
index 3e3cbab8d..db04f6f67 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/sts.sh
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/sts.sh
@@ -1,7 +1,11 @@
 #!/usr/bin/env bash
+if [ -z "$AWS_PARTITION" ]; then
+ AWS_PARTITION="aws"
+fi
+
 # Example usage sts 123456789012 adf-terraform-deployment-role
-export ROLE=arn:aws:iam::$1:role/$2
+export ROLE=arn:$AWS_PARTITION:iam::$1:role/$2
 temp_role=$(aws sts assume-role --role-arn $ROLE --role-session-name $2-$ADF_PROJECT_NAME)
 export AWS_ACCESS_KEY_ID=$(echo $temp_role | jq -r .Credentials.AccessKeyId)
 export AWS_SECRET_ACCESS_KEY=$(echo $temp_role | jq -r .Credentials.SecretAccessKey)
diff --git a/src/template.yml b/src/template.yml
index 2e37ad147..5737bdb76 100644
--- a/src/template.yml
+++ b/src/template.yml
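Review bot: The rewritten assertion pins `TargetAddress` only, while the same commit also rewrites `pipeline_arn` in adf_chatbot.py and nothing in this test checks the value the notification rule receives for it, so a malformed pipeline ARN (the second literal of that `pipeline_arn` is not an f-string and leaves `{ADF_DEPLOYMENT_ACCOUNT_ID}` as text) passes this suite. Add a companion assertion on the rule's `Resource` property of `resources["pipelinenoti"]` in the same `Fn::Join` shape, checking that the account segment is `111111111111` and the final segment is the pipeline `Ref` rather than a literal placeholder. The enclosing test function begins before this hunk.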
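Review bot: The three-line `if [ -z "$AWS_PARTITION" ]` block is the long form of a parameter-expansion default; `AWS_PARTITION="${AWS_PARTITION:-aws}"` expresses the same thing in one line and, like `-z`, treats both unset and empty values as missing. If this helper is sourced, as the `export` lines suggest, the assignment also lands in the caller's shell, which is harmless but worth a comment such as `# Default to the commercial partition when the caller has not set AWS_PARTITION`. The unquoted `$ROLE` and `$2-$ADF_PROJECT_NAME` on the existing assume-role line are untouched by this commit but would be worth quoting while the file is open.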
@@ -357,6 +357,7 @@ Resources:
 - !Ref LambdaLayerVersion
 Environment:
 Variables:
+ AWS_PARTITION: !Ref AWS::Partition
 MASTER_ACCOUNT_ID: !Ref AWS::AccountId
 ORGANIZATION_ID: !GetAtt Organization.OrganizationId
 ADF_VERSION: !FindInMap ['Metadata', 'ADF', 'Version']
@@ -467,6 +468,7 @@ Resources:
 - !Ref LambdaLayerVersion
 Environment:
 Variables:
+ AWS_PARTITION: !Ref AWS::Partition
 MASTER_ACCOUNT_ID: !Ref AWS::AccountId
 ORGANIZATION_ID: !GetAtt Organization.OrganizationId
 ADF_VERSION: !FindInMap ['Metadata', 'ADF', 'Version']
@@ -501,6 +503,7 @@ Resources:
 - !Ref LambdaLayerVersion
 Environment:
 Variables:
+ AWS_PARTITION: !Ref AWS::Partition
 MASTER_ACCOUNT_ID: !Ref AWS::AccountId
 ORGANIZATION_ID: !GetAtt Organization.OrganizationId
 ADF_VERSION: !FindInMap ['Metadata', 'ADF', 'Version']