Describe the bug
This issue tracks several fixes needed to make the SRA Terraform solution fully compatible with AWS GovCloud (US) partitions.
- A few places in the Terraform code still have a hardcoded partition in the resource specification, rather than deriving the partition value dynamically as many other places in the code already do.
Example: in the module ./terraform/common/ssm_parameters/main.tf, the "arn" definition at line 130 may work only in the commercial partition.
"arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/${var.management_account_parameters_lambda_function_name}:log-stream:*"
It should derive the partition name dynamically, as in the example below, so that it works in both the commercial and GovCloud partitions.
"arn:${data.aws_partition.current.partition}:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/${var.management_account_parameters_lambda_function_name}:log-stream:*"
The following files have the same issue and require a similar fix:
- ./terraform/common/secrets_kms/main.tf
- ./terraform/solutions/providers.tf
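A small lint that catches this class of bug before deployment, added here as an example and not part of the SRA repository: it scans Terraform text for ARN literals whose partition is a fixed string (aws, aws-us-gov, aws-cn) instead of `${data.aws_partition.current.partition}`, and prints the dynamic form. The sample HCL is constructed from the two ARNs quoted in this issue, not copied from the real files.

```python
"""Flag hardcoded AWS partitions in Terraform ARN strings (added example)."""
import re
from typing import List, Tuple

# Start of an ARN string literal whose partition is a fixed value rather than
# a Terraform interpolation. Only the three public partitions are listed.
HARDCODED_PARTITION = re.compile(r'"arn:(aws|aws-us-gov|aws-cn):')


def find_hardcoded_partitions(hcl: str) -> List[Tuple[int, str]]:
    """Return (line_number, partition) for every ARN literal with a fixed partition."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(hcl.splitlines(), start=1):
        for match in HARDCODED_PARTITION.finditer(line):
            findings.append((lineno, match.group(1)))
    return findings


def suggest_fix(line: str) -> str:
    """Rewrite a fixed partition to the partition data-source reference."""
    return HARDCODED_PARTITION.sub('"arn:${data.aws_partition.current.partition}:', line)


# Constructed sample modelled on the ARNs quoted in the issue; line 5 is the
# hardcoded one, line 6 already uses the dynamic partition and must not be flagged.
SAMPLE_TF = '''
resource "aws_iam_policy" "example" {
  policy = jsonencode({
    Resource = [
      "arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/fn:log-stream:*",
      "arn:${data.aws_partition.current.partition}:iam::*:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2",
    ]
  })
}
'''

if __name__ == "__main__":
    lines = SAMPLE_TF.splitlines()
    for lineno, partition in find_hardcoded_partitions(SAMPLE_TF):
        print(f"line {lineno}: hardcoded partition '{partition}'")
        print("  suggested:", suggest_fix(lines[lineno - 1]).strip())
```

Run it against real files with a loop over `*.tf` paths read into the `hcl` argument; anything it reports will break in GovCloud (US) even when the rest of the module uses the data source.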
- Service-linked role policy update in the Inspector solution (./terraform/solutions/inspector/configuration_role/main.tf)
The account-specific ARN prevents the role from being assumed across member accounts in GovCloud, where the Inspector delegated admin flow requires a wildcard account ID.
Current value:
- "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2",
Updated value:
- "arn:${data.aws_partition.current.partition}:iam::*:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2",
- Add the GovCloud regions to the get_enabled_regions function in ./solutions/common/common_prerequisites/lambda/src/app.py
```python
def get_enabled_regions() -> list:  # noqa: CCR001
    # Only the tail of the region list is reproduced here; the two
    # GovCloud (US) regions are the entries appended at the end.
    regions = [
        "eu-west-1",
        "ap-southeast-2",
        "eu-west-3",
        "us-gov-west-1",
        "us-gov-east-1",
    ]
    return regions
```