Update CloudFormation templates for GovCloud compatibility by replacing hardcoded amazonaws.com service principals with dynamic AWS::URLSuffix

Bob Strahan · gudivt · commit 603b4202cb13 · 2025-09-11T11:33:58.000-05:00
diff --git a/template.yaml b/template.yaml
@@ -2661,6 +2661,111 @@ Resources:
       SourceArn: !GetAtt WorkflowStateChangeRule.Arn
 
   ##########################################################################
+  # Step Functions Subscription Publisher
+  ##########################################################################
+  StepFunctionSubscriptionPublisher:
+    Type: AWS::Serverless::Function
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W89
+            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
+          - id: W92
+            reason: "Function does not require reserved concurrency as it scales based on demand"
+          - id: W12
+            reason: "Lambda requires CloudWatch logs permissions"
+    # checkov:skip=CKV_AWS_116: "DLQ not required for subscription publisher function"
+    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
+    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
+    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
+    Properties:
+      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
+      CodeUri: src/lambda/stepfunction_subscription_publisher/
+      Handler: index.handler
+      Runtime: python3.12
+      Architectures:
+        - x86_64
+      MemorySize: 256
+      Timeout: 30
+      LoggingConfig:
+        LogGroup: !Ref StepFunctionSubscriptionPublisherLogGroup
+      Environment:
+        Variables:
+          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
+          LOG_LEVEL: !Ref LogLevel
+      Policies:
+        - Statement:
+            - Effect: Allow
+              Action:
+                - states:DescribeExecution
+                - states:GetExecutionHistory
+              Resource: 
+                - !Sub
+                  - "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:${StateMachineName}*"
+                  - StateMachineName: !If
+                    - IsPattern3
+                    - !GetAtt PATTERN3STACK.Outputs.StateMachineName
+                    - !If
+                      - IsPattern2
+                      - !GetAtt PATTERN2STACK.Outputs.StateMachineName
+                      - !GetAtt PATTERN1STACK.Outputs.StateMachineName
+            - Effect: Allow
+              Action:
+                - appsync:GraphQL
+              Resource:
+                - !Sub "${GraphQLApi.Arn}/types/Subscription/*"
+                - !Sub "${GraphQLApi.Arn}/types/Mutation/*"
+            - Effect: Allow
+              Action:
+                - kms:Encrypt
+                - kms:Decrypt
+                - kms:ReEncrypt*
+                - kms:GenerateDataKey*
+                - kms:DescribeKey
+              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
+
+  StepFunctionSubscriptionPublisherLogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
+      RetentionInDays: !Ref LogRetentionDays
+
+  StepFunctionSubscriptionRule:
+    Type: AWS::Events::Rule
+    Properties:
+      EventPattern:
+        source:
+          - aws.states
+        detail-type:
+          - Step Functions Execution Status Change
+        detail:
+          stateMachineArn:
+            - !If
+              - IsPattern3
+              - !GetAtt PATTERN3STACK.Outputs.StateMachineArn
+              - !If
+                - IsPattern2
+                - !GetAtt PATTERN2STACK.Outputs.StateMachineArn
+                - !GetAtt PATTERN1STACK.Outputs.StateMachineArn
+          status:
+            - RUNNING
+            - SUCCEEDED
+            - FAILED
+            - TIMED_OUT
+            - ABORTED
+      Targets:
+        - Arn: !GetAtt StepFunctionSubscriptionPublisher.Arn
+          Id: "StepFunctionSubscriptionPublisher"
+          RetryPolicy:
+            MaximumRetryAttempts: 3
+
+  StepFunctionSubscriptionPublisherPermission:
+    Type: AWS::Lambda::Permission
+    Properties:
+      Action: lambda:InvokeFunction
+      FunctionName: !Ref StepFunctionSubscriptionPublisher
+      Principal: !Sub "events.${AWS::URLSuffix}"
+      SourceArn: !GetAtt StepFunctionSubscriptionRule.Arn
 
   ##########################################################################
   # Optional Post Processing Lambda Hook
