Merge branch 'fix/govcloud-principals' into 'develop'

rstrahan · rstrahan · commit 81242ad8b493 · 2025-09-10T15:22:34.000Z
GovCloud Compatibility - Hardcoded Service Domain References

See merge request genaiic-reusable-assets/engagement-artifacts/genaiic-idp-accelerator!294
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,14 @@ SPDX-License-Identifier: MIT-0
   - **Integrated Workflow**: Development setup combining Windows tools (VS Code, browsers) with native Linux environment
   - **Target Use Cases**: Windows developers needing Linux compatibility without Docker Desktop or VM overhead
 
+### Fixed
+- **GovCloud Compatibility - Hardcoded Service Domain References**
+  - Fixed hardcoded `amazonaws.com` references in CloudFormation templates that prevented GovCloud deployment
+  - Updated all service principals and endpoints to use dynamic `${AWS::URLSuffix}` expressions for automatic region-based resolution
+  - **Templates Updated**: `template.yaml` (main template), `patterns/pattern-3/sagemaker_classifier_endpoint.yaml`
+  - **Services Fixed**: EventBridge, Cognito, SageMaker, ECR, CloudFront, CodeBuild, AppSync, Lambda, DynamoDB, CloudWatch Logs, Glue
+  - Resolves GitHub Issue #50 - templates now deploy correctly in both standard AWS and GovCloud regions
+
 
 ## [0.3.14]
 
diff --git a/memory-bank/activeContext.md b/memory-bank/activeContext.md
@@ -2,14 +2,15 @@
 
 ## Current Task Status
 
-**Feature Implementation**: ✅ **COMPLETED** - GovCloud Template Generation System
+**Feature Implementation**: ✅ **COMPLETED** - Service Principal GovCloud Compatibility Updates
 
 ## Feature Overview
 
-Successfully created a comprehensive GovCloud-compatible version of the GenAI IDP Accelerator that addresses both key requirements:
+Successfully updated all CloudFormation templates to replace hardcoded AWS service principals with dynamic expressions for GovCloud compatibility:
 
-1. **ARN Partition Updates**: All templates now use `arn:${AWS::Partition}:` for GovCloud compatibility
-2. **Stripped-Down Template**: Created generation script that removes UI components for headless operation
+1. **Service Principal Updates**: All templates now use `!Sub "<service>.${AWS::URLSuffix}"` for GovCloud compatibility
+2. **Template Fixes**: Fixed YAML validation errors and duplicate parameter issues
+3. **Comprehensive Coverage**: Updated all templates in main, options, and patterns directories
 
 ## Implementation Summary
 
diff --git a/options/bda-lending-project/template.yaml b/options/bda-lending-project/template.yaml
@@ -57,7 +57,7 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              Service: lambda.amazonaws.com
+              Service: !Sub "lambda.${AWS::URLSuffix}"
             Action: sts:AssumeRole
       ManagedPolicyArns:
         - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
diff --git a/options/bedrockkb/template.yaml b/options/bedrockkb/template.yaml
@@ -400,7 +400,7 @@ Resources:
         - Effect: Allow
           Principal:
             Service:
-            - lambda.amazonaws.com
+            - !Sub "lambda.${AWS::URLSuffix}"
           Action:
           - sts:AssumeRole
       PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
@@ -524,7 +524,7 @@ Resources:
           - Effect: Allow
             Principal:
               Service:
-                - bedrock.amazonaws.com
+                - !Sub "bedrock.${AWS::URLSuffix}"
             Action:
               - sts:AssumeRole
             Condition:
@@ -725,7 +725,7 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              Service: lambda.amazonaws.com
+              Service: !Sub "lambda.${AWS::URLSuffix}"
             Action: sts:AssumeRole
       ManagedPolicyArns:
         - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
@@ -831,7 +831,7 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              Service: scheduler.amazonaws.com
+              Service: !Sub "scheduler.${AWS::URLSuffix}"
             Action: sts:AssumeRole
       PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       Policies:
diff --git a/patterns/pattern-1/template.yaml b/patterns/pattern-1/template.yaml
@@ -854,7 +854,7 @@ Resources:
     Properties:
       Action: lambda:InvokeFunction
       FunctionName: !Ref BDACompletionFunction
-      Principal: events.amazonaws.com
+      Principal: !Sub "events.${AWS::URLSuffix}"
       SourceArn: !GetAtt BDAEventRule.Arn
 
   # DynamoDB Table for BDA process records metadata
@@ -945,7 +945,7 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              Service: lambda.amazonaws.com
+              Service: !Sub "lambda.${AWS::URLSuffix}"
             Action: sts:AssumeRole
       ManagedPolicyArns:
         - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
@@ -1119,7 +1119,7 @@ Resources:
     Properties:
       FunctionName: !Ref HITLProcessLambdaFunction
       Action: 'lambda:InvokeFunction'
-      Principal: 'events.amazonaws.com'
+      Principal: !Sub "events.${AWS::URLSuffix}"
       SourceArn: !GetAtt HITLEventRule.Arn
 
 
diff --git a/patterns/pattern-2/template.yaml b/patterns/pattern-2/template.yaml
@@ -91,14 +91,6 @@ Parameters:
       - "false"
     Description: "Enable Human In The Loop (A2I) for document review"
 
-  IsPattern2HITLEnabled:
-    Type: String
-    Default: "false"
-    AllowedValues:
-      - "true"
-      - "false"
-    Description: "Pattern-2 specific HITL enablement flag"
-
   SageMakerA2IReviewPortalURL:
     Type: String
     Default: ""
@@ -130,8 +122,6 @@ Conditions:
   HasPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundaryArn, ""]]
   IsHITLEnabled: !Equals [!Ref EnableHITL, "true"]
   HasAppSyncApi: !Not [!Equals [!Ref AppSyncApiArn, ""]]
-  IsPattern2HITLEnabled: !Equals [!Ref IsPattern2HITLEnabled, "true"]
-
 
 Resources:
 
@@ -1371,12 +1361,15 @@ Resources:
               - kms:GenerateDataKey*
               - kms:DescribeKey
             Resource: !Ref CustomerManagedEncryptionKeyArn
-          # AppSync permissions for updating document status
-          - Effect: Allow
-            Action:
-              - appsync:GraphQL
-            Resource: 
-              - !Sub "${AppSyncApiArn}/types/Mutation/*"
+          # AppSync permissions for updating document status (only if AppSync API is available)
+          - !If
+            - HasAppSyncApi
+            - Effect: Allow
+              Action:
+                - appsync:GraphQL
+              Resource:
+                - !Sub "${AppSyncApiArn}/types/Mutation/*"
+            - !Ref AWS::NoValue
 
   HITLWaitFunctionLogGroup:
     Type: AWS::Logs::LogGroup
@@ -1486,7 +1479,7 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              Service: lambda.amazonaws.com
+              Service: !Sub "lambda.${AWS::URLSuffix}"
             Action: sts:AssumeRole
       ManagedPolicyArns:
         - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
@@ -1546,7 +1539,7 @@ Resources:
     Properties:
       FunctionName: !Ref HITLProcessLambdaFunction
       Action: 'lambda:InvokeFunction'
-      Principal: 'events.amazonaws.com'
+      Principal: !Sub "events.${AWS::URLSuffix}"
       SourceArn: !GetAtt HITLEventRule.Arn
 
   SummarizationFunction:
diff --git a/patterns/pattern-3/sagemaker_classifier_endpoint.yaml b/patterns/pattern-3/sagemaker_classifier_endpoint.yaml
@@ -86,7 +86,7 @@ Resources:
           - Effect: Allow
             Principal:
               Service:
-                - sagemaker.amazonaws.com
+                - !Sub "sagemaker.${AWS::URLSuffix}"
             Action:
               - sts:AssumeRole
       ManagedPolicyArns:
@@ -127,7 +127,7 @@ Resources:
     Properties:
       ExecutionRoleArn: !GetAtt UDOPExecutionRole.Arn
       PrimaryContainer:
-        Image: !Sub 763104351884.dkr.ecr.${AWS::Region}.amazonaws.com/pytorch-inference:2.1.0-gpu-py310
+        Image: !Sub "763104351884.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/pytorch-inference:2.1.0-gpu-py310"
         ModelDataUrl: !Ref UDOPModelArtifactPath
         Environment:
           SAGEMAKER_PROGRAM: inference.py
@@ -163,7 +163,7 @@ Resources:
       MaxCapacity: !Ref MaxInstanceCount
       MinCapacity: !Ref MinInstanceCount
       ResourceId: !Sub endpoint/${UDOPEndpoint.EndpointName}/variant/AllTraffic
-      RoleARN: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint"
+      RoleARN: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/sagemaker.application-autoscaling.${AWS::URLSuffix}/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint"
       ScalableDimension: sagemaker:variant:DesiredInstanceCount
       ServiceNamespace: sagemaker
 
diff --git a/scripts/generate_govcloud_template.py b/scripts/generate_govcloud_template.py
@@ -194,7 +194,8 @@ def __init__(self, verbose: bool = False):
             'WebUITestEnvFile',
             'SageMakerA2IReviewPortalURL',
             'LabelingConsoleURL',
-            'ExternalMCPAgentsSecretName'
+            'ExternalMCPAgentsSecretName',
+            'PrivateWorkteamArn'
         }
 
     def setup_logging(self):
diff --git a/template.yaml b/template.yaml

Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,8 @@ def __init__(self, verbose: bool = False):`
`194`	`194`	`'WebUITestEnvFile',`
`195`	`195`	`'SageMakerA2IReviewPortalURL',`
`196`	`196`	`'LabelingConsoleURL',`
`197`		`- 'ExternalMCPAgentsSecretName'`
	`197`	`+ 'ExternalMCPAgentsSecretName',`
	`198`	`+ 'PrivateWorkteamArn'`
`198`	`199`	`}`
`199`	`200`
`200`	`201`	`def setup_logging(self):`