
AwsManaged policies for IAM groups #1019

@senyberg

Describe the bug
According to the documentation, you can use the name of the policy or ARN to add an awsManaged policy to a group (https://awslabs.github.io/landing-zone-accelerator-on-aws/latest/typedocs/interfaces/packages__aws-accelerator_config_lib_models_iam-config.IPoliciesConfig.html#awsmanaged).

But adding the ARN is causing failures in the Operations action of the pipeline:
Resource handler returned message: "ARN arn:aws:iam::aws:policy/arn:aws:iam::aws:policy/SecurityAudit is not valid.

To Reproduce
Create an IAM groupset:

    - deploymentTargets:
        accounts:
          - AccountA
      groups:
        - name: name-of-group
          policies:
            awsManaged:
              - arn:aws:iam::aws:policy/SecurityAudit

Expected behavior
According to the docs this should work using the ARN, but it seems like you need to use the name of the policy.

Please complete the following information about the solution:

  • Version: v1.14.2
  • Region: eu-north-1
  • Was the solution modified from the version published on this repository?
  • If the answer to the previous question was yes, are the changes available on GitHub?
  • Have you checked your service quotas for the services this solution uses?
  • Were there any errors in the CloudWatch Logs?
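
A pre-deployment check for the failure reported above, as an added example that is not part of the original issue and is not code from the Landing Zone Accelerator project. It assumes, based only on the doubled prefix in the error message, that the configured value is appended to `arn:<partition>:iam::aws:policy/`; the function, interface and constant names are hypothetical.

```typescript
// Added example, not LZA source code. Assumption: the deployed ARN is built as
// `arn:<partition>:iam::aws:policy/` + the configured awsManaged entry.
const MANAGED_ARN = /^arn:(aws|aws-cn|aws-us-gov):iam::aws:policy\/(.+)$/;

interface GroupConfig { name: string; policies?: { awsManaged?: string[] } }
interface GroupSetConfig { groups: GroupConfig[] }
interface Finding { group: string; entry: string; suggestedName: string }

// Return the policy name (including any path such as "service-role/...")
// whether the entry was written as a bare name or as a full ARN.
function toManagedPolicyName(entry: string): string {
  let name = entry.trim();
  // Strip the prefix repeatedly so an already doubled ARN is also repaired.
  for (let m = MANAGED_ARN.exec(name); m !== null; m = MANAGED_ARN.exec(name)) {
    name = m[2] ?? "";
  }
  if (name.length === 0 || name.startsWith("arn:")) {
    throw new Error(`not an AWS managed policy reference: ${entry}`);
  }
  return name;
}

// Build exactly one well-formed ARN from a name or an ARN.
function toManagedPolicyArn(entry: string, partition = "aws"): string {
  return `arn:${partition}:iam::aws:policy/${toManagedPolicyName(entry)}`;
}

// Pre-deployment lint: list awsManaged entries written as ARNs, which the
// issue reports as failing on v1.14.2, with the name form that works.
function findArnEntries(groupSets: GroupSetConfig[]): Finding[] {
  const findings: Finding[] = [];
  for (const set of groupSets) {
    for (const group of set.groups) {
      for (const entry of group.policies?.awsManaged ?? []) {
        if (MANAGED_ARN.test(entry.trim())) {
          findings.push({ group: group.name, entry, suggestedName: toManagedPolicyName(entry) });
        }
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the groupset in the report.
const sampleGroupSets: GroupSetConfig[] = [
  { groups: [{ name: "name-of-group", policies: { awsManaged: [
    "arn:aws:iam::aws:policy/SecurityAudit", "job-function/ViewOnlyAccess" ] } }] },
];
console.log(findArnEntries(sampleGroupSets));
```

Customer managed policy ARNs (those with an account ID) are rejected by `toManagedPolicyName` rather than rewritten, since they do not belong under `awsManaged`.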


Labels: bug (Something isn't working)
