Describe the bug

This issue tracks several fixes needed to make the SRA Terraform solution fully compatible with AWS GovCloud (US) partitions.

A few places in the Terraform code still have a hardcoded partition in the resource specification, rather than deriving the partition value dynamically as most of the code already does.

Example: in the module ./terraform/common/ssm_parameters/main.tf, the "arn" definition at line 130 only works in the commercial partition:

```
"arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/${var.management_account_parameters_lambda_function_name}:log-stream:*"
```

It should derive the partition name dynamically, as in the example below, so that it works in both the commercial and GovCloud partitions:

```
"arn:${data.aws_partition.current.partition}:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/${var.management_account_parameters_lambda_function_name}:log-stream:*"
```

The following files have the same issue and require a similar fix...

Service-linked profile policy update in the Inspector solution (./terraform/solutions/inspector/configuration_role/main.tf)

The account-specific ARN prevents the role from being assumed across member accounts in GovCloud, where the Inspector delegated admin flow requires a wildcard account ID.

Current value:

Updated value:

Add the GovCloud regions to the get_enabled_regions function in ./solutions/common/common_prerequisites/lambda/src/app.py:

```python
def get_enabled_regions() -> list:  # noqa: CCR001
    ...
        "eu-west-1",
        "ap-southeast-2",
        "eu-west-3",
        "us-gov-west-1",
        "us-gov-east-1"
```
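As an added example that is not part of the SRA project code, the Python check below scans Terraform text for ARN strings whose partition is a literal (the defect described above) and proposes the `${data.aws_partition.current.partition}` rewrite, so the same defect can be caught in review before it reaches GovCloud. It uses only the standard library; the sample Terraform text is constructed for this example and includes the log-group ARN quoted in the issue. It also shows the region-to-partition mapping that puts the us-gov-* regions from the last item in the aws-us-gov partition, which is why a literal "aws" partition fails there.

```python
"""Detect hardcoded ARN partitions in Terraform sources (added example, not SRA code)."""
import re
from typing import List, Tuple

# The first two ARN fields: "arn:" followed by a literal partition name.
# An interpolated partition ("arn:${...}:") is not matched, since it already
# derives the partition dynamically.
HARDCODED_PARTITION = re.compile(r"arn:(aws|aws-us-gov|aws-cn):")

# The form the issue asks for.
DYNAMIC_PARTITION = "arn:${data.aws_partition.current.partition}:"

# Constructed sample: one hardcoded ARN (the line quoted in the issue) and one
# ARN that is already correct.
SAMPLE_TF = '''data "aws_partition" "current" {}

resource "aws_iam_role_policy" "example" {
  policy = jsonencode({
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/${var.management_account_parameters_lambda_function_name}:log-stream:*"
    }, {
      Effect   = "Allow"
      Action   = ["ssm:GetParameter"]
      Resource = "arn:${data.aws_partition.current.partition}:ssm:${local.region}:${local.account_id}:parameter/sra/*"
    }]
  })
}
'''


def find_hardcoded_partitions(hcl: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every line with a literal ARN partition."""
    findings = []
    for lineno, line in enumerate(hcl.splitlines(), start=1):
        if HARDCODED_PARTITION.search(line):
            findings.append((lineno, line.strip()))
    return findings


def rewrite_partition(text: str) -> str:
    """Replace each literal ARN partition with the dynamic Terraform reference."""
    return HARDCODED_PARTITION.sub(DYNAMIC_PARTITION, text)


def partition_for_region(region: str) -> str:
    """Map a region name to its AWS partition, the value aws_partition returns there."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


if __name__ == "__main__":
    for lineno, line in find_hardcoded_partitions(SAMPLE_TF):
        print(f"line {lineno}: hardcoded partition")
        print(f"  found:   {line}")
        print(f"  suggest: {rewrite_partition(line)}")
    for region in ("eu-west-1", "us-gov-west-1", "us-gov-east-1"):
        print(f"{region} -> {partition_for_region(region)}")
```

Running the check over a module that already uses `data.aws_partition.current.partition` produces no findings, so it can sit in CI as a regression guard once the files listed in this issue are fixed.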