feat: add GovCloud multi-partition support

aidandaly24 · aidandaly24 · commit 6241e3b7d45c · 2026-04-22T11:01:02.000-04:00
Add partition-aware ARN construction, endpoint URL generation, and
console URL generation to support aws-us-gov (and future aws-cn)
partitions.

- Create src/cli/aws/partition.ts with getPartition, arnPrefix,
  dnsSuffix, serviceEndpoint, and consoleDomain utilities
- Replace all hardcoded arn:aws: in ARN template literals with
  arnPrefix(region)
- Update ARN regex patterns to accept any partition (arn:[^:]+:)
- Replace hardcoded amazonaws.com in endpoint URLs with
  serviceEndpoint()
- Replace hardcoded console.aws.amazon.com with consoleDomain()
- Add us-gov-west-1 to AgentCoreRegionSchema, BEDROCK_REGIONS,
  and LLM compacted types
- Add aws-us-gov to cdk.json target-partitions
- Fix execution-role-policy.json to use partition wildcard (arn:*)
- Add 15 unit tests for partition utilities
- Document multi-partition rules and checklists in AGENTS.md
diff --git a/AGENTS.md b/AGENTS.md
@@ -143,6 +143,44 @@ See `docs/TESTING.md` for details.
 - Always look for existing types before creating a new type inline.
 - Re-usable constants must be defined in a constants file in the closest sensible subdirectory.
 
+## Multi-Partition Support (GovCloud, China)
+
+The CLI supports multiple AWS partitions (commercial, GovCloud, China) through a central utility at
+`src/cli/aws/partition.ts`. This module maps region prefixes to partition-specific values.
+
+### Rules
+
+- **Never hardcode `arn:aws:`** in ARN construction. Use `arnPrefix(region)` from `src/cli/aws/partition.ts`.
+- **Never hardcode `amazonaws.com`** in endpoint URLs. Use `serviceEndpoint(service, region)` or `dnsSuffix(region)`.
+- **Never hardcode `console.aws.amazon.com`** in console URLs. Use `consoleDomain(region)`.
+- **ARN regex patterns** must use `arn:[^:]+:` (not `arn:aws:`) to match any partition.
+- **Static JSON assets** (e.g., IAM policies in `src/assets/`) cannot use TypeScript utilities — use `arn:*:` as the
+  partition wildcard since IAM evaluates it across all partitions.
+
+### Adding a New Region
+
+Update these files in the CLI repo:
+
+1. `src/schema/schemas/aws-targets.ts` — add to `AgentCoreRegionSchema` enum
+2. `src/schema/llm-compacted/aws-targets.ts` — add to `AgentCoreRegion` type union
+3. `src/schema/schemas/__tests__/aws-targets.test.ts` — add to `validRegions` array
+4. `src/cli/operations/agent/import/constants.ts` — add to `BEDROCK_REGIONS` (if applicable to Bedrock Agent import)
+
+Update these files in the CDK repo (`@aws/agentcore-cdk`):
+
+5. `src/schema/schemas/aws-targets.ts` — add to `AgentCoreRegionSchema` enum
+6. `src/schema/llm-compacted/aws-targets.ts` — add to `AgentCoreRegion` type union
+
+Then run `npm run test:update-snapshots` in the CLI repo if any asset files changed.
+
+### Adding a New Partition
+
+1. Add a new entry to `PARTITION_CONFIGS` in `src/cli/aws/partition.ts` with the region prefix, partition name, DNS
+   suffix, and console domain.
+2. Add tests for the new partition in `src/cli/aws/__tests__/partition.test.ts`.
+3. Update `src/assets/cdk/cdk.json` — add the partition to `@aws-cdk/core:target-partitions`.
+4. Run `npm run test:update-snapshots` to update asset snapshots.
+
 ## TUI Harness
 
 See `docs/tui-harness.md` for the full TUI harness usage guide (MCP tools, screen markers, examples, and error
diff --git a/src/assets/__tests__/__snapshots__/assets.snapshot.test.ts.snap b/src/assets/__tests__/__snapshots__/assets.snapshot.test.ts.snap
@@ -149,7 +149,7 @@ exports[`Assets Directory Snapshots > CDK assets > cdk/cdk/cdk.json should match
     "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": true,
     "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
     "@aws-cdk/core:checkSecretUsage": true,
-    "@aws-cdk/core:target-partitions": ["aws", "aws-cn"],
+    "@aws-cdk/core:target-partitions": ["aws", "aws-cn", "aws-us-gov"],
     "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
     "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
     "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
diff --git a/src/assets/cdk/cdk.json b/src/assets/cdk/cdk.json
@@ -9,7 +9,7 @@
     "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": true,
     "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
     "@aws-cdk/core:checkSecretUsage": true,
-    "@aws-cdk/core:target-partitions": ["aws", "aws-cn"],
+    "@aws-cdk/core:target-partitions": ["aws", "aws-cn", "aws-us-gov"],
     "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
     "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
     "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
diff --git a/src/assets/evaluators/python-lambda/execution-role-policy.json b/src/assets/evaluators/python-lambda/execution-role-policy.json
@@ -4,7 +4,7 @@
     {
       "Effect": "Allow",
       "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
-      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
+      "Resource": "arn:*:logs:*:*:log-group:/aws/lambda/*"
     }
   ]
 }
diff --git a/src/cli/aws/__tests__/partition.test.ts b/src/cli/aws/__tests__/partition.test.ts
@@ -0,0 +1,76 @@
+import { arnPrefix, consoleDomain, dnsSuffix, getPartition, serviceEndpoint } from '../partition';
+import { describe, expect, it } from 'vitest';
+
+describe('getPartition', () => {
+  it('returns aws for standard commercial regions', () => {
+    expect(getPartition('us-east-1')).toBe('aws');
+    expect(getPartition('eu-west-1')).toBe('aws');
+    expect(getPartition('ap-southeast-1')).toBe('aws');
+  });
+
+  it('returns aws-us-gov for GovCloud regions', () => {
+    expect(getPartition('us-gov-west-1')).toBe('aws-us-gov');
+    expect(getPartition('us-gov-east-1')).toBe('aws-us-gov');
+  });
+
+  it('returns aws-cn for China regions', () => {
+    expect(getPartition('cn-north-1')).toBe('aws-cn');
+    expect(getPartition('cn-northwest-1')).toBe('aws-cn');
+  });
+});
+
+describe('arnPrefix', () => {
+  it('returns arn:aws for commercial regions', () => {
+    expect(arnPrefix('us-east-1')).toBe('arn:aws');
+  });
+
+  it('returns arn:aws-us-gov for GovCloud regions', () => {
+    expect(arnPrefix('us-gov-west-1')).toBe('arn:aws-us-gov');
+  });
+
+  it('returns arn:aws-cn for China regions', () => {
+    expect(arnPrefix('cn-north-1')).toBe('arn:aws-cn');
+  });
+});
+
+describe('dnsSuffix', () => {
+  it('returns amazonaws.com for commercial regions', () => {
+    expect(dnsSuffix('us-east-1')).toBe('amazonaws.com');
+  });
+
+  it('returns amazonaws.com for GovCloud regions', () => {
+    expect(dnsSuffix('us-gov-west-1')).toBe('amazonaws.com');
+  });
+
+  it('returns amazonaws.com.cn for China regions', () => {
+    expect(dnsSuffix('cn-north-1')).toBe('amazonaws.com.cn');
+  });
+});
+
+describe('serviceEndpoint', () => {
+  it('builds correct endpoint for commercial regions', () => {
+    expect(serviceEndpoint('bedrock-agentcore', 'us-east-1')).toBe('bedrock-agentcore.us-east-1.amazonaws.com');
+  });
+
+  it('builds correct endpoint for GovCloud regions', () => {
+    expect(serviceEndpoint('bedrock-agentcore', 'us-gov-west-1')).toBe('bedrock-agentcore.us-gov-west-1.amazonaws.com');
+  });
+
+  it('builds correct endpoint for China regions', () => {
+    expect(serviceEndpoint('bedrock-agentcore', 'cn-north-1')).toBe('bedrock-agentcore.cn-north-1.amazonaws.com.cn');
+  });
+});
+
+describe('consoleDomain', () => {
+  it('returns console.aws.amazon.com for commercial regions', () => {
+    expect(consoleDomain('us-east-1')).toBe('console.aws.amazon.com');
+  });
+
+  it('returns console.amazonaws-us-gov.com for GovCloud regions', () => {
+    expect(consoleDomain('us-gov-west-1')).toBe('console.amazonaws-us-gov.com');
+  });
+
+  it('returns console.amazonaws.cn for China regions', () => {
+    expect(consoleDomain('cn-north-1')).toBe('console.amazonaws.cn');
+  });
+});
diff --git a/src/cli/aws/agentcore.ts b/src/cli/aws/agentcore.ts
@@ -1,5 +1,6 @@
 import { parseJsonRpcResponse } from '../../lib/utils/json-rpc';
 import { getCredentialProvider } from './account';
+import { serviceEndpoint } from './partition';
 import {
   BedrockAgentCoreClient,
   EvaluateCommand,
@@ -142,11 +143,10 @@ export function extractResult(text: string): string {
 
 /**
  * Build the invoke URL for a runtime ARN.
- * Format: https://bedrock-agentcore.{REGION}.amazonaws.com/runtimes/{ESCAPED_ARN}/invocations?qualifier=DEFAULT
  */
 function buildInvokeUrl(region: string, runtimeArn: string): string {
   const escapedArn = encodeURIComponent(runtimeArn);
-  return `https://bedrock-agentcore.${region}.amazonaws.com/runtimes/${escapedArn}/invocations?qualifier=DEFAULT`;
+  return `https://${serviceEndpoint('bedrock-agentcore', region)}/runtimes/${escapedArn}/invocations?qualifier=DEFAULT`;
 }
 
 /**
diff --git a/src/cli/aws/bedrock-import.ts b/src/cli/aws/bedrock-import.ts
@@ -323,7 +323,7 @@ async function fetchCollaborators(
       const aliasArn = (summary as { agentDescriptor?: { aliasArn?: string } }).agentDescriptor?.aliasArn;
       if (!aliasArn) continue;
 
-      const arnMatch = /^arn:aws:bedrock:[^:]+:[^:]+:agent-alias\/([^/]+)\/([^/]+)$/.exec(aliasArn);
+      const arnMatch = /^arn:[^:]+:bedrock:[^:]+:[^:]+:agent-alias\/([^/]+)\/([^/]+)$/.exec(aliasArn);
       if (!arnMatch) continue;
       const [, collabAgentId, collabAliasId] = arnMatch;
       if (!collabAgentId || !collabAliasId) continue;
diff --git a/src/cli/aws/cloudwatch.ts b/src/cli/aws/cloudwatch.ts
@@ -1,4 +1,5 @@
 import { getCredentialProvider } from './account';
+import { arnPrefix } from './partition';
 import { CloudWatchLogsClient, FilterLogEventsCommand, StartLiveTailCommand } from '@aws-sdk/client-cloudwatch-logs';
 
 export interface LogEvent {
@@ -31,7 +32,7 @@ export async function* streamLogs(options: StreamLogsOptions): AsyncGenerator<Lo
   const { logGroupName, region, accountId, filterPattern, abortSignal } = options;
 
   // StartLiveTail requires ARN format for logGroupIdentifiers
-  const logGroupArn = `arn:aws:logs:${region}:${accountId}:log-group:${logGroupName}`;
+  const logGroupArn = `${arnPrefix(region)}:logs:${region}:${accountId}:log-group:${logGroupName}`;
 
   while (!abortSignal?.aborted) {
     const client = new CloudWatchLogsClient({
diff --git a/src/cli/aws/index.ts b/src/cli/aws/index.ts
@@ -1,5 +1,6 @@
 export { detectAwsContext, type AwsContext } from './aws-context';
 export { detectAccount, getCredentialProvider } from './account';
+export { getPartition, arnPrefix, dnsSuffix, serviceEndpoint, consoleDomain } from './partition';
 export { detectRegion, type RegionDetectionResult } from './region';
 export {
   invokeBedrockSync,
diff --git a/src/cli/aws/partition.ts b/src/cli/aws/partition.ts
@@ -0,0 +1,49 @@
+interface PartitionConfig {
+  partition: string;
+  dnsSuffix: string;
+  consoleDomain: string;
+}
+
+const PARTITION_CONFIGS: { prefix: string; config: PartitionConfig }[] = [
+  {
+    prefix: 'us-gov-',
+    config: { partition: 'aws-us-gov', dnsSuffix: 'amazonaws.com', consoleDomain: 'console.amazonaws-us-gov.com' },
+  },
+  {
+    prefix: 'cn-',
+    config: { partition: 'aws-cn', dnsSuffix: 'amazonaws.com.cn', consoleDomain: 'console.amazonaws.cn' },
+  },
+];
+
+const DEFAULT_CONFIG: PartitionConfig = {
+  partition: 'aws',
+  dnsSuffix: 'amazonaws.com',
+  consoleDomain: 'console.aws.amazon.com',
+};
+
+export function getPartition(region: string): string {
+  return getPartitionConfig(region).partition;
+}
+
+export function arnPrefix(region: string): string {
+  return `arn:${getPartition(region)}`;
+}
+
+export function dnsSuffix(region: string): string {
+  return getPartitionConfig(region).dnsSuffix;
+}
+
+export function serviceEndpoint(service: string, region: string): string {
+  return `${service}.${region}.${dnsSuffix(region)}`;
+}
+
+export function consoleDomain(region: string): string {
+  return getPartitionConfig(region).consoleDomain;
+}
+
+function getPartitionConfig(region: string): PartitionConfig {
+  for (const { prefix, config } of PARTITION_CONFIGS) {
+    if (region.startsWith(prefix)) return config;
+  }
+  return DEFAULT_CONFIG;
+}
diff --git a/src/cli/aws/transaction-search.ts b/src/cli/aws/transaction-search.ts
@@ -1,5 +1,6 @@
 import { getErrorMessage, isAccessDeniedError } from '../errors';
 import { getCredentialProvider } from './account';
+import { arnPrefix } from './partition';
 import { ApplicationSignalsClient, StartDiscoveryCommand } from '@aws-sdk/client-application-signals';
 import {
   CloudWatchLogsClient,
@@ -64,11 +65,11 @@ export async function enableTransactionSearch(
             Principal: { Service: 'xray.amazonaws.com' },
             Action: 'logs:PutLogEvents',
             Resource: [
-              `arn:aws:logs:${region}:${accountId}:log-group:aws/spans:*`,
-              `arn:aws:logs:${region}:${accountId}:log-group:/aws/application-signals/data:*`,
+              `${arnPrefix(region)}:logs:${region}:${accountId}:log-group:aws/spans:*`,
+              `${arnPrefix(region)}:logs:${region}:${accountId}:log-group:/aws/application-signals/data:*`,
             ],
             Condition: {
-              ArnLike: { 'aws:SourceArn': `arn:aws:xray:${region}:${accountId}:*` },
+              ArnLike: { 'aws:SourceArn': `${arnPrefix(region)}:xray:${region}:${accountId}:*` },
               StringEquals: { 'aws:SourceAccount': accountId },
             },
           },
diff --git a/src/cli/commands/import/actions.ts b/src/cli/commands/import/actions.ts
@@ -8,6 +8,7 @@ import type {
   Memory,
 } from '../../../schema';
 import { validateAwsCredentials } from '../../aws/account';
+import { arnPrefix } from '../../aws/partition';
 import { ExecLogger } from '../../logging';
 import { setupPythonProject } from '../../operations/python/setup';
 import { executeCdkImportPipeline } from './import-pipeline';
@@ -521,7 +522,7 @@ export async function handleImport(options: ImportOptions): Promise<ImportResult
           id: a.physicalAgentId!,
           arn:
             a.physicalAgentArn ??
-            `arn:aws:bedrock-agentcore:${target.region}:${target.account}:runtime/${a.physicalAgentId}`,
+            `${arnPrefix(target.region)}:bedrock-agentcore:${target.region}:${target.account}:runtime/${a.physicalAgentId}`,
         })),
       ...memoriesToImport
         .filter(m => m.physicalMemoryId)
@@ -531,7 +532,7 @@ export async function handleImport(options: ImportOptions): Promise<ImportResult
           id: m.physicalMemoryId!,
           arn:
             m.physicalMemoryArn ??
-            `arn:aws:bedrock-agentcore:${target.region}:${target.account}:memory/${m.physicalMemoryId}`,
+            `${arnPrefix(target.region)}:bedrock-agentcore:${target.region}:${target.account}:memory/${m.physicalMemoryId}`,
         })),
     ];
 
diff --git a/src/cli/commands/import/import-online-eval.ts b/src/cli/commands/import/import-online-eval.ts
@@ -5,6 +5,7 @@ import {
   listAllAgentRuntimes,
   listAllOnlineEvaluationConfigs,
 } from '../../aws/agentcore-control';
+import { arnPrefix } from '../../aws/partition';
 import { ANSI } from './constants';
 import { failResult, findResourceInDeployedState, parseAndValidateArn } from './import-utils';
 import { executeResourceImport } from './resource-import';
@@ -52,7 +53,7 @@ export function toOnlineEvalConfigSpec(
  * since evaluators locked by an online eval config cannot be CFN-imported.
  */
 function buildEvaluatorArns(evaluatorIds: string[], region: string, account: string): string[] {
-  return evaluatorIds.map(id => `arn:aws:bedrock-agentcore:${region}:${account}:evaluator/${id}`);
+  return evaluatorIds.map(id => `${arnPrefix(region)}:bedrock-agentcore:${region}:${account}:evaluator/${id}`);
 }
 
 /**
diff --git a/src/cli/commands/import/import-utils.ts b/src/cli/commands/import/import-utils.ts
@@ -130,10 +130,10 @@ export async function resolveImportTarget(options: ResolveTargetOptions): Promis
   // Validate ARN format early if provided
   if (
     arn &&
-    !/^arn:aws:bedrock-agentcore:([^:]+):([^:]+):(runtime|memory|evaluator|online-evaluation-config)\/(.+)$/.test(arn)
+    !/^arn:[^:]+:bedrock-agentcore:([^:]+):([^:]+):(runtime|memory|evaluator|online-evaluation-config)\/(.+)$/.test(arn)
   ) {
     throw new Error(
-      `Not a valid ARN: "${arn}".\nExpected format: arn:aws:bedrock-agentcore:<region>:<account>:<runtime|memory|evaluator|online-evaluation-config>/<id>`
+      `Not a valid ARN: "${arn}".\nExpected format: arn:<partition>:bedrock-agentcore:<region>:<account>:<runtime|memory|evaluator|online-evaluation-config>/<id>`
     );
   }
 
@@ -146,7 +146,7 @@ export async function resolveImportTarget(options: ResolveTargetOptions): Promis
       );
     }
 
-    const arnMatch = /^arn:aws:bedrock-agentcore:([^:]+):([^:]+):/.exec(arn);
+    const arnMatch = /^arn:[^:]+:bedrock-agentcore:([^:]+):([^:]+):/.exec(arn);
     if (!arnMatch) {
       throw new Error(
         'No deployment targets found in project and could not parse region/account from ARN.\nRun `agentcore deploy` first to set up a target, then re-run import.'
@@ -210,7 +210,7 @@ export interface ParsedArn {
 }
 
 const ARN_PATTERN =
-  /^arn:aws:bedrock-agentcore:([^:]+):([^:]+):(runtime|memory|evaluator|online-evaluation-config)\/(.+)$/;
+  /^arn:[^:]+:bedrock-agentcore:([^:]+):([^:]+):(runtime|memory|evaluator|online-evaluation-config)\/(.+)$/;
 
 /** Unified config for each importable resource type — ARN mapping, deployed state keys. */
 const RESOURCE_TYPE_CONFIG: Record<
@@ -244,7 +244,7 @@ export function parseAndValidateArn(
   const expectedArnType = RESOURCE_TYPE_CONFIG[expectedResourceType].arnType;
   if (!match) {
     throw new Error(
-      `Invalid ARN format: "${arn}". Expected format: arn:aws:bedrock-agentcore:<region>:<account>:${expectedArnType}/<id>`
+      `Invalid ARN format: "${arn}". Expected format: arn:<partition>:bedrock-agentcore:<region>:<account>:${expectedArnType}/<id>`
     );
   }
 
diff --git a/src/cli/commands/status/constants.ts b/src/cli/commands/status/constants.ts
@@ -1,3 +1,4 @@
+import { serviceEndpoint } from '../../aws/partition';
 import { STATUS_COLORS } from '../../tui/theme';
 
 export type ResourceDeploymentState = 'deployed' | 'local-only' | 'pending-removal';
@@ -16,5 +17,5 @@ export const DEPLOYMENT_STATE_LABELS: Record<ResourceDeploymentState, string> =
 
 export function buildRuntimeInvocationUrl(region: string, runtimeArn: string): string {
   const encodedArn = encodeURIComponent(runtimeArn);
-  return `https://bedrock-agentcore.${region}.amazonaws.com/runtimes/${encodedArn}/invocations`;
+  return `https://${serviceEndpoint('bedrock-agentcore', region)}/runtimes/${encodedArn}/invocations`;
 }
diff --git a/src/cli/operations/agent/import/base-translator.ts b/src/cli/operations/agent/import/base-translator.ts
@@ -14,6 +14,7 @@ import type {
   KnowledgeBaseInfo,
   PromptConfiguration,
 } from '../../../aws/bedrock-import-types';
+import { arnPrefix } from '../../../aws/partition';
 import type { MemoryOption } from '../../../tui/screens/generate/types';
 
 export interface TranslatorOptions {
@@ -373,7 +374,9 @@ memory_id = os.environ.get("MEMORY_ID", "")
       if (kb.knowledgeBaseArn) {
         kbArns.push(kb.knowledgeBaseArn);
       } else if (kb.knowledgeBaseId) {
-        kbArns.push(`arn:aws:bedrock:${this.agentRegion}:*:knowledge-base/${kb.knowledgeBaseId}`);
+        kbArns.push(
+          `${arnPrefix(this.agentRegion)}:bedrock:${this.agentRegion}:*:knowledge-base/${kb.knowledgeBaseId}`
+        );
       }
     }
 
diff --git a/src/cli/operations/agent/import/constants.ts b/src/cli/operations/agent/import/constants.ts
@@ -12,6 +12,7 @@ export const BEDROCK_REGIONS = [
   { id: 'ap-south-1', title: 'Asia Pacific (Mumbai)' },
   { id: 'ca-central-1', title: 'Canada (Central)' },
   { id: 'sa-east-1', title: 'South America (Sao Paulo)' },
+  { id: 'us-gov-west-1', title: 'GovCloud (US West)' },
 ] as const;
 
 export const IMPORT_FRAMEWORK_OPTIONS = [
diff --git a/src/cli/operations/traces/trace-url.ts b/src/cli/operations/traces/trace-url.ts
diff --git a/src/cli/tui/screens/import/ArnInputScreen.tsx b/src/cli/tui/screens/import/ArnInputScreen.tsx
diff --git a/src/schema/llm-compacted/aws-targets.ts b/src/schema/llm-compacted/aws-targets.ts
diff --git a/src/schema/schemas/__tests__/aws-targets.test.ts b/src/schema/schemas/__tests__/aws-targets.test.ts
diff --git a/src/schema/schemas/aws-targets.ts b/src/schema/schemas/aws-targets.ts

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`{`
`5`	`5`	`"Effect": "Allow",`
`6`	`6`	`"Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],`
`7`		`- "Resource": "arn:aws:logs:::log-group:/aws/lambda/*"`
	`7`	`+ "Resource": "arn::logs:::log-group:/aws/lambda/"`
`8`	`8`	`}`
`9`	`9`	`]`
`10`	`10`	`}`