From 8d52fd25362c0934ef6316baf8cc112a91c0811b Mon Sep 17 00:00:00 2001
From: Michael Fraenkel
Date: Wed, 7 Dec 2022 11:18:08 -0700
Subject: [PATCH] PLAT-6040: Use partition in all arns

To support govcloud, the correct partition must be used when building ARNs.
---
 cdk/domino_cdk/config/iam.py               |  2 +-
 cdk/domino_cdk/provisioners/eks/eks_iam.py | 20 +++++++++++++++++---
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/cdk/domino_cdk/config/iam.py b/cdk/domino_cdk/config/iam.py
index ad8a9ab4..73b3c68d 100755
--- a/cdk/domino_cdk/config/iam.py
+++ b/cdk/domino_cdk/config/iam.py
@@ -35,7 +35,7 @@ def do_cf():
                 "cloudformation:GetTemplate",
             ],
             "Resource": [
-                # f"arn:aws:cloudformation:*:{aws_account_id}:stack/{stack_name}-eks-stack/*",
+                # f"arn:{partition}:cloudformation:*:{aws_account_id}:stack/{stack_name}-eks-stack/*",
                 f"arn:{partition}:cloudformation:*:{aws_account_id}:stack/{stack_name}*",
             ],
         }
diff --git a/cdk/domino_cdk/provisioners/eks/eks_iam.py b/cdk/domino_cdk/provisioners/eks/eks_iam.py
index 5d5fae10..d19c98bd 100644
--- a/cdk/domino_cdk/provisioners/eks/eks_iam.py
+++ b/cdk/domino_cdk/provisioners/eks/eks_iam.py
@@ -3,6 +3,7 @@
 import aws_cdk.aws_iam as iam
 from aws_cdk import core as cdk
 from aws_cdk.aws_s3 import Bucket
+from aws_cdk.region_info import Fact, FactName
 
 
 class DominoEksIamProvisioner:
@@ -12,7 +13,14 @@ def __init__(
     ) -> None:
         self.scope = scope
 
-    def provision(self, stack_name: str, cluster_name: str, r53_zone_ids: List[str], buckets: Dict[str, Bucket]):
+    def provision(
+        self,
+        stack_name: str,
+        cluster_name: str,
+        r53_zone_ids: List[str],
+        buckets: Dict[str, Bucket],
+    ):
+        partition = Fact.require_fact(self.scope.region, FactName.PARTITION)
         asg_group_statement = iam.PolicyStatement(
             actions=[
                 "autoscaling:DescribeAutoScalingInstances",
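Review bot: The only changed line in the do_cf hunk is a commented-out resource ARN, so the commit keeps dead code up to date instead of removing it. Either delete that commented line or replace it with a comment stating why the broader `stack/{stack_name}*` pattern is used instead of the narrower `-eks-stack/*` one, e.g. `# {stack_name}* intentionally also matches the nested {stack_name}-eks-stack resources`, if that is the reason. do_cf's body starts and ends outside the hunk.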
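Review bot: The new `partition = Fact.require_fact(self.scope.region, FactName.PARTITION)` line at the top of provision() raises at synth time whenever the region is not a concrete, known string, which is what an environment-agnostic stack hands back as an unresolved region token; this makes provision() hard-fail for such stacks rather than degrade to the generic partition. If `self.scope` is a `cdk.Stack`, `partition = self.scope.partition` yields the same concrete partition for a known region and otherwise falls back to the `AWS::Partition` pseudo parameter, which is the safer choice unless the project deliberately requires a pinned region; please confirm which applies. The local also deserves a why-comment, e.g. `# GovCloud and China regions use a partition other than "aws"; never hard-code it in ARNs`. The rest of provision()'s body lies outside this hunk.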
@@ -115,13 +123,19 @@ def provision(self, stack_name: str, cluster_name: str, r53_zone_ids: List[str],
             iam.PolicyStatement(
                 effect=iam.Effect.ALLOW,
                 actions=["ec2:CreateTags"],
-                resources=["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*"],
+                resources=[
+                    f"arn:{partition}:ec2:*:*:volume/*",
+                    f"arn:{partition}:ec2:*:*:snapshot/*",
+                ],
                 conditions={"StringEquals": {"ec2:CreateAction": ["CreateVolume", "CreateSnapshot"]}},
             ),
             iam.PolicyStatement(
                 effect=iam.Effect.ALLOW,
                 actions=["ec2:DeleteTags"],
-                resources=["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*"],
+                resources=[
+                    f"arn:{partition}:ec2:*:*:volume/*",
+                    f"arn:{partition}:ec2:*:*:snapshot/*",
+                ],
             ),
             iam.PolicyStatement(
                 effect=iam.Effect.ALLOW,
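Review bot: The two added resource lists in the CreateTags and DeleteTags statements are identical, so the hunk writes the same pair of partition-aware ARNs twice. Hoist them once before the policy, `ec2_tag_resources = [f"arn:{partition}:ec2:*:*:volume/*", f"arn:{partition}:ec2:*:*:snapshot/*"]`, and use `resources=ec2_tag_resources` in both statements, which keeps the CreateTags and DeleteTags scopes from silently diverging if one is narrowed later. A one-line comment on that local, e.g. `# volume/snapshot ARNs must carry the stack's partition (GovCloud is not "aws")`, would record why the literal `arn:aws` prefix was dropped. The enclosing provision() starts and ends outside this hunk.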