Govcloud partition refactor

.header.md

@@ -13,6 +13,12 @@ Module layout:
 * `byo-vpc/byo-db`
 * `byo-vpc/byo-db/byo-ecs`
 
+# AWS GovCloud Compatibility
+
+The root module, `byo-vpc`, its nested AWS modules, and non-CloudFront addons are intended to remain partition-aware so they can be used in AWS GovCloud (US) where the underlying AWS service is available.
+
+`addons/cloudfront-software-installers` is intentionally out of scope for AWS GovCloud compatibility because CloudFront is not available inside the AWS GovCloud (US) partition. Any deployment that combines CloudFront with GovCloud resources is a cross-partition architecture and should be reviewed separately.
+
 # KMS Coverage
 
 This root module now exposes optional customer-managed KMS key (CMK) support for every KMS-capable surface that this stack manages directly or passes through to child modules.

README.md

@@ -13,6 +13,12 @@ Module layout:
 * `byo-vpc/byo-db`
 * `byo-vpc/byo-db/byo-ecs`
 
+# AWS GovCloud Compatibility
+
+The root module, `byo-vpc`, its nested AWS modules, and non-CloudFront addons are intended to remain partition-aware so they can be used in AWS GovCloud (US) where the underlying AWS service is available.
+
+`addons/cloudfront-software-installers` is intentionally out of scope for AWS GovCloud compatibility because CloudFront is not available inside the AWS GovCloud (US) partition. Any deployment that combines CloudFront with GovCloud resources is a cross-partition architecture and should be reviewed separately.
+
 # KMS Coverage
 
 This root module now exposes optional customer-managed KMS key (CMK) support for every KMS-capable surface that this stack manages directly or passes through to child modules.

addons/byo-file-carving/target-account/s3.tf

@@ -1,4 +1,5 @@
 data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
 
 # IAM policy document for the KMS key
 data "aws_iam_policy_document" "kms_key_policy" {
@@ -8,7 +9,7 @@ data "aws_iam_policy_document" "kms_key_policy" {
     resources = ["*"]
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
   }
 }

addons/byo-firehose-logging-destination/target-account/firehose.tf

@@ -1,3 +1,5 @@
+data "aws_partition" "current" {}
+
 data "aws_iam_policy_document" "osquery_firehose_assume_role" {
   statement {
     effect  = "Allow"
@@ -31,7 +33,7 @@ data "aws_iam_policy_document" "firehose_policy" {
     effect  = "Allow"
     actions = ["logs:PutLogEvents"]
     resources = [
-      for name in keys(var.log_destinations) : "arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.log_destinations[name].name}:*"
+      for name in keys(var.log_destinations) : "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.log_destinations[name].name}:*"
     ]
   }
 

addons/cloudfront-software-installers/.header.md

@@ -9,6 +9,10 @@ https://victoronsoftware.com/posts/cloudfront-signed-urls/
 
 The second link includes a script that can be used to test and see if signed URLs are working outside of Fleet for troubleshooting purposes.
 
+## AWS GovCloud Scope
+
+This addon is intentionally out of scope for AWS GovCloud compatibility. CloudFront is not available inside the AWS GovCloud (US) partition, so using it with GovCloud-hosted resources is a cross-partition architecture that should be designed and reviewed separately.
+
 
 ## Other module requirements
 

addons/cloudfront-software-installers/README.md

@@ -9,6 +9,10 @@ https://victoronsoftware.com/posts/cloudfront-signed-urls/
 
 The second link includes a script that can be used to test and see if signed URLs are working outside of Fleet for troubleshooting purposes.
 
+## AWS GovCloud Scope
+
+This addon is intentionally out of scope for AWS GovCloud compatibility. CloudFront is not available inside the AWS GovCloud (US) partition, so using it with GovCloud-hosted resources is a cross-partition architecture that should be designed and reviewed separately.
+
 ## Other module requirements
 
 These are the minimum versions of modules required if used:

addons/logging-alb/lambda/sweep_reencrypt.py

@@ -16,6 +16,7 @@
 LOG_PREFIX = os.environ["LOG_PREFIX"]
 ACCOUNT_ID = os.environ["ACCOUNT_ID"]
 REGION = os.environ["REGION"]
+PARTITION = os.environ["PARTITION"]
 BATCH_ROLE_ARN = os.environ["BATCH_ROLE_ARN"]
 
 
@@ -70,7 +71,7 @@ def handler(event, context):
     manifest_etag = put_resp["ETag"]
 
     # Submit S3 Batch Operations job
-    bucket_arn = f"arn:aws:s3:::{BUCKET}"
+    bucket_arn = f"arn:{PARTITION}:s3:::{BUCKET}"
     job = s3control.create_job(
         AccountId=ACCOUNT_ID,
         Operation={

addons/logging-alb/main.tf

@@ -548,6 +548,7 @@ resource "aws_lambda_function" "sweep_reencrypt" {
       LOG_PREFIX     = local.s3_path_prefix
       ACCOUNT_ID     = data.aws_caller_identity.current.account_id
       REGION         = data.aws_region.current.region
+      PARTITION      = data.aws_partition.current.partition
       BATCH_ROLE_ARN = aws_iam_role.batch_reencrypt[0].arn
     }
   }

addons/logging-alb/scripts/start-batch-replication-migration.sh

@@ -65,6 +65,7 @@ sanitize_role_name() {
 source_bucket=""
 kms_key_arn=""
 account_id=""
+partition=""
 region=""
 report_bucket=""
 report_prefix="_batch-copy-migration/"
@@ -164,6 +165,8 @@ if [[ -z "$account_id" ]]; then
   account_id="$(aws sts get-caller-identity --query 'Account' --output text)"
 fi
 
+partition="$(aws sts get-caller-identity --query 'Arn' --output text | cut -d: -f2)"
+
 if [[ -z "$region" && -n "$source_bucket" ]]; then
   region="$(aws s3api get-bucket-location --bucket "$source_bucket" --query 'LocationConstraint' --output text)"
   if [[ "$region" == "None" ]]; then
@@ -210,7 +213,7 @@ if [[ -z "$batch_role_arn" ]]; then
   if [[ -z "$batch_role_name" ]]; then
     batch_role_name="$(sanitize_role_name "${source_bucket}-s3-batch-copy")"
   fi
-  batch_role_arn="arn:aws:iam::${account_id}:role/${batch_role_name}"
+  batch_role_arn="arn:${partition}:iam::${account_id}:role/${batch_role_name}"
 elif [[ -z "$batch_role_name" ]]; then
   batch_role_name="${batch_role_arn##*/}"
 fi
@@ -247,8 +250,8 @@ fi
 
 # ── Build manifest ────────────────────────────────────────────────────────────
 
-source_bucket_arn="arn:aws:s3:::${source_bucket}"
-report_bucket_arn="arn:aws:s3:::${report_bucket}"
+source_bucket_arn="arn:${partition}:s3:::${source_bucket}"
+report_bucket_arn="arn:${partition}:s3:::${report_bucket}"
 client_request_token="$(uuidgen | tr '[:upper:]' '[:lower:]')"
 
 tmpdir="$(mktemp -d)"

addons/mdmproxy/iam.tf

@@ -1,3 +1,5 @@
+data "aws_partition" "current" {}
+
 data "aws_iam_policy_document" "mdmproxy" {
   statement {
     effect    = "Allow"
@@ -51,6 +53,6 @@ resource "aws_iam_role" "execution" {
 }
 
 resource "aws_iam_role_policy_attachment" "role_attachment" {
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
   role       = aws_iam_role.execution.name
 }

addons/monitoring/main.tf

@@ -526,7 +526,7 @@ resource "aws_iam_role_policy_attachment" "cron_monitoring_lambda" {
 resource "aws_iam_role_policy_attachment" "cron_monitoring_lambda_managed" {
   count      = var.cron_monitoring == null ? 0 : 1
   role       = aws_iam_role.cron_monitoring_lambda[0].id
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 }
 
 resource "aws_iam_policy" "cron_monitoring_lambda" {

addons/ses/main.tf

@@ -5,6 +5,24 @@ locals {
     var.custom_mail_from.enabled == true ? "${var.custom_mail_from.domain_prefix}.${aws_ses_domain_identity.default.domain}" : null
   ]))
   dmarc_domain = "_dmarc.${aws_ses_domain_identity.default.domain}"
+
+  # Most SES regions use dkim.amazonses.com, but AWS documents a small set of
+  # region-specific DKIM domains that must be used instead:
+  # https://docs.aws.amazon.com/general/latest/gr/ses.html#ses_dkim_domains
+  ses_dkim_domains = {
+    af-south-1     = "dkim.af-south-1.amazonses.com"
+    ap-northeast-3 = "dkim.ap-northeast-3.amazonses.com"
+    ap-south-2     = "dkim.ap-south-2.amazonses.com"
+    ap-southeast-3 = "dkim.ap-southeast-3.amazonses.com"
+    ap-southeast-5 = "dkim.ap-southeast-5.amazonses.com"
+    ca-west-1      = "dkim.ca-west-1.amazonses.com"
+    eu-central-2   = "dkim.eu-central-2.amazonses.com"
+    eu-south-1     = "dkim.eu-south-1.amazonses.com"
+    il-central-1   = "dkim.il-central-1.amazonses.com"
+    me-central-1   = "dkim.me-central-1.amazonses.com"
+    us-gov-east-1  = "dkim.us-gov-east-1.amazonses.com"
+  }
+  dkim_domain = lookup(local.ses_dkim_domains, data.aws_region.current.region, "dkim.amazonses.com")
 }
 
 data "aws_region" "current" {}
@@ -42,7 +60,7 @@ resource "aws_route53_record" "amazonses_dkim_record" {
   name    = "${element(aws_ses_domain_dkim.default.dkim_tokens, count.index)}._domainkey.${var.domain}"
   type    = "CNAME"
   ttl     = "600"
-  records = ["${element(aws_ses_domain_dkim.default.dkim_tokens, count.index)}.dkim.amazonses.com"]
+  records = ["${element(aws_ses_domain_dkim.default.dkim_tokens, count.index)}.${local.dkim_domain}"]
 }
 
 resource "aws_route53_record" "spf_domain" {
@@ -63,7 +81,7 @@ resource "aws_route53_record" "dmarc_domain" {
 }
 
 resource "aws_iam_policy" "main" {
-  count = var.create_iam_policy ? 1 : 0
+  count  = var.create_iam_policy ? 1 : 0
   policy = data.aws_iam_policy_document.main[0].json
 }
 

byo-vpc/.header.md

@@ -70,7 +70,7 @@ Example:
 
 ```hcl
 locals {
-  cron_monitoring_lambda_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.customer}-cron-monitoring-lambda"
+  cron_monitoring_lambda_role_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${local.customer}-cron-monitoring-lambda"
 }
 
 module "fleet_byo_vpc" {

byo-vpc/README.md

@@ -70,7 +70,7 @@ Example:
 
 ```hcl
 locals {
-  cron_monitoring_lambda_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.customer}-cron-monitoring-lambda"
+  cron_monitoring_lambda_role_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${local.customer}-cron-monitoring-lambda"
 }
 
 module "fleet_byo_vpc" {

byo-vpc/byo-db/byo-ecs/iam.tf

@@ -207,6 +207,6 @@ resource "aws_iam_role" "execution" {
 }
 
 resource "aws_iam_role_policy_attachment" "role_attachment" {
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
   role       = aws_iam_role.execution.name
 }