fix: Use AWS::Partition Pseudo Parameter in IAM ARNs #40

Merged
merged 6 commits into main from kent.pseudoparam
Aug 6, 2024

Conversation

kentquirk
Contributor

@kentquirk kentquirk commented Aug 6, 2024

Which problem is this PR solving?

In AWS GovCloud, the RDS and CloudWatch Logs templates fail because the RDS and CloudWatch Logs templates contain IAM ARNs hardcoded with the AWS commercial partition (aws) instead of (aws-us-gov).

Example Error Message:

    waiting for CloudFormation Stack (arn:aws-us-gov:cloudformation:us-gov-west-1:<redacted>) create: stack status (ROLLBACK_COMPLETE): The following resource(s) failed to create: [LogSubscription]. Rollback requested by user.

    Resource handler returned message: "Invalid request provided: AWS::Logs::SubscriptionFilter. Could not deliver test message to specified Firehose stream. Check if the given Firehose stream is in ACTIVE state. (Service: CloudWatchLogs, Status Code: 400, Request ID: 123abc)" (RequestToken: 1fc17137-260a-91fe-803f-75e5cce376c2, HandlerErrorCode: InvalidRequest)

This PR is a copy of #37 but under Honeycomb's repository because of permissions issues.

Short description of the changes

Swap the hardcoded AWS partition with the AWS Partition Pseudo Parameter, AWS::Partition

  1. Allow CloudWatch Logs service in non-default AWS Partitions to assume LogStreamRole

  2. For RDS Logs TransformLambdaRole, use correct AWSLambdaBasicExecutionRole ARN for non-default AWS Partitions

How to verify that this has the expected result

Deploy RDS Logs or CloudWatch Logs templates in AWS GovCloud.
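The PR description above explains the fix (swap a literal `arn:aws:` for `arn:${AWS::Partition}:` in IAM ARNs) but the conversation page shows no template text. The following is an added example, not code from this PR or from the Honeycomb templates it changes: a small CloudFormation fragment (in JSON form) with the two kinds of hardcoded ARN the two list items describe, a checker that flags any ARN beginning with a literal partition, a rewrite that wraps such ARNs in `Fn::Sub` over `AWS::Partition`, and a resolver that shows what the rewritten ARN renders to in GovCloud. The `LogStreamRole` trust policy and Firehose permission are an assumed shape that mirrors the error message, and `TransformLambdaRole` carries the real `AWSLambdaBasicExecutionRole` managed policy ARN; neither resource body is copied from the project.

```python
"""Added example, not code from the PR or from the Honeycomb templates it changes.

Models the defect the PR describes: IAM ARNs with the commercial partition
("arn:aws:") baked into a CloudFormation template, which fail to deploy in
GovCloud ("arn:aws-us-gov:"). Resource and role names are assumptions chosen
to mirror the PR description, not copied from the project's templates.
"""
import json
import re

# Any literal partition at the start of an ARN ties the template to that one
# partition; the check treats every partition name as equally non-portable.
LITERAL_PARTITION = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):")

# Constructed template fragment (JSON form of a CloudFormation template).
HARDCODED_TEMPLATE = {
    "Resources": {
        # Assumed shape: the role CloudWatch Logs assumes to write to Firehose.
        "LogStreamRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": "logs.amazonaws.com"},
                        "Action": "sts:AssumeRole",
                    }],
                },
                "Policies": [{
                    "PolicyName": "PutToFirehose",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": ["firehose:PutRecord", "firehose:PutRecordBatch"],
                            # Hardcoded commercial partition (the bug).
                            "Resource": "arn:aws:firehose:*:*:deliverystream/*",
                        }],
                    },
                }],
            },
        },
        "TransformLambdaRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [
                    # Real AWS managed policy; the partition is still hardcoded.
                    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
                ],
            },
        },
    }
}


def find_hardcoded_partitions(node, path="$"):
    """Return (path, arn) for every string in the template that starts with a literal partition."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_hardcoded_partitions(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_hardcoded_partitions(value, f"{path}[{index}]"))
    elif isinstance(node, str) and LITERAL_PARTITION.match(node):
        hits.append((path, node))
    return hits


def make_partition_aware(node):
    """Return a copy of the template in which every literal-partition ARN becomes
    an Fn::Sub expression over ${AWS::Partition}, which is the PR's fix."""
    if isinstance(node, dict):
        return {key: make_partition_aware(value) for key, value in node.items()}
    if isinstance(node, list):
        return [make_partition_aware(value) for value in node]
    if isinstance(node, str) and LITERAL_PARTITION.match(node):
        return {"Fn::Sub": LITERAL_PARTITION.sub("arn:${AWS::Partition}:", node)}
    return node


def resolve_partition(node, partition):
    """Evaluate only the ${AWS::Partition} substitutions, the way CloudFormation
    would when the stack is created in the given partition."""
    if isinstance(node, dict):
        if set(node) == {"Fn::Sub"} and isinstance(node["Fn::Sub"], str):
            return node["Fn::Sub"].replace("${AWS::Partition}", partition)
        return {key: resolve_partition(value, partition) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve_partition(value, partition) for value in node]
    return node


def lambda_policy_arn(template, partition):
    """The managed policy ARN TransformLambdaRole would receive in `partition`."""
    rendered = resolve_partition(template, partition)
    return rendered["Resources"]["TransformLambdaRole"]["Properties"]["ManagedPolicyArns"][0]


if __name__ == "__main__":
    for path, arn in find_hardcoded_partitions(HARDCODED_TEMPLATE):
        print(f"hardcoded partition at {path}: {arn}")
    fixed = make_partition_aware(HARDCODED_TEMPLATE)
    print(json.dumps(fixed["Resources"]["TransformLambdaRole"], indent=2))
    print("renders in GovCloud as:", lambda_policy_arn(fixed, "aws-us-gov"))
```

Run against a real template (converted to JSON with `cfn-flip` or similar), `find_hardcoded_partitions` is a cheap pre-merge check that would have caught both ARNs this PR fixes; the rewrite uses `Fn::Sub` because `${AWS::Partition}` is only expanded inside it, and `resolve_partition` makes the GovCloud result visible without deploying a stack.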

dougireton and others added 3 commits June 7, 2024 16:41
1. Allow CloudWatch Logs service in non-default AWS Partitions to assume LogStreamRole

2. For RDS Logs TransformLambdaRole, use correct AWSLambdaBasicExecutionRole ARN for non-default AWS Partitions
@kentquirk kentquirk self-assigned this Aug 6, 2024
@kentquirk kentquirk requested a review from a team as a code owner August 6, 2024 19:56
@kentquirk kentquirk changed the title Kent.pseudoparam fix: attempt to make pseudoparam branch build Aug 6, 2024
@JamieDanielson
Contributor

Actually can we change the title and details to reflect the changes in the original PR?

@kentquirk kentquirk changed the title fix: attempt to make pseudoparam branch build fix: Use AWS::Partition Pseudo Parameter in IAM ARNs Aug 6, 2024
@kentquirk kentquirk merged commit 7274ca5 into main Aug 6, 2024
7 checks passed
@kentquirk kentquirk deleted the kent.pseudoparam branch August 6, 2024 20:40