Added support for AWS Govcloud DoD shard

Author: airizarryDB

aws/constants.go

@@ -3,15 +3,23 @@ package aws
 var AwsConfig = map[string]map[string]string{
 	"aws": {
 		"accountId":            "414351767826",
+		"awsNamespace":         "aws",
 		"logDeliveryIamArn":    "arn:aws:iam::414351767826:role/SaasUsageDeliveryRole-prod-IAMRole-3PLHICCRR1TK",
 		"unityCatalogueIamArn": "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
 	},
 	"aws-us-gov": {
 		"accountId":            "044793339203",
+		"awsNamespace":         "aws-us-gov",
 		"logDeliveryIamArn":    "arn:aws-us-gov:iam::044793339203:role/SaasUsageDeliveryRole-prod-aws-gov-IAMRole-L4QM0RCHYQ1G",
 		"unityCatalogueIamArn": "arn:aws-us-gov:iam::044793339203:role/unity-catalog-prod-UCMasterRole-1QRFA8SGY15OJ",
 	},
+	"aws-us-gov-dod": {
+		"accountId":            "170661010020",
+		"awsNamespace":         "aws-us-gov",
+		"logDeliveryIamArn":    "arn:aws-us-gov:iam::170661010020:role/SaasUsageDeliveryRole-prod-aws-gov-dod-IAMRole-1DMEHBYR8VC5P",
+		"unityCatalogueIamArn": "arn:aws-us-gov:iam::170661010020:role/unity-catalog-prod-UCMasterRole-1DI6DL6ZP26AS",
+	},
 }
 
-var AwsPartitions = []string{"aws", "aws-us-gov"}
-var AwsPartitionsValidationError = "aws_partition must be either 'aws' or 'aws-us-gov'"
+var AwsPartitions = []string{"aws", "aws-us-gov", "aws-us-gov-dod"}
+var AwsPartitionsValidationError = "aws_partition must be either 'aws' or 'aws-us-gov' or 'aws-us-gov-dod'"

aws/data_aws_assume_role_policy.go

@@ -34,6 +34,7 @@ func DataAwsAssumeRolePolicy() common.Resource {
 			externalID := d.Get("external_id").(string)
 			awsPartition := d.Get("aws_partition").(string)
 			databricksAwsAccountId := d.Get("databricks_account_id").(string)
+			awsNamespace := AwsConfig[awsPartition]["awsNamespace"]
 
 			if databricksAwsAccountId == "" {
 				databricksAwsAccountId = AwsConfig[awsPartition]["accountId"]
@@ -51,7 +52,7 @@ func DataAwsAssumeRolePolicy() common.Resource {
 							},
 						},
 						Principal: map[string]string{
-							"AWS": fmt.Sprintf("arn:%s:iam::%s:root", awsPartition, databricksAwsAccountId),
+							"AWS": fmt.Sprintf("arn:%s:iam::%s:root", awsNamespace, databricksAwsAccountId),
 						},
 					},
 				},

aws/data_aws_assume_role_policy_test.go

@@ -36,6 +36,22 @@ func TestDataAwsAssumeRolePolicyGov(t *testing.T) {
 	assert.Lenf(t, j, 306, "Strange length for policy: %s", j)
 }
 
+func TestDataAwsAssumeRolePolicyGovDoD(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Read:        true,
+		Resource:    DataAwsAssumeRolePolicy(),
+		NonWritable: true,
+		ID:          ".",
+		HCL: `
+		aws_partition = "aws-us-gov-dod"
+		external_id = "abc"
+		`,
+	}.Apply(t)
+	assert.NoError(t, err)
+	j := d.Get("json")
+	assert.Lenf(t, j, 306, "Strange length for policy: %s", j)
+}
+
 func TestDataAwsAssumeRolePolicyLogDelivery(t *testing.T) {
 	d, err := qa.ResourceFixture{
 		Read:        true,
@@ -68,3 +84,20 @@ func TestDataAwsAssumeRolePolicyLogDeliveryGov(t *testing.T) {
 	j := d.Get("json")
 	assert.Lenf(t, j, 362, "Strange length for policy: %s", j)
 }
+
+func TestDataAwsAssumeRolePolicyLogDeliveryGovDoD(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Read:        true,
+		Resource:    DataAwsAssumeRolePolicy(),
+		NonWritable: true,
+		ID:          ".",
+		HCL: `
+		aws_partition = "aws-us-gov-dod"
+		external_id = "abc"
+		for_log_delivery = true
+		`,
+	}.Apply(t)
+	assert.NoError(t, err)
+	j := d.Get("json")
+	assert.Lenf(t, j, 367, "Strange length for policy: %s", j)
+}

aws/data_aws_bucket_policy.go

@@ -18,6 +18,7 @@ func DataAwsBucketPolicy() common.Resource {
 			bucket := d.Get("bucket").(string)
 			awsPartition := d.Get("aws_partition").(string)
 			databricksAwsAccountId := AwsConfig[awsPartition]["accountId"]
+			awsNamespace := AwsConfig[awsPartition]["awsNamespace"]
 
 			if databricksAwsAccountId == "" {
 				databricksAwsAccountId = AwsConfig[awsPartition]["accountId"]
@@ -37,11 +38,11 @@ func DataAwsBucketPolicy() common.Resource {
 							"s3:GetBucketLocation",
 						},
 						Resources: []string{
-							fmt.Sprintf("arn:%s:s3:::%s/*", awsPartition, bucket),
-							fmt.Sprintf("arn:%s:s3:::%s", awsPartition, bucket),
+							fmt.Sprintf("arn:%s:s3:::%s/*", awsNamespace, bucket),
+							fmt.Sprintf("arn:%s:s3:::%s", awsNamespace, bucket),
 						},
 						Principal: map[string]string{
-							"AWS": fmt.Sprintf("arn:%s:iam::%s:root", awsPartition, databricksAwsAccountId),
+							"AWS": fmt.Sprintf("arn:%s:iam::%s:root", awsNamespace, databricksAwsAccountId),
 						},
 					},
 				},

aws/data_aws_bucket_policy_test.go

@@ -69,3 +69,19 @@ func TestDataAwsBucketPolicyPartitionGov(t *testing.T) {
 	j := d.Get("json")
 	assert.Lenf(t, j, 461, "Strange length for policy: %s", j)
 }
+
+func TestDataAwsBucketPolicyPartitionGovDoD(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Read:        true,
+		Resource:    DataAwsBucketPolicy(),
+		NonWritable: true,
+		ID:          ".",
+		HCL: `
+		bucket = "abc"
+		aws_partition = "aws-us-gov-dod"
+		`,
+	}.Apply(t)
+	assert.NoError(t, err)
+	j := d.Get("json")
+	assert.Lenf(t, j, 461, "Strange length for policy: %s", j)
+}

aws/data_aws_crossaccount_policy.go

@@ -27,7 +27,7 @@ func DataAwsCrossaccountPolicy() common.Resource {
 		if !slices.Contains(AwsPartitions, data.AwsPartition) {
 			return errors.New(AwsPartitionsValidationError)
 		}
-
+        awsNamespace := AwsConfig[data.AwsPartition]["awsNamespace"]
 		if !slices.Contains([]string{"managed", "customer", "restricted"}, data.PolicyType) {
 			return fmt.Errorf("policy_type must be either 'managed', 'customer' or 'restricted'")
 		}
@@ -151,7 +151,7 @@ func DataAwsCrossaccountPolicy() common.Resource {
 						"iam:CreateServiceLinkedRole",
 						"iam:PutRolePolicy",
 					},
-					Resources: fmt.Sprintf("arn:%s:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot", data.AwsPartition),
+					Resources: fmt.Sprintf("arn:%s:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot", awsNamespace),
 					Condition: map[string]map[string]string{
 						"StringLike": {
 							"iam:AWSServiceName": "spot.amazonaws.com",
@@ -174,7 +174,6 @@ func DataAwsCrossaccountPolicy() common.Resource {
 		if data.PolicyType == "restricted" {
 			region := data.Region
 			aws_account_id := data.AwsAccountId
-			awsPartition := data.AwsPartition
 			vpc_id := data.VpcId
 			security_group_id := data.SecurityGroupId
 			policy.Statements = append(policy.Statements,
@@ -186,7 +185,7 @@ func DataAwsCrossaccountPolicy() common.Resource {
 						"ec2:DisassociateIamInstanceProfile",
 						"ec2:ReplaceIamInstanceProfileAssociation",
 					},
-					Resources: fmt.Sprintf("arn:%s:ec2:%s:%s:instance/*", awsPartition, region, aws_account_id),
+					Resources: fmt.Sprintf("arn:%s:ec2:%s:%s:instance/*", awsNamespace, region, aws_account_id),
 					Condition: map[string]map[string]string{
 						"StringEquals": {
 							"ec2:ResourceTag/Vendor": "Databricks",
@@ -198,8 +197,8 @@ func DataAwsCrossaccountPolicy() common.Resource {
 					Effect:  "Allow",
 					Actions: "ec2:RunInstances",
 					Resources: []string{
-						fmt.Sprintf("arn:%s:ec2:%s:%s:volume/*", awsPartition, region, aws_account_id),
-						fmt.Sprintf("arn:%s:ec2:%s:%s:instance/*", awsPartition, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:volume/*", awsNamespace, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:instance/*", awsNamespace, region, aws_account_id),
 					},
 					Condition: map[string]map[string]string{
 						"StringEquals": {
@@ -211,7 +210,7 @@ func DataAwsCrossaccountPolicy() common.Resource {
 					Sid:       "AllowEc2RunInstanceImagePerTag",
 					Effect:    "Allow",
 					Actions:   "ec2:RunInstances",
-					Resources: fmt.Sprintf("arn:%s:ec2:%s:%s:image/*", awsPartition, region, aws_account_id),
+					Resources: fmt.Sprintf("arn:%s:ec2:%s:%s:image/*", awsNamespace, region, aws_account_id),
 					Condition: map[string]map[string]string{
 						"StringEquals": {
 							"aws:ResourceTag/Vendor": "Databricks",
@@ -223,13 +222,13 @@ func DataAwsCrossaccountPolicy() common.Resource {
 					Effect:  "Allow",
 					Actions: "ec2:RunInstances",
 					Resources: []string{
-						fmt.Sprintf("arn:%s:ec2:%s:%s:network-interface/*", awsPartition, region, aws_account_id),
-						fmt.Sprintf("arn:%s:ec2:%s:%s:subnet/*", awsPartition, region, aws_account_id),
-						fmt.Sprintf("arn:%s:ec2:%s:%s:security-group/*", awsPartition, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:network-interface/*", awsNamespace, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:subnet/*", awsNamespace, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:security-group/*", awsNamespace, region, aws_account_id),
 					},
 					Condition: map[string]map[string]string{
 						"StringEquals": {
-							"ec2:vpc": fmt.Sprintf("arn:%s:ec2:%s:%s:vpc/%s", awsPartition, region, aws_account_id, vpc_id),
+							"ec2:vpc": fmt.Sprintf("arn:%s:ec2:%s:%s:vpc/%s", awsNamespace, region, aws_account_id, vpc_id),
 						},
 					},
 				},
@@ -238,19 +237,19 @@ func DataAwsCrossaccountPolicy() common.Resource {
 					Effect:  "Allow",
 					Actions: "ec2:RunInstances",
 					NotResources: []string{
-						fmt.Sprintf("arn:%s:ec2:%s:%s:image/*", awsPartition, region, aws_account_id),
-						fmt.Sprintf("arn:%s:ec2:%s:%s:network-interface/*", awsPartition, region, aws_account_id),
-						fmt.Sprintf("arn:%s:ec2:%s:%s:subnet/*", awsPartition, region, aws_account_id),
-						fmt.Sprintf("arn:%s:ec2:%s:%s:security-group/*", awsPartition, region, aws_account_id),
-						fmt.Sprintf("arn:%s:ec2:%s:%s:volume/*", awsPartition, region, aws_account_id),
-						fmt.Sprintf("arn:%s:ec2:%s:%s:instance/*", awsPartition, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:image/*", awsNamespace, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:network-interface/*", awsNamespace, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:subnet/*", awsNamespace, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:security-group/*", awsNamespace, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:volume/*", awsNamespace, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:instance/*", awsNamespace, region, aws_account_id),
 					},
 				},
 				&awsIamPolicyStatement{
 					Sid:       "EC2TerminateInstancesTag",
 					Effect:    "Allow",
 					Actions:   "ec2:TerminateInstances",
-					Resources: fmt.Sprintf("arn:%s:ec2:%s:%s:instance/*", awsPartition, region, aws_account_id),
+					Resources: fmt.Sprintf("arn:%s:ec2:%s:%s:instance/*", awsNamespace, region, aws_account_id),
 					Condition: map[string]map[string]string{
 						"StringEquals": {
 							"ec2:ResourceTag/Vendor": "Databricks",
@@ -265,8 +264,8 @@ func DataAwsCrossaccountPolicy() common.Resource {
 						"ec2:DetachVolume",
 					},
 					Resources: []string{
-						fmt.Sprintf("arn:%s:ec2:%s:%s:instance/*", awsPartition, region, aws_account_id),
-						fmt.Sprintf("arn:%s:ec2:%s:%s:volume/*", awsPartition, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:instance/*", awsNamespace, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:volume/*", awsNamespace, region, aws_account_id),
 					},
 					Condition: map[string]map[string]string{
 						"StringEquals": {
@@ -278,7 +277,7 @@ func DataAwsCrossaccountPolicy() common.Resource {
 					Sid:       "EC2CreateVolumeByTag",
 					Effect:    "Allow",
 					Actions:   "ec2:CreateVolume",
-					Resources: fmt.Sprintf("arn:%s:ec2:%s:%s:volume/*", awsPartition, region, aws_account_id),
+					Resources: fmt.Sprintf("arn:%s:ec2:%s:%s:volume/*", awsNamespace, region, aws_account_id),
 					Condition: map[string]map[string]string{
 						"StringEquals": {
 							"aws:RequestTag/Vendor": "Databricks",
@@ -290,7 +289,7 @@ func DataAwsCrossaccountPolicy() common.Resource {
 					Effect:  "Allow",
 					Actions: "ec2:DeleteVolume",
 					Resources: []string{
-						fmt.Sprintf("arn:%s:ec2:%s:%s:volume/*", awsPartition, region, aws_account_id),
+						fmt.Sprintf("arn:%s:ec2:%s:%s:volume/*", awsNamespace, region, aws_account_id),
 					},
 					Condition: map[string]map[string]string{
 						"StringEquals": {
@@ -307,10 +306,10 @@ func DataAwsCrossaccountPolicy() common.Resource {
 						"ec2:RevokeSecurityGroupEgress",
 						"ec2:RevokeSecurityGroupIngress",
 					},
-					Resources: fmt.Sprintf("arn:%s:ec2:%s:%s:security-group/%s", awsPartition, region, aws_account_id, security_group_id),
+					Resources: fmt.Sprintf("arn:%s:ec2:%s:%s:security-group/%s", awsNamespace, region, aws_account_id, security_group_id),
 					Condition: map[string]map[string]string{
 						"StringEquals": {
-							"ec2:vpc": fmt.Sprintf("arn:%s:ec2:%s:%s:vpc/%s", awsPartition, region, aws_account_id, vpc_id),
+							"ec2:vpc": fmt.Sprintf("arn:%s:ec2:%s:%s:vpc/%s", awsNamespace, region, aws_account_id, vpc_id),
 						},
 					},
 				},

aws/data_aws_crossaccount_policy_test.go

@@ -540,13 +540,32 @@ func TestDataAwsCrossAccountRestrictedPolicyPartitionGov(t *testing.T) {
 		aws_account_id = "123456789012"
     aws_partition = "aws-us-gov"
 		vpc_id = "vpc-12345678"
-		region = "us-west-2"
+		region = "us-gov-west-1"
+		security_group_id = "sg-12345678"`,
+		ID: ".",
+	}.Apply(t)
+	assert.NoError(t, err)
+	j := d.Get("json")
+	assert.Lenf(t, j, 5963, "Strange length for policy: %s", j)
+}
+
+func TestDataAwsCrossAccountRestrictedPolicyPartitionGovDoD(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Read:        true,
+		Resource:    DataAwsCrossaccountPolicy(),
+		NonWritable: true,
+		HCL: `
+		policy_type = "restricted"
+		aws_account_id = "123456789012"
+    aws_partition = "aws-us-gov-dod"
+		vpc_id = "vpc-12345678"
+		region = "us-gov-west-1"
 		security_group_id = "sg-12345678"`,
 		ID: ".",
 	}.Apply(t)
 	assert.NoError(t, err)
 	j := d.Get("json")
-	assert.Lenf(t, j, 5879, "Strange length for policy: %s", j)
+	assert.Lenf(t, j, 5963, "Strange length for policy: %s", j)
 }
 
 func TestDataAwsCrossAccountInvalidPolicy(t *testing.T) {

aws/data_aws_unity_catalog_assume_role_policy.go

@@ -24,7 +24,7 @@ func DataAwsUnityCatalogAssumeRolePolicy() common.Resource {
 		if !slices.Contains(AwsPartitions, data.AwsPartition) {
 			return errors.New(AwsPartitionsValidationError)
 		}
-
+		awsNamespace := AwsConfig[data.AwsPartition]["awsNamespace"]
 		if data.UnityCatalogIamArn == "" {
 			data.UnityCatalogIamArn = AwsConfig[data.AwsPartition]["unityCatalogueIamArn"]
 		}
@@ -51,11 +51,11 @@ func DataAwsUnityCatalogAssumeRolePolicy() common.Resource {
 					Actions: "sts:AssumeRole",
 					Condition: map[string]map[string]string{
 						"ArnLike": {
-							"aws:PrincipalArn": fmt.Sprintf("arn:%s:iam::%s:role/%s", data.AwsPartition, data.AwsAccountId, data.RoleName),
+							"aws:PrincipalArn": fmt.Sprintf("arn:%s:iam::%s:role/%s", awsNamespace, data.AwsAccountId, data.RoleName),
 						},
 					},
 					Principal: map[string]string{
-						"AWS": fmt.Sprintf("arn:%s:iam::%s:root", data.AwsPartition, data.AwsAccountId),
+						"AWS": fmt.Sprintf("arn:%s:iam::%s:root", awsNamespace, data.AwsAccountId),
 					},
 				},
 			},

aws/data_aws_unity_catalog_assume_role_policy_test.go

@@ -153,6 +153,55 @@ func TestDataAwsUnityCatalogAssumeRolePolicyGovWithoutUcArn(t *testing.T) {
 	compareJSON(t, j, p)
 }
 
+func TestDataAwsUnityCatalogAssumeRolePolicyGovDoDWithoutUcArn(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Read:        true,
+		Resource:    DataAwsUnityCatalogAssumeRolePolicy(),
+		NonWritable: true,
+		ID:          ".",
+		HCL: `
+        aws_account_id = "123456789098"
+        aws_partition = "aws-us-gov-dod"
+        role_name = "databricks-role"
+        external_id = "12345"
+        `,
+	}.Apply(t)
+	assert.NoError(t, err)
+	j := d.Get("json").(string)
+	p := `{
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Sid": "UnityCatalogAssumeRole",
+              "Effect": "Allow",
+              "Action": "sts:AssumeRole",
+              "Principal": {
+                "AWS": "arn:aws-us-gov:iam::170661010020:role/unity-catalog-prod-UCMasterRole-1DI6DL6ZP26AS"
+              },
+              "Condition": {
+                "StringEquals": {
+                  "sts:ExternalId": "12345"
+                }
+              }
+            },
+            {
+              "Sid": "ExplicitSelfRoleAssumption",
+              "Effect": "Allow",
+              "Action": "sts:AssumeRole",
+              "Principal": {
+                "AWS": "arn:aws-us-gov:iam::123456789098:root"
+              },
+              "Condition": {
+                "ArnLike": {
+                  "aws:PrincipalArn": "arn:aws-us-gov:iam::123456789098:role/databricks-role"
+                }
+              }
+            }
+          ]
+        }`
+	compareJSON(t, j, p)
+}
+
 func TestDataAwsUnityCatalogAssumeRolePolicyInvalidPartition(t *testing.T) {
 	qa.ResourceFixture{
 		Read:        true,