fix: Support new CodeDeploy ManagedPolicy

samtranslator/model/preferences/deployment_preference_collection.py

@@ -101,9 +101,17 @@ def _codedeploy_iam_role(self):
                 }
             ],
         }
-        iam_role.ManagedPolicyArns = [
-            ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSCodeDeployRoleForLambda")
-        ]
+
+        # CodeDeploy has a new managed policy. We cannot update any existing partitions, without customer reach out
+        # that support AWSCodeDeployRoleForLambda since this could regress stacks that are currently deployed.
+        if ArnGenerator.get_partition_name() in ["aws-iso", "aws-iso-b"]:
+            iam_role.ManagedPolicyArns = [
+                ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSCodeDeployRoleForLambdaLimited")
+            ]
+        else:
+            iam_role.ManagedPolicyArns = [
+                ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSCodeDeployRoleForLambda")
+            ]
 
         return iam_role
 

samtranslator/region_configuration.py

@@ -7,8 +7,6 @@ class RegionConfiguration(object):
     class abstracts all region/partition specific configuration.
     """
 
-    partitions = {"govcloud": "aws-us-gov", "china": "aws-cn"}
-
     @classmethod
     def is_apigw_edge_configuration_supported(cls):
         """
@@ -18,4 +16,9 @@ def is_apigw_edge_configuration_supported(cls):
         :return: True, if API Gateway does not support Edge configuration
         """
 
-        return ArnGenerator.get_partition_name() not in [cls.partitions["govcloud"], cls.partitions["china"]]
+        return ArnGenerator.get_partition_name() not in [
+            "aws-us-gov",
+            "aws-iso",
+            "aws-iso-b",
+            "aws-cn",
+        ]

samtranslator/translator/arn_generator.py

@@ -39,15 +39,23 @@ def get_partition_name(cls, region=None):
         :param region: Optional name of the region
         :return: Partition name
         """
+
         if region is None:
             # Use Boto3 to get the region where code is running. This uses Boto's regular region resolution
             # mechanism, starting from AWS_DEFAULT_REGION environment variable.
             region = boto3.session.Session().region_name
 
+        # setting default partition to aws, this will be overwritten by checking the region below
+        partition = "aws"
+
         region_string = region.lower()
         if region_string.startswith("cn-"):
-            return "aws-cn"
+            partition = "aws-cn"
+        elif region_string.startswith("us-iso-"):
+            partition = "aws-iso"
+        elif region_string.startswith("us-isob"):
+            partition = "aws-iso-b"
         elif region_string.startswith("us-gov"):
-            return "aws-us-gov"
-        else:
-            return "aws"
+            partition = "aws-us-gov"
+
+        return partition

tests/unit/model/preferences/test_deployment_preference_collection.py

@@ -0,0 +1,49 @@
+from unittest import TestCase
+
+from mock import patch
+from parameterized import parameterized
+
+from samtranslator.model.preferences.deployment_preference_collection import DeploymentPreferenceCollection
+
+
+class TestDeploymentPreferenceCollection(TestCase):
+    @parameterized.expand(
+        [
+            ["aws-iso"],
+            ["aws-iso-b"],
+        ]
+    )
+    def test_codedeploy_iam_role_contains_AWSCodeDeployRoleForLambdaLimited_managedpolicy(self, partition):
+
+        with patch(
+            "samtranslator.translator.arn_generator.ArnGenerator.get_partition_name"
+        ) as get_partition_name_patch:
+            get_partition_name_patch.return_value = partition
+
+            iam_role = DeploymentPreferenceCollection().codedeploy_iam_role
+
+            self.assertIn(
+                "arn:{}:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited".format(partition),
+                iam_role.ManagedPolicyArns,
+            )
+
+    @parameterized.expand(
+        [
+            ["aws"],
+            ["aws-cn"],
+            ["aws-us-gov"],
+        ]
+    )
+    def test_codedeploy_iam_role_contains_AWSCodeDeployRoleForLambda_managedpolicy(self, partition):
+
+        with patch(
+            "samtranslator.translator.arn_generator.ArnGenerator.get_partition_name"
+        ) as get_partition_name_patch:
+            get_partition_name_patch.return_value = partition
+
+            iam_role = DeploymentPreferenceCollection().codedeploy_iam_role
+
+            self.assertIn(
+                "arn:{}:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda".format(partition),
+                iam_role.ManagedPolicyArns,
+            )

tests/unit/test_region_configuration.py

@@ -0,0 +1,38 @@
+from unittest import TestCase
+
+from mock import patch
+from parameterized import parameterized
+
+from samtranslator.region_configuration import RegionConfiguration
+
+
+class TestRegionConfiguration(TestCase):
+    @parameterized.expand(
+        [
+            ["aws"],
+        ]
+    )
+    def test_when_apigw_edge_configuration_supported(self, partition):
+
+        with patch(
+            "samtranslator.translator.arn_generator.ArnGenerator.get_partition_name"
+        ) as get_partition_name_patch:
+            get_partition_name_patch.return_value = partition
+
+            self.assertTrue(RegionConfiguration.is_apigw_edge_configuration_supported())
+
+    @parameterized.expand(
+        [
+            ["aws-cn"],
+            ["aws-us-gov"],
+            ["aws-iso"],
+            ["aws-iso-b"],
+        ]
+    )
+    def test_when_apigw_edge_configuration_is_not_supported(self, partition):
+        with patch(
+            "samtranslator.translator.arn_generator.ArnGenerator.get_partition_name"
+        ) as get_partition_name_patch:
+            get_partition_name_patch.return_value = partition
+
+            self.assertFalse(RegionConfiguration.is_apigw_edge_configuration_supported())

tests/unit/translator/test_arn_generator.py

@@ -0,0 +1,35 @@
+from unittest import TestCase
+
+from mock import patch
+from parameterized import parameterized
+
+from samtranslator.translator.arn_generator import ArnGenerator
+
+
+class TestArnGenerator(TestCase):
+    @parameterized.expand(
+        [
+            ["us-east-1", "aws"],
+            ["eu-west-1", "aws"],
+            ["cn-north-1", "aws-cn"],
+            ["us-gov-west-1", "aws-us-gov"],
+            ["us-iso-east-1", "aws-iso"],
+            ["us-isob-east-1", "aws-iso-b"],
+        ]
+    )
+    def test_get_partition_name(self, region, expected_partition):
+        self.assertEqual(expected_partition, ArnGenerator.get_partition_name(region=region))
+
+    @parameterized.expand(
+        [
+            ["us-east-1", "aws"],
+            ["eu-west-1", "aws"],
+            ["cn-north-1", "aws-cn"],
+            ["us-gov-west-1", "aws-us-gov"],
+            ["us-iso-east-1", "aws-iso"],
+            ["us-isob-east-1", "aws-iso-b"],
+        ]
+    )
+    def test_get_partition_name_when_region_not_provided(self, region, expected_partition):
+        with patch("boto3.session.Session.region_name", region):
+            self.assertEqual(expected_partition, ArnGenerator.get_partition_name())