replace hardcoded aws partition in ARNs with ${AWS::Partition}

[PatMyron]

@michaelwittig #191, aws-cloudformation/cfn-lint#1805

https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-sub.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html#cfn-pseudo-param-partition

brew install gnu-sed
gsed -i 's/arn:aws:/arn:${AWS::Partition}:/g' **/*.yaml

manually added !Sub for a few IAM ARNs

only a couple files left with hardcoded aws partition ARNs after this merges:

• state/s3.yaml
• security/cloudtrail.yaml

[andreaswittig]

@PatMyron Thanks a lot for your contribution. I do have two questions.

1. What's the motivation for this change? I understand, that cfn-lint advises to use the pseudo-parameter for the AWS partition. Is that the only reason for this change? Or do you plan to deploy the templates in China or GovCloud?
2. Is there a reason to keep the hardcoded partitions for s3.yaml and cloudtrail.yaml?

My only concern is, that we don't have the capability to run our test suite in China/GovCloud. I expect, that some templates break in these environments. For example, due to missing or limited features/services. What do you think about that? @PatMyron @michaelwittig?

[PatMyron]

do you plan to deploy the templates in China or GovCloud?

Not personally.. for others to run into fewer issues deploying into other partitions

we don't have the capability to run our test suite in China/GovCloud. I expect, that some templates break in these environments

I also no longer have access to those partitions, so I can't test there either. Agree there are likely other issues not yet addressed, but this should be a decent first step

Is there a reason to keep the hardcoded partitions for s3.yaml and cloudtrail.yaml?

state/s3.yaml seems okay anyways since it looks region-specific already:

aws-cf-templates/state/s3.yaml

Lines 248 to 252 in a1a80ef

	- !If [HasPartitionPublic, 'arn:aws:iam::507241528517:root', !Ref 'AWS::NoValue'] # sa-east-1
	- !If [HasPartitionUsGov, 'arn:aws-us-gov:iam::048591011584:root', !Ref 'AWS::NoValue'] # us-gov-west-1*
	- !If [HasPartitionUsGov, 'arn:aws-us-gov:iam::190560391635:root', !Ref 'AWS::NoValue'] # us-gov-east-1*
	- !If [HasPartitionChina, 'arn:aws-cn:iam::638102146993:root', !Ref 'AWS::NoValue'] # cn-north-1*
	- !If [HasPartitionChina, 'arn:aws-cn:iam::037604701340:root', !Ref 'AWS::NoValue'] # cn-northwest-1*

security/cloudtrail.yaml just also needed Sub so I just pushed that too:

aws-cf-templates/security/cloudtrail.yaml

Line 170 in b751cec

EventSelectors: !If [IsS3DataEvents, [{DataResources: [{Type: 'AWS::S3::Object', Values: [!Sub 'arn:${AWS::Partition}:s3:::']}], IncludeManagementEvents: true, ReadWriteType: All}], !Ref 'AWS::NoValue']

aws-cf-templates/security/cloudtrail.yaml

Line 187 in b751cec

EventSelectors: !If [IsS3DataEvents, [{DataResources: [{Type: 'AWS::S3::Object', Values: [!Sub 'arn:${AWS::Partition}:s3:::']}], IncludeManagementEvents: true, ReadWriteType: All}], !Ref 'AWS::NoValue']

[michaelwittig]

The reason why I never worked on #191 is that CloudFormation (sometimes/always?) believes that an attribute changes even if the resulting !Sub has the same value as the String before. So we might replace resources because of that. What we would need to do is this:

1. Launch stack using old template.
2. Update using new template and see what happens.

I also agree that we have no way to test the templates in other partitions which is a problem.