Open brianatinstrumental opened 10 months ago
This looks changed in the latest quickstart, but I am still getting the principal error.
Resource handler returned message: "Invalid principal in policy: "AWS":"arn:aws-us-gov:iam::464622532012:root
...
Expected Behavior
CF template creates all resources in the correct govcloud partition with included policy documents also referring to the govcloud partition
Actual Behavior
The CF template creates resources but references the main AWS partition instead of the govcloud one, resulting in resource creation failures. In particular, the following ARN is declared in a policy statement:
- 'arn:aws:iam::${DdAWSAccountId}:root'
declared here: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml#L76C1-L77C1

If the policy isn't needed in govcloud because we're using keys, we shouldn't create the resource. If we are using this role then it should be using the correct policy/role based off of the DdSite variable which can act as a toggle between govcloud/non govcloud partitions.
I'm also 99% sure that the account id needs to be different for the govcloud region as well if this policy is indeed used.
Steps to Reproduce the Problem
Specifications
Stacktrace
From cloudformation:
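
A small lint for the problem this issue describes, added here as an example (it is not part of the issue or of the DataDog template): it flags template lines that hardcode the ARN partition and suggests CloudFormation's `${AWS::Partition}` pseudo parameter instead. The sample template, the resource name and the function name are constructed for illustration, and the check does not cover whether the account ID also has to differ in GovCloud.

```python
import re

# Literal partition directly after "arn:". The later "aws" in
# "iam::aws:policy/..." is the account field and is not matched.
LITERAL_PARTITION = re.compile(r"\barn:(aws-us-gov|aws-cn|aws):")

# Constructed sample: one hardcoded principal ARN, one portable ARN.
SAMPLE_TEMPLATE = """\
Resources:
  DatadogIntegrationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${DdAWSAccountId}:root'
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/SecurityAudit'
"""

def find_literal_partitions(template_text):
    """Return one finding per template line that hardcodes an ARN partition."""
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line YAML comment
        match = LITERAL_PARTITION.search(line)
        if not match:
            continue
        findings.append({
            "line": line_no,
            "partition": match.group(1),
            # ${AWS::Partition} only resolves inside Fn::Sub / !Sub; an existing
            # "${" on the line suggests the string is already substituted.
            "in_sub": "${" in line,
            "suggested": LITERAL_PARTITION.sub("arn:${AWS::Partition}:", line).strip(),
        })
    return findings

if __name__ == "__main__":
    for f in find_literal_partitions(SAMPLE_TEMPLATE):
        print(f"line {f['line']}: literal partition '{f['partition']}' -> {f['suggested']}")
```
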