schubergphilis / awsapilib

A python library exposing services that are not covered by the official boto3 library but are driven by undocumented APIs.
MIT License

Filter out gov regions by default. #59

Closed costastf closed 9 months ago

iainelder-smg commented 9 months ago

I would make it even simpler. No parameters. Always remove the GovCloud regions.

return [
    entry.get('id', '').split(':')[1]
    for entry in response.json().get('prices')
    # keep Control Tower entries, drop anything in a GovCloud region
    if entry.get('id', '').startswith('controltower') and "us-gov-" not in entry.get('id', '')
]

Each AWS account is scoped to one partition.

You cannot use IAM credentials from one partition to interact with resources in a different partition.

Those features mean an AWS account created in the aws partition will never be able to use a region in the aws-us-gov partition.

Similarly, an AWS account created in the aws-us-gov partition will never be able to use a region in the aws partition.

So enable_gov_regions=True will never work. Since it returns the regions across all partitions, it is going to fail in the aws partition and in the aws-us-gov partition.

So for now just make it work again in the aws partition.


Later if you want to make it work in either partition you could add a check for the current partition and then build a payload that contains just the regions that belong to that partition.

You can check the current partition using STS.GetCallerIdentity.

Session().client("sts").get_caller_identity()["Arn"].split(":")[1]

That will return one of aws, aws-us-gov, or aws-cn depending on the partition you are in.

That's how we detect the partition in botocove. (See https://github.com/connelldave/botocove/issues/63.)

caller_id = self.sts_client.get_caller_identity()
self.host_account_id = caller_id["Account"]
self.host_account_partition = caller_id["Arn"].split(":")[1]
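
The partition check suggested in the comment above, combined with the region filter, as an added example that is not part of the thread or of awsapilib. The function names, the prefix table and the sample entries are assumptions constructed for illustration; in live use the ARN would come from `get_caller_identity()["Arn"]`.

```python
# Region-name prefixes for the non-default partitions named in the thread.
# Any region without one of these prefixes is treated as partition "aws".
PARTITION_REGION_PREFIXES = {
    "aws-us-gov": ("us-gov-",),
    "aws-cn": ("cn-",),
}

# Constructed sample of the 'prices' entries; not real API output.
SAMPLE_PRICES = [
    {"id": "controltower:eu-west-1"},
    {"id": "controltower:us-gov-west-1"},
    {"id": "controltower:cn-north-1"},
    {"id": "otherservice:us-east-1"},
    {"price": "0"},  # entry without an id must not break the filter
]


def partition_from_arn(arn):
    """Return the partition field of an ARN (arn:<partition>:<service>:...)."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or not parts[1]:
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[1]


def region_partition(region):
    """Map a region name to its partition by prefix."""
    for partition, prefixes in PARTITION_REGION_PREFIXES.items():
        if region.startswith(prefixes):
            return partition
    return "aws"


def regions_for_caller(prices, caller_arn, service="controltower"):
    """Keep only the service's regions that live in the caller's partition."""
    partition = partition_from_arn(caller_arn)
    regions = []
    for entry in prices:
        fields = entry.get("id", "").split(":")
        if len(fields) < 2 or not fields[0].startswith(service):
            continue
        if region_partition(fields[1]) == partition:
            regions.append(fields[1])
    return regions
```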

iainelder commented 9 months ago

I need to get better at using my personal account for personal stuff :joy:

costastf commented 9 months ago

Assuming you agree with @iainelder @aperov9 I have made the change. If you guys are OK, I can release a patch version.

iainelder commented 9 months ago

@costastf, let us know when you publish a new patch version so that we can use it downstream in superwerker :-)

costastf commented 9 months ago

v3.1.4 is released. Thanks!