iam role boundary does not account for gov-cloud

[zer0glitch]

Summary

When using a gov cloud policy the arn starts with 'arn:aws-us-gov:iam'

if not module.params.get("boundary").startswith("arn:aws:iam"):
module.fail_json(msg="Boundary policy must be an ARN")

Issue Type

Bug Report

Component Name

community.aws.iam_role:

Ansible Version

$ ansible --version
ansible [core 2.14.2]
  config file = /home/oitchawhetsj0/dev/mhvops-ansible/ansible.cfg
  configured module search path = ['/home/oitchawhetsj0/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/oitchawhetsj0/.ansible/collections:/usr/share/ansible/collections
  executable location = /bin/ansible
  python version = 3.11.2 (main, Feb 17 2023, 09:28:16) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
amazon.aws        6.0.0  
ansible.posix     1.3.0  
ansible.windows   1.10.0 

community.aws     6.0.0  
community.crypto  2.3.1  
community.docker  3.4.3  
community.general 4.8.1  
community.grafana 1.4.0  
community.windows 1.10.0 
kubernetes.core   2.4.0 

AWS SDK versions

$ pip show boto boto3 botocore

Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: [email protected]
License: MIT
Location: /home/oitchawhetsj0/.local/lib/python3.11/site-packages
Requires: 
Required-by: 
---
Name: boto3
Version: 1.26.156
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/oitchawhetsj0/.local/lib/python3.11/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: 
---
Name: botocore
Version: 1.29.156
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/oitchawhetsj0/.local/lib/python3.11/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed

OS / Environment

RHEL8

Steps to Reproduce

- name: Create IAM Role for EKS Cluster
  community.aws.iam_role:
    name: "{{ cluster_iam_role_name }}_node"
    path: "{{ path }}"
    assume_role_policy_document: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          },
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
    state: "{{ state|default('present') }}"
    region: "{{ aws_region }}"
    purge_policies: true
    #boundary: arn:aw-us-govs:iam::000000000000:policy/mypolicy

    create_instance_profile: False
    managed_policies:
    - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy

Expected Results

I expected the role to be created

Actual Results

 msg: Boundary policy must be an ARN

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[zer0glitch]

The example has the boundary commented, but not in the actual code

[tremble]

Thanks for taking the time to open this issue. It looks like we did this in various places. I've lined up a pair of PRs to try and fix the issue.