aws-eks : ALB controller IAM policies created in China using wrong partition

[ItielOlenick]

Describe the bug

When using the CDK to create a EKS cluster and specifying the use of alb controller, upon the creation of the IAM policy for alb controller the following error arises:

Partition "aws" is not valid for resource "arn:aws:ec2:*:*:security-group/*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID
: xxxx-xx-xx-xxxxx-xxx-xx-xxx; Proxy: null)

A quick search for "arn:aws:ec2:*:*:security-group/*" in the repo shows a few pages where this is used.

Expected Behavior

A EKS cluster should be successfully created when using CDK to create in China

Current Behavior

Partition "aws" is not valid for resource "arn:aws:ec2:*:*:security-group/*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID
: xxxx-xx-xx-xxxxx-xxx-xx-xxx; Proxy: null)

Reproduction Steps

Try to create a EKS cluster in China with the ALB controller enabled:

self.eks_cluster = aws_eks.Cluster(
    self,
    id="cvat-in-k8s-cluster",
    version=aws_eks.KubernetesVersion.V1_21,
    vpc=self.vpc,
    vpc_subnets=[aws_ec2.SubnetSelection(subnet_type=aws_ec2.SubnetType.PRIVATE_WITH_NAT)],
    default_capacity=2,
    alb_controller=aws_eks.AlbControllerOptions(
        version=aws_eks.AlbControllerVersion.V2_4_1
    ),
    endpoint_access=aws_eks.EndpointAccess.PUBLIC_AND_PRIVATE.only_from(*CIDR_BLOCKS),
)

Possible Solution

Check if the region is in China, and if so change the partition to aws-cn

Additional Information/Context

No response

CDK CLI Version

2.37.1

Framework Version

No response

Node.js Version

15

OS

Linux

Language

Python

Language Version

No response

Other information

No response

[pahud]

Thanks for your report. Which aws region were you deploying to? cn-north-1 or cn-northwest-1 ?

[zorrofox]

I think either cn-north-1 or cn-northwest-1 for China partition is not work for the default IAM policy, as the policy document is come from this line

aws-cdk/packages/@aws-cdk/aws-eks/lib/alb-controller.ts

Line 216 in 33ee4de

const policy: any = props.policy ?? JSON.parse(fs.readFileSync(path.join(__dirname, 'addons', `alb-iam_policy-${props.version.version}.json`), 'utf8'));

And all these version policy documents are come from ALB ingress repo for this file, they are all for global partition not for GOV or China partitions. There have another policy document in the repo is for the China partition.

[zorrofox]

Same issue for #22520

[ItielOlenick]

For me this happened in cn-northwest-1, But like @zorrofox said, this has to do with the use of the wrong partition in the alb policy.

Taking a quick look at https://github.com/aws/aws-cdk/search?q=arn%3Aaws%3Aec2%3A*%3A*%3Asecurity-group%2F* shows that nothing is done to check the partition in the alb-iam_policy files which results in the use of the wrong one.

[zorrofox]

Can we just use the commercial partition policy files to substitute with China or GOV partitions? Or we just like commercial partition to host all the policy files for China and GOV partitions?