
fix(datasources): use AWS::Partition in generated ARNs #726

Merged: sid88in merged 1 commit into master from fix/352-aws-partition on Jun 2, 2026
Conversation

@sid88in (Owner) commented Jun 2, 2026

fix(datasources): use AWS::Partition in generated ARNs (China / GovCloud)

Closes #352

Problem

The default IAM policy / config ARNs synthesized for data sources hardcode the aws
partition. In the aws-cn (China: cn-north-1, cn-northwest-1) and aws-us-gov
(GovCloud) partitions this produces invalid ARNs and deployment fails, e.g.:

Partition "aws" is not valid for resource "arn:aws:dynamodb:cn-north-1:1234:table/ddbTable".

The ARNs are built with Fn::Join where the partition segment is the literal string
'aws' (so it isn't obvious from a text search for arn:aws:). This affects four sites in
src/resources/DataSource.ts:

  • DynamoDB data-source role policy resource ARN
  • Relational database (RDS) data-source role policy resource ARN
  • Relational database RdsHttpEndpointConfig.DbClusterIdentifier ARN
  • OpenSearch data-source role policy resource ARN (endpoint form)

(Reported originally against the v1 src/index.js; the same hardcoding carried into v2.)

Fix

Replace the hardcoded 'aws' partition segment with the CloudFormation pseudo-parameter
{ Ref: 'AWS::Partition' } in all four Fn::Join ARN constructions. CloudFormation resolves
AWS::Partition to the correct partition (aws / aws-cn / aws-us-gov) for the deployment
region, so the ARNs are valid everywhere.

Lambda data sources are unaffected: their ARNs already come from Fn::GetAtt/passthrough
(Api.generateLambdaArn), which are partition-correct.

This mirrors the existing intrinsic-function style in the same arrays (which already use
{ Ref: 'AWS::Region' } and { Ref: 'AWS::AccountId' }).

Tests

  • Added a regression test (dataSources.test.ts → DynamoDB): asserts the generated role
    ARN contains { Ref: 'AWS::Partition' } and never the hardcoded ["arn","aws"...].
  • Updated the dataSources snapshots. The diff is only "aws" → { "Ref": "AWS::Partition" } (10 occurrences across 6 snapshots); no other changes.

Verification

  • npm run build — OK
  • npm run lint — 0 errors
  • npm test — 21 suites / 348 tests pass; 216 snapshots
  • npm run test:e2e — 31 suites / 90 tests pass

Verified the patch applies cleanly to a fresh origin/master (978c4cb) and that the
dataSources suite (26 tests) passes there after npm ci && npm run build.

Note

Verified via offline CloudFormation synthesis only — the sandbox can't deploy to a real
China/GovCloud account. The change is a straightforward swap to the standard partition
pseudo-parameter, which is the documented AWS-recommended approach for partition-agnostic
ARNs.

Summary by CodeRabbit

  • Bug Fixes

    • Updated IAM role policies for DynamoDB, RDS, and OpenSearch data sources to dynamically reference AWS partition values instead of using hardcoded partition identifiers.
  • Tests

    • Added test to verify correct IAM role policy generation for DynamoDB data sources.

Default data-source IAM policy and config ARNs hardcoded the 'aws'
partition (as a literal Fn::Join segment), producing invalid ARNs in the
aws-cn (China) and aws-us-gov (GovCloud) partitions and failing
deployment. Use the AWS::Partition pseudo-parameter so the partition is
resolved per-region. Affects the DynamoDB, RDS (policy + cluster config),
and OpenSearch ARNs; Lambda is unaffected (uses Fn::GetAtt).

Adds a regression test and updates the dataSources snapshots (only
'aws' -> AWS::Partition).

Closes #352
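As an added example (not code from the plugin or this PR), the block below shows the two Fn::Join shapes the description contrasts, resolves them offline the way CloudFormation would for a given region, and walks a template fragment to flag any hardcoded partition segment, which is the check a reviewer would want to run over synthesized output. The function names, the sample policy statements and the three-partition region mapping are assumptions made for this example.

```typescript
// Added example, not code from the plugin or this PR. Names are hypothetical.

// A CloudFormation value: a literal, a Ref to a pseudo-parameter, or Fn::Join.
type CfnValue = string | { Ref: string } | { 'Fn::Join': [string, CfnValue[]] };

// Partition for a region, mirroring what AWS::Partition resolves to.
// Assumption: only the three partitions named in the PR are modelled.
function partitionForRegion(region: string): string {
  if (region.startsWith('cn-')) return 'aws-cn';
  if (region.startsWith('us-gov-')) return 'aws-us-gov';
  return 'aws';
}

// The "before" shape: the partition segment is the literal 'aws'. Deliberately wrong.
function dynamoDbTableArnHardcoded(table: string): CfnValue {
  return {
    'Fn::Join': [':', ['arn', 'aws', 'dynamodb', { Ref: 'AWS::Region' },
      { Ref: 'AWS::AccountId' }, `table/${table}`]],
  };
}

// The "after" shape: the partition comes from the AWS::Partition pseudo-parameter.
function dynamoDbTableArn(table: string): CfnValue {
  return {
    'Fn::Join': [':', ['arn', { Ref: 'AWS::Partition' }, 'dynamodb', { Ref: 'AWS::Region' },
      { Ref: 'AWS::AccountId' }, `table/${table}`]],
  };
}

// Minimal offline resolver for the three pseudo-parameters and Fn::Join.
function resolveCfnValue(value: CfnValue, region: string, accountId: string): string {
  if (typeof value === 'string') return value;
  if ('Ref' in value) {
    switch (value.Ref) {
      case 'AWS::Partition': return partitionForRegion(region);
      case 'AWS::Region': return region;
      case 'AWS::AccountId': return accountId;
      default: throw new Error(`unsupported Ref: ${value.Ref}`);
    }
  }
  const [delimiter, parts] = value['Fn::Join'];
  return parts.map((p) => resolveCfnValue(p, region, accountId)).join(delimiter);
}

// Walk any template fragment and report hardcoded partitions: literal
// "arn:<partition>:" strings, or Fn::Join lists beginning ['arn', '<literal>', ...].
// Every literal partition (aws, aws-cn, aws-us-gov) is flagged; none is portable.
function findHardcodedPartitions(node: unknown, path = '$'): string[] {
  const hits: string[] = [];
  if (typeof node === 'string') {
    if (/^arn:aws(?:-cn|-us-gov)?:/.test(node)) hits.push(`${path}: ${node}`);
  } else if (Array.isArray(node)) {
    node.forEach((child, i) => hits.push(...findHardcodedPartitions(child, `${path}[${i}]`)));
  } else if (node !== null && typeof node === 'object') {
    const obj = node as Record<string, unknown>;
    const join = obj['Fn::Join'];
    if (Array.isArray(join) && Array.isArray(join[1])) {
      const [first, second] = join[1] as unknown[];
      if (first === 'arn' && typeof second === 'string') {
        hits.push(`${path}: Fn::Join ["arn","${second}",...]`);
      }
    }
    for (const [key, child] of Object.entries(obj)) {
      hits.push(...findHardcodedPartitions(child, `${path}.${key}`));
    }
  }
  return hits;
}

// Constructed sample: two policy statements of the kind the plugin synthesizes,
// one with the old hardcoded ARN and one with the partition-aware ARN.
const SAMPLE_STATEMENTS = [
  { Effect: 'Allow', Action: ['dynamodb:GetItem'], Resource: [dynamoDbTableArnHardcoded('ddbTable')] },
  { Effect: 'Allow', Action: ['dynamodb:Query'], Resource: [dynamoDbTableArn('ddbTable')] },
];

function auditSampleStatements(): string[] {
  return findHardcodedPartitions(SAMPLE_STATEMENTS);
}

console.log(resolveCfnValue(dynamoDbTableArnHardcoded('ddbTable'), 'cn-north-1', '1234'));
console.log(resolveCfnValue(dynamoDbTableArn('ddbTable'), 'cn-north-1', '1234'));
console.log(auditSampleStatements());
```

Resolving the hardcoded form for cn-north-1 reproduces the exact ARN quoted in the deployment error above, while the partition-aware form yields arn:aws-cn:... for the same inputs. The scanner is deliberately stricter than a text search for arn:aws:, because a Fn::Join with the literal segment does not contain that substring; it is the kind of check that can run in a test over the whole compiled template rather than on one data source at a time.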
@sid88in sid88in self-assigned this Jun 2, 2026
@sid88in sid88in requested a review from AlexHladin June 2, 2026 00:29
coderabbitai Bot commented Jun 2, 2026

Walkthrough

DataSource now generates AWS ARN strings using CloudFormation's AWS::Partition pseudo-parameter instead of hardcoding the 'aws' partition. This change affects RDS cluster identifiers and IAM policy generation for DynamoDB, RDS Data API, and OpenSearch resources. A regression test validates that DynamoDB policies reference AWS::Partition instead of hardcoded partition strings.

Changes

Partition-aware ARN construction in DataSource (src/resources/DataSource.ts)
  • RDS cluster ARN in getRelationalDbConfig and DynamoDB, RDS Data API, and OpenSearch resource ARNs in getDefaultDataSourcePolicyStatements now use { Ref: 'AWS::Partition' } instead of hardcoded 'aws' partition.

DynamoDB partition-aware ARN regression test (src/__tests__/dataSources.test.ts)
  • New test builds a DynamoDB DataSource, compiles its IAM role policy, and asserts the resulting JSON contains "Ref":"AWS::Partition" and does not contain "arn","aws" fragments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Partitions once hardcoded in stone,

Now dance with CloudFormation's own!

From aws to aws-cn they play,

Multi-region deployments brighten the day! 🌍✨

Pre-merge checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title directly and concisely describes the main change: replacing hardcoded partitions with CloudFormation's AWS::Partition pseudo-parameter in DataSource ARN generation.
  • Linked Issues check: Passed. The PR successfully addresses issue #352 by replacing hardcoded 'aws' partition strings with CloudFormation's AWS::Partition pseudo-parameter in all four specified ARN locations (DynamoDB, RDS, RdsHttpEndpoint, and OpenSearch DataSources).
  • Out of Scope Changes check: Passed. All changes are directly scoped to fixing partition-aware ARN generation in DataSource.ts and adding a regression test; no unrelated modifications are present.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai Bot left a comment

⚠️ Outside diff range comments (1)
src/resources/DataSource.ts (1)

370-390: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

OpenSearch endpoint regex hardcodes .es.amazonaws.com, preventing the AWS::Partition ARN fix from working for aws-cn

The regex at lines 370-371 only matches ...es.amazonaws.com; China endpoints use ...es.amazonaws.com.cn, so rx.exec(...) returns null and the code throws Invalid AWS OpenSearch endpoint (lines 373-376) before building the ARN with AWS::Partition (line 383). The domain-based branch via Fn::GetAtt (lines 391-397) remains partition-agnostic.

🛠️ Proposed regex adjustment
-          const rx =
-            /^https:\/\/([a-z0-9-]+\.(\w{2}-[a-z]+-\d)\.es\.amazonaws\.com)$/;
+          const rx =
+            /^https:\/\/([a-z0-9-]+\.(\w{2}-[a-z]+-\d)\.es\.amazonaws\.com(?:\.cn)?)$/;
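Review bot: The widened regex still rejects GovCloud endpoints, so the aws-us-gov case named in the PR description stays broken at this site. The region group `(\w{2}-[a-z]+-\d)` allows exactly one hyphenated word between the two-letter prefix and the trailing digit, so a host such as `search-x.us-gov-west-1.es.amazonaws.com` fails `exec` and hits the same `Invalid AWS OpenSearch endpoint` throw; `(\w{2}(?:-[a-z]+)+-\d)` accepts it while keeping `result[1]` (host) and `result[2]` (region) intact. Two smaller points: `(?:\.cn)?` is optional regardless of the region, so a `cn-north-1` host without the `.cn` suffix also passes, and the PR adds no test for a `.es.amazonaws.com.cn` endpoint, so this adjustment is worth a regression case next to the DynamoDB one.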
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/resources/DataSource.ts` around lines 370 - 390, The endpoint regex (rx)
in DataSource.ts is too specific to ".es.amazonaws.com" and fails for China
partitions (".es.amazonaws.com.cn"); update rx to accept both variants (e.g.,
allow an optional ".cn" suffix or otherwise match the partition-specific host)
while preserving the capture groups used later (so result[1] retains the full
host and result[2] retains the region-like segment), then keep the existing ARN
construction that uses result[1] and result[2] and throws the same error when
exec returns null.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0e98a597-b8d3-46cf-9bc2-d7924e869e0c

📥 Commits

Reviewing files that changed from the base of the PR and between 978c4cb and 3ec977b.

⛔ Files ignored due to path filters (1)
  • src/__tests__/__snapshots__/dataSources.test.ts.snap is excluded by !**/*.snap
📒 Files selected for processing (2)
  • src/__tests__/dataSources.test.ts
  • src/resources/DataSource.ts
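To make the endpoint-parsing point above concrete, here is an added example (not code from the plugin, the PR, or the review comment) of a partition-aware OpenSearch endpoint parser. It keeps the two capture groups the existing code reads (host, then region), accepts the ".com.cn" suffix the review comment describes for aws-cn, and also accepts multi-segment GovCloud region names. The function names, the sample endpoints and the cross-check that a ".com.cn" host must belong to a cn- region are assumptions made for this example.

```typescript
// Added example, not code from the plugin or the review above. Names are hypothetical.

// Group 1: full host (what the existing code reads as result[1]).
// Group 2: region (result[2]); (?:-[a-z]+)+ lets us-gov-west-1 through.
// (?:\.cn)? accepts the aws-cn host suffix.
const OPENSEARCH_ENDPOINT_RX =
  /^https:\/\/([a-z0-9-]+\.(\w{2}(?:-[a-z]+)+-\d)\.es\.amazonaws\.com(?:\.cn)?)$/;

interface ParsedOpenSearchEndpoint {
  host: string;      // e.g. search-mydomain-abc123.cn-north-1.es.amazonaws.com.cn
  region: string;    // e.g. cn-north-1
  partition: string; // aws | aws-cn | aws-us-gov
}

// Partition for a region (assumption: only these three partitions are modelled).
function partitionForRegion(region: string): string {
  if (region.startsWith('cn-')) return 'aws-cn';
  if (region.startsWith('us-gov-')) return 'aws-us-gov';
  return 'aws';
}

function parseOpenSearchEndpoint(endpoint: string): ParsedOpenSearchEndpoint {
  const result = OPENSEARCH_ENDPOINT_RX.exec(endpoint);
  if (result === null) {
    // Same failure mode as the code under review: anything off-pattern is rejected.
    throw new Error('Invalid AWS OpenSearch endpoint');
  }
  const host = result[1];
  const region = result[2];
  const partition = partitionForRegion(region);
  // Cross-check (assumption, following the review comment): only aws-cn hosts
  // carry the ".com.cn" suffix, so the suffix and the region must agree.
  const cnHost = host.endsWith('.amazonaws.com.cn');
  if (cnHost !== (partition === 'aws-cn')) {
    throw new Error(`Endpoint host suffix does not match partition ${partition} of region ${region}`);
  }
  return { host, region, partition };
}

// Constructed sample endpoints, one per partition.
const SAMPLE_ENDPOINTS = [
  'https://search-mydomain-abc123.us-east-1.es.amazonaws.com',
  'https://search-mydomain-abc123.cn-north-1.es.amazonaws.com.cn',
  'https://search-mydomain-abc123.us-gov-west-1.es.amazonaws.com',
];

for (const endpoint of SAMPLE_ENDPOINTS) {
  console.log(parseOpenSearchEndpoint(endpoint));
}
```

The cross-check is the part a plain regex widening cannot give you: making the ".cn" suffix optional means a cn-north-1 host without it would otherwise parse cleanly, and the mismatch only surfaces later when the resolved ARN and the real endpoint disagree.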

@sid88in sid88in merged commit 2fbb817 into master Jun 2, 2026
6 checks passed

Development

Successfully merging this pull request may close these issues.

Deployment error: partition "aws" is not valid for resource when region is cn-north-1 or cn-northwest-1
