fix(aws): Handle Cloudfront Regions in different partitions (#10690)

bbernays · web-flow · commit 158aab10de74 · 2023-05-11T13:28:34.000Z
#### Summary

When syncing `aws-cn` the cloudfront region should be set to `cn-north-1`  when partition is `aws-gov` then there is no cloudfront so no reason to set the multiplexer
diff --git a/plugins/source/aws/client/account.go b/plugins/source/aws/client/account.go
@@ -88,10 +88,18 @@ func (c *Client) setupAWSAccount(ctx context.Context, logger zerolog.Logger, aws
 		}
 	}
 
+	var cloudfrontRegion string
+	switch iamArn.Partition {
+	case "aws":
+		cloudfrontRegion = awsCloudfrontScopeRegion
+	case "aws-cn":
+		cloudfrontRegion = awsCnCloudfrontScopeRegion
+	}
+
 	svcsDetails[len(account.Regions)] = svcsDetail{
 		partition: iamArn.Partition,
 		accountId: *output.Account,
-		svcs:      initServices(cloudfrontScopeRegion, awsCfg),
+		svcs:      initServices(cloudfrontRegion, awsCfg),
 	}
 	return svcsDetails, nil
 }
diff --git a/plugins/source/aws/client/client.go b/plugins/source/aws/client/client.go
@@ -52,9 +52,10 @@ type ServicesManager struct {
 }
 
 const (
-	defaultRegion         = "us-east-1"
-	defaultVar            = "default"
-	cloudfrontScopeRegion = defaultRegion
+	defaultRegion              = "us-east-1"
+	defaultVar                 = "default"
+	awsCloudfrontScopeRegion   = defaultRegion
+	awsCnCloudfrontScopeRegion = "cn-north-1"
 )
 
 var errInvalidRegion = errors.New("region wildcard \"*\" is only supported as first argument")
diff --git a/plugins/source/aws/client/multiplexers.go b/plugins/source/aws/client/multiplexers.go
@@ -118,8 +118,14 @@ func ServiceAccountRegionScopeMultiplexer(table, service string) func(meta schem
 		client := meta.(*Client)
 		for partition := range client.ServicesManager.services {
 			for accountID := range client.ServicesManager.services[partition] {
-				// always fetch cloudfront related resources
-				l = append(l, client.withPartitionAccountIDRegionAndScope(partition, accountID, cloudfrontScopeRegion, wafv2types.ScopeCloudfront))
+				// always fetch cloudfront related resources as long as in aws or aws-cn partition
+				switch partition {
+				case "aws":
+					l = append(l, client.withPartitionAccountIDRegionAndScope(partition, accountID, awsCloudfrontScopeRegion, wafv2types.ScopeCloudfront))
+				case "aws-cn":
+					l = append(l, client.withPartitionAccountIDRegionAndScope(partition, accountID, awsCnCloudfrontScopeRegion, wafv2types.ScopeCloudfront))
+				}
+
 				for region := range client.ServicesManager.services[partition][accountID] {
 					if !isSupportedServiceForRegion(service, region) {
 						if client.specificRegions {

Original file line number	Diff line number	Diff line change
`@@ -88,10 +88,18 @@ func (c *Client) setupAWSAccount(ctx context.Context, logger zerolog.Logger, aws`
`88`	`88`	`}`
`89`	`89`	`}`
`90`	`90`
	`91`	`+ var cloudfrontRegion string`
	`92`	`+ switch iamArn.Partition {`
	`93`	`+ case "aws":`
	`94`	`+ cloudfrontRegion = awsCloudfrontScopeRegion`
	`95`	`+ case "aws-cn":`
	`96`	`+ cloudfrontRegion = awsCnCloudfrontScopeRegion`
	`97`	`+ }`
	`98`	`+`
`91`	`99`	`svcsDetails[len(account.Regions)] = svcsDetail{`
`92`	`100`	`partition: iamArn.Partition,`
`93`	`101`	`accountId: *output.Account,`
`94`		`- svcs: initServices(cloudfrontScopeRegion, awsCfg),`
	`102`	`+ svcs: initServices(cloudfrontRegion, awsCfg),`
`95`	`103`	`}`
`96`	`104`	`return svcsDetails, nil`
`97`	`105`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,9 +52,10 @@ type ServicesManager struct {`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`const (`
`55`		`- defaultRegion = "us-east-1"`
`56`		`- defaultVar = "default"`
`57`		`- cloudfrontScopeRegion = defaultRegion`
	`55`	`+ defaultRegion = "us-east-1"`
	`56`	`+ defaultVar = "default"`
	`57`	`+ awsCloudfrontScopeRegion = defaultRegion`
	`58`	`+ awsCnCloudfrontScopeRegion = "cn-north-1"`
`58`	`59`	`)`
`59`	`60`
`60`	`61`	`var errInvalidRegion = errors.New("region wildcard \"*\" is only supported as first argument")`