serverless-operations
diff --git a/‎lib/deploy/stepFunctions/compileIamRole.js
Lines changed: 31 additions & 20 deletions b/‎lib/deploy/stepFunctions/compileIamRole.js
Lines changed: 31 additions & 20 deletions
@@ -4,6 +4,7 @@ const _ = require('lodash');
 const BbPromise = require('bluebird');
 const path = require('path');
 const { isIntrinsic, translateLocalFunctionNames, trimAliasFromLambdaArn } = require('../../utils/aws');
+const { getArnPartition } = require('../../utils/arn');
 
 function getTaskStates(states) {
   return _.flatMap(states, (state) => {
@@ -33,7 +34,8 @@ function sqsQueueUrlToArn(serverless, queueUrl) {
     const region = match[1];
     const accountId = match[2];
     const queueName = match[3];
-    return `arn:aws:sqs:${region}:${accountId}:${queueName}`;
+    const partition = getArnPartition(region);
+    return `arn:${partition}:sqs:${region}:${accountId}:${queueName}`;
   }
   if (isIntrinsic(queueUrl)) {
     if (queueUrl.Ref) {
@@ -91,7 +93,9 @@ function getDynamoDBArn(tableName) {
         'Fn::Join': [
           ':',
           [
-            'arn:aws:dynamodb',
+            'arn',
+            { Ref: 'AWS::Partition' },
+            'dynamodb',
             { Ref: 'AWS::Region' },
             { Ref: 'AWS::AccountId' },
             {
@@ -113,7 +117,9 @@ function getDynamoDBArn(tableName) {
     'Fn::Join': [
       ':',
       [
-        'arn:aws:dynamodb',
+        'arn',
+        { Ref: 'AWS::Partition' },
+        'dynamodb',
         { Ref: 'AWS::Region' },
         { Ref: 'AWS::AccountId' },
         `table/${tableName}`,
@@ -132,7 +138,9 @@ function getBatchPermissions() {
       'Fn::Join': [
         ':',
         [
-          'arn:aws:events',
+          'arn',
+          { Ref: 'AWS::Partition' },
+          'events',
           { Ref: 'AWS::Region' },
           { Ref: 'AWS::AccountId' },
           'rule/StepFunctionsGetEventsForBatchJobsRule',
@@ -159,7 +167,9 @@ function getEcsPermissions() {
       'Fn::Join': [
         ':',
         [
-          'arn:aws:events',
+          'arn',
+          { Ref: 'AWS::Partition' },
+          'events',
           { Ref: 'AWS::Region' },
           { Ref: 'AWS::AccountId' },
           'rule/StepFunctionsGetEventsForECSTaskRule',
@@ -188,7 +198,7 @@ function getLambdaPermissions(state) {
     const segments = functionName.split(':');
 
     let functionArns;
-    if (functionName.startsWith('arn:aws:lambda')) {
+    if (functionName.match(/^arn:aws(-[a-z]+)*:lambda/)) {
       // full ARN
       functionArns = [
         functionName,
@@ -197,17 +207,17 @@ function getLambdaPermissions(state) {
     } else if (segments.length === 3 && segments[0].match(/^\d+$/)) {
       // partial ARN
       functionArns = [
-        { 'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:${functionName}` },
-        { 'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:${functionName}:*` },
+        { 'Fn::Sub': `arn:\${AWS::Partition}:lambda:\${AWS::Region}:${functionName}` },
+        { 'Fn::Sub': `arn:\${AWS::Partition}:lambda:\${AWS::Region}:${functionName}:*` },
       ];
     } else {
       // name-only (with or without alias)
       functionArns = [
         {
-          'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:\${AWS::AccountId}:function:${functionName}`,
+          'Fn::Sub': `arn:\${AWS::Partition}:lambda:\${AWS::Region}:\${AWS::AccountId}:function:${functionName}`,
         },
         {
-          'Fn::Sub': `arn:aws:lambda:\${AWS::Region}:\${AWS::AccountId}:function:${functionName}:*`,
+          'Fn::Sub': `arn:\${AWS::Partition}:lambda:\${AWS::Region}:\${AWS::AccountId}:function:${functionName}:*`,
         },
       ];
     }
@@ -236,13 +246,13 @@ function getLambdaPermissions(state) {
       resource: [
         {
           'Fn::Sub': [
-            'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionArn}',
+            'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionArn}',
             { functionArn },
           ],
         },
         {
           'Fn::Sub': [
-            'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionArn}:*',
+            'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionArn}:*',
             { functionArn },
           ],
         },
@@ -282,7 +292,7 @@ function getStepFunctionsPermissions(state) {
     action: 'events:PutTargets,events:PutRule,events:DescribeRule',
     resource: {
       'Fn::Sub': [
-        'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule',
+        'arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule',
         {},
       ],
     },
@@ -296,15 +306,15 @@ function getCodeBuildPermissions(state) {
     action: 'codebuild:StartBuild,codebuild:StopBuild,codebuild:BatchGetBuilds',
     resource: {
       'Fn::Sub': [
-        `arn:aws:codebuild:$\{AWS::Region}:$\{AWS::AccountId}:project/${projectName}`,
+        `arn:\${AWS::Partition}:codebuild:$\{AWS::Region}:$\{AWS::AccountId}:project/${projectName}`,
         {},
       ],
     },
   }, {
     action: 'events:PutTargets,events:PutRule,events:DescribeRule',
     resource: {
       'Fn::Sub': [
-        'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventForCodeBuildStartBuildRule',
+        'arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventForCodeBuildStartBuildRule',
         {},
       ],
     },
@@ -319,7 +329,7 @@ function getSageMakerPermissions(state) {
       action: 'sagemaker:CreateTransformJob,sagemaker:DescribeTransformJob,sagemaker:StopTransformJob',
       resource: {
         'Fn::Sub': [
-          `arn:aws:sagemaker:$\{AWS::Region}:$\{AWS::AccountId}:transform-job/${transformJobName}*`,
+          `arn:\${AWS::Partition}:sagemaker:$\{AWS::Region}:$\{AWS::AccountId}:transform-job/${transformJobName}*`,
           {},
         ],
       },
@@ -332,7 +342,7 @@ function getSageMakerPermissions(state) {
       action: 'events:PutTargets,events:PutRule,events:DescribeRule',
       resource: {
         'Fn::Sub': [
-          'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForSageMakerTransformJobsRule',
+          'arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForSageMakerTransformJobsRule',
           {},
         ],
       },
@@ -352,7 +362,7 @@ function getEventBridgePermissions(state) {
       action: 'events:PutEvents',
       resource: [...eventBuses].map(eventBus => ({
         'Fn::Sub': [
-          'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBus}',
+          'arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBus}',
           { eventBus },
         ],
       })),
@@ -399,7 +409,8 @@ function consolidatePermissionsByResource(permissions) {
 
 function getIamPermissions(taskStates) {
   return _.flatMap(taskStates, (state) => {
-    switch (state.Resource) {
+    const resourceName = typeof state.Resource === 'string' ? state.Resource.replace(/^arn:aws(-[a-z]+)*:/, 'arn:aws:') : state.Resource;
+    switch (resourceName) {
       case 'arn:aws:states:::sqs:sendMessage':
       case 'arn:aws:states:::sqs:sendMessage.waitForTaskToken':
         return getSqsPermissions(this.serverless, state);
@@ -452,7 +463,7 @@ function getIamPermissions(taskStates) {
         return getEventBridgePermissions(state);
 
       default:
-        if (isIntrinsic(state.Resource) || state.Resource.startsWith('arn:aws:lambda')) {
+        if (isIntrinsic(state.Resource) || !!state.Resource.match(/arn:aws(-[a-z]+)*:lambda/)) {
           const trimmedArn = trimAliasFromLambdaArn(state.Resource);
           const functionArn = translateLocalFunctionNames.bind(this)(trimmedArn);
           return [{