[PR #103] [MERGED] fix: support eu sovereign cloud #235

Closed
opened 2026-03-15 11:55:01 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/awslabs/iam-policy-autopilot/pull/103
Author: @C85297
Created: 1/14/2026
Status: Merged
Merged: 2/4/2026
Merged by: @mschlaipfer

Base: main ← Head: policy-gen-support-eusc-partition


📝 Commits (5)

  • 43abbb7 fix: support eu sovereign cloud
  • e844436 Merge branch 'main' into policy-gen-support-eusc-partition
  • e2659eb CHANGELOG
  • 306fda4 Merge branch 'main' into policy-gen-support-eusc-partition
  • e89055c Merge branch 'main' into policy-gen-support-eusc-partition

📊 Changes

7 files changed (+302 additions, -30 deletions)

View changed files

📝 CHANGELOG.md (+4 -0)
📝 iam-policy-autopilot-cli/src/main.rs (+1 -1)
📝 iam-policy-autopilot-cli/tests/integration_tests.rs (+133 -0)
📝 iam-policy-autopilot-mcp-server/src/tools/generate_policy.rs (+1 -1)
📝 iam-policy-autopilot-policy-generation/build.rs (+57 -0)
📝 iam-policy-autopilot-policy-generation/src/api/model.rs (+53 -28)
📝 iam-policy-autopilot-policy-generation/src/embedded_data.rs (+53 -0)

📄 Description

Currently, `AwsContext` uses some heuristics to guess the corresponding partition for a given region. This is not ideal as it requires manual fixes when new partitions are created by AWS. The new EU Sovereign Cloud partition is not recognised by the heuristics.

I updated `AwsContext` to pull in botocore's `partitions.json` file. This file provides a region regex for each partition, which we can use to check if a region is in a given partition. This ensures we can automatically support new partitions without any work as soon as they are added to botocore.

Note: the existing code would assume unknown regions are in the `aws` partition. I would suggest this is not sensible behaviour - if we have the `aws` partition's region regex and know it doesn't match, then it is more likely that the region is either invalid or in a partition we are not aware of yet. In both those cases, I would say it would be a better idea to exit with an error, which I've implemented.

The code does not cache the parsed partitions data, so multiple invocations of `AwsContext::new` will be unnecessarily expensive. Since `AwsContext::new` is only invoked once during the CLI's execution, and no more than once during an MCP call, I decided to keep the code simple. I can change this if you'd prefer.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
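
Added example, not code from the PR or the project: a Python sketch (the project itself is Rust) of the regex-driven region-to-partition lookup the description outlines, failing closed when a region matches no partition. The JSON excerpt, its field names and values, and every function name here are assumptions constructed for illustration.

```python
import json
import re

# Constructed excerpt shaped like botocore's partitions.json. The field names
# ("partitions", "id", "regionRegex") and values are assumptions for this sketch.
PARTITIONS_JSON = r"""
{"partitions": [
  {"id": "aws",        "regionRegex": "^(us|eu|ap|sa|ca|me|af|il|mx)\\-\\w+\\-\\d+$"},
  {"id": "aws-cn",     "regionRegex": "^cn\\-\\w+\\-\\d+$"},
  {"id": "aws-us-gov", "regionRegex": "^us\\-gov\\-\\w+\\-\\d+$"},
  {"id": "aws-eusc",   "regionRegex": "^eusc\\-(de)\\-\\w+\\-\\d+$"}
]}
"""


class UnknownRegionError(ValueError):
    """Region matched no partition (or more than one): refuse to guess."""


def load_partitions(raw):
    # re.ASCII keeps \w and \d from accepting non-ASCII letters and digits.
    return [(p["id"], re.compile(p["regionRegex"], re.ASCII))
            for p in json.loads(raw)["partitions"]]


def resolve_partition(region, partitions, fallback=None):
    # fullmatch rejects "us-east-1\n", which "$" alone would let through.
    hits = [pid for pid, rx in partitions if rx.fullmatch(region)]
    if len(hits) == 1:
        return hits[0]
    if fallback is not None:  # old behaviour the PR removes: assume "aws"
        return fallback
    raise UnknownRegionError(f"cannot map region {region!r} to a partition: {hits}")


def table_arn(region, account, table, partitions):
    # Hypothetical helper: the partition is the second field of every ARN,
    # so a wrong guess yields a policy resource that matches nothing.
    partition = resolve_partition(region, partitions)
    return f"arn:{partition}:dynamodb:{region}:{account}:table/{table}"


PARTITIONS = load_partitions(PARTITIONS_JSON)

if __name__ == "__main__":
    for r in ("us-east-1", "us-gov-west-1", "eusc-de-east-1"):
        print(table_arn(r, "123456789012", "orders", PARTITIONS))
    print(resolve_partition("xx-nowhere-1", PARTITIONS, fallback="aws"))
```

The `fallback` parameter exists only to contrast the default-to-`aws` behaviour the description argues against with the error path it introduces.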
