[PR #104] [MERGED] fix: non-commercial partition and region support in access-denied #239

Closed
opened 2026-03-15 11:55:02 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/awslabs/iam-policy-autopilot/pull/104
Author: @C85297
Created: 1/14/2026
Status: Merged
Merged: 1/23/2026
Merged by: @mschlaipfer

Base: main ← Head: autopilot-access-denied-handle-non-commercial-partitions-and-regions


📝 Commits (1)

  • 8a6078f fix: non-commercial partition and region support in access-denied

📊 Changes

2 files changed (+217 additions, -46 deletions)

📝 iam-policy-autopilot-access-denied/src/lib.rs (+30 -0)
📝 iam-policy-autopilot-access-denied/src/parsing/utils.rs (+187 -46)

📄 Description

Autopilot fix-access-denied currently does not support non-commercial AWS partitions and regions, such as US Gov Cloud and the EU Sovereign Cloud.

I've updated the code to assume a partition beginning with `aws-` is a valid non-commercial AWS partition, and to handle these as far as possible. In cases where we are unable to detect what the relevant partition is, I've updated the code to output resources with a wildcard `*` in the partition part of the ARN. This will ensure the policy changes work across any partition. I've also updated and expanded the test coverage in this area.

Note: I updated the use of `OnceLock` to a `LazyLock`. This reduces code duplication as the initialisation code only needs to be specified once.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
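The partition handling the description outlines, as an added example that is not code from the PR or from iam-policy-autopilot: a partition is read from the first ARN in an access-denied message, and `*` is emitted in the partition field when none is found. The function names, the character check after `aws-` and the sample messages are assumptions constructed for illustration.

```rust
// Added illustration; names and sample inputs are hypothetical, not the project's code.

/// Accept the commercial partition `aws`, or `aws-` followed by a non-empty
/// run of lowercase letters, digits or hyphens (the character set is an assumption).
fn is_aws_partition(p: &str) -> bool {
    p == "aws"
        || p.strip_prefix("aws-").is_some_and(|s| {
            !s.is_empty()
                && s.chars().all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '-')
        })
}

/// Return the partition of the first well-formed `arn:<partition>:` token in the message.
fn detect_partition(message: &str) -> Option<&str> {
    message.match_indices("arn:").find_map(|(i, _)| {
        // Skip matches inside a longer word such as "warn:".
        if i > 0 && message.as_bytes()[i - 1].is_ascii_alphanumeric() {
            return None;
        }
        let partition = message[i + 4..].split(':').next()?;
        is_aws_partition(partition).then_some(partition)
    })
}

/// Build a resource ARN, using `*` for the partition when none was detected.
fn resource_arn(message: &str, service: &str, region: &str, account: &str, resource: &str) -> String {
    let partition = detect_partition(message).unwrap_or("*");
    format!("arn:{partition}:{service}:{region}:{account}:{resource}")
}

fn main() {
    // Constructed access-denied messages.
    let samples = [
        "User: arn:aws-us-gov:iam::111122223333:user/dev is not authorized to perform: s3:GetObject",
        "User: arn:aws:iam::111122223333:user/dev is not authorized to perform: s3:GetObject",
        "AccessDenied: not authorized to perform: s3:GetObject",
    ];
    for msg in samples {
        println!("{}", resource_arn(msg, "s3", "", "", "example-bucket/key"));
    }
}
```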
