refactor: added partition dynamic value

src/common/helpers/appsyncmergedapi-helper.ts

@@ -149,10 +149,10 @@ export function setMergedApiRole(mergedApiID: String, sourceApiId: String, merge
       actions: ['appsync:SourceGraphQL',
         'appsync:StartSchemaMerge'],
       resources: [
-        'arn:aws:appsync:' + Aws.REGION + ':' + Aws.ACCOUNT_ID
+        'arn:' + Aws.PARTITION + ':appsync:' + Aws.REGION + ':' + Aws.ACCOUNT_ID
            + ':apis/' + sourceApiId + '/*',
-        'arn:aws:appsync:'+ Aws.REGION+':'+Aws.ACCOUNT_ID+':apis/'+mergedApiID+'/sourceApiAssociations/*',
-        'arn:aws:appsync:'+ Aws.REGION+':'+Aws.ACCOUNT_ID+':apis/'+sourceApiId+'/sourceApiAssociations/*',
+        'arn:' + Aws.PARTITION + ':appsync:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':apis/' + mergedApiID + '/sourceApiAssociations/*',
+        'arn:' + Aws.PARTITION + ':appsync:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':apis/' + sourceApiId + '/sourceApiAssociations/*',
       ],
     }),
   );

src/patterns/gen-ai/aws-langchain-common-layer/README.md

@@ -62,8 +62,8 @@ const lambdaRuntime = lambda.Runtime.PYTHON_3_10;
 // This is one way of getting a lambda powertools layer
 const powerToolsArn =
         lambdaArchitecture === lambda.Architecture.X86_64
-          ? `arn:aws:lambda:${cdk.Aws.REGION}:017000801446:layer:AWSLambdaPowertoolsPythonV2:42`
-          : `arn:aws:lambda:${cdk.Aws.REGION}:017000801446:layer:AWSLambdaPowertoolsPythonV2-Arm64:42`;
+          ? `arn:${Aws.PARTITION}:lambda:${Aws.REGION}:017000801446:layer:AWSLambdaPowertoolsPythonV2:42`
+          : `arn:${Aws.PARTITION}:lambda:${Aws.REGION}:017000801446:layer:AWSLambdaPowertoolsPythonV2-Arm64:42`;
 
 const lambdaDepsLayer = new LangchainCommonDepsLayer(this, 'lambdagenaidepslayer', {
         runtime: lambdaRuntime,

src/patterns/gen-ai/aws-qa-appsync-opensearch/README.md

@@ -56,14 +56,14 @@ Typescript
 
 ``` typescript
 import { Construct } from 'constructs';
-import { Stack, StackProps } from 'aws-cdk-lib';
+import { Stack, StackProps, Aws } from 'aws-cdk-lib';
 import * as os from 'aws-cdk-lib/aws-opensearchservice';
 import * as cognito from 'aws-cdk-lib/aws-cognito';
 import { QaAppsyncOpensearch, QaAppsyncOpensearchProps } from '@cdklabs/generative-ai-cdk-constructs';
 
 // get an existing OpenSearch provisioned cluster
 const osDomain = os.Domain.fromDomainAttributes(this, 'osdomain', {
-    domainArn: 'arn:aws:es:us-east-1:XXXXXX',
+    domainArn: 'arn:' + Aws.PARTITION + ':es:us-east-1:XXXXXX',
     domainEndpoint: 'https://XXXXX.us-east-1.es.amazonaws.com'
 });
 

src/patterns/gen-ai/aws-qa-appsync-opensearch/index.ts

@@ -424,7 +424,7 @@ export class QaAppsyncOpensearch extends Construct {
           'ec2:UnassignPrivateIpAddresses',
         ],
         resources: [
-          'arn:aws:ec2:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':*/*',
+          'arn:' + Aws.PARTITION + ':ec2:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':*/*',
         ],
       }),
     );
@@ -449,8 +449,8 @@ export class QaAppsyncOpensearch extends Construct {
         effect: iam.Effect.ALLOW,
         actions: ['s3:GetObject', 's3:GetObject*', 's3:GetBucket*', 's3:List*'],
         resources: [
-          'arn:aws:s3:::' + this.s3InputAssetsBucketInterface?.bucketName,
-          'arn:aws:s3:::' +
+          'arn:' + Aws.PARTITION + ':s3:::' + this.s3InputAssetsBucketInterface?.bucketName,
+          'arn:' + Aws.PARTITION + ':s3:::' +
             this.s3InputAssetsBucketInterface?.bucketName +
             '/*',
         ],
@@ -463,14 +463,14 @@ export class QaAppsyncOpensearch extends Construct {
           effect: iam.Effect.ALLOW,
           actions: ['es:*'],
           resources: [
-            'arn:aws:es:' +
+            'arn:' + Aws.PARTITION + ':es:' +
               Aws.REGION +
               ':' +
               Aws.ACCOUNT_ID +
               ':domain/' +
               props.existingOpensearchDomain.domainName +
               '/*',
-            'arn:aws:es:' +
+            'arn:' + Aws.PARTITION + ':es:' +
               Aws.REGION +
               ':' +
               Aws.ACCOUNT_ID +
@@ -486,7 +486,7 @@ export class QaAppsyncOpensearch extends Construct {
         effect: iam.Effect.ALLOW,
         actions: ['aoss:APIAccessAll'],
         resources: [
-          'arn:aws:aoss:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':collection/'+props.openSearchIndexName,
+          'arn:' + Aws.PARTITION + ':aoss:' + Aws.REGION+':' + Aws.ACCOUNT_ID + ':collection/'+props.openSearchIndexName,
         ],
       }));
     }
@@ -500,8 +500,8 @@ export class QaAppsyncOpensearch extends Construct {
           'bedrock:InvokeModelWithResponseStream',
         ],
         resources: [
-          'arn:aws:bedrock:' + Aws.REGION + '::foundation-model',
-          'arn:aws:bedrock:' + Aws.REGION + '::foundation-model/*',
+          'arn:' + Aws.PARTITION + ':bedrock:' + Aws.REGION + '::foundation-model',
+          'arn:' + Aws.PARTITION + ':bedrock:' + Aws.REGION + '::foundation-model/*',
         ],
       }),
     );
@@ -571,7 +571,7 @@ export class QaAppsyncOpensearch extends Construct {
         effect: iam.Effect.ALLOW,
         actions: ['appsync:GraphQL'],
         resources: [
-          'arn:aws:appsync:' +
+          'arn:' + Aws.PARTITION + ':appsync:' +
             Aws.REGION +
             ':' +
             Aws.ACCOUNT_ID +

src/patterns/gen-ai/aws-rag-appsync-stepfn-opensearch/README.md

@@ -61,15 +61,15 @@ Here is a minimal deployable pattern definition:
 Typescript
 ``` typescript
 import { Construct } from 'constructs';
-import { Stack, StackProps } from 'aws-cdk-lib';
+import { Stack, StackProps, Aws } from 'aws-cdk-lib';
 import * as os from 'aws-cdk-lib/aws-opensearchservice';
 import * as cognito from 'aws-cdk-lib/aws-cognito';
 import { RagAppsyncStepfnOpensearch, RagAppsyncStepfnOpensearchProps } from '@cdklabs/generative-ai-cdk-constructs';
 
 // get an existing OpenSearch provisioned cluster in the same VPC as of RagAppsyncStepfnOpensearch construct 
 // Security group for the existing opensearch cluster should allow traffic on 443.
 const osDomain = os.Domain.fromDomainAttributes(this, 'osdomain', {
-    domainArn: 'arn:aws:es:us-east-1:XXXXXX',
+    domainArn: 'arn:' + Aws.PARTITION + ':es:us-east-1:XXXXXX',
     domainEndpoint: 'https://XXXXX.us-east-1.es.amazonaws.com'
 });
 

src/patterns/gen-ai/aws-rag-appsync-stepfn-opensearch/index.ts

@@ -455,7 +455,7 @@ export class RagAppsyncStepfnOpensearch extends Construct {
         'appsync:GraphQL',
       ],
       resources: [
-        'arn:aws:appsync:'+ Aws.REGION+':'+Aws.ACCOUNT_ID+':apis/'+updateGraphQlApiId+'/*',
+        'arn:' + Aws.PARTITION + ':appsync:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':apis/' + updateGraphQlApiId + '/*',
       ],
     }));
     // The lambda will pull documents from the input bucket, transform them, and upload
@@ -487,7 +487,7 @@ export class RagAppsyncStepfnOpensearch extends Construct {
         'ec2:UnassignPrivateIpAddresses',
       ],
       resources: [
-        'arn:aws:ec2:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':*/*',
+        'arn:' + Aws.PARTITION + ':ec2:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':*/*',
       ],
     }));
     // Decribe only works if it's allowed on all resources.
@@ -512,8 +512,8 @@ export class RagAppsyncStepfnOpensearch extends Construct {
           's3:List*',
         ],
         resources: [
-          'arn:aws:s3:::' + this.s3InputAssetsBucketInterface?.bucketName,
-          'arn:aws:s3:::' + this.s3InputAssetsBucketInterface?.bucketName + '/*',
+          'arn:' + Aws.PARTITION + ':s3:::' + this.s3InputAssetsBucketInterface?.bucketName,
+          'arn:' + Aws.PARTITION + ':s3:::' + this.s3InputAssetsBucketInterface?.bucketName + '/*',
         ],
       }),
     );
@@ -532,8 +532,8 @@ export class RagAppsyncStepfnOpensearch extends Construct {
           's3:PutObject',
           's3:GetObject*'],
         resources: [
-          'arn:aws:s3:::' + this.s3ProcessedAssetsBucketInterface?.bucketName,
-          'arn:aws:s3:::' + this.s3ProcessedAssetsBucketInterface?.bucketName + '/*',
+          'arn:' + Aws.PARTITION + ':s3:::' + this.s3ProcessedAssetsBucketInterface?.bucketName,
+          'arn:' + Aws.PARTITION + ':s3:::' + this.s3ProcessedAssetsBucketInterface?.bucketName + '/*',
         ],
       }),
     );
@@ -546,7 +546,7 @@ export class RagAppsyncStepfnOpensearch extends Construct {
         'appsync:GraphQL',
       ],
       resources: [
-        'arn:aws:appsync:'+ Aws.REGION+':'+Aws.ACCOUNT_ID+':apis/'+updateGraphQlApiId+'/*',
+        'arn:' + Aws.PARTITION + ':appsync:' + Aws.REGION+':' + Aws.ACCOUNT_ID + ':apis/' + updateGraphQlApiId + '/*',
       ],
     }));
 
@@ -614,7 +614,7 @@ export class RagAppsyncStepfnOpensearch extends Construct {
         'ec2:UnassignPrivateIpAddresses',
       ],
       resources: [
-        'arn:aws:ec2:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':*/*',
+        'arn:' + Aws.PARTITION + ':ec2:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':*/*',
       ],
     }));
     // Decribe only works if it's allowed on all resources.
@@ -639,8 +639,8 @@ export class RagAppsyncStepfnOpensearch extends Construct {
           's3:List*',
         ],
         resources: [
-          'arn:aws:s3:::' + this.s3ProcessedAssetsBucketInterface?.bucketName,
-          'arn:aws:s3:::' + this.s3ProcessedAssetsBucketInterface?.bucketName + '/*',
+          'arn:' + Aws.PARTITION + ':s3:::' + this.s3ProcessedAssetsBucketInterface?.bucketName,
+          'arn:' + Aws.PARTITION + ':s3:::' + this.s3ProcessedAssetsBucketInterface?.bucketName + '/*',
         ],
       }),
     );
@@ -650,8 +650,8 @@ export class RagAppsyncStepfnOpensearch extends Construct {
         effect: iam.Effect.ALLOW,
         actions: ['es:*'],
         resources: [
-          'arn:aws:es:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':domain/'+props.existingOpensearchDomain.domainName+'/*',
-          'arn:aws:es:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':domain/'+props.existingOpensearchDomain.domainName,
+          'arn:' + Aws.PARTITION + ':es:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':domain/'+props.existingOpensearchDomain.domainName + '/*',
+          'arn:' + Aws.PARTITION + ':es:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':domain/'+props.existingOpensearchDomain.domainName,
         ],
       }));
     }
@@ -661,7 +661,7 @@ export class RagAppsyncStepfnOpensearch extends Construct {
         effect: iam.Effect.ALLOW,
         actions: ['aoss:APIAccessAll'],
         resources: [
-          'arn:aws:aoss:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':collection/'+props.openSearchIndexName,
+          'arn:' + Aws.PARTITION + ':aoss:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':collection/' + props.openSearchIndexName,
         ],
       }));
     }
@@ -671,8 +671,8 @@ export class RagAppsyncStepfnOpensearch extends Construct {
       effect: iam.Effect.ALLOW,
       actions: ['bedrock:*'],
       resources: [
-        'arn:aws:bedrock:'+Aws.REGION+'::foundation-model',
-        'arn:aws:bedrock:'+Aws.REGION+'::foundation-model/*',
+        'arn:' + Aws.PARTITION + ':bedrock:' + Aws.REGION + '::foundation-model',
+        'arn:' + Aws.PARTITION + ':bedrock:' + Aws.REGION + '::foundation-model/*',
       ],
     }));
 
@@ -740,7 +740,7 @@ export class RagAppsyncStepfnOpensearch extends Construct {
         'appsync:GraphQL',
       ],
       resources: [
-        'arn:aws:appsync:'+ Aws.REGION+':'+Aws.ACCOUNT_ID+':apis/'+updateGraphQlApiId+'/*',
+        'arn:' + Aws.PARTITION + ':appsync:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':apis/' + updateGraphQlApiId + '/*',
       ],
     }));
 

src/patterns/gen-ai/aws-summarization-appsync-stepfn/index.ts

@@ -460,7 +460,7 @@ export class SummarizationAppsyncStepfn extends Construct {
         'ec2:UnassignPrivateIpAddresses',
       ],
       resources: [
-        'arn:aws:ec2:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':*/*',
+        'arn:' + Aws.PARTITION + ':ec2:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':*/*',
       ],
     }));
     // Decribe only works if it's allowed on all resources.
@@ -483,9 +483,9 @@ export class SummarizationAppsyncStepfn extends Construct {
           's3:ListBucket',
           'appsync:GraphQL'],
 
-        resources: ['arn:aws:s3:::' + inputAssetBucketName + '/*',
-          'arn:aws:s3:::' + transformedAssetBucketName+ '/*',
-          'arn:aws:appsync:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':apis/'+updateGraphQlApiId+ '/*'],
+        resources: ['arn:' + Aws.PARTITION + ':s3:::' + inputAssetBucketName + '/*',
+          'arn:' + Aws.PARTITION + ':s3:::' + transformedAssetBucketName + '/*',
+          'arn:' + Aws.PARTITION + ':appsync:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':apis/'+updateGraphQlApiId + '/*'],
       }),
     );
 
@@ -546,7 +546,7 @@ export class SummarizationAppsyncStepfn extends Construct {
         'ec2:UnassignPrivateIpAddresses',
       ],
       resources: [
-        'arn:aws:ec2:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':*/*',
+        'arn:' + Aws.PARTITION + ':ec2:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':*/*',
       ],
     }));
     // Decribe only works if it's allowed on all resources.
@@ -569,9 +569,9 @@ export class SummarizationAppsyncStepfn extends Construct {
           's3:ListBucket',
           's3:PutObject',
           'appsync:GraphQL'],
-        resources: ['arn:aws:s3:::' + inputAssetBucketName+ '/*',
-          'arn:aws:s3:::' + transformedAssetBucketName+ '/*',
-          'arn:aws:appsync:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':apis/'+updateGraphQlApiId+ '/*'],
+        resources: ['arn:' + Aws.PARTITION + ':s3:::' + inputAssetBucketName + '/*',
+          'arn:' + Aws.PARTITION + ':s3:::' + transformedAssetBucketName + '/*',
+          'arn:' + Aws.PARTITION + ':appsync:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':apis/' + updateGraphQlApiId + '/*'],
       }),
     );
 
@@ -637,7 +637,7 @@ export class SummarizationAppsyncStepfn extends Construct {
         'ec2:UnassignPrivateIpAddresses',
       ],
       resources: [
-        'arn:aws:ec2:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':*/*',
+        'arn:' + Aws.PARTITION + ':ec2:' + Aws.REGION + ':' + Aws.ACCOUNT_ID + ':*/*',
       ],
     }));
     // Decribe only works if it's allowed on all resources.
@@ -662,10 +662,10 @@ export class SummarizationAppsyncStepfn extends Construct {
           'appsync:GraphQL',
           'bedrock:InvokeModel',
           'bedrock:InvokeModelWithResponseStream'],
-        resources: ['arn:aws:s3:::' + inputAssetBucketName+ '/*',
-          'arn:aws:s3:::' + transformedAssetBucketName+ '/*',
-          'arn:aws:appsync:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':apis/'+updateGraphQlApiId+ '/*',
-          'arn:aws:bedrock:'+Aws.REGION+'::foundation-model/*'],
+        resources: ['arn:' + Aws.PARTITION +':s3:::' + inputAssetBucketName + '/*',
+          'arn:' + Aws.PARTITION + ':s3:::' + transformedAssetBucketName + '/*',
+          'arn:' + Aws.PARTITION + ':appsync:'+ Aws.REGION +':' + Aws.ACCOUNT_ID + ':apis/' + updateGraphQlApiId + '/*',
+          'arn:' + Aws.PARTITION + ':bedrock:'+ Aws.REGION +'::foundation-model/*'],
 
       }),
     );

test/patterns/gen-ai/aws-qa-appsync-opensearch/aws-qa-appsync-opensearch.test.ts

@@ -35,7 +35,7 @@ describe('QA Appsync Open search construct', () => {
     });
 
     const osDomain = os.Domain.fromDomainAttributes(qaTestStack, 'osdomain', {
-      domainArn: 'arn:aws:es:region:account:domain/',
+      domainArn: 'arn:' + cdk.Aws.PARTITION + ':es:region:account:domain/',
       domainEndpoint: 'https://osendppint.amazon.aws.com',
     });
 

test/patterns/gen-ai/aws-rag-appsync-stepfn-opensearch/aws-rag-appsync-stepfn-opensearch.test.ts

@@ -55,7 +55,7 @@ describe('RAG Appsync Stepfn Open search construct', () => {
     );
 
     const osDomain = os.Domain.fromDomainAttributes(ragTestStack, 'osdomain', {
-      domainArn: 'arn:aws:es:region:account:domain/',
+      domainArn: 'arn:' + cdk.Aws.PARTITION + ':es:region:account:domain/',
       domainEndpoint: 'https://osendppint.amazon.aws.com',
     });