${AWS::Partition} will always resolve to aws regardless of the partition its in.

[liamquilter-gen]

Hey,
On a deeper look at the changes just made in #660
Specifically on,
https://github.com/serverless-operations/serverless-step-functions/blob/master/lib/deploy/stepFunctions/compileIamRole.js#L743
Am I right to assume this will always resolve to aws, even when we are in a different partition like aws-cn or aws-eusc.

Maybe something like this is needed to ensure that it resolves to the correct partition.

function getCurrentPartition() {
  // From environment variable set by deployment
  if (process.env.AWS_PARTITION) {
    return process.env.AWS_PARTITION;
  }
  
  // Or detect from AWS region
  const region = process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION;
  if (region?.startsWith('cn-')) return 'aws-cn';
  if (region?.startsWith('us-gov-')) return 'aws-us-gov';
  return 'aws';
}

function getIamPermissions(taskStates, partition = getCurrentPartition()) {
  return _.flatMap(taskStates, (state) => {
    const resourceName = typeof state.Resource === 'string'
      ? state.Resource.replace(/\$\{AWS::Partition\}/g, partition)
      : state.Resource;
    
    switch (resourceName) {
      case `arn:${partition}:states:::states:startExecution.sync`:
        // ...
    }
  });
}

Or something more appropriate, bare in mind not able to deploy to any of these AWS Partitions as of yet so testing ourselves is difficult.

[zirkelc]

The resourceName is only normalized for the following switch statement to find the right actions:

serverless-step-functions/lib/deploy/stepFunctions/compileIamRole.js

Lines 742 to 746 in e0434ac

	const resourceName = typeof state.Resource === 'string'
	? state.Resource.replace(/^arn:(aws(-[a-z]+)*|\$\{AWS::Partition\}):/, 'arn:aws:')
	: state.Resource;
	switch (resourceName) {
	case 'arn:aws:states:::sqs:sendMessage':

The actually IAM permissions come from the functions which are using the ${AWS::Partition} partition:

serverless-step-functions/lib/deploy/stepFunctions/compileIamRole.js

Lines 133 to 146 in e0434ac

	return {
	'Fn::Join': [
	':',
	[
	'arn',
	{ Ref: 'AWS::Partition' },
	'dynamodb',
	{ Ref: 'AWS::Region' },
	{ Ref: 'AWS::AccountId' },
	`table/${tableName}`,
	],
	],
	};
	}

However, it is a bit unambiguous when state.Resource is not a string. In this case it will go to the switch default case which does not handle the partition yet:

serverless-step-functions/lib/deploy/stepFunctions/compileIamRole.js

Lines 842 to 857 in e0434ac

	default:
	if (isIntrinsic(state.Resource) || !!state.Resource.match(/arn:aws(-[a-z]+)*:lambda/)) {
	const trimmedArn = trimAliasFromLambdaArn(state.Resource);
	const functionArn = translateLocalFunctionNames.bind(this)(trimmedArn);
	return [{
	action: 'lambda:InvokeFunction',
	resource: [
	functionArn,
	{ 'Fn::Sub': ['${functionArn}:*', { functionArn }] },
	],
	}];
	}
	logger.log('Cannot generate IAM policy statement for Task state', state);
	return [];
	}
	});

---

Could you share a small minimal example of your stack? Which IAM permission have the wrong partition?