
Provider-AWS does not support GovCloud Partition IDs #1837

Closed
rsavage-nozominetworks opened this issue Aug 8, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@rsavage-nozominetworks

What happened?

I have multiple AWS accounts, some in the regular Commercial regions, and some in the Gov Cloud regions. All of my composite resources create as expected in the Commercial regions. As for the ones in the Gov Cloud regions, I am seeing issues where certain AWS resources aren't able to create due to improper partition ids. In this example, I am attempting to create a SNS topic which will alert for relative issues. I am providing my provider and controller configs below.

How can we reproduce it?

Original provider configuration (before any attempts to troubleshoot):

apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"aws.upbound.io/v1beta1","kind":"ProviderConfig","metadata":{"annotations":{},"name":"default"},"spec":{"credentials":{"source":"IRSA"}}}
  finalizers:
  - in-use.crossplane.io
  generation: 1
  name: default
spec:
  credentials:
    source: IRSA
status:
  users: 9

An updated provider configuration (after trying to troubleshoot):

apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"aws.upbound.io/v1beta1","kind":"ProviderConfig","metadata":{"annotations":{},"name":"default"},"spec":{"credentials":{"source":"IRSA"}}}
  finalizers:
  - in-use.crossplane.io
  generation: 2
  name: default
spec:
  credentials:
    source: IRSA
  endpoint:
    partitionId: aws-us-gov
    url:
      dynamic:
        host: amazonaws-us-gov.com
        protocol: https
      type: Dynamic
status:
  users: 9

Here is my current ControllerConfig. Notice: I added the env variables for AWS_REGION and AWS_DEFAULT_REGION as recommended by other related issues.

apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws-us-gov:iam::REDACTED:role/REDACTED-crossplane
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"pkg.crossplane.io/v1alpha1","kind":"ControllerConfig","metadata":{"annotations":{"eks.amazonaws.com/role-arn":"arn:aws-us-gov:iam::REDACTED:role/REDACTED-crossplane"},"name":"aws-config"},"spec":{"podSecurityContext":{"fsGroup":2000}}}
  generation: 5
  name: aws-config
spec:
  args:
  - --debug
  env:
  - name: AWS_REGION
    value: us-gov-east-1
  - name: AWS_DEFAULT_REGION
    value: us-gov-east-1
  podSecurityContext:
    fsGroup: 2000

When I run the controller with DEBUG enabled, I see the following error during SNS topic creation in Gov Cloud:

2023-08-08T17:00:42Z	DEBUG	events	cannot run refresh: refresh failed: reading SNS Topic (arn:aws:sns:us-gov-east-1:REDACTED:REDACTED-notifications-topic): InvalidParameter: Invalid parameter: TopicArn Reason: A us-gov-east-1 ARN must begin with arn:aws-us-gov, not arn:aws:sns:us-gov-east-1:REDACTED:REDACTED-notifications-topic

So from the logs above, it's clear that the provider is trying to use an unsupported ARN in Gov Cloud due to the incorrect partition id. I'd like to know if there is a way to configure that partition id or is this something the developers need to change to properly support Gov Cloud?

Thanks.

What environment did it happen in?

Environment: AWS GovCloud US-GOV-EAST-1
Crossplane version: 1.13.1
Provider version: v0.37.0

@rsavage-nozominetworks rsavage-nozominetworks added the bug Something isn't working label Aug 8, 2023
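The error in the log above is a partition mismatch: an ARN built for a us-gov-east-1 resource carries the commercial `aws` partition instead of `aws-us-gov`. The following is an added example, not code from the issue or from provider-aws, that shows the check a reviewer can run over a controller log or a set of ARNs before debugging further. It assumes a hand-written region-prefix to partition table covering only the commercial, China and GovCloud partitions, and the sample log line and account id in it are constructed (the reporter's redacted values are replaced with a placeholder account).

```python
"""Check that AWS ARNs carry the partition that matches their region.

Added example, not part of the issue or of provider-aws. The partition
table is an assumption covering only the aws, aws-cn and aws-us-gov
partitions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Region-prefix -> partition id. Assumption: only these partitions exist
# for the purposes of this check; any region not listed is commercial.
_PARTITION_BY_REGION_PREFIX = (
    ("us-gov-", "aws-us-gov"),
    ("cn-", "aws-cn"),
)
_DEFAULT_PARTITION = "aws"
_KNOWN_PARTITIONS = {p for _, p in _PARTITION_BY_REGION_PREFIX} | {_DEFAULT_PARTITION}

# An ARN has at least five ':' separators; the resource part may contain more.
_ARN_RE = re.compile(r"arn:[^\s:()]*:[^\s:()]*:[^\s:()]*:[^\s:()]*:[^\s()]+")


def partition_for_region(region: str) -> str:
    """Return the partition id a region belongs to (e.g. us-gov-east-1 -> aws-us-gov)."""
    for prefix, partition in _PARTITION_BY_REGION_PREFIX:
        if region.startswith(prefix):
            return partition
    return _DEFAULT_PARTITION


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account:resource into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    return Arn(partition, service, region, account, resource)


def check_arn_partition(arn: str) -> Optional[str]:
    """Return None if the ARN's partition matches its region, else a message.

    Global services such as IAM carry an empty region, so their ARNs can only
    be checked for a known partition, not for region agreement.
    """
    parsed = parse_arn(arn)
    if parsed.partition not in _KNOWN_PARTITIONS:
        return f"unknown partition {parsed.partition!r} in {arn}"
    if not parsed.region:
        return None
    expected = partition_for_region(parsed.region)
    if parsed.partition != expected:
        return (f"A {parsed.region} ARN must begin with arn:{expected}, "
                f"not arn:{parsed.partition}: {arn}")
    return None


def fix_arn_partition(arn: str) -> str:
    """Rewrite the partition field to the one implied by the ARN's region."""
    parsed = parse_arn(arn)
    if not parsed.region:
        return arn
    expected = partition_for_region(parsed.region)
    return f"arn:{expected}:{parsed.service}:{parsed.region}:{parsed.account}:{parsed.resource}"


def scan_log_for_arn_mismatches(log_text: str) -> List[str]:
    """Find every distinct ARN in log text and report partition mismatches."""
    findings: List[str] = []
    seen = set()
    for arn in _ARN_RE.findall(log_text):
        if arn in seen:
            continue
        seen.add(arn)
        try:
            problem = check_arn_partition(arn)
        except ValueError:
            continue  # not a well-formed ARN, skip it
        if problem:
            findings.append(problem)
    return findings


# Constructed sample log line modelled on the issue's debug output; the
# account id 123456789012 and topic name are placeholders.
SAMPLE_LOG = (
    "2023-08-08T17:00:42Z\tDEBUG\tevents\tcannot run refresh: refresh failed: "
    "reading SNS Topic (arn:aws:sns:us-gov-east-1:123456789012:example-topic): "
    "InvalidParameter: Invalid parameter: TopicArn Reason: A us-gov-east-1 ARN "
    "must begin with arn:aws-us-gov, not "
    "arn:aws:sns:us-gov-east-1:123456789012:example-topic"
)

if __name__ == "__main__":
    for finding in scan_log_for_arn_mismatches(SAMPLE_LOG):
        print(finding)
    print(fix_arn_partition("arn:aws:sns:us-gov-east-1:123456789012:example-topic"))
```

Running the block against the sample log reports the one mismatched SNS ARN and prints its corrected `arn:aws-us-gov:` form; the same scan can be pointed at the real controller output, and the role ARN in the ControllerConfig passes because IAM ARNs have no region to compare against.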
@haarchri
Member

haarchri commented Aug 8, 2023

Please add this issue to upbound/provider-aws, thanks.

@haarchri haarchri closed this as completed Aug 8, 2023