From 0d4bb49f59d116c334f10770ad0d515138040039 Mon Sep 17 00:00:00 2001 From: Zach Goldberg Date: Mon, 13 Apr 2026 12:14:43 -0700 Subject: [PATCH] Add aws_partition field to aws_oidc block documentation Documents the new optional aws_partition config field that allows Pipelines to target non-commercial AWS partitions (aws-cn, aws-us-gov) explicitly, rather than relying solely on region-based inference. --- .../pipelines/tutorials/deploying-to-aws-gov-cloud.mdx | 2 +- .../reference/pipelines/configurations-as-code/api.mdx | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/2.0/docs/pipelines/tutorials/deploying-to-aws-gov-cloud.mdx b/docs/2.0/docs/pipelines/tutorials/deploying-to-aws-gov-cloud.mdx index 5a097447f..f71875c77 100644 --- a/docs/2.0/docs/pipelines/tutorials/deploying-to-aws-gov-cloud.mdx +++ b/docs/2.0/docs/pipelines/tutorials/deploying-to-aws-gov-cloud.mdx 
@@ -40,7 +40,7 @@ This tutorial should take approximately 30 minutes to complete. Adding a new GovCloud account to Gruntwork Pipelines, similar to a regular AWS account, requires bootstrapping Pipelines's ability to authenticate with AWS and assume appropriate IAM roles. A key distinction for GovCloud accounts is that the AWS partition is `aws-us-gov` instead of `aws`. This guide will walk you through executing a template to generate Terragrunt code for an OIDC Provider and IAM roles, configured to use the `aws-us-gov` partition, and then plan/applying that code to authorize pipelines. We'll then create a new S3 bucket in the GovCloud account and verify the bucket was created successfully by Gruntwork Pipelines. Fundamentally, there are three places where the GovCloud partition must be set: -1. The `aws-us-gov` partition must be present in the ARN for the plan/apply roles configured in [aws_oidc](/2.0/reference/pipelines/configurations-as-code/api#aws_oidc-block-attributes) block for the account, typically in the `.gruntwork/`.hcl file. +1. The `aws-us-gov` partition must be present in the ARN for the plan/apply roles configured in the [aws_oidc](/2.0/reference/pipelines/configurations-as-code/api#aws_oidc-block-attributes) block for the account, typically in the `.gruntwork/`.hcl file. The [`aws_partition`](/2.0/reference/pipelines/configurations-as-code/api#aws_oidc-block-attributes) field must also be set to `aws-us-gov` in the same block. 2. A valid GovCloud region must be present in the `/_global/region.hcl` file 3. The `aws-us-gov` partition in the plan/apply IAM policies in the `/_global/pipelines-plan-role/terragrunt.hcl` and `/_global/pipelines-apply-role/terragrunt.hcl` files diff --git a/docs/2.0/reference/pipelines/configurations-as-code/api.mdx b/docs/2.0/reference/pipelines/configurations-as-code/api.mdx index 548cd150a..28cda37fd 100644 --- a/docs/2.0/reference/pipelines/configurations-as-code/api.mdx 
+++ b/docs/2.0/reference/pipelines/configurations-as-code/api.mdx @@ -433,6 +433,15 @@ The duration in seconds that the AWS session will be valid for. + + + +The AWS partition to use when constructing IAM role ARNs. Must be one of `aws`, `aws-cn`, or `aws-us-gov`. Required when using a role name override (e.g. via the `AWSRoleName` workflow parameter) in non-commercial AWS partitions such as GovCloud or China. + + + + + ### `azure_oidc` block attributes
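Review bot: In the `deploying-to-aws-gov-cloud.mdx` hunk, the new sentence in item 1 says `aws_partition` "must also be set to `aws-us-gov`", which conflicts with the rest of this patch. The commit message calls the field optional, and the `api.mdx` text says it is required only when using a role name override. Suggest wording the tutorial to match, for example stating that the field is needed when a role name override such as `AWSRoleName` is used and is otherwise recommended so the partition is explicit. Item 1 now also covers two separate settings (the partition in the role ARN and the `aws_partition` field) while the lead-in still says "three places", so consider splitting it into its own list item and updating the count. A reader who sets only one of the two could otherwise end up with the role ARN and the partition field disagreeing.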
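Review bot: In the `api.mdx` hunk, the added description of `aws_partition` does not say what happens when the field is omitted. The commit message describes it as optional and mentions region-based inference as the existing behaviour, but neither the default nor that fallback appears in the reference text. Suggest adding a sentence that states the field is optional and how the partition is determined when it is unset. It would also help to document which value wins when `aws_partition` disagrees with the partition already embedded in a full role ARN in the same `aws_oidc` block, or that such a mismatch is rejected, since an ambiguous partition changes which IAM role the OIDC session tries to assume.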