From 4c4014e0bd3fa90402cfc22971f1cbe5d372642f Mon Sep 17 00:00:00 2001
From: Kaizen Conroy <36202692+kaizencc@users.noreply.github.com>
Date: Thu, 11 May 2023 12:51:52 -0400
Subject: [PATCH] fix(bootstrap): bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#25540)
**NOTE**: This PR bumps the version of the bootstrap stack to 18, but there is no need to update your bootstrap stacks as this PR changes no functionality. We are reverting #24588 because it includes hardcoded partitions in the bootstrap causing the `p0` in #25272. Including intrinsics `${AWS::Partition}` here is impossible. In addition, #24588 was reported to not actually fix the Security Hub finding: https://github.com/aws/aws-cdk/issues/19380#issuecomment-1512009270. Although this is a revert, I am rolling forward the bootstrap version to 18. reverts #24588. fixes #25272. see #25273 & #25507. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../lib/api/bootstrap/bootstrap-template.yaml | 45 +++++++------------
 1 file changed, 15 insertions(+), 30 deletions(-)
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index 4d8a4d1dcce64..321a5fdd76089 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -473,35 +473,20 @@ Resources:
 StringNotEquals:
 s3:ResourceAccount:
 Ref: 'AWS::AccountId'
- - Fn::If:
- - HasTrustedAccounts
- - Sid: PipelineCrossAccountArtifactsKey
- # Use keys only for the purposes of reading encrypted files from S3.
- Effect: Allow
- Action:
- - kms:Decrypt
- - kms:DescribeKey
- - kms:Encrypt
- - kms:ReEncrypt*
- - kms:GenerateDataKey*
- # SecurityHub's rule KMS.2 complains if we put a '*' here, so instead we'll
- # turn the list of trusted accountIds ['111', '222', ...] into a list of
- # wildcard ARNS: ['arn:aws:kms:*:1111:*', 'arn:aws:kms:*:2222:*', ...].
- Resource:
- Fn::Split:
- - "|"
- - Fn::Sub:
- - "arn:aws:kms:*:${JoinedAccounts}:*"
- - JoinedAccounts:
- Fn::Join:
- - ":*|arn:aws:kms:*:"
- - { Ref: TrustedAccounts }
- Condition:
- StringEquals:
- kms:ViaService:
- Fn::Sub: s3.${AWS::Region}.amazonaws.com
- - { Ref: AWS::NoValue }
+ - Sid: PipelineCrossAccountArtifactsKey
+ # Use keys only for the purposes of reading encrypted files from S3.
+ Effect: Allow
+ Action:
+ - kms:Decrypt
+ - kms:DescribeKey
+ - kms:Encrypt
+ - kms:ReEncrypt*
+ - kms:GenerateDataKey*
+ Resource: "*"
+ Condition:
+ StringEquals:
+ kms:ViaService:
+ Fn::Sub: s3.${AWS::Region}.amazonaws.com
 - Action: iam:PassRole
 Resource:
 Fn::Sub: "${CloudFormationExecutionRole.Arn}"
@@ -633,7 +618,7 @@ Resources:
 Type: String
 Name:
 Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
- Value: '17'
+ Value: '18'
 Outputs:
 BucketName:
 Description: The name of the S3 bucket owned by the CDK toolkit stack
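Review bot: The restored `Resource: "*"` on the PipelineCrossAccountArtifactsKey statement carries no comment explaining why the wildcard is deliberate, so the next reader chasing the Security Hub KMS.2 finding is likely to reintroduce the per-account ARN list this commit removes. A comment directly above it, e.g. `# Wildcard on purpose: building per-account key ARNs hardcodes the 'aws' partition and breaks other partitions (#25272); the kms:ViaService condition below is what scopes this grant to S3 in this region.`, would keep the reasoning that is currently only in the PR description next to the code. The new statement is also no longer wrapped in the `HasTrustedAccounts` `Fn::If`, so it is granted even when no trusted accounts are configured; if that matches the pre-#24588 template it is fine, but the comment should say so rather than leave the reader to guess whether the `Fn::If` was dropped intentionally. The enclosing policy document starts and ends outside the hunk.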