feat: support China region

gnought · gnought · commit 391ea2100305 · 2025-08-04T18:29:41.000+08:00
diff --git a/builder/common/helper_funcs.go b/builder/common/helper_funcs.go
@@ -76,3 +76,10 @@ func DestroyAMIs(imageids []*string, ec2conn *ec2.EC2) error {
 	}
 	return nil
 }
+
+func AwsPartition(isRestricted bool) string {
+	if isRestricted {
+		return "aws-cn"
+	}
+	return "aws"
+}
diff --git a/builder/common/step_iam_instance_profile.go b/builder/common/step_iam_instance_profile.go
@@ -18,7 +18,7 @@ import (
 )
 
 const (
-	AmazonSSMManagedInstanceCorePolicyArn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+	AmazonSSMManagedInstanceCorePolicyArnPart = "iam::aws:policy/AmazonSSMManagedInstanceCore"
 )
 
 type StepIamInstanceProfile struct {
@@ -27,6 +27,7 @@ type StepIamInstanceProfile struct {
 	SkipProfileValidation                     bool
 	TemporaryIamInstanceProfilePolicyDocument *PolicyDocument
 	SSMAgentEnabled                           bool
+	IsRestricted                              bool
 	createdInstanceProfileName                string
 	createdRoleName                           string
 	createdPolicyName                         string
@@ -81,18 +82,22 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB
 		}
 
 		ui.Sayf("Creating temporary role for this instance: %s", profileName)
-		trustPolicy := `{
-				"Version": "2012-10-17",
-				"Statement": [
-						{
-								"Effect": "Allow",
-								"Principal": {
-										"Service": "ec2.amazonaws.com"
-								},
-								"Action": "sts:AssumeRole"
-						}
-				]
-		}`
+		service := "ec2.amazonaws.com"
+		if s.IsRestricted {
+			service = "ec2.amazonaws.com.cn"
+		}
+		trustPolicy := fmt.Sprintf(`{
+			"Version": "2012-10-17",
+			"Statement": [
+					{
+							"Effect": "Allow",
+							"Principal": {
+									"Service": "%s"
+							},
+							"Action": "sts:AssumeRole"
+					}
+			]
+	}`, service)
 		roleResp, err := iamsvc.CreateRole(&iam.CreateRoleInput{
 			RoleName:                 aws.String(profileName),
 			Description:              aws.String("Temporary role for Packer"),
@@ -136,7 +141,7 @@ func (s *StepIamInstanceProfile) Run(ctx context.Context, state multistep.StateB
 			s.createdPolicyName = profileName
 		}
 		if s.SSMAgentEnabled {
-			ssmPolicyArn := aws.String(AmazonSSMManagedInstanceCorePolicyArn)
+			ssmPolicyArn := aws.String(fmt.Sprintf("arn:%s:%s", AwsPartition(s.IsRestricted), AmazonSSMManagedInstanceCorePolicyArnPart))
 			_, err = iamsvc.AttachRolePolicy(&iam.AttachRolePolicyInput{
 				PolicyArn: ssmPolicyArn,
 				RoleName:  aws.String(s.createdRoleName),
@@ -204,7 +209,7 @@ func (s *StepIamInstanceProfile) Cleanup(state multistep.StateBag) {
 
 		if s.SSMAgentEnabled {
 			iamsvc.DetachRolePolicy(&iam.DetachRolePolicyInput{
-				PolicyArn: aws.String(AmazonSSMManagedInstanceCorePolicyArn),
+				PolicyArn: aws.String(fmt.Sprintf("arn:%s:%s", AwsPartition(s.IsRestricted), AmazonSSMManagedInstanceCorePolicyArnPart)),
 				RoleName:  aws.String(s.createdRoleName),
 			})
 		}
diff --git a/builder/ebs/builder.go b/builder/ebs/builder.go
@@ -345,10 +345,11 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 			Ctx:                       b.config.ctx,
 		},
 		&awscommon.StepIamInstanceProfile{
-			PollingConfig:                             b.config.PollingConfig,
-			IamInstanceProfile:                        b.config.IamInstanceProfile,
-			SkipProfileValidation:                     b.config.SkipProfileValidation,
-			SSMAgentEnabled:                           b.config.SSMAgentEnabled(),
+			PollingConfig:         b.config.PollingConfig,
+			IamInstanceProfile:    b.config.IamInstanceProfile,
+			SkipProfileValidation: b.config.SkipProfileValidation,
+			SSMAgentEnabled:       b.config.SSMAgentEnabled(),
+			IsRestricted:          b.config.IsChinaCloud(),
 			TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument,
 			Tags: b.config.RunTags,
 			Ctx:  b.config.ctx,
diff --git a/builder/ebssurrogate/builder.go b/builder/ebssurrogate/builder.go
@@ -429,10 +429,11 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 			Ctx:                       b.config.ctx,
 		},
 		&awscommon.StepIamInstanceProfile{
-			PollingConfig:                             b.config.PollingConfig,
-			IamInstanceProfile:                        b.config.IamInstanceProfile,
-			SkipProfileValidation:                     b.config.SkipProfileValidation,
-			SSMAgentEnabled:                           b.config.SSMAgentEnabled(),
+			PollingConfig:         b.config.PollingConfig,
+			IamInstanceProfile:    b.config.IamInstanceProfile,
+			SkipProfileValidation: b.config.SkipProfileValidation,
+			SSMAgentEnabled:       b.config.SSMAgentEnabled(),
+			IsRestricted:          b.config.IsChinaCloud(),
 			TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument,
 			Tags: b.config.RunTags,
 			Ctx:  b.config.ctx,
diff --git a/builder/ebsvolume/builder.go b/builder/ebsvolume/builder.go
@@ -315,10 +315,11 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 			Ctx:                       b.config.ctx,
 		},
 		&awscommon.StepIamInstanceProfile{
-			PollingConfig:                             b.config.PollingConfig,
-			IamInstanceProfile:                        b.config.IamInstanceProfile,
-			SkipProfileValidation:                     b.config.SkipProfileValidation,
-			SSMAgentEnabled:                           b.config.SSMAgentEnabled(),
+			PollingConfig:         b.config.PollingConfig,
+			IamInstanceProfile:    b.config.IamInstanceProfile,
+			SkipProfileValidation: b.config.SkipProfileValidation,
+			SSMAgentEnabled:       b.config.SSMAgentEnabled(),
+			IsRestricted:          b.config.IsChinaCloud(),
 			TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument,
 			Tags: b.config.RunTags,
 			Ctx:  b.config.ctx,
diff --git a/builder/instance/builder.go b/builder/instance/builder.go
@@ -384,10 +384,11 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 			Ctx:                       b.config.ctx,
 		},
 		&awscommon.StepIamInstanceProfile{
-			PollingConfig:                             b.config.PollingConfig,
-			IamInstanceProfile:                        b.config.IamInstanceProfile,
-			SkipProfileValidation:                     b.config.SkipProfileValidation,
-			SSMAgentEnabled:                           b.config.SSMAgentEnabled(),
+			PollingConfig:         b.config.PollingConfig,
+			IamInstanceProfile:    b.config.IamInstanceProfile,
+			SkipProfileValidation: b.config.SkipProfileValidation,
+			SSMAgentEnabled:       b.config.SSMAgentEnabled(),
+			IsRestricted:          b.config.IsChinaCloud(),
 			TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument,
 			Tags: b.config.RunTags,
 			Ctx:  b.config.ctx,

Original file line number	Diff line number	Diff line change
`@@ -76,3 +76,10 @@ func DestroyAMIs(imageids []string, ec2conn ec2.EC2) error {`
`76`	`76`	`}`
`77`	`77`	`return nil`
`78`	`78`	`}`
	`79`	`+`
	`80`	`+func AwsPartition(isRestricted bool) string {`
	`81`	`+ if isRestricted {`
	`82`	`+ return "aws-cn"`
	`83`	`+ }`
	`84`	`+ return "aws"`
	`85`	`+}`