fix(cloudwatch-actions): stack partition is hardcoded 'aws' in action arn (#20224)

This removes the hardcoded partition in the ARNs of Alarm Actions for
EC2 and SSM. This ensures that these don't unnecessarily break in other
non-standard partitions. This uses the ARN of the stack, as done for the
region and account.

This updates a regular expression in `@aws-cdk/aws-cloudwatch` as well
to make sure that EC2 actions are still validated as-expected in GovCloud
and other partitions that may support AlarmActions.

Closes #19765

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: laurelmay

Diff for: packages/@aws-cdk/aws-cloudwatch-actions/lib/ec2.ts

@@ -41,7 +41,7 @@ export class Ec2Action implements cloudwatch.IAlarmAction {
    * Returns an alarm action configuration to use an EC2 action as an alarm action
    */
   bind(_scope: Construct, _alarm: cloudwatch.IAlarm): cloudwatch.AlarmActionConfig {
-    return { alarmActionArn: `arn:aws:automate:${Stack.of(_scope).region}:ec2:${this.ec2Action}` };
+    return { alarmActionArn: `arn:${Stack.of(_scope).partition}:automate:${Stack.of(_scope).region}:ec2:${this.ec2Action}` };
   }
 }
 

Diff for: packages/@aws-cdk/aws-cloudwatch-actions/lib/ssm.ts

@@ -70,9 +70,9 @@ export class SsmAction implements cloudwatch.IAlarmAction {
    */
   bind(_scope: Construct, _alarm: cloudwatch.IAlarm): cloudwatch.AlarmActionConfig {
     if (this.category === undefined) {
-      return { alarmActionArn: `arn:aws:ssm:${Stack.of(_scope).region}:${Stack.of(_scope).account}:opsitem:${this.severity}` };
+      return { alarmActionArn: `arn:${Stack.of(_scope).partition}:ssm:${Stack.of(_scope).region}:${Stack.of(_scope).account}:opsitem:${this.severity}` };
     } else {
-      return { alarmActionArn: `arn:aws:ssm:${Stack.of(_scope).region}:${Stack.of(_scope).account}:opsitem:${this.severity}#CATEGORY=${this.category}` };
+      return { alarmActionArn: `arn:${Stack.of(_scope).partition}:ssm:${Stack.of(_scope).region}:${Stack.of(_scope).account}:opsitem:${this.severity}#CATEGORY=${this.category}` };
     }
   }
 }

Diff for: packages/@aws-cdk/aws-cloudwatch-actions/test/ec2.test.ts

@@ -28,7 +28,11 @@ test('can use instance reboot as alarm action', () => {
         'Fn::Join': [
           '',
           [
-            'arn:aws:automate:',
+            'arn:',
+            {
+              Ref: 'AWS::Partition',
+            },
+            ':automate:',
             {
               Ref: 'AWS::Region',
             },

Diff for: packages/@aws-cdk/aws-cloudwatch-actions/test/ssm.test.ts

@@ -25,7 +25,11 @@ test('can use ssm with critical severity and performance category as alarm actio
         'Fn::Join': [
           '',
           [
-            'arn:aws:ssm:',
+            'arn:',
+            {
+              Ref: 'AWS::Partition',
+            },
+            ':ssm:',
             {
               Ref: 'AWS::Region',
             },
@@ -64,7 +68,11 @@ test('can use ssm with meduim severity and no category as alarm action', () => {
         'Fn::Join': [
           '',
           [
-            'arn:aws:ssm:',
+            'arn:',
+            {
+              Ref: 'AWS::Partition',
+            },
+            ':ssm:',
             {
               Ref: 'AWS::Region',
             },

Diff for: packages/@aws-cdk/aws-cloudwatch/lib/alarm.ts

@@ -245,7 +245,7 @@ export class Alarm extends AlarmBase {
   }
 
   private validateActionArn(actionArn: string): string {
-    const ec2ActionsRegexp: RegExp = /arn:aws:automate:[a-z|\d|-]+:ec2:[a-z]+/;
+    const ec2ActionsRegexp: RegExp = /arn:aws[a-z0-9-]*:automate:[a-z|\d|-]+:ec2:[a-z]+/;
     if (ec2ActionsRegexp.test(actionArn)) {
       // Check per-instance metric
       const metricConfig = this.metric.toMetricConfig();

Diff for: packages/@aws-cdk/aws-cloudwatch/test/alarm.test.ts

@@ -49,6 +49,22 @@ describe('Alarm', () => {
     }).toThrow(/EC2 alarm actions requires an EC2 Per-Instance Metric. \(.+ does not have an 'InstanceId' dimension\)/);
   });
 
+  test('non ec2 instance related alarm does not accept EC2 action in other partitions', () => {
+    const stack = new Stack();
+    const alarm = new Alarm(stack, 'Alarm', {
+      metric: testMetric,
+      threshold: 1000,
+      evaluationPeriods: 2,
+    });
+
+    expect(() => {
+      alarm.addAlarmAction(new Ec2TestAlarmAction('arn:aws-us-gov:automate:us-east-1:ec2:reboot'));
+    }).toThrow(/EC2 alarm actions requires an EC2 Per-Instance Metric. \(.+ does not have an 'InstanceId' dimension\)/);
+    expect(() => {
+      alarm.addAlarmAction(new Ec2TestAlarmAction('arn:aws-cn:automate:us-east-1:ec2:reboot'));
+    }).toThrow(/EC2 alarm actions requires an EC2 Per-Instance Metric. \(.+ does not have an 'InstanceId' dimension\)/);
+  });
+
   test('can make simple alarm', () => {
     // GIVEN
     const stack = new Stack();