From 4c4014e0bd3fa90402cfc22971f1cbe5d372642f Mon Sep 17 00:00:00 2001 From: Kaizen Conroy <36202692+kaizencc@users.noreply.github.com> Date: Thu, 11 May 2023 12:51:52 -0400 Subject: [PATCH 1/5] fix(bootstrap): bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#25540) **NOTE**: This PR bumps the version of the bootstrap stack to 18, but there is no need to update your bootstrap stacks as this PR changes no functionality. We are reverting #24588 because it includes hardcoded partitions in the bootstrap causing the `p0` in #25272. Including intrinsics `${AWS::Partition}` here is impossible. In addition, #24588 was reported to not actually fix the Security Hub finding: https://github.com/aws/aws-cdk/issues/19380#issuecomment-1512009270. Although this is a revert, I am rolling forward the bootstrap version to 18. reverts #24588. fixes #25272. see #25273 & #25507. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../lib/api/bootstrap/bootstrap-template.yaml | 45 +++++++------------ 1 file changed, 15 insertions(+), 30 deletions(-) diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml index 4d8a4d1dcce64..321a5fdd76089 100644 --- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml +++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml 
@@ -473,35 +473,20 @@ Resources: StringNotEquals: s3:ResourceAccount: Ref: 'AWS::AccountId' - - Fn::If: - - HasTrustedAccounts - - Sid: PipelineCrossAccountArtifactsKey - # Use keys only for the purposes of reading encrypted files from S3. - Effect: Allow - Action: - - kms:Decrypt - - kms:DescribeKey - - kms:Encrypt - - kms:ReEncrypt* - - kms:GenerateDataKey* - - # SecurityHub's rule KMS.2 complains if we put a '*' here, so instead we'll - # turn the list of trusted accountIds ['111', '222', ...] into a list of - # wildcard ARNS: ['arn:aws:kms:*:1111:*', 'arn:aws:kms:*:2222:*', ...]. - Resource: - Fn::Split: - - "|" - - Fn::Sub: - - "arn:aws:kms:*:${JoinedAccounts}:*" - - JoinedAccounts: - Fn::Join: - - ":*|arn:aws:kms:*:" - - { Ref: TrustedAccounts } - Condition: - StringEquals: - kms:ViaService: - Fn::Sub: s3.${AWS::Region}.amazonaws.com - - { Ref: AWS::NoValue } + - Sid: PipelineCrossAccountArtifactsKey + # Use keys only for the purposes of reading encrypted files from S3. + Effect: Allow + Action: + - kms:Decrypt + - kms:DescribeKey + - kms:Encrypt + - kms:ReEncrypt* + - kms:GenerateDataKey* + Resource: "*" + Condition: + StringEquals: + kms:ViaService: + Fn::Sub: s3.${AWS::Region}.amazonaws.com - Action: iam:PassRole Resource: Fn::Sub: "${CloudFormationExecutionRole.Arn}" @@ -633,7 +618,7 @@ Resources: Type: String Name: Fn::Sub: '/cdk-bootstrap/${Qualifier}/version' - Value: '17' + Value: '18' Outputs: BucketName: Description: The name of the S3 bucket owned by the CDK toolkit stack From e3e9282cc4739fa787699d66e8835e6d864615bc Mon Sep 17 00:00:00 2001 From: corymhall <43035978+corymhall@users.noreply.github.com> Date: Thu, 11 May 2023 16:57:12 +0000 Subject: [PATCH 2/5] chore(release): 2.79.1 --- CHANGELOG.v2.alpha.md | 2 ++ CHANGELOG.v2.md | 7 +++++++ version.v2.json | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index f27e4d70dd031..eca9bb08a52ea 100644 --- a/CHANGELOG.v2.alpha.md 
+++ b/CHANGELOG.v2.alpha.md @@ -2,6 +2,8 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +### [2.79.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.79.0-alpha.0...v2.79.1-alpha.0) (2023-05-11) + ## [2.79.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.78.0-alpha.0...v2.79.0-alpha.0) (2023-05-10) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 4748fb23ddb77..3343b4c37bbb6 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.79.1](https://github.com/aws/aws-cdk/compare/v2.79.0...v2.79.1) (2023-05-11) + + +### Bug Fixes + +* **bootstrap:** bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) ([#25540](https://github.com/aws/aws-cdk/issues/25540)) ([4c4014e](https://github.com/aws/aws-cdk/commit/4c4014e0bd3fa90402cfc22971f1cbe5d372642f)), closes [/github.com/aws/aws-cdk/issues/19380#issuecomment-1512009270](https://github.com/aws//github.com/aws/aws-cdk/issues/19380/issues/issuecomment-1512009270) [#25272](https://github.com/aws/aws-cdk/issues/25272) [#25273](https://github.com/aws/aws-cdk/issues/25273) [#25507](https://github.com/aws/aws-cdk/issues/25507) + ## [2.79.0](https://github.com/aws/aws-cdk/compare/v2.78.0...v2.79.0) (2023-05-10) diff --git a/version.v2.json b/version.v2.json index 32bb348ad2366..5bfe47ffc5615 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.79.0", - "alphaVersion": "2.79.0-alpha.0" + "version": "2.79.1", + "alphaVersion": "2.79.1-alpha.0" } \ No newline at end of file From 10e75caaba1e1b134cd9dfe2f225aeda4354f471 Mon Sep 17 00:00:00 2001 
From: corymhall <43035978+corymhall@users.noreply.github.com> Date: Thu, 11 May 2023 17:09:57 +0000 Subject: [PATCH 3/5] chore: fixing generated changelog entry --- CHANGELOG.v2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 3343b4c37bbb6..9d889bf9b7f31 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md @@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file. See [standa ### Bug Fixes -* **bootstrap:** bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) ([#25540](https://github.com/aws/aws-cdk/issues/25540)) ([4c4014e](https://github.com/aws/aws-cdk/commit/4c4014e0bd3fa90402cfc22971f1cbe5d372642f)), closes [/github.com/aws/aws-cdk/issues/19380#issuecomment-1512009270](https://github.com/aws//github.com/aws/aws-cdk/issues/19380/issues/issuecomment-1512009270) [#25272](https://github.com/aws/aws-cdk/issues/25272) [#25273](https://github.com/aws/aws-cdk/issues/25273) [#25507](https://github.com/aws/aws-cdk/issues/25507) +* **bootstrap:** bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) ( [#25272](https://github.com/aws/aws-cdk/issues/25272)) ([4c4014e](https://github.com/aws/aws-cdk/commit/4c4014e0bd3fa90402cfc22971f1cbe5d372642f)) ## [2.79.0](https://github.com/aws/aws-cdk/compare/v2.78.0...v2.79.0) (2023-05-10) From 7a8de4d4c53ae2043a4f6e64e0c9b43ade451201 Mon Sep 17 00:00:00 2001 From: corymhall <43035978+corymhall@users.noreply.github.com> Date: Thu, 11 May 2023 17:10:42 +0000 Subject: [PATCH 4/5] chore: fixing generated changelog entry --- CHANGELOG.v2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 9d889bf9b7f31..25804a11a91a1 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md 
@@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file. See [standa ### Bug Fixes -* **bootstrap:** bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) ( [#25272](https://github.com/aws/aws-cdk/issues/25272)) ([4c4014e](https://github.com/aws/aws-cdk/commit/4c4014e0bd3fa90402cfc22971f1cbe5d372642f)) +* **bootstrap:** bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) ([#25272](https://github.com/aws/aws-cdk/issues/25272)) ([4c4014e](https://github.com/aws/aws-cdk/commit/4c4014e0bd3fa90402cfc22971f1cbe5d372642f)) ## [2.79.0](https://github.com/aws/aws-cdk/compare/v2.78.0...v2.79.0) (2023-05-10) From c2b0fe10c40eb6f7fc23478b0e73761fc034b709 Mon Sep 17 00:00:00 2001 From: corymhall <43035978+corymhall@users.noreply.github.com> Date: Thu, 11 May 2023 17:30:41 +0000 Subject: [PATCH 5/5] chore: fixing generated changelog entry --- CHANGELOG.v2.alpha.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index eca9bb08a52ea..7aed20c525d1b 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md @@ -2,7 +2,7 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. -### [2.79.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.79.0-alpha.0...v2.79.1-alpha.0) (2023-05-11) +## [2.79.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.79.0-alpha.0...v2.79.1-alpha.0) (2023-05-11) ## [2.79.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.78.0-alpha.0...v2.79.0-alpha.0) (2023-05-10)
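Review bot: In the bootstrap-template.yaml hunk (`@@ -473,35 +473,20 @@`), the revert removes the `Fn::If: HasTrustedAccounts` wrapper together with the partition-specific ARN list, so the restored `Sid: PipelineCrossAccountArtifactsKey` statement now grants `kms:Decrypt`, `kms:Encrypt`, `kms:ReEncrypt*` and `kms:GenerateDataKey*` on `Resource: "*"` unconditionally, whereas before it collapsed to `Ref: AWS::NoValue` when no trusted accounts were configured. The `kms:ViaService: s3.${AWS::Region}.amazonaws.com` condition is what still bounds the grant to S3-brokered use, and it should be called out as the effective scope limit; if the unconditional statement is intended, say so in the description, otherwise keep the `Fn::If` guard around the restored statement so the permission is absent in single-account bootstraps.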
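Review bot: In the `/cdk-bootstrap/${Qualifier}/version` hunk (`- Value: '17'` / `+ Value: '18'`), the bump is appropriate because the template's IAM policy does change shape, but that conflicts with the description's claim that the PR "changes no functionality"; reword the note so operators can judge whether re-running `cdk bootstrap` matters for them rather than being told it never does.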
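Review bot: In the PATCH 2/5 CHANGELOG.v2.md hunk, the generated entry contains a malformed reference, `closes [/github.com/aws/aws-cdk/issues/19380#issuecomment-1512009270](https://github.com/aws//github.com/aws/aws-cdk/issues/19380/issues/issuecomment-1512009270)`, because the bare issue-comment URL in the commit body was parsed as an issue reference; PATCH 3/5 hand-edits it out, but the tooling will reproduce the problem on the next release unless commit bodies avoid bare GitHub URLs or the changelog generator is taught to ignore them.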
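Review bot: In the PATCH 2/5 CHANGELOG.v2.alpha.md hunk, the new release line is added as `### [2.79.1-alpha.0]` while the neighbouring entry and the main changelog use `## [2.79.0-alpha.0]`, so the patch release would render one level below the minor release it follows; PATCH 5/5 corrects this to `##`, but it would be cleaner to squash that fix into this commit so the intermediate history never carries the wrong heading level.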
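Review bot: In the PATCH 3/5 CHANGELOG.v2.md hunk, the rewritten entry replaces the PR reference `([#25540](...))` with the issue reference `( [#25272](...))` and drops #25273 and #25507, while keeping the commit link `4c4014e`; confirm that linking the issue rather than the PR is the intended convention for this changelog, and note the stray space after the opening parenthesis, which PATCH 4/5 then has to remove in a separate commit.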