Running CF template in AWS GovCloud fails to create integration role
Expected Behavior
CF template creates all resources in the correct GovCloud partition, with the included policy documents also referring to the GovCloud partition.
Actual Behavior
The CF template creates resources but references the main AWS partition instead of the GovCloud one, resulting in resource creation failures. In particular, the following ARN is declared in a policy statement:
- 'arn:aws:iam::${DdAWSAccountId}:root'
declared here: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml#L76C1-L77C1
If the policy isn't needed in GovCloud because we're using keys, we shouldn't create the resource. If we are using this role, then it should be using the correct policy/role based on the DdSite variable, which can act as a toggle between the GovCloud and non-GovCloud partitions.
I'm also 99% sure that the account ID needs to be different for the GovCloud region if this policy is indeed used.
Steps to Reproduce the Problem
- Deploy the CF template in a US GovCloud region
Specifications
- Datadog CloudFormation template version: Latest/unknown
Stacktrace
From cloudformation:
Invalid principal in policy: "AWS":"arn:aws:iam::464622532012:root" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: edfb2d9c-ff31-424b-9664-401d59aadc7d; Proxy: null)
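The failure above comes from a partition literal (`arn:aws:`) that cannot resolve in a GovCloud account, where every ARN begins with `arn:aws-us-gov:`. The script below is an added example, not code from the Datadog template or from this issue: it scans template text for ARNs with a hardcoded partition that does not match the deployment region, and shows the partition-agnostic rewrite using CloudFormation's `AWS::Partition` pseudo parameter. The embedded template excerpt is constructed for the example (modelled on the shape of the statement quoted above; `DdAWSAccountId` is left as a parameter), and the region-to-partition mapping covers only the commercial, GovCloud and China partitions. Whether Datadog also requires a different account ID for GovCloud is a separate question this check does not answer.

```python
"""Partition check for CloudFormation templates (added example).

Reports ARNs whose hardcoded partition will not match the partition of the
region the stack is deployed to, which is the mismatch behind the
MalformedPolicyDocument error quoted in the issue.
"""
import re

# Constructed excerpt modelled on the issue's policy statement; the account
# id is the template parameter, not a real account number.
SAMPLE_TEMPLATE = """\
Resources:
  DatadogIntegrationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${DdAWSAccountId}:root'
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadOnly
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub 'arn:${AWS::Partition}:s3:::${BucketName}/*'
"""


def region_partition(region: str) -> str:
    """Map a region name to its partition identifier (assumed prefix rules)."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


# Matches a literal partition right after 'arn:'.  An ARN written as
# 'arn:${AWS::Partition}:...' starts with '$' there and is therefore skipped.
ARN_RE = re.compile(r"arn:(?P<partition>[a-z][a-z-]*):")


def find_partition_mismatches(template_text: str, region: str) -> list:
    """Return (line_no, literal, expected_partition) for every hardcoded
    partition that differs from the deployment region's partition."""
    expected = region_partition(region)
    hits = []
    for line_no, line in enumerate(template_text.splitlines(), 1):
        for match in ARN_RE.finditer(line):
            if match.group("partition") != expected:
                hits.append((line_no, match.group(0), expected))
    return hits


def make_partition_agnostic(arn_literal: str) -> str:
    """Rewrite 'arn:<partition>:...' to 'arn:${AWS::Partition}:...' so the
    same template resolves correctly in commercial, GovCloud and China."""
    return ARN_RE.sub("arn:${AWS::Partition}:", arn_literal, count=1)


if __name__ == "__main__":
    for region in ("us-east-1", "us-gov-west-1"):
        mismatches = find_partition_mismatches(SAMPLE_TEMPLATE, region)
        print(f"{region}: {len(mismatches)} mismatched ARN(s)")
        for line_no, literal, expected in mismatches:
            print(f"  line {line_no}: {literal!r} should use partition "
                  f"{expected!r}; rewrite as {make_partition_agnostic(literal)!r}")
```

Running the script against the constructed excerpt reports the `arn:aws:` principal on the role's trust policy for a GovCloud region and nothing for a commercial region, while the S3 resource ARN that already uses `${AWS::Partition}` passes in both.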
This looks changed in the latest quickstart, but I am still getting the principal error.
Resource handler returned message: "Invalid principal in policy: "AWS":"arn:aws-us-gov:iam::464622532012:root
...