fix: Replace hardcoded "aws" parition with data lookup (#47)

pcram-techcyte · antonbabenko · web-flow · commit d6c8501b8abd · 2023-03-03T12:36:55.000+01:00
Co-authored-by: Anton Babenko &lt;anton@antonbabenko.com&gt;
diff --git a/README.md b/README.md
@@ -144,6 +144,7 @@ No modules.
 | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.service_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 
diff --git a/iam.tf b/iam.tf
@@ -1,3 +1,5 @@
+data "aws_partition" "this" {}
+
 locals {
   service_roles_with_policies = var.create_graphql_api ? { for k, v in var.datasources : k => v if contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH"], v.type) && tobool(lookup(v, "create_service_role", true)) } : {}
 
@@ -19,7 +21,7 @@ locals {
         dynamodb = {
           effect    = "Allow"
           actions   = lookup(v, "policy_actions", null) == null ? var.dynamodb_allowed_actions : v.policy_actions
-          resources = [for _, f in ["arn:aws:dynamodb:%v:%v:table/%v", "arn:aws:dynamodb:%v:%v:table/%v/*"] : format(f, v.region, lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id), v.table_name)]
+          resources = [for _, f in ["arn:${data.aws_partition.this.partition}:dynamodb:%v:%v:table/%v", "arn:${data.aws_partition.this.partition}:dynamodb:%v:%v:table/%v/*"] : format(f, v.region, lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id), v.table_name)]
         }
       }
     }
@@ -31,7 +33,7 @@ locals {
         elasticsearch = {
           effect    = "Allow"
           actions   = lookup(v, "policy_actions", null) == null ? var.elasticsearch_allowed_actions : v.policy_actions
-          resources = [format("arn:aws:es:%v::domain/%v/*", v.region, v.endpoint)]
+          resources = [format("arn:${data.aws_partition.this.partition}:es:%v::domain/%v/*", v.region, v.endpoint)]
         }
       }
     }
@@ -72,7 +74,7 @@ resource "aws_iam_role" "logs" {
 resource "aws_iam_role_policy_attachment" "logs" {
   count = var.logging_enabled && var.create_logs_role ? 1 : 0
 
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
+  policy_arn = "arn:${data.aws_partition.this.partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
   role       = aws_iam_role.logs[0].name
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+data "aws_partition" "this" {}`
	`2`	`+`
`1`	`3`	`locals {`
`2`	`4`	`service_roles_with_policies = var.create_graphql_api ? { for k, v in var.datasources : k => v if contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH"], v.type) && tobool(lookup(v, "create_service_role", true)) } : {}`
`3`	`5`
`@@ -19,7 +21,7 @@ locals {`
`19`	`21`	`dynamodb = {`
`20`	`22`	`effect = "Allow"`
`21`	`23`	`actions = lookup(v, "policy_actions", null) == null ? var.dynamodb_allowed_actions : v.policy_actions`
`22`		`- resources = [for _, f in ["arn:aws:dynamodb:%v:%v:table/%v", "arn:aws:dynamodb:%v:%v:table/%v/*"] : format(f, v.region, lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id), v.table_name)]`
	`24`	`+ resources = [for _, f in ["arn:${data.aws_partition.this.partition}:dynamodb:%v:%v:table/%v", "arn:${data.aws_partition.this.partition}:dynamodb:%v:%v:table/%v/*"] : format(f, v.region, lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id), v.table_name)]`
`23`	`25`	`}`
`24`	`26`	`}`
`25`	`27`	`}`
`@@ -31,7 +33,7 @@ locals {`
`31`	`33`	`elasticsearch = {`
`32`	`34`	`effect = "Allow"`
`33`	`35`	`actions = lookup(v, "policy_actions", null) == null ? var.elasticsearch_allowed_actions : v.policy_actions`
`34`		`- resources = [format("arn:aws:es:%v::domain/%v/*", v.region, v.endpoint)]`
	`36`	`+ resources = [format("arn:${data.aws_partition.this.partition}:es:%v::domain/%v/*", v.region, v.endpoint)]`
`35`	`37`	`}`
`36`	`38`	`}`
`37`	`39`	`}`
`@@ -72,7 +74,7 @@ resource "aws_iam_role" "logs" {`
`72`	`74`	`resource "aws_iam_role_policy_attachment" "logs" {`
`73`	`75`	`count = var.logging_enabled && var.create_logs_role ? 1 : 0`
`74`	`76`
`75`		`- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"`
	`77`	`+ policy_arn = "arn:${data.aws_partition.this.partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"`
`76`	`78`	`role = aws_iam_role.logs[0].name`
`77`	`79`	`}`
`78`	`80`