Merge pull request #89 from suprememoocow/partition-aware

ivankatliarchuk · web-flow · commit 902488d91c16 · 2025-01-05T11:22:58.000Z
fix: Allow non-aws partitions to be used, including GovCloud
diff --git a/data.tf b/data.tf
@@ -1,3 +1,9 @@
+data "aws_partition" "current" {}
+
+locals {
+  partition = data.aws_partition.current.partition
+}
+
 data "aws_iam_policy_document" "this" {
 
   statement {
@@ -21,7 +27,7 @@ data "aws_iam_policy_document" "this" {
       "iam:DeleteVirtualMFADevice"
     ]
     resources = [
-      "arn:aws:iam::${var.account_id}:mfa/&{aws:username}",
+      "arn:${local.partition}:iam::${var.account_id}:mfa/&{aws:username}",
     ]
   }
 
@@ -32,8 +38,8 @@ data "aws_iam_policy_document" "this" {
       "iam:DeleteVirtualMFADevice",
     ]
     resources = [
-      "arn:aws:iam::${var.account_id}:mfa/&{aws:username}",
-      "arn:aws:iam::${var.account_id}:user/&{aws:username}",
+      "arn:${local.partition}:iam::${var.account_id}:mfa/&{aws:username}",
+      "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",
     ]
     condition {
       test     = "Bool"
@@ -49,7 +55,7 @@ data "aws_iam_policy_document" "this" {
       "iam:ListGroupsForUser",
     ]
     resources = [
-      "arn:aws:iam::${var.account_id}:user/&{aws:username}",
+      "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",
     ]
   }
 
@@ -59,7 +65,7 @@ data "aws_iam_policy_document" "this" {
       "iam:ListGroups",
     ]
     resources = [
-      "arn:aws:iam::${var.account_id}:group/",
+      "arn:${local.partition}:iam::${var.account_id}:group/",
     ]
   }
 
@@ -70,7 +76,7 @@ data "aws_iam_policy_document" "this" {
       "iam:ListAttachedGroupPolicies",
     ]
     resources = [
-      "arn:aws:iam::${var.account_id}:group/*",
+      "arn:${local.partition}:iam::${var.account_id}:group/*",
     ]
   }
 
@@ -81,8 +87,8 @@ data "aws_iam_policy_document" "this" {
       "iam:ListMFADevices",
     ]
     resources = [
-      "arn:aws:iam::*:mfa/*",
-      "arn:aws:iam::*:user/&{aws:username}"
+      "arn:${local.partition}:iam::*:mfa/*",
+      "arn:${local.partition}:iam::*:user/&{aws:username}"
     ]
 
   }
@@ -102,7 +108,7 @@ data "aws_iam_policy_document" "this" {
       "iam:GetLoginProfile",
     ]
     resources = [
-      "arn:aws:iam::${var.account_id}:user/&{aws:username}",
+      "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",
     ]
   }
 
@@ -118,8 +124,8 @@ data "aws_iam_policy_document" "this" {
     ]
 
     resources = [
-      "arn:aws:iam::*:mfa/&{aws:username}",
-      "arn:aws:iam::*:user/&{aws:username}"
+      "arn:${local.partition}:iam::*:mfa/&{aws:username}",
+      "arn:${local.partition}:iam::*:user/&{aws:username}"
     ]
   }
 
@@ -132,7 +138,7 @@ data "aws_iam_policy_document" "this" {
       "iam:GetSSHPublicKey",
     ]
     resources = [
-      "arn:aws:iam::${var.account_id}:user/&{aws:username}",
+      "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",
     ]
   }
 
@@ -143,8 +149,8 @@ data "aws_iam_policy_document" "this" {
       "iam:DeactivateMFADevice"
     ]
     resources = [
-      "arn:aws:iam::*:mfa/&{aws:username}",
-      "arn:aws:iam::*:user/&{aws:username}"
+      "arn:${local.partition}:iam::*:mfa/&{aws:username}",
+      "arn:${local.partition}:iam::*:user/&{aws:username}"
     ]
     condition {
       test     = "Bool"
@@ -188,7 +194,7 @@ data "aws_iam_policy_document" "this" {
         "iam:UpdateAccessKey",
       ]
       resources = [
-        "arn:aws:iam::${var.account_id}:user/&{aws:username}"
+        "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"
       ]
       condition {
         test     = "BoolIfExists"
@@ -212,7 +218,7 @@ data "aws_iam_policy_document" "this" {
         "iam:UploadSigningCertificate",
       ]
       resources = [
-        "arn:aws:iam::${var.account_id}:user/&{aws:username}"
+        "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"
       ]
       condition {
         test     = "BoolIfExists"
@@ -234,7 +240,7 @@ data "aws_iam_policy_document" "this" {
         "iam:UploadSSHPublicKey"
       ]
       resources = [
-        "arn:aws:iam::${var.account_id}:user/&{aws:username}"
+        "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"
       ]
       condition {
         test     = "BoolIfExists"
@@ -258,7 +264,7 @@ data "aws_iam_policy_document" "this" {
         "iam:UpdateServiceSpecificCredential",
       ]
       resources = [
-        "arn:aws:iam::${var.account_id}:user/&{aws:username}"
+        "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"
       ]
       condition {
         test     = "BoolIfExists"

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,9 @@`
	`1`	`+data "aws_partition" "current" {}`
	`2`	`+`
	`3`	`+locals {`
	`4`	`+ partition = data.aws_partition.current.partition`
	`5`	`+}`
	`6`	`+`
`1`	`7`	`data "aws_iam_policy_document" "this" {`
`2`	`8`
`3`	`9`	`statement {`
`@@ -21,7 +27,7 @@ data "aws_iam_policy_document" "this" {`
`21`	`27`	`"iam:DeleteVirtualMFADevice"`
`22`	`28`	`]`
`23`	`29`	`resources = [`
`24`		`- "arn:aws:iam::${var.account_id}:mfa/&{aws:username}",`
	`30`	`+ "arn:${local.partition}:iam::${var.account_id}:mfa/&{aws:username}",`
`25`	`31`	`]`
`26`	`32`	`}`
`27`	`33`
`@@ -32,8 +38,8 @@ data "aws_iam_policy_document" "this" {`
`32`	`38`	`"iam:DeleteVirtualMFADevice",`
`33`	`39`	`]`
`34`	`40`	`resources = [`
`35`		`- "arn:aws:iam::${var.account_id}:mfa/&{aws:username}",`
`36`		`- "arn:aws:iam::${var.account_id}:user/&{aws:username}",`
	`41`	`+ "arn:${local.partition}:iam::${var.account_id}:mfa/&{aws:username}",`
	`42`	`+ "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",`
`37`	`43`	`]`
`38`	`44`	`condition {`
`39`	`45`	`test = "Bool"`
`@@ -49,7 +55,7 @@ data "aws_iam_policy_document" "this" {`
`49`	`55`	`"iam:ListGroupsForUser",`
`50`	`56`	`]`
`51`	`57`	`resources = [`
`52`		`- "arn:aws:iam::${var.account_id}:user/&{aws:username}",`
	`58`	`+ "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",`
`53`	`59`	`]`
`54`	`60`	`}`
`55`	`61`
`@@ -59,7 +65,7 @@ data "aws_iam_policy_document" "this" {`
`59`	`65`	`"iam:ListGroups",`
`60`	`66`	`]`
`61`	`67`	`resources = [`
`62`		`- "arn:aws:iam::${var.account_id}:group/",`
	`68`	`+ "arn:${local.partition}:iam::${var.account_id}:group/",`
`63`	`69`	`]`
`64`	`70`	`}`
`65`	`71`
`@@ -70,7 +76,7 @@ data "aws_iam_policy_document" "this" {`
`70`	`76`	`"iam:ListAttachedGroupPolicies",`
`71`	`77`	`]`
`72`	`78`	`resources = [`
`73`		`- "arn:aws:iam::${var.account_id}:group/*",`
	`79`	`+ "arn:${local.partition}:iam::${var.account_id}:group/*",`
`74`	`80`	`]`
`75`	`81`	`}`
`76`	`82`
`@@ -81,8 +87,8 @@ data "aws_iam_policy_document" "this" {`
`81`	`87`	`"iam:ListMFADevices",`
`82`	`88`	`]`
`83`	`89`	`resources = [`
`84`		`- "arn:aws:iam:::mfa/",`
`85`		`- "arn:aws:iam::*:user/&{aws:username}"`
	`90`	`+ "arn:${local.partition}:iam:::mfa/",`
	`91`	`+ "arn:${local.partition}:iam::*:user/&{aws:username}"`
`86`	`92`	`]`
`87`	`93`
`88`	`94`	`}`
`@@ -102,7 +108,7 @@ data "aws_iam_policy_document" "this" {`
`102`	`108`	`"iam:GetLoginProfile",`
`103`	`109`	`]`
`104`	`110`	`resources = [`
`105`		`- "arn:aws:iam::${var.account_id}:user/&{aws:username}",`
	`111`	`+ "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",`
`106`	`112`	`]`
`107`	`113`	`}`
`108`	`114`
`@@ -118,8 +124,8 @@ data "aws_iam_policy_document" "this" {`
`118`	`124`	`]`
`119`	`125`
`120`	`126`	`resources = [`
`121`		`- "arn:aws:iam::*:mfa/&{aws:username}",`
`122`		`- "arn:aws:iam::*:user/&{aws:username}"`
	`127`	`+ "arn:${local.partition}:iam::*:mfa/&{aws:username}",`
	`128`	`+ "arn:${local.partition}:iam::*:user/&{aws:username}"`
`123`	`129`	`]`
`124`	`130`	`}`
`125`	`131`
`@@ -132,7 +138,7 @@ data "aws_iam_policy_document" "this" {`
`132`	`138`	`"iam:GetSSHPublicKey",`
`133`	`139`	`]`
`134`	`140`	`resources = [`
`135`		`- "arn:aws:iam::${var.account_id}:user/&{aws:username}",`
	`141`	`+ "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",`
`136`	`142`	`]`
`137`	`143`	`}`
`138`	`144`
`@@ -143,8 +149,8 @@ data "aws_iam_policy_document" "this" {`
`143`	`149`	`"iam:DeactivateMFADevice"`
`144`	`150`	`]`
`145`	`151`	`resources = [`
`146`		`- "arn:aws:iam::*:mfa/&{aws:username}",`
`147`		`- "arn:aws:iam::*:user/&{aws:username}"`
	`152`	`+ "arn:${local.partition}:iam::*:mfa/&{aws:username}",`
	`153`	`+ "arn:${local.partition}:iam::*:user/&{aws:username}"`
`148`	`154`	`]`
`149`	`155`	`condition {`
`150`	`156`	`test = "Bool"`
`@@ -188,7 +194,7 @@ data "aws_iam_policy_document" "this" {`
`188`	`194`	`"iam:UpdateAccessKey",`
`189`	`195`	`]`
`190`	`196`	`resources = [`
`191`		`- "arn:aws:iam::${var.account_id}:user/&{aws:username}"`
	`197`	`+ "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"`
`192`	`198`	`]`
`193`	`199`	`condition {`
`194`	`200`	`test = "BoolIfExists"`
`@@ -212,7 +218,7 @@ data "aws_iam_policy_document" "this" {`
`212`	`218`	`"iam:UploadSigningCertificate",`
`213`	`219`	`]`
`214`	`220`	`resources = [`
`215`		`- "arn:aws:iam::${var.account_id}:user/&{aws:username}"`
	`221`	`+ "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"`
`216`	`222`	`]`
`217`	`223`	`condition {`
`218`	`224`	`test = "BoolIfExists"`
`@@ -234,7 +240,7 @@ data "aws_iam_policy_document" "this" {`
`234`	`240`	`"iam:UploadSSHPublicKey"`
`235`	`241`	`]`
`236`	`242`	`resources = [`
`237`		`- "arn:aws:iam::${var.account_id}:user/&{aws:username}"`
	`243`	`+ "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"`
`238`	`244`	`]`
`239`	`245`	`condition {`
`240`	`246`	`test = "BoolIfExists"`
`@@ -258,7 +264,7 @@ data "aws_iam_policy_document" "this" {`
`258`	`264`	`"iam:UpdateServiceSpecificCredential",`
`259`	`265`	`]`
`260`	`266`	`resources = [`
`261`		`- "arn:aws:iam::${var.account_id}:user/&{aws:username}"`
	`267`	`+ "arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"`
`262`	`268`	`]`
`263`	`269`	`condition {`
`264`	`270`	`test = "BoolIfExists"`