feat(iam): update IAM policy ARNs to use dynamic AWS partition

feat(iam): replace static AWS partition with variable for resource ARNs
lablabs · Dec 12, 2024 · 580a71b · 580a71b
1 parent 21f7af9
commit 580a71b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 13 deletions.
diff --git a/iam.tf b/iam.tf
@@ -101,7 +101,7 @@ data "aws_iam_policy_document" "this" {
     actions = [
       "ec2:CreateTags"
     ]
-    resources = ["arn:aws:ec2:*:*:security-group/*"]
+    resources = ["arn:${var.aws_partition}:ec2:*:*:security-group/*"]
     condition {
       test     = "StringEquals"
       variable = "ec2:CreateAction"
@@ -120,7 +120,7 @@ data "aws_iam_policy_document" "this" {
       "ec2:CreateTags",
       "ec2:DeleteTags"
     ]
-    resources = ["arn:aws:ec2:*:*:security-group/*"]
+    resources = ["arn:${var.aws_partition}:ec2:*:*:security-group/*"]
     condition {
       test     = "Null"
       variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
@@ -180,9 +180,9 @@ data "aws_iam_policy_document" "this" {
       "elasticloadbalancing:RemoveTags"
     ]
     resources = [
-      "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
-      "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
-      "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+      "arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*",
+      "arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+      "arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
     ]
     condition {
       test     = "Null"
@@ -203,10 +203,10 @@ data "aws_iam_policy_document" "this" {
       "elasticloadbalancing:RemoveTags"
     ]
     resources = [
-      "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
-      "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
-      "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
-      "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+      "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener/net/*/*/*",
+      "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener/app/*/*/*",
+      "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+      "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
     ]
   }
 
@@ -216,9 +216,9 @@ data "aws_iam_policy_document" "this" {
       "elasticloadbalancing:AddTags"
     ]
     resources = [
-      "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
-      "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
-      "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+      "arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*",
+      "arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+      "arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
     ]
     condition {
       test     = "StringEquals"
@@ -263,7 +263,7 @@ data "aws_iam_policy_document" "this" {
       "elasticloadbalancing:RegisterTargets",
       "elasticloadbalancing:DeregisterTargets"
     ]
-    resources = ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"]
+    resources = ["arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*"]
   }
 
   statement {

diff --git a/variables.tf b/variables.tf
@@ -378,3 +378,9 @@ variable "helm_lint" {
   default     = false
   description = "Run the helm chart linter during the plan"
 }
+
+variable "aws_partition" {
+  type        = string
+  default     = "aws"
+  description = "AWS partition in which the resources are located. Available values are `aws`, `aws-cn`, `aws-us-gov`"
+}