Merge pull request #89 from suprememoocow/partition-aware
fix: Allow non-aws partitions to be used, including GovCloud
ivankatliarchuk authored Jan 5, 2025
2 parents 3d6270b + 4a14bfc commit 902488d
Showing 1 changed file with 24 additions and 18 deletions.
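--- a/data.tf
+++ b/data.tf
@@ -1,3 +1,9 @@
+data "aws_partition" "current" {}
+
+locals {
+partition = data.aws_partition.current.partition
+}
+
 data "aws_iam_policy_document" "this" {
 
 statement {
@@ -21,7 +27,7 @@ data "aws_iam_policy_document" "this" {
 "iam:DeleteVirtualMFADevice"
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:mfa/&{aws:username}",
+"arn:${local.partition}:iam::${var.account_id}:mfa/&{aws:username}",
 ]
 }
 
@@ -32,8 +38,8 @@ data "aws_iam_policy_document" "this" {
 "iam:DeleteVirtualMFADevice",
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:mfa/&{aws:username}",
-"arn:aws:iam::${var.account_id}:user/&{aws:username}",
+"arn:${local.partition}:iam::${var.account_id}:mfa/&{aws:username}",
+"arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",
 ]
 condition {
 test = "Bool"
@@ -49,7 +55,7 @@ data "aws_iam_policy_document" "this" {
 "iam:ListGroupsForUser",
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:user/&{aws:username}",
+"arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",
 ]
 }
 
@@ -59,7 +65,7 @@ data "aws_iam_policy_document" "this" {
 "iam:ListGroups",
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:group/",
+"arn:${local.partition}:iam::${var.account_id}:group/",
 ]
 }
 
@@ -70,7 +76,7 @@ data "aws_iam_policy_document" "this" {
 "iam:ListAttachedGroupPolicies",
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:group/*",
+"arn:${local.partition}:iam::${var.account_id}:group/*",
 ]
 }
 
@@ -81,8 +87,8 @@ data "aws_iam_policy_document" "this" {
 "iam:ListMFADevices",
 ]
 resources = [
-"arn:aws:iam::*:mfa/*",
-"arn:aws:iam::*:user/&{aws:username}"
+"arn:${local.partition}:iam::*:mfa/*",
+"arn:${local.partition}:iam::*:user/&{aws:username}"
 ]
 
 }
@@ -102,7 +108,7 @@ data "aws_iam_policy_document" "this" {
 "iam:GetLoginProfile",
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:user/&{aws:username}",
+"arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",
 ]
 }
 
@@ -118,8 +124,8 @@ data "aws_iam_policy_document" "this" {
 ]
 
 resources = [
-"arn:aws:iam::*:mfa/&{aws:username}",
-"arn:aws:iam::*:user/&{aws:username}"
+"arn:${local.partition}:iam::*:mfa/&{aws:username}",
+"arn:${local.partition}:iam::*:user/&{aws:username}"
 ]
 }
 
@@ -132,7 +138,7 @@ data "aws_iam_policy_document" "this" {
 "iam:GetSSHPublicKey",
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:user/&{aws:username}",
+"arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}",
 ]
 }
 
@@ -143,8 +149,8 @@ data "aws_iam_policy_document" "this" {
 "iam:DeactivateMFADevice"
 ]
 resources = [
-"arn:aws:iam::*:mfa/&{aws:username}",
-"arn:aws:iam::*:user/&{aws:username}"
+"arn:${local.partition}:iam::*:mfa/&{aws:username}",
+"arn:${local.partition}:iam::*:user/&{aws:username}"
 ]
 condition {
 test = "Bool"
@@ -188,7 +194,7 @@ data "aws_iam_policy_document" "this" {
 "iam:UpdateAccessKey",
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:user/&{aws:username}"
+"arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"
 ]
 condition {
 test = "BoolIfExists"
@@ -212,7 +218,7 @@ data "aws_iam_policy_document" "this" {
 "iam:UploadSigningCertificate",
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:user/&{aws:username}"
+"arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"
 ]
 condition {
 test = "BoolIfExists"
@@ -234,7 +240,7 @@ data "aws_iam_policy_document" "this" {
 "iam:UploadSSHPublicKey"
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:user/&{aws:username}"
+"arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"
 ]
 condition {
 test = "BoolIfExists"
@@ -258,7 +264,7 @@ data "aws_iam_policy_document" "this" {
 "iam:UpdateServiceSpecificCredential",
 ]
 resources = [
-"arn:aws:iam::${var.account_id}:user/&{aws:username}"
+"arn:${local.partition}:iam::${var.account_id}:user/&{aws:username}"
 ]
 condition {
 test = "BoolIfExists"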
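Review bot: The new `locals` block in the first hunk (`@@ -1,3 +1,9 @@`) introduces `local.partition` without a comment saying where the value comes from or why every ARN in this document now depends on it; a one-line note such as `# Partition (aws, aws-us-gov, aws-cn) of the configured provider, so the ARNs below resolve outside the commercial partition.` would save the next reader from tracing the data source. Note also that the partition is read from the provider while the account comes from `var.account_id`; if a caller passes an account from a different partition than the provider is configured for, the generated ARNs will never match any principal, so it may be worth documenting that the two must agree (inferred from the inputs, not verified here). As a matter of style, the module may already keep locals in a dedicated `locals.tf`; if so, the block would be more discoverable there than at the top of `data.tf`. The `data "aws_iam_policy_document" "this"` block continues past the last hunk.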