fix: remove hardcoded aws partition in arn (#259)

Signed-off-by: ankitm123 <[email protected]>

examples/existing-cluster/main.tf

@@ -130,7 +130,7 @@ module "eks" {
   } : {}
 
   workers_additional_policies = [
-    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
   ]
 
   map_users                       = var.map_users

modules/cluster/irsa.tf

@@ -7,6 +7,8 @@
 // ----------------------------------------------------------------------------
 // Tekton Bot IAM Policy, IAM Role and Service Account
 // ----------------------------------------------------------------------------
+
+data "aws_partition" "current" {}
 data "aws_iam_policy_document" "tekton-bot-policy" {
   count = var.create_tekton_role ? 1 : 0
   statement {
@@ -75,7 +77,7 @@ data "aws_iam_policy_document" "external-dns-policy" {
     actions = [
       "route53:ChangeResourceRecordSets",
     ]
-    resources = ["arn:aws:route53:::hostedzone/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:route53:::hostedzone/*"]
   }
   statement {
     effect = "Allow"
@@ -132,14 +134,14 @@ data "aws_iam_policy_document" "cert-manager-policy" {
     actions = [
       "route53:GetChange",
     ]
-    resources = ["arn:aws:route53:::change/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:route53:::change/*"]
   }
   statement {
     effect = "Allow"
     actions = [
       "route53:ChangeResourceRecordSets",
     ]
-    resources = ["arn:aws:route53:::hostedzone/*"]
+    resources = ["arn:${data.aws_partition.current.partition}:route53:::hostedzone/*"]
   }
   statement {
     effect = "Allow"
@@ -227,7 +229,7 @@ module "iam_assumable_role_controllerbuild" {
   create_role                   = var.create_ctrlb_role
   role_name                     = var.is_jx2 ? substr("tf-${var.cluster_name}-sa-role-ctrlb-${local.generated_seed}", 0, 60) : "${local.cluster_trunc}-build-ctrl"
   provider_url                  = local.oidc_provider_url
-  role_policy_arns              = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]
+  role_policy_arns              = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonS3FullAccess"]
   oidc_fully_qualified_subjects = ["system:serviceaccount:jx:jenkins-x-controllerbuild"]
 }
 resource "kubernetes_service_account" "jenkins-x-controllerbuild" {

modules/cluster/main.tf

@@ -13,6 +13,8 @@ data "aws_availability_zones" "available" {}
 
 data "aws_caller_identity" "current" {}
 
+data "aws_partition" "current" {}
+
 // ----------------------------------------------------------------------------
 // Define K8s cluster configuration
 // ----------------------------------------------------------------------------
@@ -144,7 +146,7 @@ module "eks" {
   } : {}
 
   workers_additional_policies = [
-    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
   ]
 
   map_users                       = var.map_users

modules/vault/main.tf

@@ -2,6 +2,8 @@
 // If the Vault IAM user does exist create one
 // See https://www.terraform.io/docs/providers/aws/r/iam_user.html
 // ----------------------------------------------------------------------------
+
+data "aws_partition" "current" {}
 locals {
   encryption_algo = var.use_kms_s3 ? "aws:kms" : "AES256"
 }
@@ -108,7 +110,7 @@ resource "aws_kms_key" "kms_vault_unseal" {
             "Principal": {
                 "AWS": [
                     "${length(data.aws_iam_user.vault_user) > 0 ? data.aws_iam_user.vault_user[0].arn : ""}",
-                    "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+                    "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
                 ]
             },
             "Action": "kms:*",