diff --git a/examples/existing-cluster/main.tf b/examples/existing-cluster/main.tf
index 7fd317c..8828ee7 100644
--- a/examples/existing-cluster/main.tf
+++ b/examples/existing-cluster/main.tf
@@ -130,7 +130,7 @@ module "eks" {
 } : {}
 workers_additional_policies = [
- "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+ "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
 ]
 map_users = var.map_users
diff --git a/modules/cluster/irsa.tf b/modules/cluster/irsa.tf
index 1bcdf6d..f5c11aa 100644
--- a/modules/cluster/irsa.tf
+++ b/modules/cluster/irsa.tf
@@ -7,6 +7,8 @@
 // ----------------------------------------------------------------------------
 // Tekton Bot IAM Policy, IAM Role and Service Account
 // ----------------------------------------------------------------------------
+
+data "aws_partition" "current" {}
 data "aws_iam_policy_document" "tekton-bot-policy" {
 count = var.create_tekton_role ? 1 : 0
 statement {
@@ -75,7 +77,7 @@ data "aws_iam_policy_document" "external-dns-policy" {
 actions = [
 "route53:ChangeResourceRecordSets",
 ]
- resources = ["arn:aws:route53:::hostedzone/*"]
+ resources = ["arn:${data.aws_partition.current.partition}:route53:::hostedzone/*"]
 }
 statement {
 effect = "Allow"
@@ -132,14 +134,14 @@ data "aws_iam_policy_document" "cert-manager-policy" {
 actions = [
 "route53:GetChange",
 ]
- resources = ["arn:aws:route53:::change/*"]
+ resources = ["arn:${data.aws_partition.current.partition}:route53:::change/*"]
 }
 statement {
 effect = "Allow"
 actions = [
 "route53:ChangeResourceRecordSets",
 ]
- resources = ["arn:aws:route53:::hostedzone/*"]
+ resources = ["arn:${data.aws_partition.current.partition}:route53:::hostedzone/*"]
 }
 statement {
 effect = "Allow"
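Review bot: The new `workers_additional_policies` entry in examples/existing-cluster/main.tf references `data.aws_partition.current.partition`, but this diff adds no `data "aws_partition" "current"` block under examples/existing-cluster, unlike modules/cluster and modules/vault. Unless that data source already exists in another file of the example directory, `terraform validate` will fail on the example with an undeclared data resource error. If it is missing, add `data "aws_partition" "current" {}` next to the example's other data sources. The `module "eks"` block starts and ends outside the hunk.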
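Review bot: `data "aws_partition" "current" {}` is declared here in modules/cluster/irsa.tf and again in the modules/cluster/main.tf hunk at `@@ -13,6 +13,8 @@`; both files belong to the same module, so Terraform will reject the second declaration as a duplicate data source and the module will not plan. Keep only the main.tf copy, which already sits with `aws_availability_zones` and `aws_caller_identity`, and drop the two lines added here; the `data.aws_partition.current.partition` references in the irsa.tf hunks resolve to it unchanged. As placed, the declaration also lands directly under the "Tekton Bot IAM Policy, IAM Role and Service Account" header, which it has nothing to do with.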
@@ -227,7 +229,7 @@ module "iam_assumable_role_controllerbuild" {
 create_role = var.create_ctrlb_role
 role_name = var.is_jx2 ? substr("tf-${var.cluster_name}-sa-role-ctrlb-${local.generated_seed}", 0, 60) : "${local.cluster_trunc}-build-ctrl"
 provider_url = local.oidc_provider_url
- role_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]
+ role_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonS3FullAccess"]
 oidc_fully_qualified_subjects = ["system:serviceaccount:jx:jenkins-x-controllerbuild"]
 }
 resource "kubernetes_service_account" "jenkins-x-controllerbuild" {
diff --git a/modules/cluster/main.tf b/modules/cluster/main.tf
index 33562ea..7b62679 100644
--- a/modules/cluster/main.tf
+++ b/modules/cluster/main.tf
@@ -13,6 +13,8 @@
 data "aws_availability_zones" "available" {}
 data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
 // ----------------------------------------------------------------------------
 // Define K8s cluster configuration
 // ----------------------------------------------------------------------------
@@ -144,7 +146,7 @@ module "eks" {
 } : {}
 workers_additional_policies = [
- "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+ "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
 ]
 map_users = var.map_users
diff --git a/modules/vault/main.tf b/modules/vault/main.tf
index 31938e1..06ec417 100644
--- a/modules/vault/main.tf
+++ b/modules/vault/main.tf
@@ -2,6 +2,8 @@
 // If the Vault IAM user does exist create one
 // See https://www.terraform.io/docs/providers/aws/r/iam_user.html
 // ----------------------------------------------------------------------------
+
+data "aws_partition" "current" {}
 locals {
 encryption_algo = var.use_kms_s3 ? "aws:kms" : "AES256"
 }
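Review bot: In modules/vault/main.tf the new `data "aws_partition" "current" {}` is inserted directly beneath the section header that ends with the `iam_user.html` link, which documents the Vault IAM user lookup, so a reader will associate the partition lookup with that section and no comment says what it is for. Either move the declaration above that header, alongside whatever other data sources the module declares (not visible in the hunk), or give it its own one-line comment, e.g. `// Current AWS partition, used to build partition-aware ARNs below`. The same placement issue applies to the modules/cluster/irsa.tf hunk at `@@ -7,6 +7,8 @@`.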
@@ -108,7 +110,7 @@ resource "aws_kms_key" "kms_vault_unseal" {
 "Principal": {
 "AWS": [
 "${length(data.aws_iam_user.vault_user) > 0 ? data.aws_iam_user.vault_user[0].arn : ""}",
- "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+ "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
 ]
 },
 "Action": "kms:*",