Fix/remove hard coded aws partition from arns (#385)

bd79d496 · Naris Silpakit · GitHub · 743f3f11 · bd79d496 · bd79d496
Unverified Commit bd79d496 authored 2 years ago by Naris Silpakit Committed by GitHub 2 years ago
--- a/.github/workflows/e2e-parallel-destroy.yml
+++ b/.github/workflows/e2e-parallel-destroy.yml
@@ -71,7 +71,7 @@ jobs:
          then
            echo "Skipping pre-setup for ${{ matrix.example_path }}"
            cp -R ${{ matrix.example_path }}/* deploy/e2e/gh-e2e-test/
-          else 
+          else
            echo "Running pre-setup for ${{ matrix.example_path }}"
            cp -R deploy/e2e/gh-e2e-template/* deploy/e2e/gh-e2e-test/
            sed -i "s!REPLACE_ME!${{ matrix.tenant_name }}!g" deploy/e2e/gh-e2e-test/base.tfvars

--- a/.github/workflows/e2e-parallel-full.yml
+++ b/.github/workflows/e2e-parallel-full.yml
@@ -73,7 +73,7 @@ jobs:
          then
            echo "Skipping pre-setup for ${{ matrix.example_path }}"
            cp -R ${{ matrix.example_path }}/* deploy/e2e/gh-e2e-test/
-          else 
+          else
            echo "Running pre-setup for ${{ matrix.example_path }}"
            cp -R deploy/e2e/gh-e2e-template/* deploy/e2e/gh-e2e-test/
            sed -i "s!REPLACE_ME!${{ matrix.tenant_name }}!g" deploy/e2e/gh-e2e-test/base.tfvars

--- a/deploy/e2e/gh-e2e-template/README.md
+++ b/deploy/e2e/gh-e2e-template/README.md
@@ -34,4 +34,3 @@ No resources.
 No outputs.

 <!--- END_TF_DOCS --->
-
--- a/deploy/e2e/gh-e2e-template/backend.conf
+++ b/deploy/e2e/gh-e2e-template/backend.conf
 bucket = "terraform-ssp-github-actions-state"
 region = "us-west-2"
-key    = "e2e/TF_STATE_PATH.tfstate"
\ No newline at end of file
+key    = "e2e/TF_STATE_PATH.tfstate"
--- a/modules/aws-eks-self-managed-node-groups/locals.tf
+++ b/modules/aws-eks-self-managed-node-groups/locals.tf
@@ -49,7 +49,7 @@ locals {
  default_custom_ami_id = contains(local.predefined_ami_types, local.self_managed_node_group["launch_template_os"]) ? data.aws_ami.predefined[local.self_managed_node_group["launch_template_os"]].id : ""
  custom_ami_id         = local.self_managed_node_group["custom_ami_id"] == "" ? local.default_custom_ami_id : local.self_managed_node_group["custom_ami_id"]

-  policy_arn_prefix = "arn:aws:iam::aws:policy"
+  policy_arn_prefix = "arn:${var.context.aws_partition_id}:iam::aws:policy"
  ec2_principal     = "ec2.${var.context.aws_partition_dns_suffix}"

  # EKS Worker Managed Policies

--- a/modules/kubernetes-addons/aws-for-fluentbit/data.tf
+++ b/modules/kubernetes-addons/aws-for-fluentbit/data.tf
@@ -6,14 +6,14 @@ data "aws_iam_policy_document" "irsa" {
  statement {
    sid       = "PutLogEvents"
    effect    = "Allow"
-    resources = ["arn:aws:logs:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:log-group:*:log-stream:*"]
+    resources = ["arn:${var.addon_context.aws_partition_id}:logs:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:log-group:*:log-stream:*"]
    actions   = ["logs:PutLogEvents"]
  }

  statement {
    sid       = "CreateCWLogs"
    effect    = "Allow"
-    resources = ["arn:aws:logs:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:log-group:*"]
+    resources = ["arn:${var.addon_context.aws_partition_id}:logs:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:log-group:*"]

    actions = [
      "logs:CreateLogStream",
@@ -33,7 +33,7 @@ data "aws_iam_policy_document" "kms" {

    principals {
      type = "AWS"
-      identifiers = ["arn:aws:iam::${var.addon_context.aws_caller_identity_account_id}:root",
+      identifiers = ["arn:${var.addon_context.aws_partition_id}:iam::${var.addon_context.aws_caller_identity_account_id}:root",
      data.aws_iam_session_context.current.issuer_arn]
    }
  }
@@ -54,7 +54,7 @@ data "aws_iam_policy_document" "kms" {
    condition {
      test     = "ArnEquals"
      variable = "kms:EncryptionContext:aws:logs:arn"
-      values   = ["arn:aws:logs:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:log-group:${local.log_group_name}"]
+      values   = ["arn:${var.addon_context.aws_partition_id}:logs:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:log-group:${local.log_group_name}"]
    }

    principals {

--- a/modules/kubernetes-addons/crossplane/data.tf
+++ b/modules/kubernetes-addons/crossplane/data.tf
@@ -2,7 +2,7 @@ data "aws_iam_policy_document" "s3_policy" {
  statement {
    sid       = "VisualEditor0"
    effect    = "Allow"
-    resources = ["arn:aws:s3:::*"]
+    resources = ["arn:${var.addon_context.aws_partition_id}:s3:::*"]

    actions = [
      "s3:Get*",

--- a/modules/kubernetes-addons/keda/data.tf
+++ b/modules/kubernetes-addons/keda/data.tf
@@ -3,8 +3,8 @@ data "aws_iam_policy_document" "keda_irsa" {
    effect = "Allow"

    resources = [
-      "arn:aws:cloudwatch:*:${var.addon_context.aws_caller_identity_account_id}:metric-stream/*",
-      "arn:aws:sqs:*:${var.addon_context.aws_caller_identity_account_id}:*",
+      "arn:${var.addon_context.aws_partition_id}:cloudwatch:*:${var.addon_context.aws_caller_identity_account_id}:metric-stream/*",
+      "arn:${var.addon_context.aws_partition_id}:sqs:*:${var.addon_context.aws_caller_identity_account_id}:*",
    ]

    actions = [