Parametrize the AWS ARN for S3 bucket policies (#39)

ericamador · web-flow · commit 7a0f82a4254b · 2020-03-26T11:23:17.000-07:00
This change allows a user to override the AWS ARN (which to defaults to
the most common use case of "arn:aws") in order to allow one to use this
module in the AWS GovCloud/China regions. This can be done by setting
the value of the arn_format variable to "arn:aws-us-gov"/"arn:aws-cn"
respectively.
diff --git a/README.md b/README.md
@@ -160,6 +160,7 @@ Available targets:
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply to the S3 bucket | string | `private` | no |
 | additional_tag_map | Additional tags for appending to each tag map | map(string) | `<map>` | no |
+| arn_format | ARN format to be used. May be changed to support deployment in GovCloud/China regions. | string | `arn:aws` | no |
 | attributes | Additional attributes (e.g. `state`) | list(string) | `<list>` | no |
 | billing_mode | DynamoDB billing mode | string | `PROVISIONED` | no |
 | block_public_acls | Whether Amazon S3 should block public ACLs for this bucket | bool | `true` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -4,6 +4,7 @@
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply to the S3 bucket | string | `private` | no |
 | additional_tag_map | Additional tags for appending to each tag map | map(string) | `<map>` | no |
+| arn_format | ARN format to be used. May be changed to support deployment in GovCloud/China regions. | string | `arn:aws` | no |
 | attributes | Additional attributes (e.g. `state`) | list(string) | `<list>` | no |
 | billing_mode | DynamoDB billing mode | string | `PROVISIONED` | no |
 | block_public_acls | Whether Amazon S3 should block public ACLs for this bucket | bool | `true` | no |
diff --git a/main.tf b/main.tf
@@ -55,7 +55,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
     ]
 
     resources = [
-      "arn:aws:s3:::${local.bucket_name}/*",
+      "${var.arn_format}:s3:::${local.bucket_name}/*",
     ]
 
     condition {
@@ -83,7 +83,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
     ]
 
     resources = [
-      "arn:aws:s3:::${local.bucket_name}/*",
+      "${var.arn_format}:s3:::${local.bucket_name}/*",
     ]
 
     condition {
diff --git a/variables.tf b/variables.tf
@@ -87,6 +87,12 @@ variable "region" {
   description = "AWS Region the S3 bucket should reside in"
 }
 
+variable "arn_format" {
+  type        = string
+  default     = "arn:aws"
+  description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
+}
+
 variable "acl" {
   type        = string
   description = "The canned ACL to apply to the S3 bucket"

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {`
`55`	`55`	`]`
`56`	`56`
`57`	`57`	`resources = [`
`58`		`- "arn:aws:s3:::${local.bucket_name}/*",`
	`58`	`+ "${var.arn_format}:s3:::${local.bucket_name}/*",`
`59`	`59`	`]`
`60`	`60`
`61`	`61`	`condition {`
`@@ -83,7 +83,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {`
`83`	`83`	`]`
`84`	`84`
`85`	`85`	`resources = [`
`86`		`- "arn:aws:s3:::${local.bucket_name}/*",`
	`86`	`+ "${var.arn_format}:s3:::${local.bucket_name}/*",`
`87`	`87`	`]`
`88`	`88`
`89`	`89`	`condition {`