Allow to set AWS ARN for S3 bucket policies (#22)

* Allow to set AWS ARN for S3 bucket policies * terraform-aws-s3-log-storage doesn't need arn_format * Updated README.md * Updated README.md Co-authored-by: actions-bot <58130806+actions-bot@users.noreply.github.com> Co-authored-by: PePe Amengual <jose.amengual@gmail.com>
cloudposse · Jul 2, 2020 · 2d303e9 · 2d303e9
1 parent 56481b1
commit 2d303e9
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -145,6 +145,7 @@ Available targets:
 | abort\_incomplete\_multipart\_upload\_days | Maximum time (in days) that you want to allow multipart uploads to remain in progress | `number` | `5` | no |
 | access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | acl | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no |
+| arn\_format | ARN format to be used. May be changed to support deployment in GovCloud/China regions. | `string` | `"arn:aws"` | no |
 | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | block\_public\_acls | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |
 | block\_public\_policy | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -20,6 +20,7 @@
 | abort\_incomplete\_multipart\_upload\_days | Maximum time (in days) that you want to allow multipart uploads to remain in progress | `number` | `5` | no |
 | access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | acl | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no |
+| arn\_format | ARN format to be used. May be changed to support deployment in GovCloud/China regions. | `string` | `"arn:aws"` | no |
 | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | block\_public\_acls | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |
 | block\_public\_policy | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no |

diff --git a/main.tf b/main.tf
@@ -26,7 +26,7 @@ data "aws_iam_policy_document" "default" {
     ]
 
     resources = [
-      "arn:aws:s3:::${module.label.id}",
+      "${var.arn_format}:s3:::${module.label.id}",
     ]
   }
 
@@ -43,7 +43,7 @@ data "aws_iam_policy_document" "default" {
     ]
 
     resources = [
-      "arn:aws:s3:::${module.label.id}/*",
+      "${var.arn_format}:s3:::${module.label.id}/*",
     ]
 
     condition {

diff --git a/variables.tf b/variables.tf
@@ -76,6 +76,12 @@ variable "region" {
   default     = ""
 }
 
+variable "arn_format" {
+  type        = string
+  default     = "arn:aws"
+  description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
+}
+
 variable "force_destroy" {
   type        = bool
   description = "(Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable"