feat: choose partition from context

Author: Felix Zieger

.github/workflows/workflow.yaml

@@ -14,10 +14,10 @@ jobs:
       with:
         terraform_version: 1.0.10
 
-      # note: we can only validate the example atm. see https://github.com/hashicorp/terraform/issues/28490  
+      # note: we can only validate the example atm. see https://github.com/hashicorp/terraform/issues/28490
     - run: terraform init -backend=false
       working-directory: examples/basic-aws-integration
-      
+
     - run: terraform validate
       working-directory: examples/basic-aws-integration
 

README.md

@@ -165,6 +165,7 @@ Before opening a Pull Request, we recommend following the below steps to get a f
 
 | Name | Version |
 |------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.33.0 |
 | <a name="provider_aws.automation"></a> [aws.automation](#provider\_aws.automation) | 5.33.0 |
 | <a name="provider_aws.management"></a> [aws.management](#provider\_aws.management) | 5.33.0 |
 | <a name="provider_aws.meshcloud"></a> [aws.meshcloud](#provider\_aws.meshcloud) | 5.33.0 |
@@ -186,6 +187,7 @@ Before opening a Pull Request, we recommend following the below steps to get a f
 | [aws_caller_identity.automation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_caller_identity.management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_caller_identity.meshcloud](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 

main.tf

@@ -8,6 +8,8 @@ data "aws_caller_identity" "automation" {
   provider = aws.automation
 }
 
+data "aws_partition" "current" {}
+
 module "meshcloud_account_metering_access" {
   source = "./modules/meshcloud-cost-explorer/ce-meshcloud-account-access"
   providers = {

modules/meshcloud-cost-explorer/ce-management-account-access/data.tf

@@ -39,7 +39,7 @@ data "aws_iam_policy_document" "cost_explorer_service_assume_role" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.meshcloud_account_id}:user/${var.meshcloud_account_service_user_name}"]
+      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.meshcloud_account_id}:user/${var.meshcloud_account_service_user_name}"]
     }
     actions = ["sts:AssumeRole"]
     condition {

modules/meshcloud-cost-explorer/ce-meshcloud-account-access/README.md

@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.21.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.7.0 |
 
 ## Modules
 

modules/meshcloud-cost-explorer/ce-meshcloud-account-access/data.tf

@@ -9,7 +9,7 @@ data "aws_iam_policy_document" "meshcloud_cost_explorer_user_assume_role" {
   statement {
     effect    = "Allow"
     actions   = ["sts:AssumeRole"]
-    resources = ["arn:aws:iam::${var.management_account_id}:role/${var.management_account_service_role_name}"]
+    resources = ["arn:${data.aws_partition.current.partition}:iam::${var.management_account_id}:role/${var.management_account_service_role_name}"]
     condition {
       test     = "StringEquals"
       variable = "sts:ExternalId"

modules/meshcloud-replicator/replicator-automation-account-access/data.tf

@@ -10,7 +10,7 @@ data "aws_iam_policy_document" "meshfed_automation_assume_role" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.meshcloud_account_id}:user/${var.meshcloud_account_service_user_name}"]
+      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.meshcloud_account_id}:user/${var.meshcloud_account_service_user_name}"]
     }
     actions = ["sts:AssumeRole"]
     condition {
@@ -59,6 +59,6 @@ data "aws_iam_policy_document" "cloudformation_stackset_execution" {
     sid       = "VisualEditor0"
     effect    = "Allow"
     actions   = ["sts:AssumeRole"]
-    resources = ["arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"]
+    resources = ["arn:${data.aws_partition.current.partition}:iam::*:role/AWSCloudFormationStackSetExecutionRole"]
   }
 }

modules/meshcloud-replicator/replicator-management-account-access/README.md

@@ -26,7 +26,7 @@ No modules.
 | [aws_iam_role_policy_attachment.meshfed_service_enrollment_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.meshfed_service_enrollment_sc_adm_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.meshfed_service_enrollment_sc_enduser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_servicecatalog_principal_portfolio_association.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/servicecatalog_principal_portfolio_association) | resource |
+| [aws_servicecatalog_principal_portfolio_association.meshfed_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/servicecatalog_principal_portfolio_association) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.meshfed_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.meshfed_service_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

modules/meshcloud-replicator/replicator-management-account-access/data.tf

@@ -10,7 +10,7 @@ data "aws_iam_policy_document" "meshfed_service" {
     sid       = "StsAccessMemberAccount"
     effect    = "Allow"
     actions   = ["sts:AssumeRole"]
-    resources = ["arn:aws:iam::*:role/${var.meshstack_access_role_name}"]
+    resources = ["arn:${data.aws_partition.current.partition}:iam::*:role/${var.meshstack_access_role_name}"]
     condition {
       test     = "StringEquals"
       variable = "sts:ExternalId"
@@ -30,9 +30,9 @@ data "aws_iam_policy_document" "meshfed_service" {
       "organizations:ListTagsForResource"
     ]
     resources = [
-      "arn:aws:organizations::*:account/o-*/*",
-      "arn:aws:organizations::*:ou/o-*/ou-*",
-      "arn:aws:organizations::${local.account_id}:root/o-*/r-*"
+      "arn:${data.aws_partition.current.partition}:organizations::*:account/o-*/*",
+      "arn:${data.aws_partition.current.partition}:organizations::*:ou/o-*/ou-*",
+      "arn:${data.aws_partition.current.partition}:organizations::${local.account_id}:root/o-*/r-*"
     ]
   }
 
@@ -49,9 +49,9 @@ data "aws_iam_policy_document" "meshfed_service" {
         # The actions organizations:TagResource and organizations:UntagResource act on accounts.
         # The actions can not be restricted to a subtree of the OU hierarchy. This is a limitation in the permission model of AWS Organization Service.
         # To supprt tagging for this meshPlatform we need to allow both actions on all accounts.
-        "arn:aws:organizations::*:account/o-*/*",
+        "arn:${data.aws_partition.current.partition}:organizations::*:account/o-*/*",
         # New accounts need to be moved from root to the target OU.
-        "arn:aws:organizations::${local.account_id}:root/o-*/r-*"
+        "arn:${data.aws_partition.current.partition}:organizations::${local.account_id}:root/o-*/r-*"
       ],
     var.landing_zone_ou_arns)
   }
@@ -80,8 +80,8 @@ data "aws_iam_policy_document" "meshfed_service" {
     ]
     resources = [
       "${var.aws_sso_instance_arn}",
-      "arn:aws:sso:::permissionSet/*/*",
-      "arn:aws:sso:::account/*"
+      "arn:${data.aws_partition.current.partition}:sso:::permissionSet/*/*",
+      "arn:${data.aws_partition.current.partition}:sso:::account/*"
     ]
   }
 
@@ -99,8 +99,8 @@ data "aws_iam_policy_document" "meshfed_service" {
         "iam:GetSAMLProvider"
       ]
       resources = [
-        "arn:aws:iam::${local.account_id}:saml-provider/*",
-        "arn:aws:iam::${local.account_id}:role/*"
+        "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:saml-provider/*",
+        "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:role/*"
       ]
     }
   }
@@ -112,7 +112,7 @@ data "aws_iam_policy_document" "meshfed_service_assume_role" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.meshcloud_account_id}:user/${var.meshcloud_account_service_user_name}"]
+      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.meshcloud_account_id}:user/${var.meshcloud_account_service_user_name}"]
     }
     actions = ["sts:AssumeRole"]
     condition {

modules/meshcloud-replicator/replicator-management-account-access/module.tf

@@ -18,13 +18,13 @@ resource "aws_iam_role_policy_attachment" "meshfed_service" {
 resource "aws_iam_role_policy_attachment" "meshfed_service_enrollment_sc_enduser" {
   count      = var.control_tower_enrollment_enabled ? 1 : 0
   role       = aws_iam_role.meshfed_service.name
-  policy_arn = "arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess"
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSServiceCatalogEndUserFullAccess"
 }
 
 resource "aws_iam_role_policy_attachment" "meshfed_service_enrollment_sc_adm_read" {
   count      = var.control_tower_enrollment_enabled ? 1 : 0
   role       = aws_iam_role.meshfed_service.name
-  policy_arn = "arn:aws:iam::aws:policy/AWSServiceCatalogAdminReadOnlyAccess"
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSServiceCatalogAdminReadOnlyAccess"
 }
 
 resource "aws_iam_policy" "meshfed_service_enrollment_additional" {