From f60a7272e016cc30621485b56d3d68632645d627 Mon Sep 17 00:00:00 2001
From: Paul Cram
Date: Wed, 1 Mar 2023 13:13:06 -0500
Subject: [PATCH 1/2] Replace hardcoded "aws" parition with data lookup

---
 iam.tf | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/iam.tf b/iam.tf
index e24fc9b..b878553 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,3 +1,5 @@
+data "aws_partition" "this" {}
+
 locals {
 service_roles_with_policies = var.create_graphql_api ? { for k, v in var.datasources : k => v if contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH"], v.type) && tobool(lookup(v, "create_service_role", true)) } : {}
 
@@ -19,7 +21,7 @@ locals {
 dynamodb = {
 effect = "Allow"
 actions = lookup(v, "policy_actions", null) == null ? var.dynamodb_allowed_actions : v.policy_actions
-resources = [for _, f in ["arn:aws:dynamodb:%v:%v:table/%v", "arn:aws:dynamodb:%v:%v:table/%v/*"] : format(f, v.region, lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id), v.table_name)]
+resources = [for _, f in ["arn:${data.aws_partition.this.partition}:dynamodb:%v:%v:table/%v", "arn:${data.aws_partition.this.partition}:dynamodb:%v:%v:table/%v/*"] : format(f, v.region, lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id), v.table_name)]
 }
 }
 }
@@ -31,7 +33,7 @@ locals {
 elasticsearch = {
 effect = "Allow"
 actions = lookup(v, "policy_actions", null) == null ? var.elasticsearch_allowed_actions : v.policy_actions
-resources = [format("arn:aws:es:%v::domain/%v/*", v.region, v.endpoint)]
+resources = [format("arn:${data.aws_partition.this.partition}:es:%v::domain/%v/*", v.region, v.endpoint)]
 }
 }
 }
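Review bot: The new `resources` line in the `dynamodb` statement mixes `${}` interpolation with `format()` `%v` placeholders inside the same template string, and the same `data.aws_partition.this.partition` expression is now spelled out in four places in this file. Passing the partition as a format argument keeps one templating mechanism per string, e.g. `resources = [for _, f in ["arn:%v:dynamodb:%v:%v:table/%v", "arn:%v:dynamodb:%v:%v:table/%v/*"] : format(f, data.aws_partition.this.partition, v.region, lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id), v.table_name)]`, or alternatively define `partition = data.aws_partition.this.partition` once in `locals` and reference that. The `locals` block this hunk belongs to starts and ends outside the hunk.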
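Review bot: The Elasticsearch ARN built on the new `resources` line leaves the account-ID field empty (`:es:%v::domain/`) and uses `v.endpoint` as the domain segment, whereas the DynamoDB statement two hunks above fills the account from `lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id)`. An OpenSearch/Elasticsearch domain ARN normally carries the owning account and the domain name rather than the endpoint hostname, so unless the module documents `endpoint` as the domain name and IAM matches the empty account field, this statement may not match the real domain resource — worth confirming against an applied policy before relying on it. If the domain name is indeed what `endpoint` holds, consider at least `format("arn:%v:es:%v:%v:domain/%v/*", data.aws_partition.this.partition, v.region, lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id), v.endpoint)` for consistency with the DynamoDB branch. The `locals` block this hunk belongs to starts and ends outside the hunk.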
@@ -72,7 +74,7 @@ resource "aws_iam_role" "logs" {
 
 resource "aws_iam_role_policy_attachment" "logs" {
 count = var.logging_enabled && var.create_logs_role ? 1 : 0
-policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
+policy_arn = "arn:${data.aws_partition.this.partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
 role = aws_iam_role.logs[0].name
 }
 

From 214eef35830153747f9e078bd3e464d46dc085f2 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Fri, 3 Mar 2023 12:08:20 +0100
Subject: [PATCH 2/2] Fixed docs

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 27afb17..cc41414 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,7 @@ No modules.
 | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.service_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 