From 7a0f82a4254b57afc55d11b78bb4233c27759711 Mon Sep 17 00:00:00 2001
From: Eric Amador
Date: Thu, 26 Mar 2020 14:23:17 -0400
Subject: [PATCH] Parametrize the AWS ARN for S3 bucket policies (#39)

This change allows a user to override the AWS ARN (which to defaults to the most common use case of "arn:aws") in order to allow one to use this module in the AWS GovCloud/China regions. This can be done by setting the value of the arn_format variable to "arn:aws-us-gov"/"arn:aws-cn" respectively.
---
 README.md | 1 +
 docs/terraform.md | 1 +
 main.tf | 4 ++--
 variables.tf | 6 ++++++
 4 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 74c1791..5ff43e9 100644
--- a/README.md
+++ b/README.md
@@ -160,6 +160,7 @@ Available targets:
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply to the S3 bucket | string | `private` | no |
 | additional_tag_map | Additional tags for appending to each tag map | map(string) | `` | no |
+| arn_format | ARN format to be used. May be changed to support deployment in GovCloud/China regions. | string | `arn:aws` | no |
 | attributes | Additional attributes (e.g. `state`) | list(string) | `` | no |
 | billing_mode | DynamoDB billing mode | string | `PROVISIONED` | no |
 | block_public_acls | Whether Amazon S3 should block public ACLs for this bucket | bool | `true` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index b2d7c88..b7176d3 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -4,6 +4,7 @@
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply to the S3 bucket | string | `private` | no |
 | additional_tag_map | Additional tags for appending to each tag map | map(string) | `` | no |
+| arn_format | ARN format to be used. May be changed to support deployment in GovCloud/China regions. | string | `arn:aws` | no |
 | attributes | Additional attributes (e.g. `state`) | list(string) | `` | no |
 | billing_mode | DynamoDB billing mode | string | `PROVISIONED` | no |
 | block_public_acls | Whether Amazon S3 should block public ACLs for this bucket | bool | `true` | no |
diff --git a/main.tf b/main.tf
index 70dd6f2..d0b80f5 100644
--- a/main.tf
+++ b/main.tf
@@ -55,7 +55,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
     ]
 
     resources = [
-      "arn:aws:s3:::${local.bucket_name}/*",
+      "${var.arn_format}:s3:::${local.bucket_name}/*",
     ]
 
     condition {
@@ -83,7 +83,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
     ]
 
     resources = [
-      "arn:aws:s3:::${local.bucket_name}/*",
+      "${var.arn_format}:s3:::${local.bucket_name}/*",
     ]
 
     condition {
diff --git a/variables.tf b/variables.tf
index 5d98803..a13a622 100644
--- a/variables.tf
+++ b/variables.tf
@@ -87,6 +87,12 @@ variable "region" {
   description = "AWS Region the S3 bucket should reside in"
 }
 
+variable "arn_format" {
+  type        = string
+  default     = "arn:aws"
+  description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
+}
+
 variable "acl" {
   type        = string
   description = "The canned ACL to apply to the S3 bucket"
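Review bot: The `${var.arn_format}` interpolated on the new `resources` line is an unvalidated free-form string, and nothing ties it to the partition the bucket is actually created in; if the two disagree (a typo, or the `arn:aws` default left in place in GovCloud) the policy plans and applies cleanly but its resource ARN never matches the real bucket, so whatever this `prevent_unencrypted_uploads` statement is meant to enforce silently stops applying. The partition can be read from the provider instead of trusted from the caller: add `data "aws_partition" "current" {}` and build the ARN as `"arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}/*"`, which is correct in commercial, GovCloud and China regions with no input at all. If the variable must stay for compatibility, treat it as an override, e.g. `coalesce(var.arn_format, "arn:${data.aws_partition.current.partition}")` with the variable's default changed to `""`. The identical substitution in the second main.tf hunk should be handled the same way. The enclosing `statement` block and the data source begin and end outside the hunk.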
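Review bot: The new `arn_format` variable accepts any string although its value is spliced straight into an IAM policy resource ARN, so a malformed value is not rejected at plan time and only surfaces as a policy that never matches its bucket. If the module's minimum Terraform version is 0.13 or later (not visible in this hunk), add a `validation` block with `condition     = contains(["arn:aws", "arn:aws-us-gov", "arn:aws-cn"], var.arn_format)` and `error_message = "arn_format must be one of arn:aws, arn:aws-us-gov or arn:aws-cn."`. The description also calls the value a "format" while it is really the `arn:<partition>` prefix; `description = "ARN prefix (arn:<partition>) used when building policy ARNs. Set to arn:aws-us-gov or arn:aws-cn for GovCloud/China regions."` tells the caller exactly what to supply.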