From 254206881482a099976bb1c16fe3ddaad52dd920 Mon Sep 17 00:00:00 2001
From: Trent Nadeau
Date: Fri, 19 Feb 2021 12:35:29 -0500
Subject: [PATCH] GovCloud support (#10)
---
 README.md | 1 +
 main.tf | 2 +-
 variables.tf | 6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8cdd0c5..9a0301c 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@ Check versions for this module on:
 | essential | (Optional) Determines whether all other containers in a task are stopped, if this container fails or stops for any reason. Due to how Terraform type casts booleans in json it is required to double quote this value | `bool` | `true` | no |
 | firelens\_configuration | (Optional) The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_FirelensConfiguration.html |
object({
type = string
options = map(string)
})
| `null` | no |
 | healthcheck | (Optional) A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) |
object({
command = list(string)
retries = number
timeout = number
interval = number
startPeriod = number
})
| `null` | no |
+| iam_partition | (Optional) IAM partition to use when referencing standard policies. GovCloud and some other regions use different partitions | `string` | `aws` | no |
 | links | (Optional) List of container names this container can communicate with without port mappings | `list(string)` | `null` | no |
 | linux\_parameters | Linux-specific modifications that are applied to the container, such as Linux kernel capabilities. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LinuxParameters.html |
object({
capabilities = object({
add = list(string)
drop = list(string)
})
devices = list(object({
containerPath = string
hostPath = string
permissions = list(string)
}))
initProcessEnabled = bool
maxSwap = number
sharedMemorySize = number
swappiness = number
tmpfs = list(object({
containerPath = string
mountOptions = list(string)
size = number
}))
})
| `null` | no |
 | log\_configuration | (Optional) Log configuration options to send to a custom log driver for the container. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html |
object({
logDriver = string
options = map(string)
secretOptions = list(object({
name = string
valueFrom = string
}))
})
| `null` | no |
diff --git a/main.tf b/main.tf
index a5e813b..01e61bb 100644
--- a/main.tf
+++ b/main.tf
@@ -9,7 +9,7 @@ resource "aws_iam_role" "ecs_task_execution_role" {
 resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attach" {
 role = aws_iam_role.ecs_task_execution_role.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+ policy_arn = "arn:${var.iam_partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 resource "aws_iam_policy" "ecs_task_execution_role_custom_policy" {
diff --git a/variables.tf b/variables.tf
index 96bfaa5..900fa0e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -316,6 +316,12 @@ variable "docker_security_options" {
 #------------------------------------------------------------------------------
 # AWS ECS Task Definition Variables
 #------------------------------------------------------------------------------
+variable "iam_partition" {
+ description = "IAM partition to use when referencing standard policies. GovCloud and some other regions use different partitions"
+ type = string
+ default = "aws"
+}
+
 variable "permissions_boundary" {
 description = "(Optional) The ARN of the policy that is used to set the permissions boundary for the `ecs_task_execution_role` role."
 type = string
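Review bot: The partition is still spliced into the managed-policy ARN from a free-form string on the new `policy_arn` line, so a misspelled `iam_partition` only fails at apply time when IAM cannot resolve the policy, and the `aws` default silently selects the commercial partition in a GovCloud account that forgot to set it. The provider already knows which partition it is deployed into: a `data "aws_partition" "current" {}` block and `policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"` cannot drift from the account, and the variable could be kept purely as an override via `coalesce(var.iam_partition, data.aws_partition.current.partition)` if its default became `null`. The `aws_iam_policy.ecs_task_execution_role_custom_policy` resource on the last hunk line continues outside the hunk; if its policy document carries further hard-coded `arn:aws:` prefixes they would need the same treatment, which I cannot confirm from here.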
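Review bot: The new `variable "iam_partition"` accepts any string even though main.tf interpolates it straight into an IAM ARN, so a typo such as `aws-usgov` is not caught at plan time; a `validation` block restricting it to the partitions AWS publishes (`aws`, `aws-us-gov`, `aws-cn`, extended with the `aws-iso*` values if the module must target isolated regions) would surface the mistake before apply. A `validation` block requires Terraform 0.13 or later, which I cannot confirm from this hunk. The description also departs from the file's convention — the neighbouring `permissions_boundary` variable starts with `(Optional)` — and never says what GovCloud actually needs; naming `aws-us-gov` there saves the reader a trip to the docs.

```hcl
variable "iam_partition" {
  description = "(Optional) IAM partition used when referencing AWS-managed policies, e.g. `aws-us-gov` for GovCloud or `aws-cn` for China regions"
  type        = string
  default     = "aws"

  validation {
    condition     = contains(["aws", "aws-us-gov", "aws-cn"], var.iam_partition)
    error_message = "iam_partition must be one of: aws, aws-us-gov, aws-cn."
  }
}
```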