feat: Support non-default AWS partitions (#65)

Adds support for audiences other than sts.amazonaws.com, this determines
the DNS suffix from the partition and builds the URL correctly, so that
regions such as China can use the module.

data.tf

@@ -31,8 +31,11 @@ data "aws_iam_policy_document" "assume_role" {
     }
 
     condition {
-      test     = "StringEquals"
-      values   = var.additional_audiences != null ? concat(["sts.amazonaws.com"], var.additional_audiences) : ["sts.amazonaws.com"]
+      test = "StringEquals"
+      values = var.additional_audiences != null ? concat(
+        [local.audience],
+        var.additional_audiences,
+      ) : [local.audience]
       variable = "token.actions.githubusercontent.com:aud"
     }
 

main.tf

@@ -13,9 +13,11 @@
 // limitations under the License.
 
 locals {
+  audience = format("sts.%v", local.dns_suffix)
   github_organizations = toset([
     for repo in var.github_repositories : split("/", repo)[0]
   ])
+  dns_suffix        = data.aws_partition.current.dns_suffix
   oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
   partition         = data.aws_partition.current.partition
 }
@@ -67,7 +69,7 @@ resource "aws_iam_openid_connect_provider" "github" {
 
   client_id_list = concat(
     [for org in local.github_organizations : "https://github.com/${org}"],
-    ["sts.amazonaws.com"]
+    [local.audience],
   )
 
   tags = var.tags