From 801d24208abb4547c695c7b38545d3b9142d4dbf Mon Sep 17 00:00:00 2001
From: Daniel Morris
Date: Sat, 11 Jan 2025 14:36:37 +0000
Subject: [PATCH] feat: Support non-default AWS partitions (#65)
Adds support for audiences other than sts.amazonaws.com, this determines the DNS suffix from the partition and builds the URL correctly, so that regions such as China can use the module.
---
 data.tf | 7 +++++--
 main.tf | 4 +++-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/data.tf b/data.tf
index b9a21b9..f766c6e 100644
--- a/data.tf
+++ b/data.tf
@@ -31,8 +31,11 @@ data "aws_iam_policy_document" "assume_role" {
 }
 condition {
- test = "StringEquals"
- values = var.additional_audiences != null ? concat(["sts.amazonaws.com"], var.additional_audiences) : ["sts.amazonaws.com"]
+ test = "StringEquals"
+ values = var.additional_audiences != null ? concat(
+ [local.audience],
+ var.additional_audiences,
+ ) : [local.audience]
 variable = "token.actions.githubusercontent.com:aud"
 }
diff --git a/main.tf b/main.tf
index 063ae22..d466ac7 100644
--- a/main.tf
+++ b/main.tf
@@ -13,9 +13,11 @@
 // limitations under the License.
 locals {
+ audience = format("sts.%v", local.dns_suffix)
 github_organizations = toset([
 for repo in var.github_repositories : split("/", repo)[0]
 ])
+ dns_suffix = data.aws_partition.current.dns_suffix
 oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
 partition = data.aws_partition.current.partition
 }
@@ -67,7 +69,7 @@ resource "aws_iam_openid_connect_provider" "github" {
 client_id_list = concat(
 [for org in local.github_organizations : "https://github.com/${org}"],
- ["sts.amazonaws.com"]
+ [local.audience],
 )
 tags = var.tags
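Review bot: The `values` list of the `aud` condition now accepts only `sts.<partition dns suffix>`, so in a non-default partition a workflow that still requests the default `sts.amazonaws.com` audience (which I believe is what `configure-aws-credentials` sends unless told otherwise) is refused unless that value is passed through `var.additional_audiences`; that is a reasonable tightening, but nothing in the hunk or the variable description says so. I'd put a comment above the `values` line, e.g. `# aud must equal the audience the workflow requests; derived from the partition so the same trust policy works in aws-cn and friends`, and mention the workflow-side `audience` input in the README. The `assume_role` policy document starts before this hunk; the `variable` line stays an exact StringEquals match against the list, which is what you want here.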
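Review bot: `audience = format("sts.%v", local.dns_suffix)` is an unusual way to build a string in Terraform, and as far as this diff shows `local.dns_suffix` exists only to feed that one expression while `partition` already reads the data source directly. I'd write `audience = "sts.${data.aws_partition.current.dns_suffix}"` and drop the single-use local, or, if the local is kept for readability, give it a why-comment such as `# STS audience for this partition (sts.amazonaws.com, sts.amazonaws.com.cn, ...); must match the workflow's requested aud`. The `locals` block is fully inside the hunk, so either change is self-contained.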
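Review bot: `client_id_list` here registers only `local.audience`, while the trust policy in data.tf also accepts `var.additional_audiences`; unless I'm mistaken, IAM validates the token's `aud` against the provider's client ID list before the role trust policy is evaluated, so those extra audiences cannot actually be used. That gap predates the patch, but since this list is being rewritten I'd close it by appending `var.additional_audiences != null ? var.additional_audiences : []` as a third argument to `concat`, mirroring the ternary already used in data.tf. The `aws_iam_openid_connect_provider.github` resource starts before this hunk and closes after `tags = var.tags`.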