Description
Describe the bug
The module does not use the correct partition for ARNs in GovCloud accounts. Instead of arn:aws:logs:* the ARN should be arn:aws-us-gov:logs:*.
Steps to reproduce
```hcl
module "lacework_agentless_scanning_govcloud_org" {
  source  = "lacework/agentless-scanning/aws"
  version = "~> 0.6"
  providers = {
    aws = aws.secops
  }
  global = true
  organization = {
    // This list may contain account IDs, OUs, or the organization root.
    monitored_accounts = [data.aws_organizations_organization.master.roots[0].id]
    // This account ID must be the AWS organizations "management account".
    // This will be used to enumerate the accounts and OUs in the list of monitored accounts.
    // This account must also have the snapshot_role installed.
    management_account = local.aws_master_account_id
  }
  lacework_integration_name = "our-govcloud-agentless"
}
```

Expected behavior
Leverage:

```hcl
data "aws_partition" "current" {}
# data.aws_partition.current.partition
```

Ensure the correct partition is used for all ARNs and policies.
Screenshots

```text
Error: 1 error occurred:
	* creating inline policy (AllowCloudWatch): MalformedPolicyDocument: Partition "aws" is not valid for resource "arn:aws:logs:::log-group:/ecs/lacework-agentless-scanning-*".
	status code: 400, request id:

  with module.lacework_agentless_scanning_govcloud_org.aws_iam_role.agentless_scan_ecs_execution_role[0]
  on .terraform/modules/lacework_agentless_scanning_govcloud_org/main.tf line 326, in resource "aws_iam_role" "agentless_scan_ecs_execution_role"
```
Please complete the following information:
- Terraform Version: v1.0.9
- Module Version: ~> 0.6
Additional context
Works fine in normal AWS accounts.
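Added example (not the module's own code) of the partition-aware form the report asks for: the `AllowCloudWatch` inline policy from the error above, rebuilt so the log-group ARN takes its partition from `data.aws_partition`. The log-group prefix is the one in the error message; the role name, region and account scoping are assumptions.

```hcl
# Resolve partition, region and account from the credentials Terraform is running
# with, so the same policy renders as arn:aws:... in commercial AWS and
# arn:aws-us-gov:... in GovCloud without any per-partition branching.
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  # Prefix taken from the MalformedPolicyDocument error in this issue.
  log_group_prefix = "/ecs/lacework-agentless-scanning-"

  # Hard-coded partition: this is the form that IAM rejects in GovCloud.
  log_group_arn_broken = "arn:aws:logs:::log-group:${local.log_group_prefix}*"

  # Partition-aware form, also scoped to the deploying region and account
  # (assumption: the log groups live in the same account and region as the role).
  log_group_arn = "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.log_group_prefix}*"
}

data "aws_iam_policy_document" "allow_cloudwatch" {
  statement {
    sid    = "AllowCloudWatch"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    # Log-group ARN plus its log streams; no "*" resource.
    resources = [
      local.log_group_arn,
      "${local.log_group_arn}:*",
    ]
  }
}

# Hypothetical role name; the module's own role is
# aws_iam_role.agentless_scan_ecs_execution_role in main.tf.
resource "aws_iam_role_policy" "allow_cloudwatch" {
  name   = "AllowCloudWatch"
  role   = aws_iam_role.agentless_scan_ecs_execution_role.id
  policy = data.aws_iam_policy_document.allow_cloudwatch.json
}
```

Running `terraform console` and evaluating `local.log_group_arn` against GovCloud credentials should print an `arn:aws-us-gov:logs:...` value before any `apply`, which is a quick way to confirm the partition is no longer hard-coded.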