fix regions to list

terraform-modules · Mar 31, 2023 · 45c9027 · 45c9027
1 parent 5d57087
commit 45c9027
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 2 deletions.
diff --git a/iam-general-policies/README.md b/iam-general-policies/README.md
@@ -140,6 +140,7 @@ No modules.
 | <a name="input_ipr_vpc_cidr_blocks"></a> [ipr\_vpc\_cidr\_blocks](#input\_ipr\_vpc\_cidr\_blocks) | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
 | <a name="input_ipr_vpc_endpoints"></a> [ipr\_vpc\_endpoints](#input\_ipr\_vpc\_endpoints) | VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud) | `list(string)` | <pre>[<br>  "vpce-047c17aeb6c23cab8",<br>  "vpce-0bc724bf64e6aeb64"<br>]</pre> | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_regions"></a> [regions](#input\_regions) | List of regions for which multiple regions are used in creating region-based policies | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 
 ## Outputs

diff --git a/iam-general-policies/policy.cloudforms.tf b/iam-general-policies/policy.cloudforms.tf
@@ -1,3 +1,7 @@
+locals {
+  regions = length(var.regions) == 0 ? ["*"] : var.regions
+
+}
 data "aws_iam_policy_document" "cloudforms" {
   # from AmazonEC2FullAccess
   statement {
@@ -98,15 +102,15 @@ data "aws_iam_policy_document" "cloudforms" {
   statement {
     sid       = "AWSManageCloudformsSQS"
     effect    = "Allow"
-    resources = [for r in values(var.region_map) : format("arn:%v:sqs:%v:%v:manageiq-awsconfig-queue-*", data.aws_arn.current.partition, r, var.account_id)]
+    resources = [for r in values(var.regions) : format("arn:%v:sqs:%v:%v:manageiq-awsconfig-queue-*", data.aws_arn.current.partition, r, var.account_id)]
     actions   = ["sqs:*"]
   }
 
   # for SNS
   statement {
     sid       = "AWSCloudformsSNS"
     effect    = "Allow"
-    resources = [for r in values(var.region_map) : format("arn:%v:sns:%v:%v:AWSConfig_topic", data.aws_arn.current.partition, r, var.account_id)]
+    resources = [for r in values(var.regions) : format("arn:%v:sns:%v:%v:AWSConfig_topic", data.aws_arn.current.partition, r, var.account_id)]
     actions   = ["sns:*"]
   }
 

diff --git a/iam-general-policies/variables.tf b/iam-general-policies/variables.tf
@@ -51,3 +51,9 @@ variable "ipr_vpc_endpoints" {
   type        = list(string)
   default     = ["vpce-047c17aeb6c23cab8", "vpce-0bc724bf64e6aeb64"]
 }
+
+variable "regions" {
+  description = "List of regions for which multiple regions are used in creating region-based policies"
+  type        = list(string)
+  default     = []
+}