From 1fa19c441502025491b1fef0452261add15d36a4 Mon Sep 17 00:00:00 2001
From: Patrick Joyce
Date: Fri, 9 Aug 2024 14:56:42 -0400
Subject: [PATCH] Update flow log ARNs to use partition from aws_partition data source, ensuring compatibility with AWS GovCloud and other partitions

tfdocs
---
 README.md | 1 +
 vpc-flow-logs.tf | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 220ad3e80..9814ab2ee 100644
--- a/README.md
+++ b/README.md
@@ -352,6 +352,7 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.flow_log_cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
index 7697a9274..d44cd4d75 100644
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
@@ -8,6 +8,11 @@ data "aws_caller_identity" "current" {
   count = var.create_vpc && var.enable_flow_log ? 1 : 0
 }
 
+data "aws_partition" "current" {
+  # Call this API only if create_vpc and enable_flow_log are true
+  count = var.create_vpc && var.enable_flow_log ? 1 : 0
+}
+
 locals {
   # Only create flow log if user selected to create a VPC as well
   enable_flow_log = var.create_vpc && var.enable_flow_log
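Review bot: The comment on the new `data "aws_partition" "current"` block presents the `count` guard as avoiding an API call, but as far as I know this data source is resolved from the provider's own configuration rather than by calling AWS, so the comment overstates what the guard saves; its real purpose is to keep the block consistent with the identically guarded `aws_region` and `aws_caller_identity` data sources above it. Suggest `# Only needed when flow logs are created; mirrors the count guard on the other data sources`. The `locals` block that follows continues outside the hunk.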
@@ -20,7 +25,7 @@ locals {
   flow_log_cloudwatch_log_group_name_suffix = var.flow_log_cloudwatch_log_group_name_suffix == "" ? local.vpc_id : var.flow_log_cloudwatch_log_group_name_suffix
 
   flow_log_group_arns = [
     for log_group in aws_cloudwatch_log_group.flow_log :
-    "arn:aws:logs:${data.aws_region.current[0].name}:${data.aws_caller_identity.current[0].account_id}:log-group:${log_group.name}:*"
+    "arn:${data.aws_partition.current[0].partition}:logs:${data.aws_region.current[0].name}:${data.aws_caller_identity.current[0].account_id}:log-group:${log_group.name}:*"
   ]
 }
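Review bot: The new ARN expression indexes three `count`-guarded data sources with `[0]`, and it only evaluates safely because the `for` iterates `aws_cloudwatch_log_group.flow_log`, which — judging by the enclosing `locals` block, whose start lies outside this hunk — is presumably empty unless the same `create_vpc && enable_flow_log` condition holds; that coupling deserves a comment such as `# [0] is safe: log groups exist only when the guarded data sources above are also created`. These ARNs appear to feed the flow-log role's CloudWatch policy (the README lists `aws_iam_policy_document.vpc_flow_log_cloudwatch`), so the old hard-coded `arn:aws` would have produced a Resource entry that never matched the real log group outside the commercial partition; the change closes that silent gap rather than merely cosmetic. If the pinned provider's `aws_cloudwatch_log_group.arn` attribute already carries the correct partition, building on `log_group.arn` would remove the hand-assembled string entirely, but its trailing `:*` handling differs across provider versions, so verify before switching.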