ensuring that roles pick up region and account id

pius · pius · commit f10c2d48127b · 2015-07-09T20:52:35.000-07:00
diff --git a/iam/Cognito_LambdAuthAuth_Role.json b/iam/Cognito_LambdAuthAuth_Role.json
@@ -17,13 +17,13 @@
                 "lambda:InvokeFunction"
             ],
             "Resource": [
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthCreateUser",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthVerifyUser",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthChangePassword",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLostUser",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLostPassword",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthResetPassword",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLogin"
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthCreateUser",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthVerifyUser",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthChangePassword",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLostUser",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLostPassword",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthResetPassword",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLogin"
             ]
         }
     ]
diff --git a/iam/Cognito_LambdAuthUnauth_Role.json b/iam/Cognito_LambdAuthUnauth_Role.json
@@ -17,12 +17,12 @@
                 "lambda:InvokeFunction"
             ],
             "Resource": [
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthCreateUser",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthVerifyUser",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLostUser",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLostPassword",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthResetPassword",
-                "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLogin"
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthCreateUser",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthVerifyUser",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLostUser",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLostPassword",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthResetPassword",
+                "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLogin"
             ]
         }
     ]
diff --git a/iam/LambdAuthChangePassword.json b/iam/LambdAuthChangePassword.json
@@ -7,7 +7,7 @@
                 "dynamodb:UpdateItem"
             ],
             "Effect": "Allow",
-            "Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
+            "Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
         },
         {
             "Sid": "",
diff --git a/iam/LambdAuthCreateUser.json b/iam/LambdAuthCreateUser.json
@@ -6,7 +6,7 @@
                 "dynamodb:PutItem"
             ],
             "Effect": "Allow",
-            "Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
+            "Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
         },
         {
             "Effect": "Allow",
diff --git a/iam/LambdAuthLogin.json b/iam/LambdAuthLogin.json
@@ -6,14 +6,14 @@
                 "dynamodb:GetItem"
             ],
             "Effect": "Allow",
-            "Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
+            "Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
         },
         {
             "Effect": "Allow",
             "Action": [
                 "cognito-identity:GetOpenIdTokenForDeveloperIdentity"
             ],
-            "Resource": "arn:aws:cognito-identity:eu-west-1:<AWS_ACCOUNT_ID>:identitypool/<IDENTITY_POOL_ID>"
+            "Resource": "arn:aws:cognito-identity:<REGION>:<AWS_ACCOUNT_ID>:identitypool/<IDENTITY_POOL_ID>"
         },
         {
             "Sid": "",
diff --git a/iam/LambdAuthLostPassword.json b/iam/LambdAuthLostPassword.json
@@ -7,7 +7,7 @@
 	              "dynamodb:UpdateItem"
 	           ],
 	          "Effect": "Allow",
-	          "Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
+	          "Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
 	      },
         {
             "Effect": "Allow",
diff --git a/iam/LambdAuthResetPassword.json b/iam/LambdAuthResetPassword.json
@@ -7,7 +7,7 @@
                 "dynamodb:UpdateItem"
             ],
             "Effect": "Allow",
-            "Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
+            "Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
         },
         {
             "Sid": "",
diff --git a/iam/LambdAuthVerifyUser.json b/iam/LambdAuthVerifyUser.json
@@ -7,7 +7,7 @@
                 "dynamodb:UpdateItem"
             ],
             "Effect": "Allow",
-            "Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
+            "Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
         },
         {
             "Sid": "",
diff --git a/init.sh b/init.sh
@@ -68,6 +68,7 @@ for f in $(ls -1 trust*); do
   sed -e "s/<AWS_ACCOUNT_ID>/$AWS_ACCOUNT_ID/g" \
       -e "s/<DYNAMODB_TABLE>/$DDB_TABLE/g" \
       -e "s/<DYNAMODB_EMAIL_INDEX>/$DDB_EMAIL_INDEX/g" \
+      -e "s/<REGION>/$REGION/g" \
       -e "s/<IDENTITY_POOL_ID>/$IDENTITY_POOL_ID/g" \
       $f > edit/$f
   echo "Editing trust from $f end"
@@ -78,6 +79,7 @@ for f in $(ls -1 Cognito*); do
   sed -e "s/<AWS_ACCOUNT_ID>/$AWS_ACCOUNT_ID/g" \
       -e "s/<DYNAMODB_TABLE>/$DDB_TABLE/g" \
       -e "s/<DYNAMODB_EMAIL_INDEX>/$DDB_EMAIL_INDEX/g" \
+      -e "s/<REGION>/$REGION/g" \
       -e "s/<IDENTITY_POOL_ID>/$IDENTITY_POOL_ID/g" \
 	      $f > edit/$f
   if [[ $f == *Unauth_* ]]; then
@@ -93,7 +95,7 @@ for f in $(ls -1 Cognito*); do
   echo "Creating role $role end"
 done
 echo "Setting identity pool roles begin..."
-roles='{"unauthenticated":"arn:aws:iam::$AWS_ACCOUNT_ID:role/'"$unauthRole"'","authenticated":"arn:aws:iam::$AWS_ACCOUNT_ID:role/'"$authRole"'"}'
+roles='{"unauthenticated":"arn:aws:iam::'"$AWS_ACCOUNT_ID"':role/'"$unauthRole"'","authenticated":"arn:aws:iam::'"$AWS_ACCOUNT_ID"':role/'"$authRole"'"}'
 echo "Roles: $roles"
 aws cognito-identity set-identity-pool-roles \
   --identity-pool-id $IDENTITY_POOL_ID \
@@ -109,6 +111,7 @@ for f in $(ls -1 LambdAuth*); do
       -e "s/<DYNAMODB_TABLE>/$DDB_TABLE/g" \
       -e "s/<DYNAMODB_EMAIL_INDEX>/$DDB_EMAIL_INDEX/g" \
       -e "s/<IDENTITY_POOL_ID>/$IDENTITY_POOL_ID/g" \
+      -e "s/<REGION>/$REGION/g" \
       $f > edit/$f
 	trust="trust_policy_lambda.json"
   aws iam create-role --role-name $role --assume-role-policy-document file://edit/$trust

Original file line number	Diff line number	Diff line change
`@@ -17,12 +17,12 @@`
`17`	`17`	`"lambda:InvokeFunction"`
`18`	`18`	`],`
`19`	`19`	`"Resource": [`
`20`		`- "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthCreateUser",`
`21`		`- "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthVerifyUser",`
`22`		`- "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLostUser",`
`23`		`- "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLostPassword",`
`24`		`- "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthResetPassword",`
`25`		`- "arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLogin"`
	`20`	`+ "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthCreateUser",`
	`21`	`+ "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthVerifyUser",`
	`22`	`+ "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLostUser",`
	`23`	`+ "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLostPassword",`
	`24`	`+ "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthResetPassword",`
	`25`	`+ "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLogin"`
`26`	`26`	`]`
`27`	`27`	`}`
`28`	`28`	`]`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`"dynamodb:UpdateItem"`
`8`	`8`	`],`
`9`	`9`	`"Effect": "Allow",`
`10`		`- "Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"`
	`10`	`+ "Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"`
`11`	`11`	`},`
`12`	`12`	`{`
`13`	`13`	`"Sid": "",`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`	`"dynamodb:PutItem"`
`7`	`7`	`],`
`8`	`8`	`"Effect": "Allow",`
`9`		`- "Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"`
	`9`	`+ "Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"`
`10`	`10`	`},`
`11`	`11`	`{`
`12`	`12`	`"Effect": "Allow",`