From f10c2d48127be74da5955eae77db2bbb1a3893ec Mon Sep 17 00:00:00 2001
From: Pius Uzamere
Date: Thu, 9 Jul 2015 20:52:35 -0700
Subject: [PATCH] ensuring that roles pick up region and account id
---
 iam/Cognito_LambdAuthAuth_Role.json | 14 +++++++-------
 iam/Cognito_LambdAuthUnauth_Role.json | 12 ++++++------
 iam/LambdAuthChangePassword.json | 2 +-
 iam/LambdAuthCreateUser.json | 2 +-
 iam/LambdAuthLogin.json | 4 ++--
 iam/LambdAuthLostPassword.json | 2 +-
 iam/LambdAuthResetPassword.json | 2 +-
 iam/LambdAuthVerifyUser.json | 2 +-
 init.sh | 5 ++++-
 9 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/iam/Cognito_LambdAuthAuth_Role.json b/iam/Cognito_LambdAuthAuth_Role.json
index 411e8b3..407d7a8 100644
--- a/iam/Cognito_LambdAuthAuth_Role.json
+++ b/iam/Cognito_LambdAuthAuth_Role.json
@@ -17,13 +17,13 @@
 "lambda:InvokeFunction"
 ],
 "Resource": [
- "arn:aws:lambda:eu-west-1::function:LambdAuthCreateUser",
- "arn:aws:lambda:eu-west-1::function:LambdAuthVerifyUser",
- "arn:aws:lambda:eu-west-1::function:LambdAuthChangePassword",
- "arn:aws:lambda:eu-west-1::function:LambdAuthLostUser",
- "arn:aws:lambda:eu-west-1::function:LambdAuthLostPassword",
- "arn:aws:lambda:eu-west-1::function:LambdAuthResetPassword",
- "arn:aws:lambda:eu-west-1::function:LambdAuthLogin"
+ "arn:aws:lambda:::function:LambdAuthCreateUser",
+ "arn:aws:lambda:::function:LambdAuthVerifyUser",
+ "arn:aws:lambda:::function:LambdAuthChangePassword",
+ "arn:aws:lambda:::function:LambdAuthLostUser",
+ "arn:aws:lambda:::function:LambdAuthLostPassword",
+ "arn:aws:lambda:::function:LambdAuthResetPassword",
+ "arn:aws:lambda:::function:LambdAuthLogin"
 ]
 }
 ]
diff --git a/iam/Cognito_LambdAuthUnauth_Role.json b/iam/Cognito_LambdAuthUnauth_Role.json
index d2b309d..452aa53 100644
--- a/iam/Cognito_LambdAuthUnauth_Role.json
+++ b/iam/Cognito_LambdAuthUnauth_Role.json
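Review bot: The new Resource list still grants `lambda:InvokeFunction` on `LambdAuthLostUser`, yet no `iam/LambdAuthLostUser.json` policy appears in this patch's diffstat next to the other six LambdAuth* functions, so this looks like a stale function name; the same entry is present in the Cognito_LambdAuthUnauth_Role.json hunk. If that function is not deployed, drop the entry from both roles so the invoke grant stays limited to functions that exist. Separately, the region and account fields render here as empty (`arn:aws:lambda:::function:…`); that is most likely this view stripping placeholder tokens, but a rendered policy that really carried empty fields would match no function, so the generated edit/ copies are worth inspecting once before they are attached.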
@@ -17,12 +17,12 @@
 "lambda:InvokeFunction"
 ],
 "Resource": [
- "arn:aws:lambda:eu-west-1::function:LambdAuthCreateUser",
- "arn:aws:lambda:eu-west-1::function:LambdAuthVerifyUser",
- "arn:aws:lambda:eu-west-1::function:LambdAuthLostUser",
- "arn:aws:lambda:eu-west-1::function:LambdAuthLostPassword",
- "arn:aws:lambda:eu-west-1::function:LambdAuthResetPassword",
- "arn:aws:lambda:eu-west-1::function:LambdAuthLogin"
+ "arn:aws:lambda:::function:LambdAuthCreateUser",
+ "arn:aws:lambda:::function:LambdAuthVerifyUser",
+ "arn:aws:lambda:::function:LambdAuthLostUser",
+ "arn:aws:lambda:::function:LambdAuthLostPassword",
+ "arn:aws:lambda:::function:LambdAuthResetPassword",
+ "arn:aws:lambda:::function:LambdAuthLogin"
 ]
 }
 ]
diff --git a/iam/LambdAuthChangePassword.json b/iam/LambdAuthChangePassword.json
index 5bdb392..cd97ae2 100644
--- a/iam/LambdAuthChangePassword.json
+++ b/iam/LambdAuthChangePassword.json
@@ -7,7 +7,7 @@
 "dynamodb:UpdateItem"
 ],
 "Effect": "Allow",
- "Resource": "arn:aws:dynamodb:eu-west-1::table/"
+ "Resource": "arn:aws:dynamodb:::table/"
 },
 {
 "Sid": "",
diff --git a/iam/LambdAuthCreateUser.json b/iam/LambdAuthCreateUser.json
index 516250e..0c5060a 100644
--- a/iam/LambdAuthCreateUser.json
+++ b/iam/LambdAuthCreateUser.json
@@ -6,7 +6,7 @@
 "dynamodb:PutItem"
 ],
 "Effect": "Allow",
- "Resource": "arn:aws:dynamodb:eu-west-1::table/"
+ "Resource": "arn:aws:dynamodb:::table/"
 },
 {
 "Effect": "Allow",
diff --git a/iam/LambdAuthLogin.json b/iam/LambdAuthLogin.json
index aace9fa..c8cd776 100644
--- a/iam/LambdAuthLogin.json
+++ b/iam/LambdAuthLogin.json
@@ -6,14 +6,14 @@
 "dynamodb:GetItem"
 ],
 "Effect": "Allow",
- "Resource": "arn:aws:dynamodb:eu-west-1::table/"
+ "Resource": "arn:aws:dynamodb:::table/"
 },
 {
 "Effect": "Allow",
 "Action": [
 "cognito-identity:GetOpenIdTokenForDeveloperIdentity"
 ],
- "Resource": "arn:aws:cognito-identity:eu-west-1::identitypool/"
+ "Resource": "arn:aws:cognito-identity:::identitypool/"
 },
 {
 "Sid": "",
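Review bot: The `index 5bdb392..cd97ae2` lines show that iam/LambdAuthChangePassword.json, iam/LambdAuthResetPassword.json and iam/LambdAuthVerifyUser.json are byte-identical both before and after this change, so three functions share one policy document rather than a per-function one. That is only acceptable if each of them genuinely needs `dynamodb:UpdateItem` on the table plus whatever the statement starting at `"Sid": ""` grants; otherwise trim each file to its own function's needs, or keep a single shared file and reference it from init.sh so the copies cannot drift apart. The statement beginning at `"Sid": ""` continues outside the hunk.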
diff --git a/iam/LambdAuthLostPassword.json b/iam/LambdAuthLostPassword.json
index 136cd80..031eaa7 100644
--- a/iam/LambdAuthLostPassword.json
+++ b/iam/LambdAuthLostPassword.json
@@ -7,7 +7,7 @@
 "dynamodb:UpdateItem"
 ],
 "Effect": "Allow",
- "Resource": "arn:aws:dynamodb:eu-west-1::table/"
+ "Resource": "arn:aws:dynamodb:::table/"
 },
 {
 "Effect": "Allow",
diff --git a/iam/LambdAuthResetPassword.json b/iam/LambdAuthResetPassword.json
index 5bdb392..cd97ae2 100644
--- a/iam/LambdAuthResetPassword.json
+++ b/iam/LambdAuthResetPassword.json
@@ -7,7 +7,7 @@
 "dynamodb:UpdateItem"
 ],
 "Effect": "Allow",
- "Resource": "arn:aws:dynamodb:eu-west-1::table/"
+ "Resource": "arn:aws:dynamodb:::table/"
 },
 {
 "Sid": "",
diff --git a/iam/LambdAuthVerifyUser.json b/iam/LambdAuthVerifyUser.json
index 5bdb392..cd97ae2 100644
--- a/iam/LambdAuthVerifyUser.json
+++ b/iam/LambdAuthVerifyUser.json
@@ -7,7 +7,7 @@
 "dynamodb:UpdateItem"
 ],
 "Effect": "Allow",
- "Resource": "arn:aws:dynamodb:eu-west-1::table/"
+ "Resource": "arn:aws:dynamodb:::table/"
 },
 {
 "Sid": "",
diff --git a/init.sh b/init.sh
index c0a5483..59b7800 100755
--- a/init.sh
+++ b/init.sh
@@ -68,6 +68,7 @@ for f in $(ls -1 trust*); do
 sed -e "s//$AWS_ACCOUNT_ID/g" \
 -e "s//$DDB_TABLE/g" \
 -e "s//$DDB_EMAIL_INDEX/g" \
+ -e "s//$REGION/g" \
 -e "s//$IDENTITY_POOL_ID/g" \
 $f > edit/$f
 echo "Editing trust from $f end"
@@ -78,6 +79,7 @@ for f in $(ls -1 Cognito*); do
 sed -e "s//$AWS_ACCOUNT_ID/g" \
 -e "s//$DDB_TABLE/g" \
 -e "s//$DDB_EMAIL_INDEX/g" \
+ -e "s//$REGION/g" \
 -e "s//$IDENTITY_POOL_ID/g" \
 $f > edit/$f
 if [[ $f == *Unauth_* ]]; then
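Review bot: The added `-e "s//$REGION/g"` substitutes `$REGION` into the rendered policy with no check that it is set, so an unset variable silently produces an ARN with an empty region field that matches no resource instead of a visible failure; the same applies to the Cognito* loop in the next hunk and to the LambdAuth* hunk later in init.sh. Add a guard before the first loop, e.g. `: "${REGION:?REGION must be set}"` and `: "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID must be set}"`, or run the script with `set -u`. The search pattern between the first two slashes renders as empty in this view, which looks like a stripped placeholder token rather than the file's real content; if it were truly empty sed would reuse the previous regular expression and rewrite the wrong text, so it is worth a glance at the checked-in file. The enclosing `for f in $(ls -1 trust*); do` loop begins outside the hunk.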
@@ -93,7 +95,7 @@ for f in $(ls -1 Cognito*); do
 echo "Creating role $role end"
 done
 echo "Setting identity pool roles begin..."
-roles='{"unauthenticated":"arn:aws:iam::$AWS_ACCOUNT_ID:role/'"$unauthRole"'","authenticated":"arn:aws:iam::$AWS_ACCOUNT_ID:role/'"$authRole"'"}'
+roles='{"unauthenticated":"arn:aws:iam::'"$AWS_ACCOUNT_ID"':role/'"$unauthRole"'","authenticated":"arn:aws:iam::'"$AWS_ACCOUNT_ID"':role/'"$authRole"'"}'
 echo "Roles: $roles"
 aws cognito-identity set-identity-pool-roles \
 --identity-pool-id $IDENTITY_POOL_ID \
@@ -109,6 +111,7 @@ for f in $(ls -1 LambdAuth*); do
 -e "s//$DDB_TABLE/g" \
 -e "s//$DDB_EMAIL_INDEX/g" \
 -e "s//$IDENTITY_POOL_ID/g" \
+ -e "s//$REGION/g" \
 $f > edit/$f
 trust="trust_policy_lambda.json"
 aws iam create-role --role-name $role --assume-role-policy-document file://edit/$trust
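Review bot: The corrected `roles=` line now interpolates `$AWS_ACCOUNT_ID` into a JSON document by shell concatenation, so an empty or malformed value (or one containing `"`) yields either invalid JSON or a malformed role ARN that is handed straight to `set-identity-pool-roles`. Validate the value before the policies are rendered, e.g. `[[ $AWS_ACCOUNT_ID =~ ^[0-9]{12}$ ]] || { echo "AWS_ACCOUNT_ID must be a 12-digit account id" >&2; exit 1; }`. The `--identity-pool-id $IDENTITY_POOL_ID` argument on the following line is unquoted, so an empty value drops the argument entirely rather than failing clearly; quoting it as `"$IDENTITY_POOL_ID"` gives the CLI a chance to reject it.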