Merge pull request #97 from glb/85-use-partition-pseudo-parameter
fix: use AWS::Partition pseudo-parameter in ARNs
horike37 authored Aug 18, 2020
2 parents bd51680 + f40bbdf commit 2858498
Showing 24 changed files with 142 additions and 97 deletions.
2 changes: 1 addition & 1 deletion lib/package/dynamodb/compileIamRoleToDynamodb.js
Expand Up @@ -26,7 +26,7 @@ module.exports = {
Action: `dynamodb:${action}`,
Resource: {
'Fn::Sub': [
'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}',
'arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}',
{ tableName }
]
}
6 changes: 3 additions & 3 deletions lib/package/dynamodb/compileIamRoleToDynamodb.test.js
Expand Up @@ -96,7 +96,7 @@ describe('#compileIamRoleToDynamodb()', () => {
Action: 'dynamodb:PutItem',
Resource: {
'Fn::Sub': [
'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}',
'arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}',
{
tableName: { Ref: 'mytable' }
}
Expand All @@ -108,7 +108,7 @@ describe('#compileIamRoleToDynamodb()', () => {
Action: 'dynamodb:GetItem',
Resource: {
'Fn::Sub': [
'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}',
'arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}',
{
tableName: 'mytable'
}
Expand All @@ -120,7 +120,7 @@ describe('#compileIamRoleToDynamodb()', () => {
Action: 'dynamodb:DeleteItem',
Resource: {
'Fn::Sub': [
'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}',
'arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}',
{
tableName: 'mytable'
}
2 changes: 1 addition & 1 deletion lib/package/dynamodb/compileMethodsToDynamodb.js
Expand Up @@ -53,7 +53,7 @@ module.exports = {
},
Uri: {
'Fn::Sub': [
'arn:aws:apigateway:${AWS::Region}:dynamodb:action/${action}',
'arn:${AWS::Partition}:apigateway:${AWS::Region}:dynamodb:action/${action}',
{ action: http.action }
]
},
10 changes: 5 additions & 5 deletions lib/package/dynamodb/compileMethodsToDynamodb.test.js
Expand Up @@ -146,7 +146,7 @@ describe('#compileMethodsToDynamodb()', () => {

const uri = {
'Fn::Sub': [
'arn:aws:apigateway:${AWS::Region}:dynamodb:action/${action}',
'arn:${AWS::Partition}:apigateway:${AWS::Region}:dynamodb:action/${action}',
{
action: 'PutItem'
}
Expand Down Expand Up @@ -183,7 +183,7 @@ describe('#compileMethodsToDynamodb()', () => {

const uri = {
'Fn::Sub': [
'arn:aws:apigateway:${AWS::Region}:dynamodb:action/${action}',
'arn:${AWS::Partition}:apigateway:${AWS::Region}:dynamodb:action/${action}',
{
action: 'GetItem'
}
Expand Down Expand Up @@ -220,7 +220,7 @@ describe('#compileMethodsToDynamodb()', () => {

const uri = {
'Fn::Sub': [
'arn:aws:apigateway:${AWS::Region}:dynamodb:action/${action}',
'arn:${AWS::Partition}:apigateway:${AWS::Region}:dynamodb:action/${action}',
{
action: 'DeleteItem'
}
Expand Down Expand Up @@ -757,7 +757,7 @@ describe('#compileMethodsToDynamodb()', () => {
Credentials: { 'Fn::GetAtt': ['ApigatewayToDynamodbRole', 'Arn'] },
Uri: {
'Fn::Sub': [
'arn:aws:apigateway:${AWS::Region}:dynamodb:action/${action}',
'arn:${AWS::Partition}:apigateway:${AWS::Region}:dynamodb:action/${action}',
{ action: 'PutItem' }
]
},
Expand Down Expand Up @@ -873,7 +873,7 @@ describe('#compileMethodsToDynamodb()', () => {
Credentials: { 'Fn::GetAtt': ['ApigatewayToDynamodbRole', 'Arn'] },
Uri: {
'Fn::Sub': [
'arn:aws:apigateway:${AWS::Region}:dynamodb:action/${action}',
'arn:${AWS::Partition}:apigateway:${AWS::Region}:dynamodb:action/${action}',
{ action: 'PutItem' }
]
},
2 changes: 1 addition & 1 deletion lib/package/eventbridge/compileIamRoleToEventBridge.js
Expand Up @@ -19,7 +19,7 @@ module.exports = {

const policyResource = eventBusNames.map((eventBusName) => ({
'Fn::Sub': [
'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}',
'arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}',
{ eventBusName }
]
}))
4 changes: 2 additions & 2 deletions lib/package/eventbridge/compileIamRoleToEventBridge.test.js
Expand Up @@ -83,13 +83,13 @@ describe('#compileIamRoleToEventBridge()', () => {
Resource: [
{
'Fn::Sub': [
'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}',
'arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}',
{ eventBusName: { Ref: 'EventBus1' } }
]
},
{
'Fn::Sub': [
'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}',
'arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}',
{ eventBusName: { Ref: 'EventBus2' } }
]
}
2 changes: 1 addition & 1 deletion lib/package/eventbridge/compileMethodsToEventBridge.js
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ module.exports = {
Type: 'AWS',
Credentials: roleArn,
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:events:action/PutEvents'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:events:action/PutEvents'
},
PassthroughBehavior: 'NEVER',
RequestParameters: {
10 changes: 5 additions & 5 deletions lib/package/eventbridge/compileMethodsToEventBridge.test.js
Expand Up @@ -69,7 +69,7 @@ describe('#compileMethodsToEventBridge()', () => {
Type: 'AWS',
Credentials: { 'Fn::GetAtt': ['ApigatewayToEventBridgeRole', 'Arn'] },
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:events:action/PutEvents'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:events:action/PutEvents'
},
PassthroughBehavior: 'NEVER',
RequestParameters: {
Expand Down Expand Up @@ -189,7 +189,7 @@ describe('#compileMethodsToEventBridge()', () => {
Type: 'AWS',
Credentials: { 'Fn::GetAtt': ['ApigatewayToEventBridgeRole', 'Arn'] },
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:events:action/PutEvents'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:events:action/PutEvents'
},
PassthroughBehavior: 'NEVER',
RequestParameters: {
Expand Down Expand Up @@ -308,7 +308,7 @@ describe('#compileMethodsToEventBridge()', () => {
Type: 'AWS',
Credentials: { 'Fn::GetAtt': ['ApigatewayToEventBridgeRole', 'Arn'] },
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:events:action/PutEvents'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:events:action/PutEvents'
},
PassthroughBehavior: 'NEVER',
RequestParameters: {
Expand Down Expand Up @@ -687,7 +687,7 @@ describe('#compileMethodsToEventBridge()', () => {
Type: 'AWS',
Credentials: { 'Fn::GetAtt': ['ApigatewayToEventBridgeRole', 'Arn'] },
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:events:action/PutEvents'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:events:action/PutEvents'
},
PassthroughBehavior: 'NEVER',
RequestParameters: {
Expand Down Expand Up @@ -794,7 +794,7 @@ describe('#compileMethodsToEventBridge()', () => {
Type: 'AWS',
Credentials: { 'Fn::GetAtt': ['ApigatewayToEventBridgeRole', 'Arn'] },
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:events:action/PutEvents'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:events:action/PutEvents'
},
PassthroughBehavior: 'NEVER',
RequestParameters: {
2 changes: 1 addition & 1 deletion lib/package/kinesis/compileIamRoleToKinesis.js
Expand Up @@ -19,7 +19,7 @@ module.exports = {

const policyResource = kinesisStreamNames.map((streamName) => ({
'Fn::Sub': [
'arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}',
'arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}',
{ streamName }
]
}))
4 changes: 2 additions & 2 deletions lib/package/kinesis/compileIamRoleToKinesis.test.js
Expand Up @@ -83,13 +83,13 @@ describe('#compileIamRoleToKinesis()', () => {
Resource: [
{
'Fn::Sub': [
'arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}',
'arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}',
{ streamName: { Ref: 'KinesisStream1' } }
]
},
{
'Fn::Sub': [
'arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}',
'arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}',
{ streamName: { Ref: 'KinesisStream2' } }
]
}
2 changes: 1 addition & 1 deletion lib/package/kinesis/compileMethodsToKinesis.js
Expand Up @@ -53,7 +53,7 @@ module.exports = {
Type: 'AWS',
Credentials: roleArn,
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:kinesis:action/PutRecord'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:kinesis:action/PutRecord'
},
PassthroughBehavior: 'NEVER',
RequestTemplates: this.getKinesisIntegrationRequestTemplates(http)
10 changes: 5 additions & 5 deletions lib/package/kinesis/compileMethodsToKinesis.test.js
Expand Up @@ -68,7 +68,7 @@ describe('#compileMethodsToKinesis()', () => {
Type: 'AWS',
Credentials: { 'Fn::GetAtt': ['ApigatewayToKinesisRole', 'Arn'] },
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:kinesis:action/PutRecord'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:kinesis:action/PutRecord'
},
PassthroughBehavior: 'NEVER',
RequestTemplates: {
Expand Down Expand Up @@ -181,7 +181,7 @@ describe('#compileMethodsToKinesis()', () => {
Type: 'AWS',
Credentials: { 'Fn::GetAtt': ['ApigatewayToKinesisRole', 'Arn'] },
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:kinesis:action/PutRecord'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:kinesis:action/PutRecord'
},
PassthroughBehavior: 'NEVER',
RequestTemplates: {
Expand Down Expand Up @@ -293,7 +293,7 @@ describe('#compileMethodsToKinesis()', () => {
Type: 'AWS',
Credentials: { 'Fn::GetAtt': ['ApigatewayToKinesisRole', 'Arn'] },
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:kinesis:action/PutRecord'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:kinesis:action/PutRecord'
},
PassthroughBehavior: 'NEVER',
RequestTemplates: {
Expand Down Expand Up @@ -707,7 +707,7 @@ describe('#compileMethodsToKinesis()', () => {
Type: 'AWS',
Credentials: { 'Fn::GetAtt': ['ApigatewayToKinesisRole', 'Arn'] },
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:kinesis:action/PutRecord'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:kinesis:action/PutRecord'
},
PassthroughBehavior: 'NEVER',
RequestTemplates: {
Expand Down Expand Up @@ -807,7 +807,7 @@ describe('#compileMethodsToKinesis()', () => {
Type: 'AWS',
Credentials: { 'Fn::GetAtt': ['ApigatewayToKinesisRole', 'Arn'] },
Uri: {
'Fn::Sub': 'arn:aws:apigateway:${AWS::Region}:kinesis:action/PutRecord'
'Fn::Sub': 'arn:${AWS::Partition}:apigateway:${AWS::Region}:kinesis:action/PutRecord'
},
PassthroughBehavior: 'NEVER',
RequestTemplates: {
16 changes: 9 additions & 7 deletions lib/package/s3/compileIamRoleToS3.js
Expand Up @@ -12,7 +12,14 @@ function convertToArn(bucket) {
'Fn::GetAtt': [logicalId, 'Arn']
}
} else {
return `arn:aws:s3:::${bucket}`
return {
'Fn::Sub': [
'arn:${AWS::Partition}:s3:::${bucket}',
{
bucket
}
]
}
}
}

Expand Down Expand Up @@ -40,12 +47,7 @@ module.exports = {
Effect: 'Allow',
Action: `s3:${action}*`, // e.g. PutObject*, GetObject*, DeleteObject*
Resource: {
'Fn::Sub': [
'${bucket}/*',
{
bucket: convertToArn(bucket)
}
]
'Fn::Join': ['', [convertToArn(bucket), '/*']]
}
}
})
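Review bot: `convertToArn` now returns a CloudFormation intrinsic object from both branches (`Fn::GetAtt` in the first, the new `Fn::Sub` in the `else`), and the second hunk's `'Fn::Join': ['', [convertToArn(bucket), '/*']]` depends on exactly that, but nothing states the contract; a later caller that string-concatenates the result would silently emit `[object Object]/*` as the policy resource. Suggest a header comment on the function: `// Returns an intrinsic (Fn::GetAtt or Fn::Sub) resolving to the bucket ARN, never a plain string; extend it with Fn::Join, not concatenation.` The signature of `convertToArn` sits in the hunk header and its `if` branch begins above the first hunk; the `module.exports` object in the second hunk also starts and ends outside it.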
67 changes: 46 additions & 21 deletions lib/package/s3/compileIamRoleToS3.test.js
Expand Up @@ -103,49 +103,74 @@ describe('#compileIamRoleToS3()', () => {
Effect: 'Allow',
Action: 's3:PutObject*',
Resource: {
'Fn::Sub': [
'${bucket}/*',
{
bucket: 'arn:aws:s3:::myBucket'
}
'Fn::Join': [
'',
[
{
'Fn::Sub': [
'arn:${AWS::Partition}:s3:::${bucket}',
{
bucket: 'myBucket'
}
]
},
'/*'
]
]
}
},
{
Effect: 'Allow',
Action: 's3:GetObject*',
Resource: {
'Fn::Sub': [
'${bucket}/*',
{
bucket: 'arn:aws:s3:::myBucket'
}
'Fn::Join': [
'',
[
{
'Fn::Sub': [
'arn:${AWS::Partition}:s3:::${bucket}',
{
bucket: 'myBucket'
}
]
},
'/*'
]
]
}
},
{
Effect: 'Allow',
Action: 's3:DeleteObject*',
Resource: {
'Fn::Sub': [
'${bucket}/*',
{
bucket: {
'Fn::Join': [
'',
[
{
'Fn::GetAtt': ['MyBucket', 'Arn']
}
}
},
'/*'
]
]
}
},
{
Effect: 'Allow',
Action: 's3:PutObject*',
Resource: {
'Fn::Sub': [
'${bucket}/*',
{
bucket: 'arn:aws:s3:::myBucketV2'
}
'Fn::Join': [
'',
[
{
'Fn::Sub': [
'arn:${AWS::Partition}:s3:::${bucket}',
{
bucket: 'myBucketV2'
}
]
},
'/*'
]
]
}
}
2 changes: 1 addition & 1 deletion lib/package/s3/compileMethodsToS3.js
Expand Up @@ -153,7 +153,7 @@ module.exports = {
Type: 'AWS',
Credentials: roleArn,
Uri: {
'Fn::Sub': ['arn:aws:apigateway:${AWS::Region}:s3:path/' + pather, {}]
'Fn::Sub': ['arn:${AWS::Partition}:apigateway:${AWS::Region}:s3:path/' + pather, {}]
},
PassthroughBehavior: 'WHEN_NO_MATCH',
RequestParameters: _.merge(requestParams, http.requestParameters)
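Review bot: The `Fn::Sub` template on the new line is still built by concatenating `pather` into the template string (`'...:s3:path/' + pather`) with an empty substitution map, so any `${...}` sequence that ends up in the configured path is interpreted by CloudFormation as a substitution rather than passed through literally — an unknown name fails the deploy and a pseudo-parameter name expands inside the integration URI. Where `pather` is derived from is outside the hunk, so this may be intentional; if the path is meant to be taken literally, moving it into the map is a one-line change: `'Fn::Sub': ['arn:${AWS::Partition}:apigateway:${AWS::Region}:s3:path/${pather}', { pather }]`. The enclosing method starts and ends outside the hunk.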