
Commit 87ee967

committed
Adopted for AWS China
1 parent 043b26f commit 87ee967


1 file changed

+8
-8
lines changed


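--- a/template.yaml
+++ b/template.yaml
@@ -286,8 +286,8 @@ Resources:
 Principal:
 Service: "lambda.amazonaws.com"
 ManagedPolicyArns:
-- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-- arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
+- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+- !Sub "arn:${AWS::Partition}:iam::aws:policy/AWSXrayWriteOnlyAccess"
 Policies:
 - PolicyName: CustomLambdaPolicy
 PolicyDocument:
@@ -311,8 +311,8 @@ Resources:
 - s3:PutObjectAcl
 - s3:ListBucket
 Resource:
-- !Sub "arn:aws:s3:::${BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}"
-- !Sub "arn:aws:s3:::${BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/*"
+- !Sub "arn:${AWS::Partition}:s3:::${BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}"
+- !Sub "arn:${AWS::Partition}:s3:::${BucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/*"
 - Sid: KMSGetDataPolicy
 Effect: Allow
 Action:
@@ -339,15 +339,15 @@ Resources:
 - Sid: AllowIAMThisAccount
 Effect: Allow
 Principal:
-AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
 Action: "kms:*"
 Resource: "*"
 - Sid: AllowAWSLambdaToRetrieveKMSKey
 Effect: Allow
 Principal:
 Service: "lambda.amazonaws.com"
 #AWS: !GetAtt LambdaFunctionRole.Arn # Fails because circular reference
-#AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/serverless-idp-scim-sync-${AWS::AccountId}-${AWS::Region}" # Fails in runtime because the roles is not created yet
+#AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/serverless-idp-scim-sync-${AWS::AccountId}-${AWS::Region}" # Fails in runtime because the roles is not created yet
 Action:
 - kms:Encrypt
 - kms:Decrypt
@@ -380,7 +380,7 @@ Resources:
 BucketEncryption:
 ServerSideEncryptionConfiguration:
 - ServerSideEncryptionByDefault:
-KMSMasterKeyID: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${KMSKeyAlias}"
+KMSMasterKeyID: !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:${KMSKeyAlias}"
 SSEAlgorithm: "aws:kms"
 BucketKeyEnabled: true # https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html
 
@@ -394,7 +394,7 @@ Resources:
 - Sid: AllowAWSLambdaFunction
 Principal:
 AWS:
-- !Sub "arn:aws:iam::${AWS::AccountId}:role/serverless-idp-scim-sync-${AWS::AccountId}-${AWS::Region}"
+- !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/serverless-idp-scim-sync-${AWS::AccountId}-${AWS::Region}"
 Effect: Allow
 Action:
 - s3:GetObject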
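Review bot: The `AllowAWSLambdaToRetrieveKMSKey` statement in the key policy (new lines 345-353) still grants `kms:Encrypt`/`kms:Decrypt` to the `lambda.amazonaws.com` service principal, because the role-ARN line this commit edits at 350 remains a comment; no `Condition` is visible in the hunk, though the statement continues past its end. If the intent is that only the sync function's execution role may use the key, one way around both failures noted in the comments is to keep the account principal and scope it by condition: `AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"` together with `Condition: {ArnEquals: {"aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/serverless-idp-scim-sync-${AWS::AccountId}-${AWS::Region}"}}`, since a condition value is not checked against an existing role when the key is created. Separately, the `KMSMasterKeyID` ARN at line 383 is only well-formed if the `KMSKeyAlias` parameter already carries the `alias/` prefix, which is defined outside these hunks and worth confirming.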
