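---
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Customer-managed KMS key plus two IAM principals with split duties: one may
  only encrypt / generate data keys with the key, the other may only decrypt
  with it. Access-key pairs are captured in Secrets Manager instead of being
  exported in clear text through stack Outputs.

Resources:
  theKey:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      # Automatic key-material rotation. Rotation only affects new ciphertext;
      # KMS keeps the older material, so existing ciphertext still decrypts.
      EnableKeyRotation: true
      KeyUsage: ENCRYPT_DECRYPT
      # 7 days is the shortest deletion window KMS allows (default 30). Once a
      # scheduled deletion completes, everything encrypted under this key is
      # permanently unrecoverable, so a longer window is the safer choice.
      PendingWindowInDays: 7
      KeyPolicy:
        Version: '2012-10-17'
        Id: !Sub '${AWS::StackName}-Key'
        Statement:
          # Granting the account root principal kms:* is what lets IAM
          # identity policies (the two groups below) govern access to this
          # key. Removing it would lock everyone, including admins, out.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action: kms:*
            Resource: '*'
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  theAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub 'alias/${AWS::StackName}'
      TargetKeyId: !Ref theKey

  # Encrypt-only principal.
  iCanEncryptStuffGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Sub '${AWS::StackName}-iCanEncryptStuffGroup'
      Policies:
        - PolicyName: !Sub '${AWS::StackName}-iCanEncryptStuffPolicy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: EncryptWithStackKeyOnly
                Effect: Allow
                Action:
                  - kms:Encrypt
                  - kms:GenerateDataKey
                # Scoped to this stack's key. A wildcard KMS resource here would
                # grant these actions on any key whose key policy trusts IAM.
                Resource: !GetAtt theKey.Arn

  # NOTE(review): an IAM user with a static access key is a long-lived
  # credential. Where the consumer can assume a role (instance profile, task
  # role, OIDC federation) that is the better fit for both principals below.
  EncryptorUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub '${AWS::StackName}-encryptor-user'
      Groups:
        - !Ref iCanEncryptStuffGroup
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  EncryptorUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref EncryptorUser

  # The secret access key can only be read from the AccessKey resource at
  # creation time. Capturing it here keeps it out of stack Outputs / Exports,
  # which are readable by anyone holding cloudformation:DescribeStacks or
  # cloudformation:ListExports and tend to end up in CI logs.
  EncryptorUserCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub '${AWS::StackName}/encryptor-user/access-key'
      Description: !Sub 'Access key pair for IAM user ${EncryptorUser}'
      SecretString: !Sub >-
        {"AccessKeyId":"${EncryptorUserAccessKey}","SecretAccessKey":"${EncryptorUserAccessKey.SecretAccessKey}"}

  # Decrypt-only principal.
  iCanDecryptStuffGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Sub '${AWS::StackName}-iCanDecryptStuffGroup'
      Policies:
        - PolicyName: !Sub '${AWS::StackName}-iCanDecryptStuffPolicy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: DecryptWithStackKeyOnly
                Effect: Allow
                Action:
                  - kms:Decrypt
                # Same scoping rationale as the encrypt policy.
                Resource: !GetAtt theKey.Arn

  DecryptorUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub '${AWS::StackName}-decryptor-user'
      Groups:
        - !Ref iCanDecryptStuffGroup
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  DecryptorUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref DecryptorUser

  DecryptorUserCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub '${AWS::StackName}/decryptor-user/access-key'
      Description: !Sub 'Access key pair for IAM user ${DecryptorUser}'
      SecretString: !Sub >-
        {"AccessKeyId":"${DecryptorUserAccessKey}","SecretAccessKey":"${DecryptorUserAccessKey.SecretAccessKey}"}

Outputs:
  # Export names are unique per region, so with these fixed names the stack
  # can be deployed only once per region.
  theKey:
    Description: 'theKey key ID'
    Value: !Ref theKey
    Export:
      Name: theKeyId
  theKeyArn:
    Description: 'theKey ARN (use this, not the ID, in IAM policies of other stacks)'
    Value: !GetAtt theKey.Arn
    Export:
      Name: theKeyArn
  theKeyAlias:
    Description: 'theAlias Alias'
    Value: !Ref theAlias
    Export:
      Name: theKeyAlias
  # Access key IDs identify a credential but are not secret on their own;
  # the secret halves are only available through the Secrets Manager ARNs.
  EncryptorUserAccessKey:
    Description: 'EncryptorUser AccessKeyId'
    Value: !Ref EncryptorUserAccessKey
    Export:
      Name: EncryptorUserAccessKey
  EncryptorUserCredentialsSecretArn:
    Description: 'Secrets Manager ARN holding the EncryptorUser access key pair'
    Value: !Ref EncryptorUserCredentials
    Export:
      Name: EncryptorUserCredentialsSecretArn
  DecryptorUserAccessKey:
    Description: 'DecryptorUser AccessKeyId'
    Value: !Ref DecryptorUserAccessKey
    Export:
      Name: DecryptorUserAccessKey
  DecryptorUserCredentialsSecretArn:
    Description: 'Secrets Manager ARN holding the DecryptorUser access key pair'
    Value: !Ref DecryptorUserCredentials
    Export:
      Name: DecryptorUserCredentialsSecretArn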