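AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Polyfill custom resource for an SSM SecureString parameter. The Lambda
  creates the parameter with a placeholder value; the real secret is entered
  out of band (e.g. in the AWS console) so it never appears in the template,
  in stack state, or in the function's logs.

Resources:
  SecureParameter:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: !GetAtt Role.Arn
      # nodejs16.x is the last Lambda runtime that bundles aws-sdk v2; moving to
      # a newer runtime also means porting the handler to aws-sdk v3.
      Runtime: nodejs16.x
      Timeout: 60
      Code:
        # Literal block scalar (|) keeps the handler's line breaks exactly as
        # written; a folded scalar (>) joins equally indented lines with spaces.
        ZipFile: |
          var response = require('cfn-response');
          var aws = require('aws-sdk');

          // Shallow copy of obj with any Value field masked, so secret material
          // is never written to CloudWatch Logs.
          function redacted(obj) {
            if (!obj || typeof obj !== 'object') { return obj; }
            var copy = Object.assign({}, obj);
            if (Object.prototype.hasOwnProperty.call(copy, 'Value')) { copy.Value = '***'; }
            return copy;
          }

          exports.handler = function(event, context) {
            // ResourceProperties / OldResourceProperties may carry Value on Update.
            console.log('event', Object.assign({}, event, {
              ResourceProperties: redacted(event.ResourceProperties),
              OldResourceProperties: redacted(event.OldResourceProperties)
            }));
            var ssm = new aws.SSM();
            var resourceProperties = event.ResourceProperties || {};

            // Every code path must answer CloudFormation, otherwise the stack
            // operation hangs until its own timeout. physicalId is echoed back so
            // CloudFormation can track (and later delete) the parameter by ARN.
            var finish = function(status, physicalId, name, err) {
              if (err) { console.log(err); }
              response.send(event, context, status, { Arn: physicalId, Name: name }, physicalId);
            };

            try {
              // StackId: arn:aws:cloudformation:<region>:<account>:stack/<name>/<guid>
              var splitStackArn = event.StackId.split(':');
              var region = splitStackArn[3];
              var accountId = splitStackArn[4];
              var stackName = splitStackArn[5].split('/')[1];
              // Random suffix only keeps the name unique within the stack; it is
              // not a secret, so Math.random is sufficient.
              var paramName = stackName + '-' + event.LogicalResourceId + '-' + Math.random().toString(36).slice(2, 7);
              var paramArn = 'arn:aws:ssm:' + region + ':' + accountId + ':parameter/' + paramName;

              var putCallback = function(err, resp) {
                if (err) { return finish(response.FAILED, paramArn, paramName, err); }
                console.log(resp);
                finish(response.SUCCESS, paramArn, paramName);
              };

              if (event.RequestType === 'Create') {
                var createParams = {
                  Name: paramName,
                  Type: 'SecureString',
                  // Placeholder only. Overwrite:false makes a name collision fail
                  // loudly instead of clobbering an existing parameter.
                  Value: '_REPLACE_WITH_ACTUAL_CREDENTIAL_IN_AWS_CONSOLE_',
                  KeyId: resourceProperties.KeyId,
                  Description: resourceProperties.Description,
                  Overwrite: false
                };
                console.log('Creating parameter input: ', redacted(createParams));
                ssm.putParameter(createParams, putCallback);
              } else if (event.RequestType === 'Update') {
                // A fresh name is generated on every update, so the returned
                // PhysicalResourceId changes and CloudFormation later sends a
                // Delete for the previous parameter. NOTE(review): this path
                // requires ResourceProperties.Value to be supplied - confirm that
                // is intended, since a value in the template is not secret.
                var updateParams = {
                  Name: paramName,
                  Type: 'SecureString',
                  Value: resourceProperties.Value,
                  KeyId: resourceProperties.KeyId,
                  Description: resourceProperties.Description,
                  Overwrite: true
                };
                console.log('Updating parameter input: ', redacted(updateParams));
                ssm.putParameter(updateParams, putCallback);
              } else if (event.RequestType === 'Delete') {
                var physicalId = event.PhysicalResourceId || '';
                var existingName = physicalId.split('parameter/')[1];
                if (!existingName) {
                  // Physical id is not one of our ARNs (e.g. Create failed before
                  // one was assigned); there is nothing to delete.
                  console.log('No parameter to delete for physical id: ', physicalId);
                  return finish(response.SUCCESS, physicalId, '');
                }
                console.log('Deleting parameter: ', existingName);
                ssm.deleteParameter({ Name: existingName }, function(err, resp) {
                  // An already-missing parameter counts as deleted so that stack
                  // deletion is idempotent.
                  if (err && err.code !== 'ParameterNotFound') {
                    return finish(response.FAILED, physicalId, existingName, err);
                  }
                  console.log(resp || 'parameter already absent');
                  finish(response.SUCCESS, physicalId, existingName);
                });
              } else {
                finish(response.FAILED, event.PhysicalResourceId || paramArn, paramName,
                  new Error('Unsupported RequestType: ' + event.RequestType));
              }
            } catch (e) {
              // Synchronous failure (e.g. malformed event): report it instead of
              // letting the invocation crash and leaving CloudFormation waiting.
              finish(response.FAILED, event.PhysicalResourceId || 'none', '', e);
            }
          };
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: [ lambda.amazonaws.com ] }
            Action: [ sts:AssumeRole ]
      Policies:
        - PolicyName: SecureParameter
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [ logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents ]
                Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*"
              # Parameter names are always "<stack>-<logical id>-<suffix>", so the
              # function only needs to write and delete under that prefix rather
              # than every parameter in the account.
              - Effect: Allow
                Action: [ "ssm:PutParameter", "ssm:DeleteParameter" ]
                Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}-*"
              # KeyId is only known at runtime (a resource property), so the key
              # cannot be pinned statically here; narrow this if the stack owns
              # the CMK.
              - Effect: Allow
                Action: [ "kms:Encrypt" ]
                Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"

Outputs:
  SecureParameter:
    Description: Cloudformation polyfill for SSM parameter store secure string.
    Value: !GetAtt SecureParameter.Arn
    Export:
      Name: CfnSecureParameter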