Created
December 14, 2018 05:22
-
-
Save duttonw/7491018854bfbc9eefbb04bb2f8d7d74 to your computer and use it in GitHub Desktop.
Cloudformation template for Secrets Manager rotating a user access key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| AWSTemplateFormatVersion: '2010-09-09' | |
| Parameters: | |
| BuildVersion: | |
| Description: Build number | |
| Type: String | |
| Environment: | |
| Description: Environment | |
| Type: String | |
| Service: | |
| Description: Service Name | |
| Type: String | |
| SecretName: | |
| Description: Secret Name | |
| Type: String | |
| SecretDescription: | |
| Description: Secret Description | |
| Type: String | |
| KmsKeyId: | |
| Description: KMS key to use for encryption | |
| Type: String | |
| Default: "" #this is key which allows Secrets Manager and cross account access | |
| IamUserName: | |
| Description: must start with smtp- | |
| Type: String | |
| AllowedPattern: "^smtp-[a-zA-Z0-9-]*$" | |
| CrossAccountList: | |
| Description: comma delimited list of arn's to allow access to the secret | |
| Type: String | |
| AllowedPattern: "^[a-zA-Z0-9-:,]*$" | |
| Default: "arn:aws:iam::111222333444:root,arn:aws:iam::555666777888:root" | |
| LambdaKeyRotationExportName: | |
| Description: export name for the lambda function to rotate the secret | |
| Type: String | |
| Default: "${Product}${Environment}LambdaKeyRotationIPARN" | |
| SnsTopicExportName: | |
| Description: export name of the sns that will notify | |
| Type: String | |
| Default: "${Product}${Environment}SNSTopic" | |
| Resources: | |
| myuser: | |
| Type: AWS::IAM::User | |
| Properties: | |
| Path: "/smtp/" | |
| UserName: !Ref IamUserName | |
| SmtpUserSecret: | |
| Type: AWS::SecretsManager::Secret | |
| Properties: | |
| Name: !Ref SecretName | |
| Description: !Ref SecretDescription | |
| KmsKeyId: !Ref KmsKeyId | |
| SecretString: !Sub | |
| - | | |
| {"smtpUser": "${IamUserName}", | |
| "smtpAccessKeyId": "willbereplaced", | |
| "smtpSecretKey": "willbereplaced", | |
| "smtpUsername": "willbereplaced", | |
| "smtpPassword": "willbereplaced", | |
| "snsTopic": "${SnsTopicExportNameImport}"} | |
| - SnsTopicExportNameImport: | |
| Fn::ImportValue: | |
| !Sub "${SnsTopicExportName}" | |
| Tags: | |
| - Key: "Service" | |
| Value: !Ref Service | |
| # This is a ResourcePolicy resource which attaches a resource policy to the referenced secret. | |
| # The resource policy denies the DeleteSecret action to all principals in the current account. | |
| # It allow attaches any arn's which should have access to the secret. | |
| # NOTE: it should really match the kms key else errors will occur | |
| SmtpUserSecretResourcePolicy: | |
| Type: AWS::SecretsManager::ResourcePolicy | |
| Properties: | |
| SecretId: !Ref SmtpUserSecret | |
| ResourcePolicy: | |
| Version: "2012-10-17" | |
| Statement: | |
| - Effect: "Deny" | |
| Principal: | |
| AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" | |
| Action: "secretsmanager:DeleteSecret" | |
| Resource: "*" | |
| - Effect: "Allow" | |
| Principal: | |
| AWS: !Split [ "," , !Ref CrossAccountList ] | |
| Action: "secretsmanager:GetSecretValue" | |
| Resource: "*" | |
| Condition: | |
| ForAnyValue:StringEquals: | |
| secretsmanager:VersionStage: AWSCURRENT | |
| SmtpUserSecretRotationSchedule: | |
| Type: AWS::SecretsManager::RotationSchedule | |
| Properties: | |
| SecretId: !Ref SmtpUserSecret | |
| RotationLambdaARN: | |
| Fn::ImportValue: !Sub "${LambdaKeyRotationExportName}" | |
| RotationRules: | |
| AutomaticallyAfterDays: 30 | |
| Outputs: | |
| SmtpUserSecret: | |
| Description: Secrets Manager Secret which was created | |
| Value: !Ref SmtpUserSecret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment