@duttonw
Created December 14, 2018 05:14
CloudFormation template for a Lambda function that rotates an IAM user's access key, to be invoked by Secrets Manager as the secret's rotation function
```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BuildVersion:
    Description: Build number
    Type: String
  Environment:
    Description: Deploy Target
    Type: String
  Product:
    Description: Product name
    Type: String
    Default: "SMTPUserRotation"
  NamePrefix:
    Description: Name prefix
    Type: String
    Default: "KeyRotation"
  FileLocation:
    Description: Lambda function s3 bucket
    Type: String
    Default: "cf-templates-${region bucket}"
  FileName:
    Description: Name of the object in s3
    Type: String
    Default: "aws-key-rotation-lambda.zip"
  LambdaHandler:
    Description: Lambda handler
    Type: String
    Default: "aws-key-rotation-lambda.lambda_handler"
  LambdaMemoryAllocation:
    Description: Memory to be allocated to Lambda function
    Type: String
    Default: "128"
  LambdaRuntime:
    Description: Runtime of the Lambda function
    Type: String
    Default: "python3.6"
  LambdaTimeout:
    Description: Timeout threshold of the Lambda function
    Type: String
    Default: "30"
  SNSTopicName:
    Description: Name of the SNS topic for publishing rotation notifications
    Type: String
    Default: "key-rotation"
Resources:
  IAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Sub "${NamePrefix}LambdaRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        -
          PolicyName: !Sub "${NamePrefix}LambdaPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Key management is scoped to the SMTP users only, not the whole account
              - Effect: "Allow"
                Action:
                  - "iam:ListAccessKeys"
                  - "iam:DeleteAccessKey"
                  - "iam:CreateAccessKey"
                Resource: !Sub "arn:aws:iam::${AWS::AccountId}:user/smtp*"
              - Effect: "Allow"
                Action:
                  - "secretsmanager:GetResourcePolicy"
                  - "secretsmanager:DescribeSecret"
                  - "secretsmanager:ListSecretVersionIds"
                  - "secretsmanager:GetSecretValue"
                  - "secretsmanager:PutSecretValue"
                  - "secretsmanager:UpdateSecret"
                  - "secretsmanager:UpdateSecretVersionStage"
                Resource: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:smtp-*"
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "*"
              - Effect: "Allow"
                Action: "secretsmanager:GetRandomPassword"
                Resource: "*"
              - Effect: "Allow"
                Action:
                  - "sns:Publish"
                Resource:
                  - !Sub "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${SNSTopicName}"
  Lambda:
    Type: AWS::Lambda::Function
    DependsOn: IAMRole
    Properties:
      Description:
        Fn::Join:
          - ""
          - - "Build Version "
            - !Ref BuildVersion
      FunctionName: !Sub "${NamePrefix}LambdaFunction"
      Code:
        S3Bucket: !Ref FileLocation
        S3Key: !Ref FileName
      Handler: !Ref LambdaHandler
      MemorySize: !Ref LambdaMemoryAllocation
      Role:
        Fn::GetAtt:
          - IAMRole
          - 'Arn'
      Runtime: !Ref LambdaRuntime
      Timeout: !Ref LambdaTimeout
      Environment:
        Variables:
          SECRETS_MANAGER_ENDPOINT: !Sub "https://secretsmanager.${AWS::Region}.amazonaws.com/"
  # Lets the Secrets Manager service invoke the function during rotation
  LambdaSecretsManagerPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt 'Lambda.Arn'
      Action: "lambda:InvokeFunction"
      Principal: "secretsmanager.amazonaws.com"
  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref SNSTopicName
  mysnspolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: MyTopicPolicy
        Version: '2012-10-17'
        Statement:
          - Sid: ListAllDefaultOwnAccount
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - SNS:Publish
              - SNS:RemovePermission
              - SNS:SetTopicAttributes
              - SNS:DeleteTopic
              - SNS:ListSubscriptionsByTopic
              - SNS:GetTopicAttributes
              - SNS:Receive
              - SNS:AddPermission
              - SNS:Subscribe
            Resource:
              - !Ref SNSTopic
            Condition:
              StringEquals:
                AWS:SourceOwner: !Sub '${AWS::AccountId}'
          - Sid: SubscribeReceiveOtherAccounts
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - SNS:Subscribe
              - SNS:Receive
            Resource:
              - !Ref SNSTopic
            Condition:
              StringEquals:
                aws:PrincipalOrgID: '${YOUR-ORG-ID from organisations}'
      Topics:
        - !Ref SNSTopic
Outputs:
  LambdaKeyRotationIPARN:
    Description: ARN for lambda key rotation
    Value: !GetAtt Lambda.Arn
    Export:
      Name:
        Fn::Sub: "${Product}${Environment}LambdaKeyRotationIPARN"
  SNSTopic:
    Description: ARN for sns topic for rotation notifications
    Value: !Ref SNSTopic
    Export:
      Name:
        Fn::Sub: "${Product}${Environment}SNSTopic"
```
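As an added example (not the gist's own `aws-key-rotation-lambda.zip` code), this is roughly what the rotation handler the template deploys looks like: Secrets Manager invokes it with `Step` set to createSecret, setSecret, testSecret and finishSecret, and it needs only the IAM and Secrets Manager actions the role above grants. The secret layout (`UserName`, `AccessKeyId`, `SecretAccessKey`), the `smtp-mailer` user, the injected client parameters and the in-memory `FakeIAM`/`FakeSM` clients are constructed so it runs offline; a real deployment would pass `boto3.client("iam")` and `boto3.client("secretsmanager")`.

```python
import json, secrets

def create_secret(sm, iam, secret_id, token):
    cur = json.loads(sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"])
    user = cur["UserName"]
    # IAM caps a user at two access keys; a key left by a failed earlier run would make
    # CreateAccessKey fail, so remove every key except the one the secret currently holds.
    for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if k["AccessKeyId"] != cur["AccessKeyId"]:
            iam.delete_access_key(UserName=user, AccessKeyId=k["AccessKeyId"])
    new = iam.create_access_key(UserName=user)["AccessKey"]
    pending = {"UserName": user, "AccessKeyId": new["AccessKeyId"], "SecretAccessKey": new["SecretAccessKey"]}
    sm.put_secret_value(SecretId=secret_id, ClientRequestToken=token, SecretString=json.dumps(pending), VersionStages=["AWSPENDING"])

def finish_secret(sm, iam, secret_id, token):
    cur = sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    if cur["VersionId"] == token: return  # Secrets Manager retried a finished rotation: stay idempotent
    sm.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT", MoveToVersionId=token, RemoveFromVersionId=cur["VersionId"])
    old = json.loads(cur["SecretString"])  # consumers now read the new key, so revoke the old one
    iam.delete_access_key(UserName=old["UserName"], AccessKeyId=old["AccessKeyId"])

def lambda_handler(event, context, sm, iam):
    # setSecret is a no-op for IAM keys; testSecret (sts:GetCallerIdentity with the pending key) needs the network and is skipped here.
    step = {"createSecret": create_secret, "finishSecret": finish_secret}.get(event["Step"])
    if step: step(sm, iam, event["SecretId"], event["ClientRequestToken"])

class FakeIAM:  # constructed stand-in for boto3.client("iam")
    def __init__(self): self.keys = {}
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k} for k in self.keys.get(UserName, [])]}
    def create_access_key(self, UserName):
        kid = "AKIA" + secrets.token_hex(8).upper(); self.keys.setdefault(UserName, []).append(kid)
        return {"AccessKey": {"AccessKeyId": kid, "SecretAccessKey": secrets.token_urlsafe(30)}}
    def delete_access_key(self, UserName, AccessKeyId): self.keys[UserName].remove(AccessKeyId)

class FakeSM:  # constructed stand-in for boto3.client("secretsmanager"); one value and one stage set per version id
    def __init__(self, initial): self.values, self.stages = {"v0": initial}, {"v0": {"AWSCURRENT"}}
    def get_secret_value(self, SecretId, VersionStage=None, VersionId=None):
        vid = VersionId or next(v for v, s in self.stages.items() if VersionStage in s)
        return {"VersionId": vid, "SecretString": self.values[vid]}
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken], self.stages[ClientRequestToken] = SecretString, set(VersionStages)
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].discard(VersionStage); self.stages[MoveToVersionId].add(VersionStage)

def rotate_once(token="tok-1", user="smtp-mailer"):
    # Drive all four steps against the fakes; returns (old key id, new key id, keys left on the user)
    iam = FakeIAM()
    first = iam.create_access_key(UserName=user)["AccessKey"]
    sm = FakeSM(json.dumps(dict(first, UserName=user)))
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"Step": step, "SecretId": "smtp-" + user, "ClientRequestToken": token}, None, sm, iam)
    now = json.loads(sm.get_secret_value(SecretId="smtp-" + user, VersionStage="AWSCURRENT")["SecretString"])
    return first["AccessKeyId"], now["AccessKeyId"], list(iam.keys[user])
```

After one rotation the user is left with exactly the new key and the AWSCURRENT version points at it; the stale-key cleanup in createSecret is what keeps a retried or half-finished rotation from hitting the two-key limit.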