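---
AWSTemplateFormatVersion: "2010-09-09"
# Artifact bucket, TLS-key secret, IAM role and instance profile for building
# AEM images with Packer. Every resource is guarded by a Condition so callers
# can opt out of bucket, secret or role creation independently.
Description: Create Instance Profile for running Packer AEM

Parameters:
  PackerAemS3Bucket:
    Type: String
    Description: Name of the S3 Bucket where the artifacts are to be stored
  StackPrefix:
    Type: String
    Description: Used to Namespace the Exported Resources
  EnableSecretsManager:
    Type: String
    Description: Toggle creating an AWS Secrets Manager secret (true/false)
  CreatePackerBucket:
    Type: String
    Description: Toggle creating an S3 Bucket for Packer AEM (true/false)
  CreatePackerIAMRole:
    Type: String
    Description: Toggle creating a Packer IAM role/instance profile (true/false)
    Default: "true"

# Fn::Equals is case-sensitive. The toggles are documented as "true/false" and
# CreatePackerIAMRole defaults to "true", but the conditions previously only
# matched "True", so the default silently disabled the role. Each condition now
# accepts both spellings; any other value means "off".
Conditions:
  EnableSecretsManagerCondition:
    Fn::Or:
      - Fn::Equals:
          - Ref: EnableSecretsManager
          - "true"
      - Fn::Equals:
          - Ref: EnableSecretsManager
          - "True"
  PackerBucketCondition:
    Fn::Or:
      - Fn::Equals:
          - Ref: CreatePackerBucket
          - "true"
      - Fn::Equals:
          - Ref: CreatePackerBucket
          - "True"
  PackerIAMRoleCondition:
    Fn::Or:
      - Fn::Equals:
          - Ref: CreatePackerIAMRole
          - "true"
      - Fn::Equals:
          - Ref: CreatePackerIAMRole
          - "True"

Resources:
  PackerAemArtefactBucket:
    Type: AWS::S3::Bucket
    Condition: PackerBucketCondition
    Properties:
      BucketName:
        Ref: PackerAemS3Bucket
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Nothing in this template grants anonymous access to the artifacts;
      # block public ACLs and bucket policies so none can be added out of band.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  SecretsManagerAemCertificateKey:
    Type: AWS::SecretsManager::Secret
    Condition: EnableSecretsManagerCondition
    Properties:
      Description:
        Fn::Sub: "The Private Key used for TLS on ELBs and AEM OpenCloud for: ${StackPrefix}"
      # Placeholder only: the real private key is written to the secret after
      # stack creation, never into this template.
      SecretString: "overwrite-me"
      Name:
        # Workaround for bug where delimiter does not apply and triggers an invalid QDN on cloudformation.
        Fn::Join:
          - "/"
          - - aem-opencloud
            - Ref: StackPrefix
            - certificate-key

  PackerAemBucketPolicy:
    Type: AWS::IAM::Policy
    Condition: PackerIAMRoleCondition
    Properties:
      PolicyName: PackerAemBucketPolicy
      Roles:
        - Ref: PackerAemRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # s3:ListBucket is evaluated against the bucket ARN, s3:GetObject
          # against the object ARN (bucket/*). Listing only the bucket ARN, as
          # before, never actually granted GetObject through this policy.
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - Fn::Sub: "arn:${AWS::Partition}:s3:::${PackerAemS3Bucket}"
              - Fn::Sub: "arn:${AWS::Partition}:s3:::${PackerAemS3Bucket}/*"

  PackerAemRole:
    Type: AWS::IAM::Role
    Condition: PackerIAMRoleCondition
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: PackerAemRolePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Permissions used by Packer's EC2 builder. Most of these cannot be
              # resource-scoped in a useful way; iam:PassRole on "*" is the one
              # worth revisiting, since it lets instances built with this
              # profile pass any role in the account to instances they launch.
              - Effect: Allow
                Action:
                  - acm:GetCertificate
                  - ec2:AttachVolume
                  - ec2:AuthorizeSecurityGroupIngress
                  - ec2:CopyImage
                  - ec2:CreateImage
                  - ec2:CreateKeypair
                  - ec2:CreateSecurityGroup
                  - ec2:CreateSnapshot
                  - ec2:CreateTags
                  - ec2:CreateVolume
                  - ec2:DeleteKeypair
                  - ec2:DeleteSecurityGroup
                  - ec2:DeleteSnapshot
                  - ec2:DeleteVolume
                  - ec2:DeregisterImage
                  - ec2:DescribeImageAttribute
                  - ec2:DescribeImages
                  - ec2:DescribeInstances
                  - ec2:DescribeRegions
                  - ec2:DescribeSecurityGroups
                  - ec2:DescribeSnapshots
                  - ec2:DescribeSubnets
                  - ec2:DescribeTags
                  - ec2:DescribeVolumes
                  - ec2:DetachVolume
                  - ec2:GetPasswordData
                  - ec2:ModifyImageAttribute
                  - ec2:ModifyInstanceAttribute
                  - ec2:ModifySnapshotAttribute
                  - ec2:RegisterImage
                  - ec2:RunInstances
                  - ec2:StopInstances
                  - ec2:TerminateInstances
                  - iam:GetServerCertificate
                  - iam:PassRole
                  - kms:Decrypt
                  - secretsmanager:GetSecretValue
                  - ssm:GetParameterHistory
                  - ssm:GetParametersByPath
                  - ssm:GetParameters
                  - ssm:GetParameter
                Resource: "*"
              # NOTE(review): s3:* on every bucket in the account is far wider
              # than PackerAemBucketPolicy above and makes it redundant. If the
              # build only touches PackerAemS3Bucket, scope this statement to
              # that bucket's ARNs.
              - Effect: Allow
                Action:
                  - s3:*
                Resource: "*"
              - Effect: Allow
                Action:
                  - logs:*
                Resource:
                  - Fn::Sub: "arn:${AWS::Partition}:logs:*:*:*"

  PackerAemInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Condition: PackerIAMRoleCondition
    Properties:
      Path: /
      Roles:
        - Ref: PackerAemRole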