forked from aws/aws-connected-device-framework
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cfn-auth-devicecert.yaml
127 lines (118 loc) · 3.99 KB
/
cfn-auth-devicecert.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#-----------------------------------------------------------------------------------------------------------------------
# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
# with the License. A copy of the License is located at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
# OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
# and limitations under the License.
#-----------------------------------------------------------------------------------------------------------------------
---
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: CDF Custom Auth
Parameters:
Environment:
Description: Name of environment. Used to name the created resources.
Type: String
MinLength: 1
KmsKeyId:
Description: The KMS key ID used to encrypt SSM parameters
Type: String
MinLength: 1
OpenSslLambdaLayerArn:
Description: OpenSSL lambda layer ARN
Type: String
MinLength: 1
Resources:
CustAuthLambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Sub 'cdf-deviceCert-auth-${Environment}'
CodeUri: ../bundle.zip
Handler: packages/services/auth-devicecert/dist/index.handler
Layers:
- !Ref OpenSslLambdaLayerArn
MemorySize: 512
Role: !GetAtt LambdaExecutionRole.Arn
Runtime: nodejs18.x
Timeout: 30
Environment:
Variables:
APP_CONFIG_DIR: 'packages/services/auth-devicecert/src/config'
Tracing: Active
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: '/'
ManagedPolicyArns:
- !Ref SSMPolicy
- !Ref LambdaExecutionPolicy
- arn:aws:iam::aws:policy/AWSLambdaExecute
- arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
DependsOn:
- SSMPolicy
SSMPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: 'cdf-customauth policy for accessing SSM and KMS'
Path: '/'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- 'ssm:GetParameter*'
Effect: Allow
Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/cdf-rootca-pem'
- Action:
- 'kms:Decrypt'
Effect: Allow
Resource: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${KmsKeyId}'
LambdaExecutionPolicy:
Type: 'AWS::IAM::ManagedPolicy'
Properties:
Description: 'cdf-auth policy'
Path: '/'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- 'iot:ListCACertificates'
Effect: Allow
Resource: !Sub 'arn:aws:iot:${AWS::Region}:${AWS::AccountId}:cert/*'
ApiGwAuthInvokeRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
- apigateway.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: apiGwLambdaInvoke
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: lambda:invokeFunction
Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*'
Outputs:
CustomAuthLambdaArn:
Description: Custom Auth Lambda Arn
Value: !Sub '${CustAuthLambdaFunction.Arn}'
Export:
Name: !Sub '${AWS::StackName}-CustAuthLambdaArn'