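---
# SAM template for the Venafi policy-enforcement Lambdas that front AWS Private CA.
# Two functions share one DynamoDB table: cert-request (API-driven) and
# cert-policy (scheduled policy sync from Venafi TPP / Venafi Cloud).
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Venafi policy enforcement for AWS Private CA.

Metadata:
  AWS::ServerlessRepo::Application:
    Name: aws-private-ca-policy-venafi
    Description: Venafi Lambda functions for AWS that enforce enterprise security policy for the AWS Private CA.
    Author: Venafi
    SpdxLicenseId: Apache-2.0
    LicenseUrl: LICENSE.txt
    ReadmeUrl: README.md
    Labels: ['tls', 'ssl', 'certificates', 'aws-certificate-manager', 'venafi-platform', 'venafi-cloud']
    HomePageUrl: https://github.com/Venafi/aws-private-ca-policy-venafi
    # Quoted so no tool ever re-types the version string.
    SemanticVersion: '0.0.5'
    SourceCodeUrl: https://github.com/Venafi/aws-private-ca-policy-venafi

# Credentials for the Venafi backends. NoEcho only masks the value in the
# CloudFormation console/API; the parameters are still copied verbatim into
# the policy function's environment variables below.
Parameters:
  TPPUSER:
    Type: String
    Default: ""
  TPPPASSWORD:
    NoEcho: "true"
    Type: String
    Default: ""
  TPPAccessToken:
    NoEcho: "true"
    Type: String
    Default: ""
  TPPRefreshToken:
    NoEcho: "true"
    Type: String
    Default: ""
  TPPURL:
    Type: String
    Default: ""
  # Optional CA bundle used when talking to TPP; empty means system trust store.
  TrustBundle:
    Type: String
    Default: ""
  CLOUDURL:
    Type: String
    Default: ""
  CLOUDAPIKEY:
    NoEcho: "true"
    Type: String
    Default: ""
  # Kept as the string "false"/"true" because it is passed through as an env var.
  SavePolicyFromRequest:
    Type: String
    Default: "false"
  DEFAULTZONE:
    Type: String
    Default: "Default"
  # Names of pre-existing IAM roles (not created by this template, see TODO below).
  RequestLambdaRole:
    Type: String
    Default: "VenafiRequestLambdaRole"
  PolicyLambdaRole:
    Type: String
    Default: "VenafiPolicyLambdaRole"

Resources:
  VenafiLambdaApi:
    Type: AWS::Serverless::Api
    Properties:
      Name: VenafiLambdaApi
      StageName: v1
      # TODO: fix API gateway logging enable
      # MethodSettings:
      #   - LoggingLevel: ERROR
      #     MetricsEnabled: true
      Auth:
        # Every method requires SigV4-signed calls unless a method overrides it.
        DefaultAuthorizer: AWS_IAM
        # Role API Gateway assumes to invoke the backend; it reuses the request
        # function's role, so that role's trust policy must also allow
        # apigateway.amazonaws.com — confirm against the role definition.
        InvokeRole: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${RequestLambdaRole}'

  VenafiCertRequestLambda:
    Type: AWS::Serverless::Function
    Properties:
      Handler: cert-request
      Runtime: go1.x
      CodeUri: dist/cert-request
      Description: Venafi request with a RESTful API endpoint using Amazon API Gateway.
      MemorySize: 512
      Timeout: 10
      # TODO: provide json for creating a role
      Role: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${RequestLambdaRole}'
      Environment:
        Variables:
          SAVE_POLICY_FROM_REQUEST: !Ref SavePolicyFromRequest
          DEFAULT_ZONE: !Ref DEFAULTZONE
      # NOTE(review): SAM does not attach Policies when an explicit Role is
      # given — verify the external role already grants CloudWatch metrics and
      # CRUD on CertPolicyTable, otherwise these entries are dead config.
      Policies:
        - CloudWatchPutMetricPolicy: {}
        - DynamoDBCrudPolicy:
            TableName: !Ref CertPolicyTable
      Events:
        ApiRequest:
          Type: Api
          Properties:
            Path: /request
            Method: POST
            RestApiId: !Ref VenafiLambdaApi
            Auth:
              Authorizer: AWS_IAM

  VenafiCertPolicyLambda:
    Type: AWS::Serverless::Function
    Properties:
      Handler: cert-policy
      Runtime: go1.x
      CodeUri: dist/cert-policy
      Description: Venafi policy with a RESTful API endpoint using Amazon API Gateway.
      MemorySize: 512
      Timeout: 10
      Role: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${PolicyLambdaRole}'
      Environment:
        # Password, tokens and API key land here in plaintext; anyone with
        # lambda:GetFunctionConfiguration on this function can read them.
        # Prefer resolving them at runtime from Secrets Manager / SSM SecureString
        # and keep GetFunctionConfiguration on this function tightly scoped.
        Variables:
          TPPUSER: !Ref TPPUSER
          TPPPASSWORD: !Ref TPPPASSWORD
          TPP_ACCESS_TOKEN: !Ref TPPAccessToken
          TPP_REFRESH_TOKEN: !Ref TPPRefreshToken
          TPPURL: !Ref TPPURL
          CLOUDURL: !Ref CLOUDURL
          CLOUDAPIKEY: !Ref CLOUDAPIKEY
          TRUST_BUNDLE: !Ref TrustBundle
      # NOTE(review): same caveat as above — ignored while Role is set.
      Policies:
        - CloudWatchPutMetricPolicy: {}
        - DynamoDBCrudPolicy:
            TableName: !Ref CertPolicyTable
      Events:
        # Periodic policy refresh from the Venafi backend.
        Schedule:
          Type: Schedule
          Properties:
            Schedule: rate(1 minute)

  CertPolicyTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: VenafiCertPolicy
      AttributeDefinitions:
        - AttributeName: PolicyID
          AttributeType: S
      KeySchema:
        - AttributeName: PolicyID
          KeyType: HASH
      # NOTE(review): no SSESpecification or PointInTimeRecoverySpecification is
      # set, so DynamoDB defaults apply — confirm that is acceptable for policy data.
      ProvisionedThroughput:
        ReadCapacityUnits: 1
        WriteCapacityUnits: 1

  # Explicit log groups so retention is bounded instead of the default "never expire".
  RequestLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['/', ['/aws/lambda', !Ref VenafiCertRequestLambda]]
      RetentionInDays: 7  # days

  PolicyLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['/', ['/aws/lambda', !Ref VenafiCertPolicyLambda]]
      RetentionInDays: 7  # days

Outputs:
  CertRequestApi:
    # Description corrected: the stage is v1 and the endpoint is the certificate
    # request function, not the SAM "Hello World" sample text it was copied from.
    Description: "API Gateway endpoint URL for the v1 stage of the certificate request function"
    Value: !Sub "https://${VenafiLambdaApi}.execute-api.${AWS::Region}.amazonaws.com/v1/request/"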