template.yml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Venafi policy enforcement for AWS Private CA.

Metadata:
  AWS::ServerlessRepo::Application:
    Name: aws-private-ca-policy-venafi
    Description: Venafi Lambda functions for AWS that enforce enterprise security policy for the AWS Private CA.
    Author: Venafi
    SpdxLicenseId: Apache-2.0
    LicenseUrl: LICENSE.txt
    ReadmeUrl: README.md
    Labels: ['tls','ssl','certificates','aws-certificate-manager','venafi-platform','venafi-cloud']
    HomePageUrl: https://github.com/Venafi/aws-private-ca-policy-venafi
    SemanticVersion: 0.0.5
    SourceCodeUrl: https://github.com/Venafi/aws-private-ca-policy-venafi

Parameters:
  TPPUSER:
    Type: String
    Default: ""
  TPPPASSWORD:
    NoEcho : "true"
    Type: String
    Default: ""
  TPPAccessToken:
    NoEcho: "true"
    Type: String
    Default: ""
  TPPRefreshToken:
    NoEcho: "true"
    Type: String
    Default: ""
  TPPURL:
    Type: String
    Default: ""
  TrustBundle:
    Type: String
    Default: ""
  CLOUDURL:
    Type: String
    Default: ""
  CLOUDAPIKEY:
    NoEcho : "true"
    Default: ""
    Type: String
  SavePolicyFromRequest:
    Default: "false"
    Type: String
  DEFAULTZONE:
    Default: "Default"
    Type: String
  RequestLambdaRole:
    Default: "VenafiRequestLambdaRole"
    Type: String
  PolicyLambdaRole:
    Default: "VenafiPolicyLambdaRole"
    Type: String

Resources:
  VenafiLambdaApi:
    Type: AWS::Serverless::Api
    Properties:
      Name: VenafiLambdaApi
      StageName: v1
#      TODO: fix API gatewy logging enable
#      MethodSettings:
#        - LoggingLevel: ERROR
#          MetricsEnabled: true
      Auth:
        DefaultAuthorizer: AWS_IAM
        InvokeRole: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${RequestLambdaRole}'

  VenafiCertRequestLambda:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: cert-request
      Runtime: go1.x
      CodeUri: dist/cert-request
      Description: Venafi request with a RESTful API endpoint using Amazon API Gateway.
      MemorySize: 512
      Timeout: 10
      #TODO: provide json for creating a role
      Role: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${RequestLambdaRole}'
      Environment:
        Variables:
          SAVE_POLICY_FROM_REQUEST: !Ref  SavePolicyFromRequest
          DEFAULT_ZONE: !Ref DEFAULTZONE
      Policies:
        - CloudWatchPutMetricPolicy: {}
        - DynamoDBCrudPolicy:
            TableName:
              Ref: CertPolicyTable
      Events:
        ApiRequest:
          Type: Api
          Properties:
            Path: /request
            Method: POST
            RestApiId: !Ref VenafiLambdaApi
            Auth:
              Authorizer: AWS_IAM

  VenafiCertPolicyLambda:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: cert-policy
      Runtime: go1.x
      CodeUri: dist/cert-policy
      Description: Venafi policy with a RESTful API endpoint using Amazon API Gateway.
      MemorySize: 512
      Timeout: 10
      Role: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${PolicyLambdaRole}'
      Environment:
        Variables:
          TPPUSER: !Ref  TPPUSER
          TPPPASSWORD: !Ref TPPPASSWORD
          TPP_ACCESS_TOKEN: !Ref TPPAccessToken
          TPP_REFRESH_TOKEN: !Ref TPPRefreshToken
          TPPURL: !Ref TPPURL
          CLOUDURL: !Ref CLOUDURL
          CLOUDAPIKEY: !Ref CLOUDAPIKEY
          TRUST_BUNDLE: !Ref TrustBundle
      Policies:
        - CloudWatchPutMetricPolicy: {}
        - DynamoDBCrudPolicy:
            TableName:
              Ref: CertPolicyTable
      Events:
        Schedule:
          Type: Schedule
          Properties:
            Schedule: rate(1 minute)

  CertPolicyTable:
    Type: 'AWS::DynamoDB::Table'
    Properties:
      TableName: VenafiCertPolicy
      AttributeDefinitions:
        - AttributeName: PolicyID
          AttributeType: S
      KeySchema:
        - AttributeName: PolicyID
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 1
        WriteCapacityUnits: 1

  RequestLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['/', ['/aws/lambda', !Ref VenafiCertRequestLambda]]
      RetentionInDays: 7 # days

  PolicyLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['/', ['/aws/lambda', !Ref VenafiCertPolicyLambda]]
      RetentionInDays: 7 # days
Outputs:
  CertRequestApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${VenafiLambdaApi}.execute-api.${AWS::Region}.amazonaws.com/v1/request/"