Skip to content

Commit

Permalink
chore(CFN): add another KMS Key ARN for Key Store Testing (#236)
Browse files Browse the repository at this point in the history
  • Loading branch information
@texastony
texastony authored Mar 8, 2024
1 parent 83cfd2f commit bd549c8
Showing 1 changed file with 298 additions and 0 deletions.
298 changes: 298 additions & 0 deletions cfn/ESDK-Hierarchy-CI.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,298 @@
AWSTemplateFormatVersion: "2010-09-09"
Description: "DDB Table and IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"

Parameters:
TableName:
Type: String
Description: Test Table Name
Default: HierarchicalKeyringTestTable
KeyStoreTable:
Type: String
Description: Key Store Test Table Name
Default: KeyStoreTestTable
KeyStoreDdbTable:
Type: String
Description: Key Store DynamoDB Table Name
Default: KeyStoreDdbTable
ProjectName:
Type: String
Description: A prefix that will be applied to any names
# This must remain ESDK-Dafny, or several GHWs will break
Default: ESDK-Dafny
GitHubRepo:
Type: String
Description: GitHub Repo that invokes CI
Default: aws/private-aws-encryption-sdk-dafny-staging

Resources:
KeyStoreTestTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: "branch-key-id"
AttributeType: "S"
- AttributeName: "type"
AttributeType: "S"
- AttributeName: "status"
AttributeType: "S"
KeySchema:
- AttributeName: "branch-key-id"
KeyType: "HASH"
- AttributeName: "type"
KeyType: "RANGE"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
TableName: !Ref KeyStoreTable
GlobalSecondaryIndexes:
- IndexName: !Sub "Active-Keys"
KeySchema:
- AttributeName: "branch-key-id"
KeyType: "HASH"
- AttributeName: "status"
KeyType: "RANGE"
Projection:
ProjectionType: "ALL"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
- IndexName: !Sub "Active-Keys-KeyStoreTestTable"
KeySchema:
- AttributeName: "branch-key-id"
KeyType: "HASH"
- AttributeName: "status"
KeyType: "RANGE"
Projection:
ProjectionType: "ALL"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
KeyStoreTestDdbTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: "branch-key-id"
AttributeType: "S"
- AttributeName: "type"
AttributeType: "S"
KeySchema:
- AttributeName: "branch-key-id"
KeyType: "HASH"
- AttributeName: "type"
KeyType: "RANGE"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
TableName: !Ref KeyStoreDdbTable

HierarchicalKeyringTestTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: "branch-key-id"
AttributeType: "S"
- AttributeName: "version"
AttributeType: "S"
- AttributeName: "status"
AttributeType: "S"
KeySchema:
- AttributeName: "branch-key-id"
KeyType: "HASH"
- AttributeName: "version"
KeyType: "RANGE"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
TableName: !Ref TableName
GlobalSecondaryIndexes:
- IndexName: "Active-Keys"
KeySchema:
- AttributeName: "status"
KeyType: "HASH"
- AttributeName: "branch-key-id"
KeyType: "RANGE"
Projection:
ProjectionType: "ALL"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"

# This policy SHOULD be given to:
# - aws/private-aws-encryption-sdk-dafny-staging
# - ToolsDevelopment
HierarchicalKeyringTestTableUsage:
Type: "AWS::IAM::ManagedPolicy"
Properties:
Description: "Allow Read, Write, and Delete of Items in HierarchicalKeyringTestTable"
ManagedPolicyName: !Sub "${ProjectName}-DDB-ReadWriteDelete-${AWS::Region}"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- dynamodb:PutItem
- dynamodb:DeleteItem
- dynamodb:GetItem
- dynamodb:Query
Resource:
- !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}"
- !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}/index/*"
- Effect: Allow
Action:
- dynamodb:DescribeTable
- dynamodb:CreateTable
- dynamodb:PutItem
- dynamodb:DeleteItem
- dynamodb:GetItem
- dynamodb:Query
- dynamodb:ConditionCheckItem
- dynamodb:UpdateItem
Resource:
- !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${KeyStoreTable}"
- !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${KeyStoreTable}/index/*"
- Effect: Allow
Action:
- dynamodb:DescribeTable
- dynamodb:CreateTable
- dynamodb:PutItem
- dynamodb:DeleteItem
- dynamodb:GetItem
- dynamodb:Query
- dynamodb:ConditionCheckItem
- dynamodb:UpdateItem
Resource:
- !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${KeyStoreDdbTable}"
- !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${KeyStoreDdbTable}/index/*"

HierarchicalGitHubKMSKeyID:
Type: "AWS::KMS::Key"
Properties:
Description: KMS Key for GitHub Action Workflow
Enabled: true
KeyPolicy:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action: "kms:*"
Resource: "*"

HierarchicalGitHubKMSKeyIDTwo:
Type: "AWS::KMS::Key"
Properties:
Description: Another KMS Key for GitHub Action Workflow
Enabled: true
KeyPolicy:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action: "kms:*"
Resource: "*"

KMSUsage:
Type: "AWS::IAM::ManagedPolicy"
Properties:
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:ReEncrypt*",
"kms:DescribeKey",
"kms:CreateGrant",
"kms:ListGrant",
"kms:RevokeGrant"
],
"Resource": [
"arn:aws:kms:*:${AWS::AccountId}:key/${HierarchicalGitHubKMSKeyID}",
"arn:aws:kms:*:${AWS::AccountId}:key/${HierarchicalGitHubKMSKeyIDTwo}"
]
}
]
}
ManagedPolicyName: Hierarchical-GitHub-KMS-Key-Policy

RSAGitHubKMSKeyID:
Type: "AWS::KMS::Key"
Properties:
Description: KMS RSA Key for GitHub Action Workflow
Enabled: true
KeyPolicy:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action: "kms:*"
Resource: "*"
KeySpec: "RSA_2048"
KeyUsage: "ENCRYPT_DECRYPT"
MultiRegion: true

RSAKMSUsage:
Type: "AWS::IAM::ManagedPolicy"
Properties:
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:Generate*",
"kms:GetPublicKey",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:*:${AWS::AccountId}:key/${RSAGitHubKMSKeyID}"
}
]
}
ManagedPolicyName: RSA-GitHub-KMS-Key-Policy

# The MPL-Dafny Repo get access to everything here
# via the CI.yaml#GitHubCIRole
GitHubCIRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
Description: "Access DDB, KMS, Resources for CI from GitHub"
ManagedPolicyArns:
- "arn:aws:iam::370957321024:policy/PolymorphTestModels-KMS-us-west-2"
- !Ref KMSUsage
- !Ref RSAKMSUsage
- "arn:aws:iam::370957321024:policy/PolymorphTestModels-DDB-ReadWriteDelete-us-west-2"
- !Ref HierarchicalKeyringTestTableUsage
AssumeRolePolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
}
}
},
{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" },
"Action": "sts:AssumeRole"
}
]
}

0 comments on commit bd549c8

Please sign in to comment.