#  Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
#  the License. A copy of the License is located at
#      http://aws.amazon.com/apache2.0/
#  or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
#  CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
#  limitations under the License.

AWSTemplateFormatVersion: '2010-09-09'
Description: Creates a CMK in KMS and grants access to other accounts
Parameters:
  ToolsAccount:
    Description: AWS AccountNumber for Tools account
    Type: Number
Resources:
  CodePipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub CodePipelineRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              AWS:
                - !Ref ToolsAccount
            Action:
              - sts:AssumeRole
      Path: /
  CloudFormationExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub CloudFormationExecutionRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Used by Assumed Roles in Dev/Test/Prod accounts to Encrypt/Decrypt code
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Id: !Ref AWS::StackName
        Statement:
          -
            Sid: Allows admin of the key
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          -
            Sid: Allow use of the key for CryptoGraphy Lambda
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${ToolsAccount}:root
                - !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
  KMSAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/codepipeline-crossaccounts
      TargetKeyId: !Ref KMSKey
Outputs:
  CMKArn:
    Value: !GetAtt KMSKey.Arn