#  Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
#  the License. A copy of the License is located at
#      http://aws.amazon.com/apache2.0/
#  or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
#  CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
#  limitations under the License.

AWSTemplateFormatVersion: '2010-09-09'
Description: Creates a CMK in KMS and grants access to other accounts
Parameters:
  NonProdAccount:
    Description: AWS AccountNumber for the non-prod account
    Type: Number
  ProjectName:
    Description: Name of the Project
    Type: String
  CodeBuildCondition:
    Description: Conditionally adds the access required by code build project role
    Type: String
    Default: false
Conditions:
  AddCodeBuildResource: !Equals [ !Ref CodeBuildCondition, true ]
Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Used by Assumed Roles in Non Prod accounts to Encrypt/Decrypt code
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Id: !Ref AWS::StackName
        Statement:
          -
            Sid: Allows admin of the key
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          -
            Sid: Allow use of the key for CryptoGraphy Lambda
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${NonProdAccount}:root
                - !Sub arn:aws:iam::${AWS::AccountId}:root
                - !If
                  - AddCodeBuildResource
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/${ProjectName}-CodeBuildRole
                  - !Ref AWS::NoValue
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
  KMSAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/codepipeline-crossaccounts-${ProjectName}
      TargetKeyId: !Ref KMSKey
  ArtifactBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
Outputs:
  CMK:
    Value: !GetAtt [KMSKey,Arn]
  ArtifactBucket:
    Value: !Ref ArtifactBucket