// Jest Snapshot v1, https://goo.gl/fbAQLP
// Jest snapshot of the CloudFormation templates synthesized by the two CDK
// stacks under test ("Test Common Stack" and "Test onPrem IAM ROle Anywhere
// Stack"). The template text is generated: after an intentional stack change,
// regenerate it with `jest -u` instead of editing the strings by hand, or the
// snapshot assertion will fail.
//
// Review notes on the "Test Common Stack" template (read-only; any change goes
// into the stack source, not this file):
// - `managedpolicyid28DFA06F` scopes the secretsmanager actions to the single
//   secret (`"Resource": {"Ref": "App1Secret46548AA8"}`) and additionally
//   requires the `appenv`/`appfunc`/`appid` resource tags to equal the caller's
//   principal tags; a principal without those tags gets no match.
// - The KMS key policy has a statement with `"Principal": {"AWS": "*"}`; it is
//   bounded by `kms:CallerAccount` (this account) and `kms:ViaService` (Secrets
//   Manager in this region), so it does not extend use of the key outside the
//   account.
// - `App1Secret46548AA8` is `"DeletionPolicy": "Delete"` while the CMK is
//   `Retain`; confirm that split is intended for the `dev` environment.
// - Both interface-endpoint security groups admit only tcp/443 from the VPC
//   CIDR; the `0.0.0.0/0` egress rule is the CDK default.
exports[`Test Common Stack 1`] = ` Object { "Outputs": Object { "newVpcAndEndpointsIsolatedSubnetId01946D04CC": Object { "Description": "Isolated subnet # 1", "Export": Object { "Name": "SampleAppVpcId:IsolatedSubnet01", }, "Value": Object { "Ref": "newVpcAndEndpointsVPCrdsSubnet1SubnetAAF23892", }, }, "newVpcAndEndpointsIsolatedSubnetId0208B944E6": Object { "Description": "Isolated subnet # 2", "Export": Object { "Name": "SampleAppVpcId:IsolatedSubnet02", }, "Value": Object { "Ref": "newVpcAndEndpointsVPCrdsSubnet2SubnetA06161AB", }, }, "newVpcAndEndpointsVpcIdExportFD71A228": Object { "Description": "Id of VPC created by Ops Private Rate Card Infra CDK", "Export": Object { "Name": "SampleAppVpcId", }, "Value": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, }, "Parameters": Object { "BootstrapVersion": Object { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": Object { "ASMStringParameterB45CE60C": Object { "Properties": Object { "Description": "SSM Parameter to store Secrets ARN foranIdForMyApp", "Name": "/anIdForMyApp/api/dev/myAppSecrets-AsmSsmPara", "Type": "String", "Value": Object { "Ref": "App1Secret46548AA8", }, }, "Type": "AWS::SSM::Parameter", }, "App1Secret46548AA8": Object { "DeletionPolicy": "Delete", "Properties": Object { "GenerateSecretString": Object { "ExcludeCharacters": "\\"@/\\\\", "GenerateStringKey": "password", "SecretStringTemplate": "{\\"database\\":\\"fill_name_of_the_database\\",\\"username\\":\\"fill_username\\"}", }, "KmsKeyId": Object { "Fn::GetAtt": Array [ "SecretsManagerCMKE4C0BBB5", "Arn", ], }, "Name": "/anIdForMyApp/api/dev/myAppSecrets", "Tags": Array [ Object { "Key": "appenv", "Value": "dev", }, Object { "Key": "appfunc", "Value": "api", }, Object { "Key": "appid", "Value": "anIdForMyApp", }, Object { "Key": "dataclassification", "Value": "confidential", }, Object { "Key": "name", "Value": "myAppSecrets", }, ], }, "Type": "AWS::SecretsManager::Secret", "UpdateReplacePolicy": "Delete", }, "IAMPolicyStringParameterC3B35652": Object { "Properties": Object { "Description": "SSM Parameter to store IAM Policy ARN foranIdForMyApp", "Name": "/anIdForMyApp/api/dev/myAppSecrets-IAMSsmPara", "Type": "String", "Value": Object { "Ref": "managedpolicyid28DFA06F", }, }, "Type": "AWS::SSM::Parameter", }, "SecretsManagerCMKAlias76BDF7E4": Object { "Properties": Object { "AliasName": "alias/anIdForMyApp/api/dev/myAppSecrets/kmsKey", "TargetKeyId": Object { "Fn::GetAtt": Array [ "SecretsManagerCMKE4C0BBB5", "Arn", ], }, }, "Type": "AWS::KMS::Alias", }, "SecretsManagerCMKE4C0BBB5": Object { "DeletionPolicy": "Retain", "Properties": Object { "Description": "KMS key to manageanIdForMyAppkeys in Secrets Manager", "EnableKeyRotation": true, "KeyPolicy": Object { "Statement": Array [ Object { "Action": "kms:*", "Effect": "Allow", 
"Principal": Object { "AWS": Object { "Fn::Join": Array [ "", Array [ "arn:", Object { "Ref": "AWS::Partition", }, ":iam::", Object { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", }, Object { "Action": Array [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:CreateGrant", "kms:DescribeKey", "kms:GenerateDataKey", ], "Condition": Object { "StringEquals": Object { "kms:CallerAccount": Object { "Ref": "AWS::AccountId", }, "kms:ViaService": Object { "Fn::Join": Array [ "", Array [ "secretsmanager.", Object { "Ref": "AWS::Region", }, ".amazonaws.com", ], ], }, }, }, "Effect": "Allow", "Principal": Object { "AWS": "*", }, "Resource": "*", }, Object { "Action": Array [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Condition": Object { "StringEquals": Object { "kms:ViaService": Object { "Fn::Join": Array [ "", Array [ "secretsmanager.", Object { "Ref": "AWS::Region", }, ".amazonaws.com", ], ], }, }, }, "Effect": "Allow", "Principal": Object { "AWS": Object { "Fn::Join": Array [ "", Array [ "arn:", Object { "Ref": "AWS::Partition", }, ":iam::", Object { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", }, Object { "Action": Array [ "kms:CreateGrant", "kms:DescribeKey", ], "Condition": Object { "StringEquals": Object { "kms:ViaService": Object { "Fn::Join": Array [ "", Array [ "secretsmanager.", Object { "Ref": "AWS::Region", }, ".amazonaws.com", ], ], }, }, }, "Effect": "Allow", "Principal": Object { "AWS": Object { "Fn::Join": Array [ "", Array [ "arn:", Object { "Ref": "AWS::Partition", }, ":iam::", Object { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Retain", }, "managedpolicyid28DFA06F": Object { "Properties": Object { "Description": "ABAC IAM Policy that will allows Secret access for anIdForMyApp", "Path": "/", "PolicyDocument": Object { "Statement": Array [ Object { "Action": Array [ 
"secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret", "secretsmanager:DeleteSecret", "secretsmanager:DescribeSecret", ], "Condition": Object { "StringEquals": Object { "secretsmanager:ResourceTag/appenv": "\${aws:PrincipalTag/appenv}", "secretsmanager:ResourceTag/appfunc": "\${aws:PrincipalTag/appfunc}", "secretsmanager:ResourceTag/appid": "\${aws:PrincipalTag/appid}", }, }, "Effect": "Allow", "Resource": Object { "Ref": "App1Secret46548AA8", }, "Sid": "AccessBasedOnResourceTags", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::ManagedPolicy", }, "newVpcAndEndpointsSampleVPCStringParameter2468A3D2": Object { "Properties": Object { "Description": "SSM Parameter to store IAM Policy ARN foranIdForMyApp", "Name": "/anIdForMyApp/api/dev/myAppSecrets-appVpcSsmParam", "Type": "String", "Value": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::SSM::Parameter", }, "newVpcAndEndpointsVPCB9C41036": Object { "Properties": Object { "CidrBlock": "172.31.0.0/16", "EnableDnsHostnames": true, "EnableDnsSupport": true, "InstanceTenancy": "default", "Tags": Array [ Object { "Key": "Name", "Value": "SampleVPCStack VPC", }, ], }, "Type": "AWS::EC2::VPC", }, "newVpcAndEndpointsVPCIGW4FD796B6": Object { "Properties": Object { "Tags": Array [ Object { "Key": "Name", "Value": "SampleVPCStack VPC", }, ], }, "Type": "AWS::EC2::InternetGateway", }, "newVpcAndEndpointsVPCKMSEndpoint257A58F2": Object { "Properties": Object { "PrivateDnsEnabled": true, "SecurityGroupIds": Array [ Object { "Fn::GetAtt": Array [ "newVpcAndEndpointsVPCKMSEndpointSecurityGroup095F70B2", "GroupId", ], }, ], "ServiceName": Object { "Fn::Join": Array [ "", Array [ "com.amazonaws.", Object { "Ref": "AWS::Region", }, ".kms", ], ], }, "SubnetIds": Array [ Object { "Ref": "newVpcAndEndpointsVPCapplicationSubnet1SubnetC27AAA86", }, Object { "Ref": "newVpcAndEndpointsVPCapplicationSubnet2Subnet66C7C06B", }, ], "VpcEndpointType": "Interface", "VpcId": 
Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::VPCEndpoint", }, "newVpcAndEndpointsVPCKMSEndpointSecurityGroup095F70B2": Object { "Properties": Object { "GroupDescription": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/KMSEndpoint/SecurityGroup", "SecurityGroupEgress": Array [ Object { "CidrIp": "0.0.0.0/0", "Description": "Allow all outbound traffic by default", "IpProtocol": "-1", }, ], "SecurityGroupIngress": Array [ Object { "CidrIp": Object { "Fn::GetAtt": Array [ "newVpcAndEndpointsVPCB9C41036", "CidrBlock", ], }, "Description": Object { "Fn::Join": Array [ "", Array [ "from ", Object { "Fn::GetAtt": Array [ "newVpcAndEndpointsVPCB9C41036", "CidrBlock", ], }, ":443", ], ], }, "FromPort": 443, "IpProtocol": "tcp", "ToPort": 443, }, ], "Tags": Array [ Object { "Key": "Name", "Value": "SampleVPCStack VPC", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::SecurityGroup", }, "newVpcAndEndpointsVPCSecretsManagerEndpoint81EE4C6F": Object { "Properties": Object { "PrivateDnsEnabled": true, "SecurityGroupIds": Array [ Object { "Fn::GetAtt": Array [ "newVpcAndEndpointsVPCSecretsManagerEndpointSecurityGroup6BEB1F9D", "GroupId", ], }, ], "ServiceName": Object { "Fn::Join": Array [ "", Array [ "com.amazonaws.", Object { "Ref": "AWS::Region", }, ".secretsmanager", ], ], }, "SubnetIds": Array [ Object { "Ref": "newVpcAndEndpointsVPCapplicationSubnet1SubnetC27AAA86", }, Object { "Ref": "newVpcAndEndpointsVPCapplicationSubnet2Subnet66C7C06B", }, ], "VpcEndpointType": "Interface", "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::VPCEndpoint", }, "newVpcAndEndpointsVPCSecretsManagerEndpointSecurityGroup6BEB1F9D": Object { "Properties": Object { "GroupDescription": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/SecretsManagerEndpoint/SecurityGroup", "SecurityGroupEgress": Array [ Object { "CidrIp": "0.0.0.0/0", "Description": "Allow all outbound traffic by 
default", "IpProtocol": "-1", }, ], "SecurityGroupIngress": Array [ Object { "CidrIp": Object { "Fn::GetAtt": Array [ "newVpcAndEndpointsVPCB9C41036", "CidrBlock", ], }, "Description": Object { "Fn::Join": Array [ "", Array [ "from ", Object { "Fn::GetAtt": Array [ "newVpcAndEndpointsVPCB9C41036", "CidrBlock", ], }, ":443", ], ], }, "FromPort": 443, "IpProtocol": "tcp", "ToPort": 443, }, ], "Tags": Array [ Object { "Key": "Name", "Value": "SampleVPCStack VPC", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::SecurityGroup", }, "newVpcAndEndpointsVPCVPCGW167579E5": Object { "Properties": Object { "InternetGatewayId": Object { "Ref": "newVpcAndEndpointsVPCIGW4FD796B6", }, "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::VPCGatewayAttachment", }, "newVpcAndEndpointsVPCapplicationSubnet1DefaultRoute80B7EFE1": Object { "Properties": Object { "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": Object { "Ref": "newVpcAndEndpointsVPCingressSubnet1NATGatewayED515B51", }, "RouteTableId": Object { "Ref": "newVpcAndEndpointsVPCapplicationSubnet1RouteTableE743C18E", }, }, "Type": "AWS::EC2::Route", }, "newVpcAndEndpointsVPCapplicationSubnet1RouteTableAssociation3DB708CE": Object { "Properties": Object { "RouteTableId": Object { "Ref": "newVpcAndEndpointsVPCapplicationSubnet1RouteTableE743C18E", }, "SubnetId": Object { "Ref": "newVpcAndEndpointsVPCapplicationSubnet1SubnetC27AAA86", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "newVpcAndEndpointsVPCapplicationSubnet1RouteTableE743C18E": Object { "Properties": Object { "Tags": Array [ Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/applicationSubnet1", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::RouteTable", }, "newVpcAndEndpointsVPCapplicationSubnet1SubnetC27AAA86": Object { "Properties": Object { "AvailabilityZone": Object { "Fn::Select": Array [ 0, Object { 
"Fn::GetAZs": "", }, ], }, "CidrBlock": "172.31.2.0/24", "MapPublicIpOnLaunch": false, "Tags": Array [ Object { "Key": "aws-cdk:subnet-name", "Value": "application", }, Object { "Key": "aws-cdk:subnet-type", "Value": "Private", }, Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/applicationSubnet1", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::Subnet", }, "newVpcAndEndpointsVPCapplicationSubnet2DefaultRoute4236CE93": Object { "Properties": Object { "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": Object { "Ref": "newVpcAndEndpointsVPCingressSubnet2NATGatewayA5A51F4F", }, "RouteTableId": Object { "Ref": "newVpcAndEndpointsVPCapplicationSubnet2RouteTable3F55D166", }, }, "Type": "AWS::EC2::Route", }, "newVpcAndEndpointsVPCapplicationSubnet2RouteTable3F55D166": Object { "Properties": Object { "Tags": Array [ Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/applicationSubnet2", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::RouteTable", }, "newVpcAndEndpointsVPCapplicationSubnet2RouteTableAssociation646BFF43": Object { "Properties": Object { "RouteTableId": Object { "Ref": "newVpcAndEndpointsVPCapplicationSubnet2RouteTable3F55D166", }, "SubnetId": Object { "Ref": "newVpcAndEndpointsVPCapplicationSubnet2Subnet66C7C06B", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "newVpcAndEndpointsVPCapplicationSubnet2Subnet66C7C06B": Object { "Properties": Object { "AvailabilityZone": Object { "Fn::Select": Array [ 1, Object { "Fn::GetAZs": "", }, ], }, "CidrBlock": "172.31.3.0/24", "MapPublicIpOnLaunch": false, "Tags": Array [ Object { "Key": "aws-cdk:subnet-name", "Value": "application", }, Object { "Key": "aws-cdk:subnet-type", "Value": "Private", }, Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/applicationSubnet2", }, ], "VpcId": Object { "Ref": 
"newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::Subnet", }, "newVpcAndEndpointsVPCingressSubnet1DefaultRoute5160F750": Object { "DependsOn": Array [ "newVpcAndEndpointsVPCVPCGW167579E5", ], "Properties": Object { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": Object { "Ref": "newVpcAndEndpointsVPCIGW4FD796B6", }, "RouteTableId": Object { "Ref": "newVpcAndEndpointsVPCingressSubnet1RouteTable5C16BDFD", }, }, "Type": "AWS::EC2::Route", }, "newVpcAndEndpointsVPCingressSubnet1EIPA64600DB": Object { "Properties": Object { "Domain": "vpc", "Tags": Array [ Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/ingressSubnet1", }, ], }, "Type": "AWS::EC2::EIP", }, "newVpcAndEndpointsVPCingressSubnet1NATGatewayED515B51": Object { "Properties": Object { "AllocationId": Object { "Fn::GetAtt": Array [ "newVpcAndEndpointsVPCingressSubnet1EIPA64600DB", "AllocationId", ], }, "SubnetId": Object { "Ref": "newVpcAndEndpointsVPCingressSubnet1Subnet1DBA746B", }, "Tags": Array [ Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/ingressSubnet1", }, ], }, "Type": "AWS::EC2::NatGateway", }, "newVpcAndEndpointsVPCingressSubnet1RouteTable5C16BDFD": Object { "Properties": Object { "Tags": Array [ Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/ingressSubnet1", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::RouteTable", }, "newVpcAndEndpointsVPCingressSubnet1RouteTableAssociation904DDA16": Object { "Properties": Object { "RouteTableId": Object { "Ref": "newVpcAndEndpointsVPCingressSubnet1RouteTable5C16BDFD", }, "SubnetId": Object { "Ref": "newVpcAndEndpointsVPCingressSubnet1Subnet1DBA746B", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "newVpcAndEndpointsVPCingressSubnet1Subnet1DBA746B": Object { "Properties": Object { "AvailabilityZone": Object { "Fn::Select": Array [ 0, Object { "Fn::GetAZs": "", }, ], }, 
"CidrBlock": "172.31.0.0/24", "MapPublicIpOnLaunch": true, "Tags": Array [ Object { "Key": "aws-cdk:subnet-name", "Value": "ingress", }, Object { "Key": "aws-cdk:subnet-type", "Value": "Public", }, Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/ingressSubnet1", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::Subnet", }, "newVpcAndEndpointsVPCingressSubnet2DefaultRoute46105FD6": Object { "DependsOn": Array [ "newVpcAndEndpointsVPCVPCGW167579E5", ], "Properties": Object { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": Object { "Ref": "newVpcAndEndpointsVPCIGW4FD796B6", }, "RouteTableId": Object { "Ref": "newVpcAndEndpointsVPCingressSubnet2RouteTable94B9615D", }, }, "Type": "AWS::EC2::Route", }, "newVpcAndEndpointsVPCingressSubnet2EIPAC597823": Object { "Properties": Object { "Domain": "vpc", "Tags": Array [ Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/ingressSubnet2", }, ], }, "Type": "AWS::EC2::EIP", }, "newVpcAndEndpointsVPCingressSubnet2NATGatewayA5A51F4F": Object { "Properties": Object { "AllocationId": Object { "Fn::GetAtt": Array [ "newVpcAndEndpointsVPCingressSubnet2EIPAC597823", "AllocationId", ], }, "SubnetId": Object { "Ref": "newVpcAndEndpointsVPCingressSubnet2SubnetD8B5013C", }, "Tags": Array [ Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/ingressSubnet2", }, ], }, "Type": "AWS::EC2::NatGateway", }, "newVpcAndEndpointsVPCingressSubnet2RouteTable94B9615D": Object { "Properties": Object { "Tags": Array [ Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/ingressSubnet2", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::RouteTable", }, "newVpcAndEndpointsVPCingressSubnet2RouteTableAssociation907BC38A": Object { "Properties": Object { "RouteTableId": Object { "Ref": 
"newVpcAndEndpointsVPCingressSubnet2RouteTable94B9615D", }, "SubnetId": Object { "Ref": "newVpcAndEndpointsVPCingressSubnet2SubnetD8B5013C", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "newVpcAndEndpointsVPCingressSubnet2SubnetD8B5013C": Object { "Properties": Object { "AvailabilityZone": Object { "Fn::Select": Array [ 1, Object { "Fn::GetAZs": "", }, ], }, "CidrBlock": "172.31.1.0/24", "MapPublicIpOnLaunch": true, "Tags": Array [ Object { "Key": "aws-cdk:subnet-name", "Value": "ingress", }, Object { "Key": "aws-cdk:subnet-type", "Value": "Public", }, Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/ingressSubnet2", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::Subnet", }, "newVpcAndEndpointsVPCrdsSubnet1RouteTableAssociationE9F2A32A": Object { "Properties": Object { "RouteTableId": Object { "Ref": "newVpcAndEndpointsVPCrdsSubnet1RouteTableDD7EC174", }, "SubnetId": Object { "Ref": "newVpcAndEndpointsVPCrdsSubnet1SubnetAAF23892", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "newVpcAndEndpointsVPCrdsSubnet1RouteTableDD7EC174": Object { "Properties": Object { "Tags": Array [ Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/rdsSubnet1", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::RouteTable", }, "newVpcAndEndpointsVPCrdsSubnet1SubnetAAF23892": Object { "Properties": Object { "AvailabilityZone": Object { "Fn::Select": Array [ 0, Object { "Fn::GetAZs": "", }, ], }, "CidrBlock": "172.31.4.0/28", "MapPublicIpOnLaunch": false, "Tags": Array [ Object { "Key": "aws-cdk:subnet-name", "Value": "rds", }, Object { "Key": "aws-cdk:subnet-type", "Value": "Isolated", }, Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/rdsSubnet1", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::Subnet", }, 
"newVpcAndEndpointsVPCrdsSubnet2RouteTableAssociation0B75C48C": Object { "Properties": Object { "RouteTableId": Object { "Ref": "newVpcAndEndpointsVPCrdsSubnet2RouteTableD3A4CA88", }, "SubnetId": Object { "Ref": "newVpcAndEndpointsVPCrdsSubnet2SubnetA06161AB", }, }, "Type": "AWS::EC2::SubnetRouteTableAssociation", }, "newVpcAndEndpointsVPCrdsSubnet2RouteTableD3A4CA88": Object { "Properties": Object { "Tags": Array [ Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/rdsSubnet2", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::RouteTable", }, "newVpcAndEndpointsVPCrdsSubnet2SubnetA06161AB": Object { "Properties": Object { "AvailabilityZone": Object { "Fn::Select": Array [ 1, Object { "Fn::GetAZs": "", }, ], }, "CidrBlock": "172.31.4.16/28", "MapPublicIpOnLaunch": false, "Tags": Array [ Object { "Key": "aws-cdk:subnet-name", "Value": "rds", }, Object { "Key": "aws-cdk:subnet-type", "Value": "Isolated", }, Object { "Key": "Name", "Value": "commonSecretsAndIamPolicyStack/newVpcAndEndpoints/VPC/rdsSubnet2", }, ], "VpcId": Object { "Ref": "newVpcAndEndpointsVPCB9C41036", }, }, "Type": "AWS::EC2::Subnet", }, }, "Rules": Object { "CheckBootstrapVersion": Object { "Assertions": Array [ Object { "Assert": Object { "Fn::Not": Array [ Object { "Fn::Contains": Array [ Array [ "1", "2", "3", "4", "5", ], Object { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. 
Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `;
// Review notes on the "Test onPrem IAM ROle Anywhere Stack" template (read-only;
// any change goes into the stack source, not this file):
// - The trust policy of `onPremAppRole` allows `rolesanywhere.amazonaws.com`
//   to `sts:AssumeRole` / `sts:TagSession` / `sts:SetSourceIdentity` with no
//   `Condition`, so it is not tied to the `TrustAnchor` resource defined in the
//   same template. The usual hardening is an `ArnEquals` condition on
//   `aws:SourceArn` naming that trust anchor's ARN, so only certificates issued
//   under this private CA can obtain sessions for the role.
// - `managedpolicyid28DFA06F` in this stack uses `"Resource": "*"` (the Common
//   Stack's copy of the policy references the specific secret instead), so
//   access rests entirely on the `secretsmanager:ResourceTag/*` ==
//   `aws:PrincipalTag/*` conditions and on the `appenv`/`appfunc`/`appid` tags
//   set on `onPremAppRole`; the profile's `DurationSeconds: 900` keeps those
//   sessions short-lived.
// - The CRL bucket policy grants `acm-pca.amazonaws.com` `s3:PutObject` /
//   `s3:PutObjectAcl` / `s3:GetBucketAcl` / `s3:GetBucketLocation` with no
//   `aws:SourceAccount` / `aws:SourceArn` condition; adding one is the standard
//   confused-deputy mitigation for service-principal grants. Both buckets
//   already deny non-TLS access via `aws:SecureTransport`.
exports[`Test onPrem IAM ROle Anywhere Stack 1`] = ` Object { "Outputs": Object { "PrivateInternalCertificateAuthorityAuthorityArn9C514295": Object { "Description": "Private CA ARN for roles.anywhere.rootca", "Export": Object { "Name": "PrivateCertificateAuthorityArnForRolesAnywhereRootca", }, "Value": Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityPrivateCertificateAuthority85E7647E", "Arn", ], }, }, "PrivateInternalCertificateAuthoritySelfSignedCertificateArn85EB68E3": Object { "Description": "Private CA self-signed certificate ARN for roles.anywhere.rootca", "Export": Object { "Name": "PrivateCertificateAuthoritySelfSignedCertificateArnForRolesAnywhereRootca", }, "Value": Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthoritySelfSignedActivationCertificate019E2C7F", "Arn", ], }, }, }, "Parameters": Object { "BootstrapVersion": Object { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": Object { "IAMRoleARNStringParameterEA2072D6": Object { "DependsOn": Array [ "onPremAppRole", ], "Properties": Object { "Description": "SSM Parameter to store PCA ARN foranIdForMyApp", "Name": "/anIdForMyApp/api/dev/myAppSecrets-onPremAppRoleSsmParam", "Type": "String", "Value": Object { "Fn::GetAtt": Array [ "onPremAppRole", "Arn", ], }, }, "Type": "AWS::SSM::Parameter", }, "PCAARNStringParameter25558648": Object { "DependsOn": Array [ "PrivateInternalCertificateAuthorityAcmPcaPermission11EB8395", "PrivateInternalCertificateAuthorityCertificateAuthorityActivationE72889AA", "PrivateInternalCertificateAuthorityCrlBucketPolicyAC998358", "PrivateInternalCertificateAuthorityCrlBucket50E75510", "PrivateInternalCertificateAuthorityLoggingBucketPolicy94D7B562", "PrivateInternalCertificateAuthorityLoggingBucketB426DCFB", "PrivateInternalCertificateAuthorityPrivateCertificateAuthority85E7647E", "PrivateInternalCertificateAuthoritySelfSignedActivationCertificate019E2C7F", ], "Properties": Object { "Description": "SSM Parameter to store PCA ARN foranIdForMyApp", "Name": "/anIdForMyApp/api/dev/myAppSecrets-pcaArnSsmParam", "Type": "String", "Value": Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityPrivateCertificateAuthority85E7647E", "Arn", ], }, }, "Type": "AWS::SSM::Parameter", }, "PrivateInternalCertificateAuthorityAcmPcaPermission11EB8395": Object { "Properties": Object { "Actions": Array [ "IssueCertificate", "GetCertificate", "ListPermissions", ], "CertificateAuthorityArn": Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityPrivateCertificateAuthority85E7647E", "Arn", ], }, "Principal": "acm.amazonaws.com", }, "Type": "AWS::ACMPCA::Permission", }, "PrivateInternalCertificateAuthorityCertificateAuthorityActivationE72889AA": Object { "Properties": Object { "Certificate": Object { "Fn::GetAtt": Array [ 
"PrivateInternalCertificateAuthoritySelfSignedActivationCertificate019E2C7F", "Certificate", ], }, "CertificateAuthorityArn": Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityPrivateCertificateAuthority85E7647E", "Arn", ], }, }, "Type": "AWS::ACMPCA::CertificateAuthorityActivation", }, "PrivateInternalCertificateAuthorityCrlBucket50E75510": Object { "DeletionPolicy": "Retain", "Properties": Object { "BucketEncryption": Object { "ServerSideEncryptionConfiguration": Array [ Object { "ServerSideEncryptionByDefault": Object { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": Object { "DestinationBucketName": Object { "Ref": "PrivateInternalCertificateAuthorityLoggingBucketB426DCFB", }, }, "VersioningConfiguration": Object { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, "PrivateInternalCertificateAuthorityCrlBucketPolicyAC998358": Object { "Properties": Object { "Bucket": Object { "Ref": "PrivateInternalCertificateAuthorityCrlBucket50E75510", }, "PolicyDocument": Object { "Statement": Array [ Object { "Action": "s3:*", "Condition": Object { "Bool": Object { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": Object { "AWS": "*", }, "Resource": Array [ Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityCrlBucket50E75510", "Arn", ], }, Object { "Fn::Join": Array [ "", Array [ Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityCrlBucket50E75510", "Arn", ], }, "/*", ], ], }, ], }, Object { "Action": Array [ "s3:PutObject", "s3:PutObjectAcl", "s3:GetBucketAcl", "s3:GetBucketLocation", ], "Effect": "Allow", "Principal": Object { "Service": "acm-pca.amazonaws.com", }, "Resource": Array [ Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityCrlBucket50E75510", "Arn", ], }, Object { "Fn::Join": Array [ "", Array [ Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityCrlBucket50E75510", "Arn", ], }, "/*", ], ], }, ], }, ], 
"Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "PrivateInternalCertificateAuthorityLoggingBucketB426DCFB": Object { "DeletionPolicy": "Retain", "Properties": Object { "AccessControl": "LogDeliveryWrite", "BucketEncryption": Object { "ServerSideEncryptionConfiguration": Array [ Object { "ServerSideEncryptionByDefault": Object { "SSEAlgorithm": "AES256", }, }, ], }, "LifecycleConfiguration": Object { "Rules": Array [ Object { "ExpirationInDays": 3650, "NoncurrentVersionExpiration": Object { "NoncurrentDays": 3650, }, "Status": "Enabled", }, ], }, "VersioningConfiguration": Object { "Status": "Enabled", }, }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, "PrivateInternalCertificateAuthorityLoggingBucketPolicy94D7B562": Object { "Properties": Object { "Bucket": Object { "Ref": "PrivateInternalCertificateAuthorityLoggingBucketB426DCFB", }, "PolicyDocument": Object { "Statement": Array [ Object { "Action": "s3:*", "Condition": Object { "Bool": Object { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": Object { "AWS": "*", }, "Resource": Array [ Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityLoggingBucketB426DCFB", "Arn", ], }, Object { "Fn::Join": Array [ "", Array [ Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityLoggingBucketB426DCFB", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "PrivateInternalCertificateAuthorityPrivateCertificateAuthority85E7647E": Object { "DependsOn": Array [ "PrivateInternalCertificateAuthorityCrlBucketPolicyAC998358", ], "Properties": Object { "KeyAlgorithm": "RSA_2048", "RevocationConfiguration": Object { "CrlConfiguration": Object { "CustomCname": "roles.anywhere.rootca", "Enabled": true, "ExpirationInDays": 30, "S3BucketName": Object { "Ref": "PrivateInternalCertificateAuthorityCrlBucket50E75510", }, "S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL", }, }, "SigningAlgorithm": "SHA256WITHRSA", 
"Subject": Object { "CommonName": "roles.anywhere.rootca", "Country": "AU", "Locality": "Sydney", "Organization": "AwesomeExampleAtWork", "OrganizationalUnit": "AwesomeTeamAtWork", "State": "NSW", }, "Type": "ROOT", }, "Type": "AWS::ACMPCA::CertificateAuthority", }, "PrivateInternalCertificateAuthoritySelfSignedActivationCertificate019E2C7F": Object { "Properties": Object { "CertificateAuthorityArn": Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityPrivateCertificateAuthority85E7647E", "Arn", ], }, "CertificateSigningRequest": Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityPrivateCertificateAuthority85E7647E", "CertificateSigningRequest", ], }, "SigningAlgorithm": "SHA256WITHRSA", "TemplateArn": Object { "Fn::Join": Array [ "", Array [ "arn:", Object { "Ref": "AWS::Partition", }, ":acm-pca:::template/RootCACertificate/V1", ], ], }, "Validity": Object { "Type": "YEARS", "Value": 3, }, }, "Type": "AWS::ACMPCA::Certificate", }, "TrustAnchor": Object { "DependsOn": Array [ "PrivateInternalCertificateAuthorityAcmPcaPermission11EB8395", "PrivateInternalCertificateAuthorityCertificateAuthorityActivationE72889AA", "PrivateInternalCertificateAuthorityCrlBucketPolicyAC998358", "PrivateInternalCertificateAuthorityCrlBucket50E75510", "PrivateInternalCertificateAuthorityLoggingBucketPolicy94D7B562", "PrivateInternalCertificateAuthorityLoggingBucketB426DCFB", "PrivateInternalCertificateAuthorityPrivateCertificateAuthority85E7647E", "PrivateInternalCertificateAuthoritySelfSignedActivationCertificate019E2C7F", ], "Properties": Object { "Enabled": true, "Name": "onPremAppTrustAnchor", "Source": Object { "SourceData": Object { "AcmPcaArn": Object { "Fn::GetAtt": Array [ "PrivateInternalCertificateAuthorityPrivateCertificateAuthority85E7647E", "Arn", ], }, }, "SourceType": "AWS_ACM_PCA", }, }, "Type": "AWS::RolesAnywhere::TrustAnchor", }, "managedpolicyid28DFA06F": Object { "Properties": Object { "Description": "ABAC IAM Policy that will allows 
Secret access for anIdForMyApp", "Path": "/", "PolicyDocument": Object { "Statement": Array [ Object { "Action": Array [ "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret", "secretsmanager:DeleteSecret", ], "Condition": Object { "StringEquals": Object { "secretsmanager:ResourceTag/appenv": "\${aws:PrincipalTag/appenv}", "secretsmanager:ResourceTag/appfunc": "\${aws:PrincipalTag/appfunc}", "secretsmanager:ResourceTag/appid": "\${aws:PrincipalTag/appid}", }, }, "Effect": "Allow", "Resource": "*", "Sid": "AccessBasedOnResourceTags", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::ManagedPolicy", }, "onPremAppRole": Object { "Properties": Object { "AssumeRolePolicyDocument": Object { "Statement": Array [ Object { "Action": Array [ "sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity", ], "Effect": "Allow", "Principal": Object { "Service": "rolesanywhere.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Description": "Role that grants secrets fetch powered by ABAC", "ManagedPolicyArns": Array [ Object { "Ref": "managedpolicyid28DFA06F", }, ], "Tags": Array [ Object { "Key": "appenv", "Value": "dev", }, Object { "Key": "appfunc", "Value": "api", }, Object { "Key": "appid", "Value": "anIdForMyApp", }, ], }, "Type": "AWS::IAM::Role", }, "rolesAnywhereProfile": Object { "DependsOn": Array [ "onPremAppRole", ], "Properties": Object { "DurationSeconds": 900, "Enabled": true, "ManagedPolicyArns": Array [ Object { "Ref": "managedpolicyid28DFA06F", }, ], "Name": "onPremAppProfile", "RoleArns": Array [ Object { "Fn::GetAtt": Array [ "onPremAppRole", "Arn", ], }, ], }, "Type": "AWS::RolesAnywhere::Profile", }, "rolesAnywhereProfileStringParameter52592FD3": Object { "DependsOn": Array [ "rolesAnywhereProfile", ], "Properties": Object { "Description": "SSM Parameter to store Roles Anywhere Profile ARN foranIdForMyApp", "Name": "/anIdForMyApp/api/dev/myAppSecrets-rolesAnywhereProfileSsmParam", "Type": "String", "Value": 
Object { "Fn::GetAtt": Array [ "rolesAnywhereProfile", "ProfileArn", ], }, }, "Type": "AWS::SSM::Parameter", }, "rolesAnywhereTrustAnchorStringParameterA56BC246": Object { "DependsOn": Array [ "TrustAnchor", ], "Properties": Object { "Description": "SSM Parameter to store Trust Anchor ARN foranIdForMyApp", "Name": "/anIdForMyApp/api/dev/myAppSecrets-rolesAnywhereTrustAnchorSsmParam", "Type": "String", "Value": Object { "Fn::GetAtt": Array [ "TrustAnchor", "TrustAnchorArn", ], }, }, "Type": "AWS::SSM::Parameter", }, }, "Rules": Object { "CheckBootstrapVersion": Object { "Assertions": Array [ Object { "Assert": Object { "Fn::Not": Array [ Object { "Fn::Contains": Array [ Array [ "1", "2", "3", "4", "5", ], Object { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `;