Description: ALB Secrets Resources: TheRoomWhereItHappens: Type: AWS::EC2::VPC Properties: CidrBlock: 10.99.0.0/16 EnableDnsHostnames: true EnableDnsSupport: true InstanceTenancy: default Tags: - Key: Name Value: ALBSecretsStack/TheRoomWhereItHappens UpdateReplacePolicy: Delete DeletionPolicy: Delete TheRoomWhereItHappenspublic1Subnet1Subnet: Type: AWS::EC2::Subnet Properties: CidrBlock: 10.99.0.0/24 VpcId: Ref: TheRoomWhereItHappens AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: "" MapPublicIpOnLaunch: true Tags: - Key: aws-cdk:subnet-name Value: public1 - Key: aws-cdk:subnet-type Value: Public - Key: Name Value: ALBSecretsStack/TheRoomWhereItHappens/public1Subnet1 TheRoomWhereItHappenspublic1Subnet1RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: Ref: TheRoomWhereItHappens Tags: - Key: Name Value: ALBSecretsStack/TheRoomWhereItHappens/public1Subnet1 TheRoomWhereItHappenspublic1Subnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: Ref: TheRoomWhereItHappenspublic1Subnet1RouteTable SubnetId: Ref: TheRoomWhereItHappenspublic1Subnet1Subnet TheRoomWhereItHappenspublic1Subnet1DefaultRoute: Type: AWS::EC2::Route Properties: RouteTableId: Ref: TheRoomWhereItHappenspublic1Subnet1RouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: Ref: TheRoomWhereItHappensIGW DependsOn: - TheRoomWhereItHappensVPCGW TheRoomWhereItHappenspublic1Subnet2Subnet: Type: AWS::EC2::Subnet Properties: CidrBlock: 10.99.1.0/24 VpcId: Ref: TheRoomWhereItHappens AvailabilityZone: Fn::Select: - 1 - Fn::GetAZs: "" MapPublicIpOnLaunch: true Tags: - Key: aws-cdk:subnet-name Value: public1 - Key: aws-cdk:subnet-type Value: Public - Key: Name Value: ALBSecretsStack/TheRoomWhereItHappens/public1Subnet2 TheRoomWhereItHappenspublic1Subnet2RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: Ref: TheRoomWhereItHappens Tags: - Key: Name Value: ALBSecretsStack/TheRoomWhereItHappens/public1Subnet2 TheRoomWhereItHappenspublic1Subnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: Ref: TheRoomWhereItHappenspublic1Subnet2RouteTable SubnetId: Ref: TheRoomWhereItHappenspublic1Subnet2Subnet TheRoomWhereItHappenspublic1Subnet2DefaultRoute: Type: AWS::EC2::Route Properties: RouteTableId: Ref: TheRoomWhereItHappenspublic1Subnet2RouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: Ref: TheRoomWhereItHappensIGW DependsOn: - TheRoomWhereItHappensVPCGW TheRoomWhereItHappenspublic2Subnet1Subnet: Type: AWS::EC2::Subnet Properties: CidrBlock: 10.99.2.0/24 VpcId: Ref: TheRoomWhereItHappens AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: "" MapPublicIpOnLaunch: true Tags: - Key: aws-cdk:subnet-name Value: public2 - Key: aws-cdk:subnet-type Value: Public - Key: Name Value: ALBSecretsStack/TheRoomWhereItHappens/public2Subnet1 TheRoomWhereItHappenspublic2Subnet1RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: Ref: TheRoomWhereItHappens Tags: - Key: Name Value: ALBSecretsStack/TheRoomWhereItHappens/public2Subnet1 TheRoomWhereItHappenspublic2Subnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: Ref: TheRoomWhereItHappenspublic2Subnet1RouteTable SubnetId: Ref: TheRoomWhereItHappenspublic2Subnet1Subnet TheRoomWhereItHappenspublic2Subnet1DefaultRoute: Type: AWS::EC2::Route Properties: RouteTableId: Ref: TheRoomWhereItHappenspublic2Subnet1RouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: Ref: TheRoomWhereItHappensIGW DependsOn: - TheRoomWhereItHappensVPCGW TheRoomWhereItHappenspublic2Subnet2Subnet: Type: AWS::EC2::Subnet Properties: CidrBlock: 10.99.3.0/24 VpcId: Ref: TheRoomWhereItHappens AvailabilityZone: Fn::Select: - 1 - Fn::GetAZs: "" MapPublicIpOnLaunch: true Tags: - Key: aws-cdk:subnet-name Value: public2 - Key: aws-cdk:subnet-type Value: Public - Key: Name Value: ALBSecretsStack/TheRoomWhereItHappens/public2Subnet2 TheRoomWhereItHappenspublic2Subnet2RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: Ref: TheRoomWhereItHappens Tags: - Key: Name Value: ALBSecretsStack/TheRoomWhereItHappens/public2Subnet2 TheRoomWhereItHappenspublic2Subnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: Ref: TheRoomWhereItHappenspublic2Subnet2RouteTable SubnetId: Ref: TheRoomWhereItHappenspublic2Subnet2Subnet TheRoomWhereItHappenspublic2Subnet2DefaultRoute: Type: AWS::EC2::Route Properties: RouteTableId: Ref: TheRoomWhereItHappenspublic2Subnet2RouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: Ref: TheRoomWhereItHappensIGW DependsOn: - TheRoomWhereItHappensVPCGW TheRoomWhereItHappensIGW: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: ALBSecretsStack/TheRoomWhereItHappens TheRoomWhereItHappensVPCGW: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: Ref: TheRoomWhereItHappens InternetGatewayId: Ref: TheRoomWhereItHappensIGW sampleAlb: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: LoadBalancerAttributes: - Key: deletion_protection.enabled Value: "false" Scheme: internet-facing SecurityGroups: - Fn::GetAtt: - sampleAlbSecurityGroup - GroupId Subnets: - Ref: TheRoomWhereItHappenspublic1Subnet1Subnet - Ref: TheRoomWhereItHappenspublic1Subnet2Subnet - Ref: TheRoomWhereItHappenspublic2Subnet1Subnet - Ref: TheRoomWhereItHappenspublic2Subnet2Subnet Type: application DependsOn: - TheRoomWhereItHappenspublic1Subnet1DefaultRoute - TheRoomWhereItHappenspublic1Subnet2DefaultRoute - TheRoomWhereItHappenspublic2Subnet1DefaultRoute - TheRoomWhereItHappenspublic2Subnet2DefaultRoute sampleAlbSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Automatically created Security Group for ELB ALBSecretsStacksampleAlb6FC49C32 SecurityGroupEgress: - CidrIp: 255.255.255.255/32 Description: Disallow all traffic FromPort: 252 IpProtocol: icmp ToPort: 86 SecurityGroupIngress: - CidrIp: 0.0.0.0/0 Description: Internet access ALB 80 FromPort: 80 IpProtocol: tcp ToPort: 80 VpcId: Ref: TheRoomWhereItHappens sampleAlbtcp: Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - FixedResponseConfig: ContentType: text/plain StatusCode: "403" Type: fixed-response LoadBalancerArn: Ref: sampleAlb Port: 80 Protocol: HTTP sampleAlbtcp80xAwsApiKeyRule: Type: AWS::ElasticLoadBalancingV2::ListenerRule Properties: Actions: - TargetGroupArn: Ref: sampleTg Type: forward Conditions: - Field: http-header HttpHeaderConfig: HttpHeaderName: X-AWS-API-Key Values: - Ejbah2w6lT4sJFBk ListenerArn: Ref: sampleAlbtcp Priority: 1 sampleTg: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: sample Port: 80 Protocol: HTTP TargetType: instance VpcId: Ref: TheRoomWhereItHappens ApiKeys: Type: AWS::SecretsManager::Secret Properties: Description: ApiKeys Name: alb-apikeys SecretString: '{"key1": "Ejbah2w6lT4sJFBk", "key2": "Zp5Dh3dSX8xqxCk6", "key3": "9zM9AAtH1xmTZ0tY"}' ApiKeysRotator: Type: AWS::Lambda::Function Properties: Code: S3Bucket: Ref: AssetParametersS3Bucket S3Key: Fn::Join: - "" - - Fn::Select: - 0 - Fn::Split: - "||" - Ref: AssetParametersS3VersionKey - Fn::Select: - 1 - Fn::Split: - "||" - Ref: AssetParametersS3VersionKey Role: Fn::Join: - "" - - "arn:aws:iam::" - Ref: AWS::AccountId - :role/alb-apikeys-rotator FunctionName: alb_apikeys_rotator Handler: alb_apikeys_rotator.lambda_handler Runtime: python3.8 Timeout: 300 ApiKeysRotationSchedule: Type: AWS::SecretsManager::RotationSchedule Properties: SecretId: Ref: ApiKeys RotationLambdaARN: Fn::GetAtt: - ApiKeysRotator - Arn RotationRules: AutomaticallyAfterDays: 1 Parameters: AssetParametersS3Bucket: Type: String Description: S3 bucket for lambda function asset AssetParametersS3VersionKey: Type: String Description: S3 key for lambda function asset version