# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AWSTemplateFormatVersion: '2010-09-09'
Description: >
  This Template deloys a KMS customer managed CMK for AWS services. We also
  configure the KMS Key Policy and grant permissions use the key to our
  deployment roles.

Parameters:
  Service:
    Type: String
    Description: 'Which AWS service is allowed to use this CMK?'
    Default: ALL_SERVICES

  KeyName:
    Type: String
    Description: 'Name of the KMS Key'

  UserARN:
    Type: CommaDelimitedList
    Description: 'ARN of User Role for this particular Key access. Provide comma delimited values for multiple roles.'

Resources:
  KMSKey:
    Type: 'AWS::KMS::Key'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F19
            reason: "Supressing requirement for logging warning for testing purposes"
    Properties:
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
        - Sid: Allow cloudtrail use of the key
          Effect: Allow
          Principal:
            Service:
              "cloudtrail.amazonaws.com"
          Action:
            - "kms:Encrypt"
            - "kms:Decrypt"
            - "kms:GenerateDataKey*"
            - "kms:DescribeKey"
          Resource: '*'
        - Sid: Allow NLB use of the key
          Effect: Allow
          Principal:
            Service:
              "delivery.logs.amazonaws.com"
          Action:
          - "kms:EnableKeyRotation"
          - "kms:EnableKey"
          - "kms:Decrypt"
          - "kms:ListKeyPolicies"
          - "kms:PutKeyPolicy"
          - "kms:GetKeyPolicy"
          - "kms:DisableKey"
          - "kms:GenerateDataKeyPair"
          - "kms:DisableKeyRotation"
          - "kms:RetireGrant"
          - "kms:UpdateAlias"
          - "kms:ListKeys"
          - "kms:Encrypt"
          - "kms:GetKeyRotationStatus"
          - "kms:ScheduleKeyDeletion"
          - "kms:ListAliases"
          - "kms:RevokeGrant"
          - "kms:GenerateDataKey"
          - "kms:CreateAlias"
          - "kms:DescribeKey"
          - "kms:CreateKey"
          - "kms:DeleteAlias"
          - "kms:CreateGrant"
          Resource: '*'
        - Sid: Allow Management Roles use of the key
          Effect: Allow
          Principal:
            AWS: !Ref UserARN
          Action:
          - "kms:*"
          Resource: '*'


  KMSKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub 'alias/${KeyName}'
      TargetKeyId:
        Ref: KMSKey

Outputs:
  KMSKeyARN:
    Description: KMS Key ARN
    Value: !GetAtt KMSKey.Arn
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-KMS-ARN"

  KeyId:
    Description: 'Key id.'
    Value: !Ref KMSKey
    Export:
      Name: !Sub '${AWS::StackName}-KeyId'