AWSTemplateFormatVersion: '2010-09-09'
Description: >
  This Template deloys a KMS customer managed CMK for AWS services. We also
  configure the KMS Key Policy and grant permissions use the key to our
  deployment roles.

Parameters:
  KeyAlias:
    Description: 'Name of the KMS Key'
    Type: String
    Default: 'alias/CassisKMS'

  PipelineStackerRolesStack:
    Description: The deploy pipeline role Stack for CodePipeline Deployments
    Type: String
    Default: cassis-pipeline-role

  PipelineStack:
    Description: Name of the deployed CodePipeline Stack
    Type: String
    Default: cassis-codepipeline

Resources:
  CassisKey:
    Type: 'AWS::KMS::Key'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F19
            reason: "Supressing requirement for logging warning for testing purposes"
    Properties:
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
        - Sid: Allow cloudtrail use of the key
          Effect: Allow
          Principal:
            Service:
              "cloudtrail.amazonaws.com"
          Action:
            - "kms:Encrypt"
            - "kms:Decrypt"
            - "kms:GenerateDataKey*"
            - "kms:DescribeKey"
          Resource: '*'
        - Sid: Allow NLB use of the key
          Effect: Allow
          Principal:
            Service:
              "delivery.logs.amazonaws.com"
          Action:
          - "kms:EnableKeyRotation"
          - "kms:EnableKey"
          - "kms:Decrypt"
          - "kms:ListKeyPolicies"
          - "kms:PutKeyPolicy"
          - "kms:GetKeyPolicy"
          - "kms:DisableKey"
          - "kms:GenerateDataKeyPair"
          - "kms:DisableKeyRotation"
          - "kms:RetireGrant"
          - "kms:UpdateAlias"
          - "kms:ListKeys"
          - "kms:Encrypt"
          - "kms:GetKeyRotationStatus"
          - "kms:ScheduleKeyDeletion"
          - "kms:ListAliases"
          - "kms:RevokeGrant"
          - "kms:GenerateDataKey"
          - "kms:CreateAlias"
          - "kms:DescribeKey"
          - "kms:CreateKey"
          - "kms:DeleteAlias"
          - "kms:CreateGrant"
          Resource: '*'
        - Sid: Allow Management Roles use of the key
          Effect: Allow
          Principal:
            AWS:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:root'
              - Fn::ImportValue: !Sub "${PipelineStackerRolesStack}-stacker-execution-role-arn"
              - Fn::ImportValue: !Sub "${PipelineStack}-CFN-Lint-CodeBuild-Role-ARN"
              - Fn::ImportValue: !Sub "${PipelineStack}-CFN-Nag-CodeBuild-Role-ARN"
              - Fn::ImportValue: !Sub "${PipelineStack}-CodePipeline-Role-ARN"
              - Fn::ImportValue: !Sub "${PipelineStack}-CodeBuild-Service-Role-ARN"
          Action:
          - "kms:EnableKeyRotation"
          - "kms:EnableKey"
          - "kms:Decrypt"
          - "kms:ListKeyPolicies"
          - "kms:PutKeyPolicy"
          - "kms:GetKeyPolicy"
          - "kms:DisableKey"
          - "kms:GenerateDataKeyPair"
          - "kms:DisableKeyRotation"
          - "kms:RetireGrant"
          - "kms:UpdateAlias"
          - "kms:ListKeys"
          - "kms:Encrypt"
          - "kms:GetKeyRotationStatus"
          - "kms:ScheduleKeyDeletion"
          - "kms:ListAliases"
          - "kms:RevokeGrant"
          - "kms:GenerateDataKey"
          - "kms:CreateAlias"
          - "kms:DescribeKey"
          - "kms:CreateKey"
          - "kms:DeleteAlias"
          - "kms:CreateGrant"
          Resource: '*'


  CassisKMSAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Ref KeyAlias
      TargetKeyId:
        Ref: CassisKey

Outputs:
  KMSKeyARN:
    Description: KMS Key ARN
    Value: !GetAtt CassisKey.Arn
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-KMS-ARN"