# Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
# ACM for Nitro Enclaves config.
#
# This is an example of setting up ACM, with Nitro Enclaves and nginx.
# You can take this file and then:
# - copy it to /etc/nitro_enclaves/acm.yaml;
# - fill in your ACM certificate ARN in the `certificate_arn` field below;
# - make sure /etc/nginx/nginx.conf is set up to:
#   - use the pkcs11 SSL engine, and;
#   - include the stanza file configured below (under `NginxStanza`)
#     somewhere in the nginx.conf `server` section;
# - start the nitro-enclaves-acm service.
#
# Enclave general configuration
enclave:
  # Number of vCPUs to be assigned to the enclave
  cpu_count: 2
  # Memory (in MiB) to be assigned to the enclave
  memory_mib: 256
tokens:
    # A label for this PKCS#11 token
  - label: nginx-acm-token
    # Configure a managed token, sourced from an ACM certificate.
    source:
      Acm:
        # The certificate ARN
        # Note: this certificate must have been associated with the
        #       IAM role assigned to the instance on which ACM for
        #       Nitro Enclaves is run.
        certificate_arn: "{cert_arn}"
    target:
      NginxStanza:
        # Path to the nginx stanza to be written by the ACM service whenever
        # the certificate configuration changes (e.g. after a certificate renewal).
        # This file must be included from the main nginx config `server` section,
        # as it will contain the TLS nginx configuration directives.
        path: /etc/pki/nginx/nginx-acm.conf
        # Stanza file owner (i.e. the user nginx is configured to run as).
        user: nginx