---
AWSTemplateFormatVersion: 2010-09-09
Description: "This template deploys a Secret containing an ssh key (qs-1snm79fe6)."
Metadata:
  LintSpellExclude:
    - Discngine
    - 3decision
Parameters:
  QSS3BucketName:
    Type: String
  QSS3KeyPrefix:
    Type: String
  SecretName:
    Type: String
Mappings:
  Config:
    Prefix: { Value: 'eks-quickstart' }
Resources:
  CopyZips:
    Type: Custom::CopyZips
    Properties:
      ServiceToken: !Sub ['arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${Prefix}-CopyZips', {Prefix: !FindInMap [Config, Prefix, Value]}]
      DestBucket: !Sub ['${Prefix}-lambdazips-${AWS::Region}-${AWS::AccountId}', {Prefix: !FindInMap [Config, Prefix, Value]}]
      SourceBucket: !Ref QSS3BucketName
      Prefix: !Ref 'QSS3KeyPrefix'
      Version: "1.0.0"
      RandomStr: ""
      Objects:
        - functions/packages/createKey/lambda.zip
  CreateKeyRole:
    Type: AWS::IAM::Role
    Metadata: { cfn-lint: { config: { ignore_checks: [ EIAMPolicyWildcardResource ] } } }
    Properties:
      RoleName: !Sub ['3dec-CreateKeyProfile-${id}', {id: !Select [2, !Split ['/', !Ref AWS::StackId]]}]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: ResourceTypePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                - "secretsmanager:ListSecrets"
                - "secretsmanager:CreateSecret"
                Resource: "*"
  CreateKey:
    DependsOn: [ CopyZips, CreateKeyRole ]
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub ['3dec-CreateKey-${id}', {id: !Select [2, !Split ['/', !Ref AWS::StackId]]}]
      Handler: lambda_function.lambda_handler
      MemorySize: 512
      Role: !Sub ['arn:${AWS::Partition}:iam::${AWS::AccountId}:role/3dec-CreateKeyProfile-${id}', {id: !Select [2, !Split ['/', !Ref AWS::StackId]]}]
      Runtime: python3.9
      Timeout: 60
      Code:
        S3Bucket: !Sub ['${Prefix}-lambdazips-${AWS::Region}-${AWS::AccountId}', {Prefix: !FindInMap [Config, Prefix, Value]}]
        S3Key: !Sub '${QSS3KeyPrefix}functions/packages/createKey/lambda.zip'
  InvokeCreateKey:
    Type: Custom::CreateKey
    DependsOn: CreateKey
    Properties:
      ServiceToken: !Sub ['arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:3dec-CreateKey-${id}', {id: !Select [2, !Split ['/', !Ref AWS::StackId]]}]
      Version: "1.0.0"
      Name: !Ref SecretName