# Copyright 2020-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
# ACM for Nitro Enclaves Apache HTTPD configuration
#
# This is an example of setting up ACM, with Nitro Enclaves and Apache Httpd.
# You can take this file and then:
# - Copy it to /etc/nitro_enclaves/acm.yaml
# - Fill in your ACM certificate ARN in the `certificate_arn` field below
# - Make sure `/etc/httpd/conf/httpd.conf` is set up to have the `IncludeOptional`
#   or `Include` directives to point to the virtual host configuration entries
# - Set the target `Conf` directive below to point to a virtual host
#   configuration location
# - Start the nitro-enclaves-acm service
#
# Enclave general configuration
enclave:
  # Number of vCPUs to be assigned to the enclave
  cpu_count: 2
  # Memory (in MiB) to be assigned to the enclave
  memory_mib: 256

# General options
options:
  # Service to manage
  service: "httpd"
  # If HTTPD is not running, force restart it
  force_start: true
  # The HTTPD reload timeout period (milliseconds)
  reload_wait_ms: 0
  # Certificate renewal check period (seconds)
  sync_interval_secs: 600

# Tokens general configuration
tokens:
  # A label for this PKCS#11 token
  - label: httpd-acm-token
    # Configure a managed token, sourced from an ACM certificate.
    source:
      Acm:
        # The certificate ARN
        # Note: this certificate must have been associated with the
        #       IAM role assigned to the instance on which ACM for
        #       Nitro Enclaves is run.
        certificate_arn: ""
    target:
      Conf:
        # Path to the server configuration file to be written by
        # the ACM service whenever the certificate configuration changes
        # (e.g. after a certificate renewal). The SSLCertificateKeyFile and
        # optionally the SSLCertificateFile directives shall be populated.
        path: /etc/httpd/conf.d/httpd-acm.conf
        # Configuration file owner (i.e. the user httpd is configured to run as).
        user: apache
    # Attestation period (seconds)
    refresh_interval_secs: 43200

# - label: httpd-acm-token-2
#   # Configure a managed token, sourced from an ACM certificate.
#   source:
#     Acm:
#       # The certificate ARN
#       # Note: this certificate must have been associated with the
#       #       IAM role assigned to the instance on which ACM for
#       #       Nitro Enclaves is run.
#       certificate_arn: ""
#   target:
#     Conf:
#       # Path to the server configuration file to be written by
#       # the ACM service whenever the certificate configuration changes
#       # (e.g. after a certificate renewal). The SSLCertificateKeyFile and
#       # optionally the SSLCertificateFile directives shall be populated.
#       path: /etc/httpd/confi.d/httpd-acm-2.conf
#       # Configuration file owner (i.e. the user httpd is configured to run as).
#       user: apache
#   # Attestation repeat period (seconds)
#   refresh_interval_secs: 43200