---
AWSTemplateFormatVersion: '2010-09-09'
Description: Create a KMS Key. There needs to be an IAM user created named ceoa.
Parameters: 
  MyUser: 
    Type: String 
    Description: "IAM Username. See https://console.aws.amazon.com/iam/home#/users" 
    Default: "ceoa"
Resources:
  S3Key:
    Type: AWS::KMS::Key
    Properties:
      Description: S3 Key
      Enabled: true
      EnableKeyRotation: true
      PendingWindowInDays: 7
      KeyPolicy:
        Version: 2012-10-17
        Id: AllowIAMUserPermissions
        Statement:
          - Sid: EnableIAMUserPermissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - kms:*
            Resource: '*'
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:user/${MyUser}
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
            Resource: '*'
          - Sid: AllowKeyUse
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:user/${MyUser}
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-S3Key
  S3Alias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${AWS::StackName}
      TargetKeyId:
        Ref: S3Key
Outputs:
  KeyId:
    Value:
      Ref: S3Key
    Description: Key ID