---
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation Secret Provider
Parameters:
  S3BucketPrefix:
    Type: String
    Default: 'binxio-public'
  CFNCustomProviderZipFileName:
    Type: String
    Default: 'lambdas/cfn-secret-provider-2.0.1.zip'
  IAMPermissionBoundaryARN:
    Type: String
    Default: ''
Conditions:
  HasPermissionBoundary: !Not [!Equals [ !Ref IAMPermissionBoundaryARN, '' ]]
Resources:
  LambdaPolicy:
    Type: AWS::IAM::Policy
    DependsOn:
      - LambdaRole
    Properties:
      PolicyName: CFNCustomSecretProviderPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - iam:CreateAccessKey
              - iam:DeleteAccessKey
              - iam:UpdateAccessKey
              - ssm:PutParameter
              - ssm:GetParameter
              - ssm:DeleteParameter
              - ec2:ImportKeyPair
              - ec2:DeleteKeyPair
              - secretsmanager:DeleteSecret
              - secretsmanager:CreateSecret
              - secretsmanager:UpdateSecret
            Effect: Allow
            Resource:
              - '*'
          - Action:
              - kms:Decrypt
            Effect: Allow
            Resource:
              - !GetAtt 'Key.Arn'
          - Action:
              - logs:*
            Effect: Allow
            Resource: arn:aws:logs:*:*:*
      Roles:
        - !Ref 'LambdaRole'
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      PermissionsBoundary: !If [HasPermissionBoundary, !Ref IAMPermissionBoundaryARN, !Ref 'AWS::NoValue']
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
  Key:
    Type: AWS::KMS::Key
    Properties:
      Description: used for encryption of secrets in CloudFormation templates
      Enabled: True
      EnableKeyRotation: True
      KeyPolicy:
        Version: 2012-10-17
        Id: 'enable iam permissions'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: kms:*
            Resource: '*'

  KeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/cmk/cfn-secrets
      TargetKeyId: !GetAtt 'Key.Arn'

  CFNSecretProvider:
    Type: AWS::Lambda::Function
    DependsOn:
      - LambdaRole
    Properties:
      Description: CloudFormation Custom:Secret implementation
      Code:
        S3Bucket: !Sub '${S3BucketPrefix}-${AWS::Region}'
        S3Key: !Ref 'CFNCustomProviderZipFileName'
      FunctionName: 'binxio-cfn-secret-provider'
      Handler: secrets.handler
      MemorySize: 128
      Timeout: 30
      Role: !GetAtt 'LambdaRole.Arn'
      Runtime: python3.9