AWSTemplateFormatVersion: 2010-09-09
Description: |
  Create an AWS Secrets Manager secret with a user-supplied name/value, and an
  IAM user with read-only access to just that secret.
  Important: Secrets Manager charges a small monthly fee per secret.

Parameters:
  SecretName:
    Type: String
    Description: Secret name (must use allowed characters; no spaces)
    AllowedPattern: ^[a-zA-Z0-9/_+=.@-]+$
    ConstraintDescription: must use only letters, numbers, /, _, +, =, ., @, or -; no spaces
  SecretValue:
    Type: String
    Description: Secret value (sensitive)
    NoEcho: true
  GenerateAccessKey:
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
    Description: |
      When "true", the stack creates an access key for the IAM user and emits a
      connection string for the Unraid Auto Unlock plugin as a stack output. That
      output contains the IAM user's access key ID and secret access key, and is
      readable by anyone allowed to describe the stack. This is acceptable for
      most users because the IAM user can only read this single secret. If you
      are uncomfortable with that, set this parameter to "false" to skip creating
      the access key; then create one manually for the IAM user after stack
      creation and replace the placeholders ACCESS_KEY_ID and ACCESS_KEY_SECRET
      in the connection string output with the real values.

Conditions:
  GenerateAccessKeyCondition: !Equals [!Ref GenerateAccessKey, "true"]

Resources:
  Secret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Ref SecretName
      Description: Secret for auto-unlock
      SecretString: !Ref SecretValue

  SecretReadOnlyUser:
    Type: AWS::IAM::User
    Properties:
      Tags:
        - Key: SecretsManagerSecret
          Value: !Ref SecretName
      Policies:
        - PolicyName: SecretReadOnlyAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                # Ref on an AWS::SecretsManager::Secret returns its full ARN,
                # including the random suffix Secrets Manager appends, so this
                # grants access to exactly this secret. A prefix pattern such as
                # arn:aws:secretsmanager:region:account:secret:${SecretName}*
                # would also match any other secret whose name starts with
                # SecretName, which is broader than "just that secret".
                Resource: !Ref Secret

  SecretReadOnlyUserAccessKey:
    Type: AWS::IAM::AccessKey
    Condition: GenerateAccessKeyCondition
    Properties:
      UserName: !Ref SecretReadOnlyUser

Outputs:
  SecretConnectionString:
    Description: >-
      aws-secrets connection string in the form
      aws-secrets://accesskey:secretkey@region/secret-name
    Value: !If
      - GenerateAccessKeyCondition
      # Ref on an AWS::IAM::AccessKey returns the access key ID; the secret
      # access key is only available through GetAtt. Quoted scalars are used
      # so the output carries no trailing newline.
      - !Sub "aws-secrets://${SecretReadOnlyUserAccessKey}:${SecretReadOnlyUserAccessKey.SecretAccessKey}@${AWS::Region}/${SecretName}"
      - !Sub "aws-secrets://ACCESS_KEY_ID:ACCESS_KEY_SECRET@${AWS::Region}/${SecretName}"
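# The parser below is an added example and is not part of this template or of
# the Unraid Auto Unlock plugin (whose own parsing is not shown here). It shows
# how to split the SecretConnectionString output correctly: a generic URL parser
# stops the authority at the first "/", but an IAM secret access key can contain
# "/" and "+", and a secret name allowed by this template can contain "@" and
# "/". The credentials used are the non-functional example pair from the AWS
# documentation; the function and class names, the needs_real_credentials
# check and the sample secret names are this example's own assumptions.

```python
"""Parse and build the aws-secrets:// connection string emitted by the template.

Format (from the template's Outputs):
    aws-secrets://accesskey:secretkey@region/secret-name

Each component is delimited by the first character it cannot itself contain:
  * access key ID       : no ':' , '@' or '/'  -> ends at the first ':'
  * secret access key   : base64 alphabet (A-Z a-z 0-9 + /), never '@'
                          -> ends at the first '@' (it MAY contain '/')
  * region              : no '/' or '@'         -> ends at the first '/'
  * secret name         : template AllowedPattern [a-zA-Z0-9/_+=.@-]+
                          -> everything after the region's '/'
"""
import re
from dataclasses import dataclass

SCHEME = "aws-secrets://"
# Same pattern the template's SecretName parameter uses.
SECRET_NAME_RE = re.compile(r"^[a-zA-Z0-9/_+=.@-]+$")
# Placeholders from the template's GenerateAccessKey=false output.
PLACEHOLDERS = {"ACCESS_KEY_ID", "ACCESS_KEY_SECRET"}


@dataclass(frozen=True)
class AwsSecretsRef:
    access_key_id: str
    secret_access_key: str
    region: str
    secret_name: str

    @property
    def needs_real_credentials(self) -> bool:
        """True while the string still carries the template's placeholders."""
        return bool({self.access_key_id, self.secret_access_key} & PLACEHOLDERS)


def parse_connection_string(conn: str) -> AwsSecretsRef:
    """Split an aws-secrets:// string into its four components, or raise ValueError."""
    if not conn.startswith(SCHEME):
        raise ValueError("connection string must start with " + SCHEME)
    # Tolerate a trailing newline, as a YAML block scalar output would add one.
    rest = conn[len(SCHEME):].rstrip("\n")

    access_key_id, sep, rest = rest.partition(":")
    if not sep or not access_key_id or "@" in access_key_id or "/" in access_key_id:
        raise ValueError("malformed access key ID before ':'")

    # The secret access key never contains '@', so the FIRST '@' is the delimiter
    # even when the secret name itself contains '@'.
    secret_access_key, sep, rest = rest.partition("@")
    if not sep or not secret_access_key:
        raise ValueError("missing '@' between secret access key and region")

    # The region never contains '/', so the FIRST '/' ends it; the secret name
    # keeps any further '/' characters.
    region, sep, secret_name = rest.partition("/")
    if not sep or not region or "@" in region:
        raise ValueError("expected region/secret-name after '@'")
    if not SECRET_NAME_RE.fullmatch(secret_name):
        raise ValueError("secret name violates the template's AllowedPattern")

    return AwsSecretsRef(access_key_id, secret_access_key, region, secret_name)


def build_connection_string(ref: AwsSecretsRef) -> str:
    """Inverse of parse_connection_string; refuses values that could not be re-parsed."""
    if any(c in ref.access_key_id for c in ":@/") or not ref.access_key_id:
        raise ValueError("access key ID must not contain ':', '@' or '/'")
    if "@" in ref.secret_access_key or not ref.secret_access_key:
        raise ValueError("secret access key must not contain '@'")
    if any(c in ref.region for c in "@/") or not ref.region:
        raise ValueError("region must not contain '@' or '/'")
    if not SECRET_NAME_RE.fullmatch(ref.secret_name):
        raise ValueError("secret name violates the template's AllowedPattern")
    return f"{SCHEME}{ref.access_key_id}:{ref.secret_access_key}@{ref.region}/{ref.secret_name}"


def is_valid_connection_string(conn: str) -> bool:
    """Convenience predicate for callers that only need a yes/no answer."""
    try:
        parse_connection_string(conn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: AWS's documented example key pair (not live credentials),
    # a secret key containing '/', and a secret name containing '/' and '@'.
    sample = (
        "aws-secrets://AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
        "@us-east-1/unraid/array@home"
    )
    parsed = parse_connection_string(sample)
    print(parsed)
    print("round trip ok:", build_connection_string(parsed) == sample)
```

# A caller that gets a string with needs_real_credentials set should refuse to
# use it and tell the user to replace the placeholders, rather than sending
# "ACCESS_KEY_ID" to AWS as if it were a key.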