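# SAM template: a Lambda function that rotates SSH keys via Secrets Manager
# rotation, publishes the new public key to S3, and pushes it to tagged EC2
# workers with SSM Run Command.
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda function to rotate SSH keys
Parameters:
  TagName:
    AllowedPattern: '^[a-zA-Z][-a-zA-Z0-9]*$'
    # NOTE(review): the ssm:SendCommand statement below conditions on the
    # fixed tag key RotateSSHKeys, not on this parameter (CloudFormation cannot
    # substitute into a mapping key). Keep the two in agreement or SendCommand
    # is denied on the instances the function selects.
    Default: RotateSSH
    Description: Tag Name to locate Worker EC2 Instances to update with SSH Public Keys
    MaxLength: 255
    MinLength: 1
    Type: String
  TagValue:
    # Quoted so the value stays a String and is not coerced to a boolean.
    Default: 'true'
    Description: Tag Value to locate Worker EC2 Instances to update with SSH Public Keys
    MaxLength: 255
    MinLength: 1
    Type: String
  Usernames:
    # Comma-separated list of POSIX user names (each up to 32 characters,
    # optionally ending in '$').
    AllowedPattern: '^([a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$))+(,([a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)))*$'
    Default: ec2-user,ubuntu  # FIXME: Usernames for the Linux User that is used to log into the Workers
    Description: Usernames for the Linux user that is used to log into the Workers
    MaxLength: 64
    MinLength: 1
    Type: String
  S3Bucket:
    Default: 'deploy'  # FIXME: Add the bucket name here. This S3 bucket will hold the public key
    Description: Bucket to keep the public key
    MaxLength: 255
    MinLength: 1
    Type: String
  S3File:
    Default: 'ssh/dev/public_key'  # FIXME: S3 key of SSH public key
    Description: s3 path of the public key
    MaxLength: 255
    MinLength: 1
    Type: String

Resources:
  # Lets Secrets Manager invoke the rotation function.
  InvokePermission:
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Ref: RotateSSH
      Principal: secretsmanager.amazonaws.com
    Type: AWS::Lambda::Permission

  RotateSSH:
    Properties:
      CodeUri: s3://lambda-codes/rotate_ssh.zip  # FIXME: S3 URI of the lambda code
      Description: Rotates SSH Keys
      Environment:
        Variables:
          TAGNAME:
            Ref: TagName
          TAGVALUE:
            Ref: TagValue
          USERNAMES:
            Ref: Usernames
          S3_BUCKET:
            Ref: S3Bucket
          S3_FILE:
            Ref: S3File
      # The name is also embedded in the AllowRotationLambdaArn condition
      # below; change both together.
      FunctionName: RotateSSH
      Handler: rotate.lambda_handler
      MemorySize: 1536
      Policies:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        # Required because the function runs inside a VPC (VpcConfig below).
        - arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess
        - Statement:
            # Rotation actions are restricted to secrets whose rotation Lambda
            # is this function, so it cannot rotate arbitrary secrets.
            - Action:
                - secretsmanager:DescribeSecret
                - secretsmanager:GetSecretValue
                - secretsmanager:PutSecretValue
                - secretsmanager:UpdateSecretVersionStage
              Condition:
                StringEquals:
                  secretsmanager:resource/AllowRotationLambdaArn:
                    Fn::Sub: arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:RotateSSH
              Effect: Allow
              Resource:
                Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/dev/ssh*
              Sid: SecretsManagerActions
            # Follows the S3Bucket parameter so the policy cannot drift from the
            # bucket the function actually writes to. Narrow to ${S3File} if the
            # function only ever writes that one key — confirm against rotate.py.
            - Action:
                - s3:PutObject
              Effect: Allow
              Resource:
                Fn::Sub: arn:aws:s3:::${S3Bucket}/*
              Sid: S3Actions
            # NOTE(review): Resource '*' grants decrypt on every KMS key in the
            # account; scope this to the key(s) protecting the secret and the
            # bucket once they are known.
            - Action:
                - 'kms:Describe*'
                - kms:Decrypt
                - kms:GenerateDataKey
              Effect: Allow
              Resource: '*'
              Sid: KMSActions
            # SendCommand needs both a document resource (AWS-owned documents
            # have an empty account field in the ARN) and the target instances.
            - Action:
                - ssm:SendCommand
              Effect: Allow
              Resource:
                - Fn::Sub: arn:aws:ssm:${AWS::Region}::document/AWS-RunShellScript
              Sid: SSMRunShellScriptDocument
            # NOTE(review): the tag key here is literal and currently differs
            # from the TagName default (RotateSSH); only the value follows the
            # parameter. Confirm the intended tag key and align the two.
            - Action:
                - ssm:SendCommand
              Condition:
                StringEquals:
                  ssm:resourceTag/RotateSSHKeys:
                    Ref: TagValue
              Effect: Allow
              Resource:
                - Fn::Sub: arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*
              Sid: SSMRunShellScriptOnTaggedInstances
            # Read-only calls that do not support resource-level scoping.
            - Action:
                - ssm:ListCommandInvocations
                - ssm:GetCommandInvocation
                - ssm:ListCommands
                - ssm:DescribeInstanceInformation
              Effect: Allow
              Resource: '*'
              Sid: SSMTrackCommands
            - Action:
                - ec2:DescribeInstances
              Effect: Allow
              Resource: '*'
              Sid: EC2DescribeInstances
          Version: '2012-10-17'
      # NOTE(review): python3.6 is a deprecated Lambda runtime; move to a
      # supported version after checking rotate.py for compatibility.
      Runtime: python3.6
      Timeout: 300
      VpcConfig:
        SecurityGroupIds:
          - 'sg-XXXXXXXXX'  # FIXME: Security Group IDs of the Lambda function
        SubnetIds:
          - 'subnet-XXXXXXXXXX'  # FIXME: Subnet IDs of the Lambda function
    Type: AWS::Serverless::Function

Transform: AWS::Serverless-2016-10-31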