# SAM template for a JWT issuing service. The signing key lives in exactly one
# of two custodians (KMS or Parameter Store), selected by KeyCustodianParameter;
# every key-specific resource below carries a Condition so only one custodian's
# resources exist in a given stack.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: JWT Issuer
Parameters:
  # Security trade-off described in the Description below. "Impossible for the
  # key to leak" refers to the key material only: with KMS the private key is
  # non-exportable, but any principal granted kms:Sign on the key can still mint
  # valid tokens, so the IAM policies in Resources are the effective control.
  # With Parameter Store the decrypted private key is held in Lambda memory
  # between invocations, so the function's execution environment and its
  # ssm:GetParameter grant become the trust boundary.
  KeyCustodianParameter:
    Type: String
    Description: |
      The private key used for signing requests can either be stored in
      Parameter Store or can be managed by KMS. The Parameter Store option
      encrypts and stores a private key generated by this stack, where
      the generated private key is decrypted and loaded into Lambda at runtime
      when signing keys. The KMS option creates a key managed by KMS, where
      Lambda makes calls to KMS for each JWT signing request but the private
      key can never leave the KMS service. The Parameter Store option is faster
      (because the key is in-memory) and costs less (because KMS is only called
      during Lambda cold starts to decrypt the key). The KMS option is more
      secure (because it's impossible for the key to leak) but it's
      significantly more expensive due to KMS API calls for every signing
      operation.
    Default: ParameterStore
    AllowedValues:
      - KMS
      - ParameterStore
  # Application log level for every function (wired in via Globals). What DEBUG
  # actually emits is decided by the function binaries under ./bin, which are
  # not visible here — confirm they do not log tokens or key material before
  # enabling DEBUG on a signing service.
  LogLevelApplicationParameter:
    Type: String
    Description: |
      Choose the log level for application logs that are sent to CloudWatch
      Logs.
    Default: ERROR
    AllowedValues:
      - DEBUG
      - ERROR
  # Lambda platform (system) log level; independent of the application level.
  LogLevelSystemParameter:
    Type: String
    Description: |
      Choose the log level for Lambda system-generated logs that are sent to
      CloudWatch Logs.
    Default: WARN
    AllowedValues:
      - DEBUG
      - INFO
      - WARN
# The two conditions are mutually exclusive and exhaustive because
# KeyCustodianParameter.AllowedValues is exactly {KMS, ParameterStore}.
Conditions:
  IsKeyCustodianKms: !Equals [!Ref KeyCustodianParameter, KMS]
  IsKeyCustodianParameterStore:
    !Equals [!Ref KeyCustodianParameter, ParameterStore]
# Defaults applied to every AWS::Serverless::Function in Resources.
Globals:
  Function:
    # Custom runtime: each CodeUri directory ships a `bootstrap` executable.
    Runtime: provided.al2023
    Handler: bootstrap
    # Timeout applies to the custom-resource handlers too; none of the
    # functions below override it.
    Timeout: 2
    MemorySize: 128
    Architectures: [arm64]
    LoggingConfig:
      ApplicationLogLevel: !Ref LogLevelApplicationParameter
      LogFormat: JSON
      SystemLogLevel: !Ref LogLevelSystemParameter
    Environment:
      Variables:
        # KMS key ARN in KMS mode, empty string in Parameter Store mode.
        SIGNING_KEY_ARN: !If [IsKeyCustodianKms, !GetAtt Key.Arn, ""]
        # Presumably used by the Parameter Store functions to derive the same
        # /jwt-issuer/<StackPath>/... parameter names that the IAM policies in
        # Resources are scoped to — confirm against the function code.
        STACK_ARN: !Ref AWS::StackId
Resources:
  # --- KMS custodian -------------------------------------------------------
  # Asymmetric P-256 signing key. The private half is non-exportable; signing
  # happens inside KMS via kms:Sign (granted to JwtIssuerKms below).
  Key:
    Type: AWS::KMS::Key
    Condition: IsKeyCustodianKms
    Properties:
      Description: JWT Issuer Signing Key
      # KMS automatic rotation is a symmetric-key feature; rotating this
      # asymmetric signing key means provisioning a new key and republishing
      # the public key to verifiers.
      EnableKeyRotation: false
      # Single default-style statement: delegates all key permissions to the
      # account root, which is what lets the function roles' identity policies
      # (kms:Sign, kms:GetPublicKey) take effect. There is no key-policy-level
      # separation between key administrators and signers; any IAM principal
      # in the account that is granted kms:Sign on this key can mint tokens.
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
      KeySpec: ECC_NIST_P256
      KeyUsage: SIGN_VERIFY
  # --- Parameter Store custodian -------------------------------------------
  # Custom resource that drives KeyGeneratorParameterStore during stack
  # create/update/delete. Changing any property (e.g. Version) sends an Update
  # event to the handler, so Version appears to act as a manual re-run knob —
  # confirm against the handler code.
  KeyGeneratorParameterStoreCustomResource:
    Type: Custom::KeyGeneratorParameterStoreCustomResource
    Condition: IsKeyCustodianParameterStore
    Properties:
      ServiceToken: !GetAtt KeyGeneratorParameterStore.Arn
      Version: "1"
  # Generates the key pair and writes it to Parameter Store. Write/delete
  # access is scoped to exactly the two parameter names this stack owns;
  # StackPath is element 5 of the stack ARN split on ":" (the stack/<name>/<id>
  # tail), which makes the parameter path unique per stack.
  # NOTE(review): no kms:* grant here — consistent with a SecureString under
  # the AWS-managed aws/ssm key; a customer-managed key would need an explicit
  # kms:Encrypt grant. Confirm against the key_generator code.
  KeyGeneratorParameterStore:
    Type: AWS::Serverless::Function
    Condition: IsKeyCustodianParameterStore
    Properties:
      CodeUri: ./bin/key_generator
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - ssm:PutParameter
                - ssm:DeleteParameters
              Resource:
                - !Sub
                  - arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/jwt-issuer/${StackPath}/private-key
                  - StackPath: !Select [5, !Split [":", !Ref AWS::StackId]]
                - !Sub
                  - arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/jwt-issuer/${StackPath}/public-key
                  - StackPath: !Select [5, !Split [":", !Ref AWS::StackId]]
  # Custom resource that surfaces the KMS key's public material and identifiers
  # as attributes consumed by Outputs.
  KeyInfoLoaderKmsCustomResource:
    Type: Custom::KeyInfoLoaderKmsCustomResource
    Condition: IsKeyCustodianKms
    Properties:
      KeyArn: !GetAtt Key.Arn
      ServiceToken: !GetAtt KeyInfoLoaderKms.Arn
      Version: "1"
  # Read-only helper: may fetch the public key of this stack's key and nothing
  # else.
  KeyInfoLoaderKms:
    Type: AWS::Serverless::Function
    Condition: IsKeyCustodianKms
    Properties:
      CodeUri: ./bin/key_info_loader
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - kms:GetPublicKey
              Resource:
                - !GetAtt Key.Arn
  # Token issuer, KMS mode. Its execution role is the only identity in this
  # template granted kms:Sign, and only on this stack's key; treat that role
  # as the token-minting authority when reviewing access. Overrides the
  # 128 MB global memory size.
  JwtIssuerKms:
    Type: AWS::Serverless::Function
    Condition: IsKeyCustodianKms
    Properties:
      CodeUri: ./bin/jwt_issuer_kms
      MemorySize: 384
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - kms:Sign
              Resource:
                - !GetAtt Key.Arn
  # Token issuer, Parameter Store mode. Read-only (no Put/Delete), but the
  # grant covers the private-key parameter, so this role is equivalent to
  # holding the signing key; scope and monitor it accordingly.
  JwtIssuerParameterStore:
    Type: AWS::Serverless::Function
    Condition: IsKeyCustodianParameterStore
    Properties:
      CodeUri: ./bin/jwt_issuer_parameter_store
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - ssm:GetParameter
              Resource:
                - !Sub
                  - arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/jwt-issuer/${StackPath}/private-key
                  - StackPath: !Select [5, !Split [":", !Ref AWS::StackId]]
                - !Sub
                  - arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/jwt-issuer/${StackPath}/public-key
                  - StackPath: !Select [5, !Split [":", !Ref AWS::StackId]]
# Each output selects the active custodian's value via IsKeyCustodianKms.
# Only public key material and identifiers are exported; no output carries the
# private key.
Outputs:
  # ARN of whichever issuer function is deployed; callers integrate with this.
  JwtIssuerFunctionArn:
    Value: !If
      - IsKeyCustodianKms
      - !GetAtt JwtIssuerKms.Arn
      - !GetAtt JwtIssuerParameterStore.Arn
  KeyArn:
    Value: !If
      - IsKeyCustodianKms
      - !GetAtt KeyInfoLoaderKmsCustomResource.KeyArn
      - !GetAtt KeyGeneratorParameterStoreCustomResource.KeyArn
  KeyID:
    Value: !If
      - IsKeyCustodianKms
      - !GetAtt KeyInfoLoaderKmsCustomResource.KeyID
      - !GetAtt KeyGeneratorParameterStoreCustomResource.KeyID
  # Base64-encoded PEM public key for verifiers; both custodians expose the
  # same attribute name.
  PublicKeyPEMBase64:
    Value: !If
      - IsKeyCustodianKms
      - !GetAtt KeyInfoLoaderKmsCustomResource.PublicKeyPEMBase64
      - !GetAtt KeyGeneratorParameterStoreCustomResource.PublicKeyPEMBase64
  SigningMethod:
    Value: !If
      - IsKeyCustodianKms
      - !GetAtt KeyInfoLoaderKmsCustomResource.SigningMethod
      - !GetAtt KeyGeneratorParameterStoreCustomResource.SigningMethod
  # Template version marker (plain string; the leading "v" keeps YAML from
  # reading it as a float).
  Version:
    Value: v1.0