-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtemplate.yml
122 lines (115 loc) · 3.85 KB
/
template.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
---
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: An Auth0 client secret rotator for the Cimpress Mass Customization Platform.
Metadata:
AWS::ServerlessRepo::Application:
Name: platform-client-secret-rotator
Description: >-
A Secrets Manager rotation Lambda Function which can rotate the client secret
for clients on the Cimpress Mass Customization Platform.
Author: Christopher Osborn
SpdxLicenseId: Apache-2.0
LicenseUrl: ./LICENSE
ReadmeUrl: ./README.md
Labels:
- auth0
- cimpress
- authentication
- lambda
- secrets-manager
- rotate
- rotation
- rotator
- client-secret
HomePageUrl: https://github.com/Cimpress-MCP/Platform-Client-Secret-Rotator
SemanticVersion: 2.2.1
SourceCodeUrl: https://github.com/Cimpress-MCP/Platform-Client-Secret-Rotator
Parameters:
Audience:
Description: The audience which this client is a member of, authenticationally.
Type: String
Default: https://api.cimpress.io/
Endpoint:
Type: String
Description: The Secrets Manager endpoint to contact.
FunctionName:
Type: String
Description: The name of the Lambda Function to create.
InvokingServicePrincipal:
Type: String
Description: The service principal of the invoking service.
Default: secretsmanager.amazonaws.com
Issuer:
Description: The source of tokens and the issuer of claims.
Type: String
Default: https://oauth.cimpress.io/
AllowedPattern: ^https:\/\/.+
ConstraintDescription: Issuer must be an HTTPS URL.
KmsKeyArn:
Type: String
Description: The KMS key used to encrypt the secret being rotated.
Default: ''
OverlapDuration:
Type: String
Description: >-
The amount of time after rotation for which a previous client secret will be active.
This value should be taken into account when determining rotation cadence, as it
could keep a client secret active longer than is compliant.
Default: P1D
AllowedPattern: ^\+?P
ConstraintDescription: Must be a valid positive ISO duration. (P1D, PT8H, PT1H30M, etc.)
ClientSecretKey:
Type: String
Description: The key for looking up the client secret within the Secrets Manager Secret.
Default: secret
ClientIdKey:
Type: String
Description: The key for looking up the client ID within the Secrets Manager Secret.
Default: id
Conditions:
KmsKeyArnExists: !Not [ !Equals [ '', !Ref KmsKeyArn ] ]
Resources:
SecretsManagerAuth0ClientSecretRotation:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Ref FunctionName
Description: Conducts an AWS Secrets Manager rotation for OAuth2 Client Secret
Handler: rotator.lambda_handler
Runtime: python3.10
CodeUri: ./rotator/
Timeout: 30
Policies:
- AWSSecretsManagerRotationPolicy:
FunctionName: !Ref FunctionName
- !If
- KmsKeyArnExists
- Version: 2012-10-17
Statement:
Effect: Allow
Action:
- kms:Decrypt
- kms:DescribeKey
- kms:GenerateDataKey
Resource: !Ref KmsKeyArn
- !Ref AWS::NoValue
Environment:
Variables:
AUDIENCE: !Ref Audience
ISSUER: !Ref Issuer
OVERLAP_DURATION: !Ref OverlapDuration
SECRETS_MANAGER_ENDPOINT: !Ref Endpoint
CLIENT_SECRET_KEY: !Ref ClientSecretKey
CLIENT_ID_KEY: !Ref ClientIdKey
Tags:
SecretsManagerLambda: Rotation
Permission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !GetAtt SecretsManagerAuth0ClientSecretRotation.Arn
Principal: !Ref InvokingServicePrincipal
Outputs:
RotationLambdaARN:
Description: The ARN of the rotation lambda
Value: !GetAtt SecretsManagerAuth0ClientSecretRotation.Arn