-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathcf-origin-verify-sm-only.yaml
244 lines (232 loc) · 8.66 KB
/
cf-origin-verify-sm-only.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
---
## This is a sample template for demonstration purposes.
## Edit according to your requirements prior to deployment.
## It creates a Secrets Manager secret, Lambda function and IAM resources
##
## **TEMPLATE REQUIREMENTS**
## This template REQUIRES the following exisitng configuration:
##
## 1. An existing CloudFront distribution configured with an AWS regional WAF protected
## origin that is internet accessible.
##
## 2. The CloudFront distribution has been prerconfigured with the origin custom header
## you plan to use for this template. This value must match the HeaderName value below.
##
## 3. Add the Url for the origin resource (ALB/APIGW) below that is associated with the
## WAF ACL Id provided below for the WAFAclId parameter.
##
## 4. Additional IAM permissions may be required if other rules are in scope for the target
## regional WAF web ACL update; see lines 218 - 221.
##
## 5. Upload artifacts to in-region S3 location and update ArtifactsBucket and ArtifactsPrefix
## parameters.
##
## Changelog:
## - Initial sample
##
## Dependencies:
## CF, WAF, SM, Lambda
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::SecretsManager-2020-07-23'
Description: CloudFront - WAF - Secrets Manager - Demo
## Parameters
Parameters:
WAFAclId:
AllowedPattern: ".+"
Description: Web ACL Id for REGIONAL AWS WAF that IS Associate with your CloudFront origin resource configured in the CFDistroId below.
Type: String
WAFRulePriority:
Default: "0"
Description: Rule number to use for regional WAF web ACL. 0 is recommended.
Type: Number
WAFAclName:
AllowedPattern: ".+"
Description: Web ACL Name for REGIONAL AWS WAF
Type: String
CFDistroId:
AllowedPattern: ".+"
Description: Cloudfront distribution Id with origin already containing custom header.
Type: String
OriginUrl:
AllowedPattern: ".+"
Description: Origin URL being protected by the regional AWS WAF. e.g. https://www.example.com
Type: String
RotateInterval:
Default: "7"
Description: Rotation interval in days for origin secret value. Full rotation requires 2 intervals.
Type: Number
MinValue: "1"
HeaderName:
Default: X-Origin-Verify
Description: Header name for secret string.
Type: String
ArtifactsBucket:
Description: S3 bucket with artifact files (Lambda functions, templates, html files, etc.).
Type: String
AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-.]*[0-9a-zA-Z])*$
ConstraintDescription: ArtifactsBucket S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-).
It cannot start or end with a hyphen (-).
ArtifactsPrefix:
Description: Path in the S3 bucket containing artifact files. Must be in-region.
Type: String
Default: /
AllowedPattern: ^[0-9a-zA-Z-/_]*$
ConstraintDescription: ArtifactsPrefix key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-),
and forward slash (/). Must be in-region.
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Main Configuration
Parameters:
- WAFAclName
- WAFAclId
- WAFRulePriority
- CFDistroId
- OriginUrl
- HeaderName
- RotateInterval
- Label:
default: Artifact Configuration
Parameters:
- ArtifactsBucket
- ArtifactsPrefix
ParameterLabels:
RotateInterval:
Description: Rotation interval in days for origin secret value. Full rotation requires 2 intervals.
HeaderName:
Description: Header name for secret string.
WAFAclName:
Description: Web ACL Name for REGIONAL AWS WAF
CFDistroId:
Description: Cloudfront distribution Id with origin already containing custom header.
OriginUrl:
Description: Origin URL being protected by the regional AWS WAF. e.g. http://www.example.com
WAFRulePriority:
Description: Rule number to use for regional WAF web ACL. 0 is recommended.
ArtifactsBucket:
Description: S3 bucket with artifact files (Lambda functions, templates, html files, etc.).
ArtifactsPrefix:
Description: Path in the S3 bucket containing artifact files.
## Resources
Resources:
OriginVerifySecret:
Type: 'AWS::SecretsManager::Secret'
Properties:
GenerateSecretString:
SecretStringTemplate: !Sub '{"HEADERVALUE": "RandomPassword"}'
GenerateStringKey: "HEADERVALUE"
ExcludePunctuation: true
RotateFunctionInvokePermission:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !Ref OriginSecretRotateFunction
Action: lambda:InvokeFunction
Principal: 'secretsmanager.amazonaws.com'
OriginVerifyRotateSchedule:
Type: AWS::SecretsManager::RotationSchedule
Properties:
RotationLambdaARN: !GetAtt OriginSecretRotateFunction.Arn
RotationRules:
AutomaticallyAfterDays: !Ref RotateInterval
SecretId: !Ref OriginVerifySecret
PythonRequestsLayer:
Type: AWS::Lambda::LayerVersion
Properties:
CompatibleRuntimes:
- python3.9
Content:
S3Bucket: !Ref ArtifactsBucket
S3Key: !Sub ${ArtifactsPrefix}python-requests-lambda-layer.zip
Description: Python requests module and deps
LayerName: python-requests
OriginSecretRotateFunction:
Type: AWS::Lambda::Function
Properties:
Description: Serets Manager Rotation Lambda
Handler: lambda_function.lambda_handler
Runtime: python3.9
Layers:
- !Ref PythonRequestsLayer
Environment:
Variables:
WAFACLID: !Ref WAFAclId
WAFACLNAME: !Ref WAFAclName
WAFRULEPRI: !Ref WAFRulePriority
CFDISTROID: !Ref CFDistroId
HEADERNAME: !Ref HeaderName
ORIGINURL: !Ref OriginUrl
STACKNAME: !Ref AWS::StackName
AWSREGION: !Ref AWS::Region
Role: !GetAtt OriginSecretRotateExecutionRole.Arn
Timeout: 300
Code:
S3Bucket: !Ref ArtifactsBucket
S3Key: !Sub ${ArtifactsPrefix}origin-secret-rotate.zip
OriginSecretRotateExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: OriginVerifyRotatePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- logs:DescribeLogStreams
Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*OriginSecretRotateFunction*'
- Effect: Allow
Action:
- secretsmanager:DescribeSecret
- secretsmanager:GetSecretValue
- secretsmanager:PutSecretValue
- secretsmanager:UpdateSecretVersionStage
Resource: !Ref OriginVerifySecret
- Effect: Allow
Action:
- secretsmanager:GetRandomPassword
Resource: '*'
- Effect: Allow
Action:
- cloudfront:GetDistribution
- cloudfront:GetDistributionConfig
- cloudfront:ListDistributions
- cloudfront:UpdateDistribution
Resource: !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${CFDistroId}'
- Effect: Allow
Action:
- wafv2:*
Resource: !Sub 'arn:aws:wafv2:${AWS::Region}:${AWS::AccountId}:regional/webacl/${WAFAclName}/${WAFAclId}'
## Outputs
Outputs:
accountId:
Description: AWS account number
Value: !Ref AWS::AccountId
Region:
Description: AWS region
Value: !Ref AWS::Region
originUrl:
Description: Origin URL protected but regional WAF
Value: !Ref OriginUrl
OriginSecretRotateFunction:
Value: !Sub https://console.aws.amazon.com/lambda/home?region=${AWS::Region}#/functions/${OriginSecretRotateFunction}
Description: Secrets Manager Rotation Lambda Function
cfDistro:
Description: CloudFront distribution associated with orgin URL
Value: !Sub https://console.aws.amazon.com/cloudfront/home?region=${AWS::Region}#distribution-settings:${CFDistroId}
OriginVerifySecret:
Description: Secrets Manager Secret for Origin Validation
Value: !Sub https://console.aws.amazon.com/secretsmanager/home?region=${AWS::Region}#/secret?name=${OriginVerifySecret}
wafWebACLR:
Description: Regional WAF Web ACL associated with origin
Value: !Join ['', ['https://console.aws.amazon.com/wafv2/homev2/web-acl/', !Ref 'WAFAclName', '/', !Ref WAFAclId, '/overview?region=', !Sub '${AWS::Region}']]