async function getEncryptionKey()

in src/consumer.js [202:279]


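/**
 * Resolve the KMS key used to protect copies of `sourceName`, creating it on
 * first use.
 *
 * Lookup is by alias `alias/DRACO-<sourceName>`. When no key is behind the
 * alias, a new customer-managed key is created with a policy built from the
 * caller's identity, automatic rotation is enabled, and the alias is bound.
 *
 * @param {string} sourceName - Name of the source resource; forms the alias.
 * @param {Array<{Key: string, Value: string}>} taglist - Tags copied onto a
 *   newly created key; entries whose Key starts with 'Draco_Lifecycle' are
 *   dropped.
 * @returns {Promise<string>} The KMS KeyId, existing or newly created.
 * @throws Rethrows any STS/KMS error. If createKey succeeded but rotation or
 *   alias setup failed, the orphaned key id is logged first so it can be found
 *   (it has no alias, so the next call would allocate another key).
 */
async function getEncryptionKey(sourceName, taglist) {
  const aliasName = `alias/DRACO-${sourceName}`;
  if (DEBUG > 0) console.debug(`Getting key for resource '${sourceName}'...`);
  const existingKeyId = await getKeyFromAlias(aliasName);
  if (existingKeyId !== undefined) {
    if (DEBUG > 0) console.debug(`Found existing key ${existingKeyId}`);
    return existingKeyId;
  }
  if (DEBUG > 0) console.debug(`Key not found, allocating...`);

  // The caller identity is only needed for the key policy, so defer the STS
  // call until we know a key has to be created.
  const identity = await sts.getCallerIdentity({}).promise();

  const policy = {
    Version: '2012-10-17',
    Id: 'dr_key_policy',
    Statement: [
      {
        // Keeps the key manageable through IAM in the owning account.
        Sid: 'DR Root account full access',
        Effect: 'Allow',
        Principal: {
          AWS: `arn:aws:iam::${identity.Account}:root`,
        },
        Action: 'kms:*',
        Resource: '*',
      },
      {
        Sid: 'Allow this Lambda to encrypt with the key',
        Effect: 'Allow',
        Principal: {
          // NOTE(review): for a Lambda this is usually an assumed-role session
          // ARN rather than the role ARN — confirm that is the intended grantee.
          AWS: identity.Arn,
        },
        Action: [
          'kms:Encrypt',
          'kms:ReEncrypt*',
          'kms:GenerateDataKey*',
          'kms:DescribeKey',
        ],
        Resource: '*',
      },
      {
        Sid: 'Allow this Lambda to use this key with RDS and EC2',
        Effect: 'Allow',
        Principal: {
          AWS: identity.Arn,
        },
        Action: ['kms:CreateGrant', 'kms:ListGrants', 'kms:RevokeGrant'],
        Resource: '*',
        // Grants may only be created on behalf of AWS services, not arbitrary
        // principals.
        Condition: {
          Bool: { 'kms:GrantIsForAWSResource': 'true' },
        },
      },
    ],
  };
  if (DEBUG > 2) console.debug(`Key Policy: ${JSON.stringify(policy)}`);

  const kmstags = taglist
    .filter((t) => !t.Key.startsWith('Draco_Lifecycle'))
    .map((e) => ({ TagKey: e.Key, TagValue: e.Value }));

  const createParams = {
    Policy: JSON.stringify(policy),
    Description: `DRACO key for ${sourceName}`,
    // NOTE(review): bypassing the lockout safety check lets a policy mistake
    // produce an unmanageable key. With the account-root statement above the
    // check should pass if the calling role is allowed kms:PutKeyPolicy —
    // confirm and drop the bypass.
    BypassPolicyLockoutSafetyCheck: true,
    Tags: kmstags,
  };
  let rsp = await kms.createKey(createParams).promise();
  if (DEBUG > 1) console.debug(`createKey: ${JSON.stringify(rsp)}`);
  const keyId = rsp.KeyMetadata.KeyId;
  if (DEBUG > 0) console.debug(`created Key: ${keyId}`);

  try {
    rsp = await kms.enableKeyRotation({ KeyId: keyId }).promise();
    if (DEBUG > 1) console.debug(`enableKeyRotation: ${JSON.stringify(rsp)}`);
    if (DEBUG > 0) console.debug(`enabled Key Rotation for: ${keyId}`);
    rsp = await kms.createAlias({ AliasName: aliasName, TargetKeyId: keyId }).promise();
    if (DEBUG > 1) console.debug(`createAlias: ${JSON.stringify(rsp)}`);
    if (DEBUG > 0) console.debug(`created Alias ${aliasName} -> ${keyId}`);
  } catch (err) {
    // The key now exists without its alias; record its id so it can be found
    // and cleaned up, then surface the original failure to the caller.
    console.error(`Key ${keyId} was created but setup of rotation/alias ${aliasName} failed`, err);
    throw err;
  }

  return keyId;
}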