in cdk/lib/image-copier-kms.ts [9:70]
constructor(scope: App, id: string, props: GuStackProps) {
super(scope, id, props);
const key = new Key(this, "KmsKey", {
removalPolicy: RemovalPolicy.RETAIN,
enableKeyRotation: true,
policy: new PolicyDocument({
statements: [
new PolicyStatement({
sid: "Enable IAM User Permissions",
effect: Effect.ALLOW,
principals: [new ArnPrincipal(`arn:aws:iam::${this.account}:root`)],
actions: ["kms:*"],
resources: ["*"],
}),
new PolicyStatement({
sid: "Allow use of the key",
effect: Effect.ALLOW,
principals: [
new ArnPrincipal(
`arn:aws:iam::${this.account}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling`
),
],
actions: [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant",
],
resources: ["*"],
}),
new PolicyStatement({
sid: "Allow attachment of persistent resources",
effect: Effect.ALLOW,
principals: [
new ArnPrincipal(
`arn:aws:iam::${this.account}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling`
),
],
actions: ["kms:CreateGrant"],
resources: ["*"],
conditions: {
Bool: { "kms:GrantIsForAWSResource": true },
},
}),
],
}),
});
this.overrideLogicalId(key, {
reason: "to preserve key",
logicalId: "KmsKey",
});
new CfnOutput(this, "AmigoImageCopierKey", {
description: "Amigo image copier key arn",
value: key.keyArn,
exportName: "amigo-imagecopier-key",
});
}