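AWSTemplateFormatVersion: "2010-09-09"
Description: Definitions of S3, IAM User and KMS
# ------------------------------------------------------------#
# Input Parameters
# ------------------------------------------------------------#
# Both parameters are interpolated into resource names below (IAM user name,
# KMS alias, S3 bucket name). The S3 bucket name is the strictest of those
# namespaces (lowercase letters, digits, hyphens only), so the patterns here
# reject at parameter validation what would otherwise fail later at bucket
# creation.
Parameters:
  Chain:
    Description: Chain identifier; becomes part of the IAM user, KMS alias and S3 bucket names.
    Default: ethereum
    Type: String
    AllowedPattern: "[a-z0-9][a-z0-9-]*"
    ConstraintDescription: "must contain only lowercase letters, digits and hyphens (it becomes part of an S3 bucket name)."
  ValidatorName:
    Description: Operator-chosen validator name; becomes part of the S3 bucket name.
    Default: "yourname"
    Type: String
    AllowedPattern: "[a-z][a-z0-9]*"
    ConstraintDescription: "must begin with a lowercase letter and contain only lowercase letters and digits (it becomes part of an S3 bucket name)."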
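Resources:
  # ------------------------------------------------------------#
  # IAM
  # ------------------------------------------------------------#
  # The validator's identity. It carries no IAM policy of its own: everything it
  # may do is granted by the resource policies below (the KMS key policy and the
  # S3 bucket policy), so each grant sits next to the resource it protects.
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub "abacus-validator-${Chain}"
      Tags:
        - Key: "Chain"
          Value: !Ref Chain
        - Key: "Name"
          Value: !Sub "abacus-validator-${Chain}"
  # Long-term access key for the user above. !Ref on an AWS::IAM::User resolves
  # to its UserName, so the name is not spelled out a second time and the
  # dependency on IAMUser is implicit (no DependsOn needed).
  IAMUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref IAMUser
  # ------------------------------------------------------------#
  # KMS
  # ------------------------------------------------------------#
  # Alias
  myAlias:
    Type: "AWS::KMS::Alias"
    Properties:
      AliasName: !Sub "alias/abacus-validator-signer-${Chain}"
      TargetKeyId: !Ref myKey
  # Key: secp256k1 signing key. The private half never leaves KMS; the
  # validator only gets kms:Sign and kms:GetPublicKey through the key policy.
  # (!GetAtt IAMUser.Arn below already orders this key after the user.)
  myKey:
    Type: "AWS::KMS::Key"
    Properties:
      Description: ECC_SECG_P256K1 asymmetric KMS key for signing and verification
      KeySpec: ECC_SECG_P256K1
      KeyUsage: SIGN_VERIFY
      KeyPolicy:
        Version: "2012-10-17"
        Id: !Sub "key-policy-${Chain}"
        Statement:
          # Standard account-root statement: keeps the key administrable via IAM
          # so it cannot become unmanageable.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # Least-privilege grant to the validator: sign and read the public key,
          # no management actions. Inside a key policy "Resource: *" means this
          # key only.
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: !GetAtt IAMUser.Arn
            Action:
              - "kms:GetPublicKey"
              - "kms:Sign"
            Resource: "*"
  # ------------------------------------------------------------#
  # S3
  # ------------------------------------------------------------#
  # S3 Bucket: publication bucket for signed checkpoints. It is deliberately
  # world-readable (see S3Policy), so only the ACL half of the public-access
  # block is enabled; the policy half is left open on purpose and is spelled
  # out explicitly below rather than relying on defaults.
  myS3Bucket:
    Type: "AWS::S3::Bucket"
    # DeletionPolicy: "Retain"
    Properties:
      BucketName: !Sub "abacus-validator-signatures-${ValidatorName}-${Chain}"
      OwnershipControls:
        Rules:
          # Disables ACLs entirely; access is governed by the bucket policy alone.
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        # Must stay false: with either set to true S3 rejects or ignores the
        # public-read statement in S3Policy.
        BlockPublicPolicy: false
        RestrictPublicBuckets: false
      Tags:
        - Key: "Chain"
          Value: !Ref Chain
        - Key: "Name"
          Value: !Sub "abacus-validator-signatures-${ValidatorName}-${Chain}"
  # S3 Bucket Policy (the !Ref/!GetAtt references order it after the bucket
  # and the user, so no DependsOn is needed).
  S3Policy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref "myS3Bucket"
      PolicyDocument:
        Version: "2012-10-17"
        Id: !Sub "abacus-validator-signatures-${ValidatorName}-${Chain}-policy"
        Statement:
          # Anonymous read + list: consumers discover and fetch published
          # checkpoints without credentials. Nothing secret belongs in this
          # bucket, and anyone can enumerate its object keys.
          - Sid: !Sub "abacus-validator-signatures-${ValidatorName}-${Chain}-anyone"
            Effect: "Allow"
            Principal: "*"
            Action:
              - "s3:GetObject"
              - "s3:ListBucket"
            Resource:
              - !Sub "arn:aws:s3:::abacus-validator-signatures-${ValidatorName}-${Chain}"
              - !Sub "arn:aws:s3:::abacus-validator-signatures-${ValidatorName}-${Chain}/*"
          # Only the validator may write or delete objects; it gets no rights on
          # the bucket itself (policy, configuration) and cannot read via this
          # statement beyond what the public one already allows.
          - Sid: !Sub "abacus-validator-signatures-${ValidatorName}-${Chain}-iam"
            Effect: "Allow"
            Principal:
              AWS: !GetAtt IAMUser.Arn
            Action:
              - "s3:DeleteObject"
              - "s3:PutObject"
            Resource:
              - !Sub "arn:aws:s3:::abacus-validator-signatures-${ValidatorName}-${Chain}/*"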
# ------------------------------------------------------------#
# Output Parameters
# ------------------------------------------------------------#
# Values the validator / deployment tooling reads back from the stack.
Outputs:
  AwsAccessKeyId:
    Value: !Ref IAMUserAccessKey
  # NOTE(review): a stack output is not a secret store. This value is readable
  # by any principal with cloudformation:DescribeStacks and appears in console,
  # CLI output and any log that captures it. Consider storing it in an
  # AWS::SecretsManager::Secret and exporting only that secret's ARN; kept
  # unchanged here because callers read this output by name.
  AwsSecretAccessKey:
    Value: !GetAtt IAMUserAccessKey.SecretAccessKey
  # Key id (not the alias) of the signing key defined in Resources.
  KmsKeyId:
    Value: !Ref myKey
  # Echo of the input parameter so consumers need not re-derive it.
  ValidatorName:
    Value: !Ref ValidatorName
  AbcValidatorCheckpointsyncerBucket:
    Value: !Ref myS3Bucket
  # The three region outputs carry the same value; presumably the consuming
  # config expects each key separately — verify against the consumer before
  # collapsing them.
  AbcValidatorRegion:
    Value: !Ref AWS::Region
  AbcValidatorCheckpointsyncerRegion:
    Value: !Ref AWS::Region
  AbcBaseValidatorRegion:
    Value: !Ref AWS::Region