Secret_SecretsManager_CF.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: enroll-ec2-mac credentials.
Parameters:
  JamfDomainNameOrIP:
    Type: String
    Description: The URL to your Jamf instance.
  JamfEnrollmentUser:
    Type: String
    Description: A Jamf user account with privileges to Create Computer Invitations.
  JamfEnrollmentUserPassword:
    Type: String
    NoEcho: true
    Description: The password for the Jamf account.
  LocalAdmin:
    Type: String
    Description: The local Mac administrator name (the default is ec2-user).
  LocalAdminPassword:
    Type: String
    NoEcho: true
    Description: The password for the local Mac administrator.
Resources:
  jamfSecret:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Description: Secret with credentials for enroll-ec2-mac.
      # If using the non-default key for the region, uncomment below and replace with your key ID.
      # KmsKey: "replace_with_kms_key_id"
      SecretString: !Sub >
        {"jamfServerDomain":"${JamfDomainNameOrIP}","jamfEnrollmentUser":"${JamfEnrollmentUser}","jamfEnrollmentPassword":"${JamfEnrollmentUserPassword}","localAdmin":"${LocalAdmin}","localAdminPassword":"${LocalAdminPassword}"}
  MMSecretReadRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: MMReadSecrets
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'secretsmanager:GetResourcePolicy'
                  - 'secretsmanager:GetSecretValue'
                  - 'secretsmanager:DescribeSecret'
                  - 'secretsmanager:ListSecretVersionIds'
                  - 'secretsmanager:GetRandomPassword'
                  - 'secretsmanager:ListSecrets'
                Resource:
                  - !Ref jamfSecret
  MMInstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref MMSecretReadRole
Outputs:
  SecretName:
    Value: !Ref jamfSecret
    Description: Secret ID