From 531ddd79210ca73f7090178a0939cca2d093a053 Mon Sep 17 00:00:00 2001 From: Joris Conijn Date: Thu, 13 Jan 2022 15:48:16 +0100 Subject: [PATCH 1/3] feat: encrypt sns topic using the ADF CMK KMS Key Because ADF already has a KMS key that is used for encryption. It makes sense to use that key for the SNS notifications as well. Issue: #422 --- .../adf-bootstrap/deployment/global.yml | 12 +++++++++++- .../shared/cdk/cdk_constructs/adf_notifications.py | 4 +++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml index f7708e2d5..9178b18d3 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml @@ -117,6 +117,16 @@ Resources: Condition: StringEquals: aws:PrincipalOrgID: !Ref OrganizationId + - Action: + - kms:Decrypt + - kms:GenerateDataKey + Effect: Allow + Principal: + Service: + - sns.amazonaws.com + - events.amazonaws.com + - codecommit.amazonaws.com + Resource: "*" KMSAlias: Type: AWS::KMS::Alias Properties: @@ -1137,7 +1147,7 @@ Resources: "IntervalSeconds": 1, "MaxAttempts": 10 } - ] + ] } } }, diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_notifications.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_notifications.py index ef5ef1390..7d53c10be 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_notifications.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_notifications.py 
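Review bot: The added key-policy statement grants `kms:Decrypt` and `kms:GenerateDataKey` to the sns, events and codecommit service principals with no `Condition`, so an SNS topic, EventBridge rule or CodeCommit repository in any account that can name this key can have the service use it on its behalf — the confused-deputy case AWS documents for service-principal grants in key policies. Scoping the statement to the resources this account owns, e.g. adding `Condition: StringEquals: aws:SourceAccount: !Ref AWS::AccountId` (three indented lines after `Resource: "*"`), or `kms:ViaService` for the deployment region's sns/events endpoints, closes that without affecting the deployment account's own topic; which of the two keys the service passes should be confirmed per service. Whether cross-account publishers are intended is not visible in this hunk; if they are, the condition should list those accounts rather than be omitted. The second hunk in this file only fixes bracket indentation in the state-machine JSON.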
@@ -9,6 +9,7 @@ aws_lambda as _lambda, aws_sns as _sns, aws_iam as _iam, + aws_kms as _kms, aws_lambda_event_sources as _event_sources, core ) @@ -34,7 +35,8 @@ def __init__( f'arn:{stack.partition}:lambda:{ADF_DEPLOYMENT_REGION}:' f'{ADF_DEPLOYMENT_ACCOUNT_ID}:function:SendSlackNotification' ) - _topic = _sns.Topic(self, "PipelineTopic") + kms_alias = _kms.Alias.from_alias_name(self, 'KMSAlias', f"alias/codepipeline-{ADF_DEPLOYMENT_ACCOUNT_ID}") + _topic = _sns.Topic(self, 'PipelineTopic', master_key=kms_alias) _statement = _iam.PolicyStatement( actions=["sns:Publish"], effect=_iam.Effect.ALLOW, From ef15b0c04894d3c92a32ce295fe74839ba21a536 Mon Sep 17 00:00:00 2001 From: Joris Conijn Date: Thu, 13 Jan 2022 15:51:10 +0100 Subject: [PATCH 2/3] style: use same quote style --- .../adf-build/shared/cdk/cdk_constructs/adf_notifications.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_notifications.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_notifications.py index 7d53c10be..ac45247ff 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_notifications.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_notifications.py 
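Review bot: Setting `master_key=kms_alias` on `PipelineTopic` means every principal that publishes to this topic now also needs `kms:GenerateDataKey*`/`kms:Decrypt` on `alias/codepipeline-<account>`, and a service publisher that lacks it does not fail the deployment — the message is typically lost and shows up only as a failed invocation on the publisher's side. The `sns:Publish` statement that begins at the end of this hunk continues outside it, so the set of publishers cannot be checked here; each service it admits should be matched against the service principals the key policy in `global.yml` now allows (sns, events, codecommit in this series). A comment on the `kms_alias` line would save the next reader that cross-check, e.g. `# Key policy lives in adf-bootstrap/deployment/global.yml; any publisher to this topic also needs GenerateDataKey*/Decrypt there.` `__init__` starts before this hunk and continues after it.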
@@ -35,8 +35,8 @@ def __init__( f'arn:{stack.partition}:lambda:{ADF_DEPLOYMENT_REGION}:' f'{ADF_DEPLOYMENT_ACCOUNT_ID}:function:SendSlackNotification' ) - kms_alias = _kms.Alias.from_alias_name(self, 'KMSAlias', f"alias/codepipeline-{ADF_DEPLOYMENT_ACCOUNT_ID}") - _topic = _sns.Topic(self, 'PipelineTopic', master_key=kms_alias) + kms_alias = _kms.Alias.from_alias_name(self, "KMSAlias", f"alias/codepipeline-{ADF_DEPLOYMENT_ACCOUNT_ID}") + _topic = _sns.Topic(self, "PipelineTopic", master_key=kms_alias) _statement = _iam.PolicyStatement( actions=["sns:Publish"], effect=_iam.Effect.ALLOW, From 5c453b81d16d482ecfd5f64d415b14089845c37b Mon Sep 17 00:00:00 2001 From: Joris Conijn Date: Tue, 1 Feb 2022 13:11:57 +0100 Subject: [PATCH 3/3] Update src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml Co-authored-by: Simon Kok --- .../bootstrap_repository/adf-bootstrap/deployment/global.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml index 9178b18d3..8b899c118 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml @@ -119,7 +119,7 @@ Resources: aws:PrincipalOrgID: !Ref OrganizationId - Action: - kms:Decrypt - - kms:GenerateDataKey + - kms:GenerateDataKey* Effect: Allow Principal: Service: