Resource: awsSignerSigningProfilePermission

Creates a Signer Signing Profile Permission. That is, a cross-account permission for a signing profile.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsSignerSigningProfileProdSp =
  new aws.signerSigningProfile.SignerSigningProfile(this, "prod_sp", {
    namePrefix: "prod_sp_",
    platformId: "AWSLambda-SHA384-ECDSA",
    signatureValidityPeriod: {
      type: "YEARS",
      value: 5,
    },
    tags: {
      tag1: "value1",
      tag2: "value2",
    },
  });
new aws.signerSigningProfilePermission.SignerSigningProfilePermission(
  this,
  "sp_permission_1",
  {
    action: "signer:StartSigningJob",
    principal: "${var.aws_account}",
    profileName: awsSignerSigningProfileProdSp.name,
  }
);
new aws.signerSigningProfilePermission.SignerSigningProfilePermission(
  this,
  "sp_permission_2",
  {
    action: "signer:GetSigningProfile",
    principal: "${var.aws_team_role_arn}",
    profileName: awsSignerSigningProfileProdSp.name,
    statementId: "ProdAccountStartSigningJob_StatementId",
  }
);
new aws.signerSigningProfilePermission.SignerSigningProfilePermission(
  this,
  "sp_permission_3",
  {
    action: "signer:RevokeSignature",
    principal: "123456789012",
    profileName: awsSignerSigningProfileProdSp.name,
    profileVersion: awsSignerSigningProfileProdSp.version,
    statementIdPrefix: "version-permission-",
  }
);

Argument Reference

  • profileName - (Required) Name of the signing profile to add the cross-account permissions.
  • action - (Required) An AWS Signer action permitted as part of cross-account permissions. Valid values: signer:StartSigningJob, signer:GetSigningProfile, or signer:RevokeSignature.
  • principal - (Required) The AWS principal to be granted a cross-account permission.
  • profileVersion - (Optional) The signing profile version that a permission applies to.
  • statementId - (Optional) A unique statement identifier. By default generated by Terraform.
  • statementIdPrefix - (Optional) A statement identifier prefix. Terraform will generate a unique suffix. Conflicts with statementId.
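
The argument constraints above can be checked before synthesis. The following is an added example, not part of the provider or of the original page: lintPermission and PermissionProps are hypothetical names, and the case-sensitive action check and the profileVersion rule for revocation grants are assumptions made here as a local least-privilege policy.

```typescript
// Added example: pre-synth lint for SignerSigningProfilePermission props.
// PermissionProps and lintPermission are hypothetical names, not provider APIs.
interface PermissionProps {
  action: string;
  principal: string;
  profileName: string;
  profileVersion?: string;
  statementId?: string;
  statementIdPrefix?: string;
}

// Action strings exactly as used in the example usage on this page.
const VALID_ACTIONS = [
  "signer:StartSigningJob",
  "signer:GetSigningProfile",
  "signer:RevokeSignature",
];
const ACCOUNT_ID = /^\d{12}$/;
const ROLE_ARN = /^arn:aws[a-z-]*:iam::\d{12}:role\/.+$/;

function lintPermission(p: PermissionProps): string[] {
  const findings: string[] = [];
  if (VALID_ACTIONS.indexOf(p.action) === -1) {
    // Assumption: action names are matched case-sensitively.
    const fix = VALID_ACTIONS.filter(
      (a) => a.toLowerCase() === p.action.toLowerCase()
    )[0];
    findings.push(
      fix ? `action "${p.action}" has wrong case, use "${fix}"`
          : `action "${p.action}" is not a valid Signer action`
    );
  }
  // Unresolved Terraform tokens ("${var.x}") cannot be checked before synth.
  const isToken = p.principal.indexOf("${") === 0;
  if (!isToken && !ACCOUNT_ID.test(p.principal) && !ROLE_ARN.test(p.principal)) {
    findings.push(`principal "${p.principal}" is neither an account ID nor a role ARN`);
  }
  if (p.statementId !== undefined && p.statementIdPrefix !== undefined) {
    findings.push("statementId conflicts with statementIdPrefix");
  }
  // Local policy (assumption): revocation grants must name a profile version.
  if (p.action === "signer:RevokeSignature" && p.profileVersion === undefined) {
    findings.push("RevokeSignature grant is not pinned to a profileVersion");
  }
  return findings;
}
```

Run it over each props object before constructing the resource and fail the build when it returns any findings.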

Attributes Reference

No additional attributes are exported.

Import

Signer signing profile permission statements can be imported using profile_name/statement_id, e.g.,

$ terraform import aws_signer_signing_profile_permission.test_signer_signing_profile_permission prod_profile_DdW3Mk1foYL88fajut4mTVFGpuwfd4ACO6ANL0D1uIj7lrn8adK/ProdAccountStartSigningJobStatementId