{
  "version": 3,
  "sources": ["../../../src/fragments/kms-key.ts"],
  "sourcesContent": ["import type {AWSKMSKey} from '../__generated__/json-schemas/serverless-application-model.ts';\n\nexport function makeKmsKey(): AWSKMSKey {\n  return {\n    Properties: {\n      KeyPolicy: {\n        Statement: [\n          {\n            Action: ['kms:Decrypt', 'kms:GenerateDataKey'],\n            Effect: 'Allow',\n            Principal: {\n              Service: 'events.amazonaws.com',\n            },\n            Resource: '*',\n            Sid: 'Allow EventBridge to use the Key',\n          },\n          {\n            Action: [\n              'kms:Create*',\n              'kms:Describe*',\n              'kms:Enable*',\n              'kms:List*',\n              'kms:Put*',\n              'kms:Update*',\n              'kms:Revoke*',\n              'kms:Disable*',\n              'kms:Get*',\n              'kms:Delete*',\n              'kms:ScheduleKeyDeletion',\n              'kms:CancelKeyDeletion',\n            ],\n            Effect: 'Allow',\n            Principal: {\n              AWS: {\n                // eslint-disable-next-line no-template-curly-in-string\n                'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:root',\n              },\n            },\n            Resource: '*',\n            Sid: 'Allow administration of the key',\n          },\n          {\n            Action: [\n              'kms:Encrypt',\n              'kms:Decrypt',\n              'kms:ReEncrypt*',\n              'kms:GenerateDataKey*',\n              'kms:CreateGrant',\n              'kms:DescribeKey',\n            ],\n            Condition: {\n              StringEquals: {\n                'kms:CallerAccount': {\n                  // eslint-disable-next-line no-template-curly-in-string\n                  'Fn::Sub': '${AWS::AccountId}',\n                },\n                'kms:ViaService': 'sqs.us-east-1.amazonaws.com',\n              },\n            },\n            Effect: 'Allow',\n            Principal: {\n              AWS: '*',\n            },\n            Resource: '*',\n            Sid: 'Allow authorized SQS callers to access the key',\n          },\n          {\n            Action: [\n              'kms:Describe*',\n              'kms:Get*',\n              'kms:List*',\n              'kms:RevokeGrant',\n            ],\n            Effect: 'Allow',\n            Principal: {\n              AWS: {\n                // eslint-disable-next-line no-template-curly-in-string\n                'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:root',\n              },\n            },\n            Resource: '*',\n            Sid: 'Allow direct access to key metadata to the account',\n          },\n        ],\n        Version: '2012-10-17',\n      },\n      PendingWindowInDays: 7,\n    },\n    Type: 'AWS::KMS::Key',\n  };\n}\n"],
  "mappings": ";AAEO,SAAS,aAAwB;AACtC,SAAO;AAAA,IACL,YAAY;AAAA,MACV,WAAW;AAAA,QACT,WAAW;AAAA,UACT;AAAA,YACE,QAAQ,CAAC,eAAe,qBAAqB;AAAA,YAC7C,QAAQ;AAAA,YACR,WAAW;AAAA,cACT,SAAS;AAAA,YACX;AAAA,YACA,UAAU;AAAA,YACV,KAAK;AAAA,UACP;AAAA,UACA;AAAA,YACE,QAAQ;AAAA,cACN;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,YACF;AAAA,YACA,QAAQ;AAAA,YACR,WAAW;AAAA,cACT,KAAK;AAAA;AAAA,gBAEH,WAAW;AAAA,cACb;AAAA,YACF;AAAA,YACA,UAAU;AAAA,YACV,KAAK;AAAA,UACP;AAAA,UACA;AAAA,YACE,QAAQ;AAAA,cACN;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,YACF;AAAA,YACA,WAAW;AAAA,cACT,cAAc;AAAA,gBACZ,qBAAqB;AAAA;AAAA,kBAEnB,WAAW;AAAA,gBACb;AAAA,gBACA,kBAAkB;AAAA,cACpB;AAAA,YACF;AAAA,YACA,QAAQ;AAAA,YACR,WAAW;AAAA,cACT,KAAK;AAAA,YACP;AAAA,YACA,UAAU;AAAA,YACV,KAAK;AAAA,UACP;AAAA,UACA;AAAA,YACE,QAAQ;AAAA,cACN;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,YACF;AAAA,YACA,QAAQ;AAAA,YACR,WAAW;AAAA,cACT,KAAK;AAAA;AAAA,gBAEH,WAAW;AAAA,cACb;AAAA,YACF;AAAA,YACA,UAAU;AAAA,YACV,KAAK;AAAA,UACP;AAAA,QACF;AAAA,QACA,SAAS;AAAA,MACX;AAAA,MACA,qBAAqB;AAAA,IACvB;AAAA,IACA,MAAM;AAAA,EACR;AACF;",
  "names": []
}