AWSTemplateFormatVersion: 2010-09-09
Parameters:
  LicenseKey:
    Type: String
    Description: The New Relic account license key
    NoEcho: true
  SecretName:
    Type: String
    Description: The friendly name for the license key secret
    Default: NEW_RELIC_LICENSE_KEY
  PolicyName:
    Type: String
    Description: Policy name of the policy to use to allow access to the license key secret.
    Default: NewRelic-ViewLicenseKey
  LicenseKeySecretExportName:
    Type: String
    Default: NewRelic-LicenseKeySecretARN
  ViewPolicyExportName:
    Type: String
    Default: NewRelic-ViewLicenseKeyPolicyARN
  Region:
    Type: String

Resources:
  LicenseKeySecret:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Description: The New Relic license key, for sending telemetry
      Name: !Sub "${SecretName}"
      SecretString: !Sub '{ "LicenseKey": "${LicenseKey}" }'
  ViewNewRelicLicenseKeyPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: !Sub
        - ${PolicyName}-${Region}
        - { PolicyName: !Ref PolicyName, Region: !Ref Region }
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'secretsmanager:GetSecretValue'
            Resource: !Ref LicenseKeySecret

Outputs:
  LicenseKeySecretARN:
    Description: The ARN of the LicenseKey Secret
    Value: !Ref LicenseKeySecret
    Export:
      Name: !Sub "${AWS::StackName}-${LicenseKeySecretExportName}"
  ViewPolicyARN:
    Description: The ARN of the LicenseKey Secret's view policy
    Value: !Ref ViewNewRelicLicenseKeyPolicy
    Export:
      Name: !Sub "${AWS::StackName}-${ViewPolicyExportName}"