CloudOps Orchestration Service: ACS-KMS-BulkySetDeletionProtection

Last Updated: Nov 22, 2024

Template name

ACS-KMS-BulkySetDeletionProtection

Template description

Enables deletion protection for a customer master key (CMK).

Template type

Automated

Owner

Alibaba Cloud

Input parameters

| Parameter | Description | Type | Required | Default value | Limit |
| --- | --- | --- | --- | --- | --- |
| keyId | The key ID. | String | Yes | | |
| regionId | The region ID. | String | No | {{ ACS::RegionId }} | |
| rateControl | The rate control settings. | Json | No | {'Mode': 'Concurrency', 'MaxErrors': 0, 'Concurrency': 10} | |
| OOSAssumeRole | The RAM role that is assumed by CloudOps Orchestration Service (OOS). | String | No | "" | |

Output parameters

None

Permission policy that is required to execute the template

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "kms:DescribeKey",
                "kms:SetDeletionProtection"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

References

For more information, see ACS-KMS-BulkySetDeletionProtection.yml on GitHub.

Template content

FormatVersion: OOS-2019-06-01
Description:
  en: Enable deletion protection for CMK
  name-en: ACS-KMS-BulkySetDeletionProtection
  categories:
    - security
Parameters:
  regionId:
    Label:
      en: RegionId
    Type: String
    AssociationProperty: RegionId
    Default: '{{ ACS::RegionId }}'
  keyId:
    Label:
      en: The ids of key
    Type: String
  rateControl:
    Label:
      en: RateControl
    Type: Json
    AssociationProperty: RateControl
    Default:
      Mode: Concurrency
      MaxErrors: 0
      Concurrency: 10
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: describeKey
    Action: ACS::ExecuteAPI
    Description:
      en: Query the arn of key
    Properties:
      Service: KMS
      API: DescribeKey
      Parameters:
        RegionId: '{{ regionId }}'
        KeyId: '{{ keyId }}'
    Outputs:
      arn:
        Type: List
        ValueSelector: '.KeyMetadata.Arn'
  - Name: setDeletionProtection
    Action: ACS::ExecuteAPI
    Description:
      en: Enable deletion protection for CMK.
    Properties:
      Service: KMS
      API: SetDeletionProtection
      Parameters:
        RegionId: '{{ regionId }}'
        ProtectedResourceArn: '{{ ACS::TaskLoopItem }}'
        EnableDeletionProtection: true
    Loop:
      RateControl: '{{ rateControl }}'
      Items: '{{ describeKey.arn }}'
Metadata:
  ALIYUN::OOS::Interface:
    ParameterGroups:
      - Parameters:
          - regionId
          - keyId
        Label:
          default:
            en: Select KMS Key
      - Parameters:
          - rateControl
          - OOSAssumeRole
        Label:
          default:
            en: Control Options
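
An audit sketch for the two tasks above, added here as an example and not part of Alibaba Cloud's template: it reads saved DescribeKey responses, lists the key ARNs that do not report deletion protection as enabled, and builds the SetDeletionProtection parameters the template's loop would send for them. The sample responses, account ID and key IDs are constructed, the function names are hypothetical, and the KeyMetadata.DeletionProtection field with the value "Enabled" is an assumption about the DescribeKey response.

```python
import json

# Constructed DescribeKey responses (placeholder account ID and key IDs, not real keys).
# Assumption: KeyMetadata.DeletionProtection reads "Enabled" or "Disabled".
SAMPLE_RESPONSES = [
    '{"KeyMetadata": {"KeyId": "key-example-0001", "DeletionProtection": "Enabled",'
    ' "Arn": "acs:kms:cn-hangzhou:123456789012:key/key-example-0001"}}',
    '{"KeyMetadata": {"KeyId": "key-example-0002", "DeletionProtection": "Disabled",'
    ' "Arn": "acs:kms:cn-hangzhou:123456789012:key/key-example-0002"}}',
    # Field absent: treated as unprotected rather than assumed safe.
    '{"KeyMetadata": {"KeyId": "key-example-0003",'
    ' "Arn": "acs:kms:cn-hangzhou:123456789012:key/key-example-0003"}}',
]


def unprotected_arns(responses):
    """Return the ARNs of keys that do not report deletion protection as enabled."""
    missing = []
    for raw in responses:
        meta = json.loads(raw).get("KeyMetadata") or {}
        arn = meta.get("Arn")  # same value the template selects with .KeyMetadata.Arn
        if not arn:
            raise ValueError("DescribeKey response has no KeyMetadata.Arn")
        if meta.get("DeletionProtection") != "Enabled":
            missing.append(arn)
    return missing


def set_protection_requests(region_id, arns):
    """Build one SetDeletionProtection parameter set per ARN, as the template's loop does."""
    return [
        {"RegionId": region_id, "ProtectedResourceArn": arn, "EnableDeletionProtection": True}
        for arn in arns
    ]


if __name__ == "__main__":
    todo = unprotected_arns(SAMPLE_RESPONSES)
    for request in set_protection_requests("cn-hangzhou", todo):
        print(json.dumps(request))
```

Running the same check again after the template execution finishes should return an empty list for the keys that were passed in.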