cloudar_acm_plus/cfn.yaml at main · WeAreCloudar/cloudar_acm_plus · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
AWSTemplateFormatVersion: "2010-09-09"
Description: >
    This template deploys a custom resource and acm certificate.
Parameters:

  DomainName:
    Description: the domainname for the env
    Type: String
  ArtifactBucket:
    Description: the artifact bucket
    Type: String


  DnsService:
    Description: "Route53, MenAndMice"
    Type: String
    AllowedValues:
      - Route53
      - MenAndMice

  # Only needed if DnsService is Route53
  HostedZoneId:
    Description: The hostedzone id for the env domain
    Type: String
    Default: ""

  # Only needed if DnsService is not Route53
  HostedZoneName:
    Type: String
    Default: ""
  DnsApiCredentialLocation:
    Type: String
    Default: "/menandmice/"

Resources:

  CreateCertificatesFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ["/", ["/aws/lambda", !Ref CreateCertificatesFunction]]
      RetentionInDays: 7

  CreateCertificatesFunction:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Timeout: 800
      Role: !GetAtt CreateCertificatesFunctionExecutionRole.Arn
      Runtime: python3.7
      Code:
        S3Bucket: !Sub ${ArtifactBucket}
        S3Key: "cloudar-acm-plus-custom-resource.zip"
      # VPC Config is only needed if you want to run this lambda in your VPC
      # VpcConfig:
      #   SecurityGroupIds:
      #     - <YOUR Security Group>
      #   SubnetIds:
      #     - <YOUR SUBNET A>
      #     - <YOUR SUBNET B>
      #     - <YOUR SUBNET C>

  CreateCertificatesFunctionExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: ['sts:AssumeRole']
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess
        - arn:aws:iam::aws:policy/AmazonRoute53FullAccess
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
        - arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess
      Policies:
        - PolicyName: ssmAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - ssm:GetParametersByPath
                  - ssm:GetParameter
                Effect: Allow
                Resource:
                  - !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/menandmice/
                  - !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/menandmice/*

  CreateCertificateCustomResource:
    Type: Custom::CreateCertificates
    Properties:
      ServiceToken: !GetAtt CreateCertificatesFunction.Arn
      DnsService: !Ref DnsService
      DomainName: !Ref DomainName
      ValidationDomain: !Ref DomainName
      HostedZoneId: !Ref HostedZoneId
      CertificateRegion: !Ref AWS::Region
      IdempotencyToken: CreateCertificateCustomResource
      CertificateTags:
        - Key: Name
          Value: !Ref DomainName

Outputs:
  CreateCertificateCustomResource:
    Description: The arn of the certificate created by CreateCertificateCustomResource
    Value: !GetAtt CreateCertificateCustomResource.certificate_arn