@andrepearce
Created August 13, 2019 01:13
Certbot Route53 plugin AWS IAM Account & Policy CloudFormation Template
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS IAM account & policy CloudFormation template for Certbot Route53 plugin
Parameters:
  CertbotServiceUserName:
    Type: String
    Description: Certbot service user name
    Default: service.certbot
    AllowedPattern: \S+
    ConstraintDescription: Parameter requires at least one non-whitespace character
  CertbotManagedHZ:
    Type: String
    Description: Hosted Zone ID pattern that the Certbot service account will be given access to
    AllowedPattern: \S+
    ConstraintDescription: Parameter requires at least one non-whitespace character
Resources:
  CertbotServiceUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref CertbotServiceUserName
      Policies:
        - PolicyName: CertbotHostedZoneAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only calls the plugin needs to find the zone and poll the change status;
              # neither action supports resource-level scoping, hence '*'.
              - Effect: Allow
                Action:
                  - route53:ListHostedZones
                  - route53:GetChange
                Resource:
                  - '*'
              # The only write permission, limited to the hosted zone given as a parameter.
              - Effect: Allow
                Action:
                  - route53:ChangeResourceRecordSets
                Resource:
                  - !Sub 'arn:aws:route53:::hostedzone/${CertbotManagedHZ}'
  CertbotAccessKey:
    Type: AWS::IAM::AccessKey
    DependsOn: CertbotServiceUser
    Properties:
      UserName: !Ref CertbotServiceUserName
Outputs:
  CertbotAccessKeyId:
    Description: Access Key ID for the Certbot service account
    Value: !Ref CertbotAccessKey
  # Note: stack outputs are visible to any principal allowed cloudformation:DescribeStacks,
  # so the secret below is readable beyond whoever created the stack.
  CertbotSecretAccessKey:
    Description: Secret Access Key for the Certbot service account
    Value: !GetAtt CertbotAccessKey.SecretAccessKey
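An added check for the policy this template produces (example code, not part of the gist): it emulates the `!Sub` substitution of `CertbotManagedHZ`, then audits the rendered policy so that the write permission stays pinned to one hosted zone and no action outside the three the template grants slips in. The policy dictionary is transcribed from the template above, and the assumption that a hosted zone ID is a single uppercase alphanumeric token (so a `*` "pattern" is flagged) is mine.

```python
import json
import re

# Transcribed from the template's PolicyDocument (constructed for this example);
# the ${CertbotManagedHZ} placeholder stands in for CloudFormation's !Sub.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:GetChange"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": ["arn:aws:route53:::hostedzone/${CertbotManagedHZ}"]},
    ],
}

# The only actions the template grants; anything beyond this set is excess privilege.
EXPECTED_ACTIONS = {"route53:ListHostedZones", "route53:GetChange",
                    "route53:ChangeResourceRecordSets"}
ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/"
# Assumption: a hosted zone ID is one literal token, never a wildcard pattern.
ZONE_ID = re.compile(r"^[A-Z0-9]+$")


def render_policy(hosted_zone_param: str) -> dict:
    """Emulate !Sub: replace ${CertbotManagedHZ} with the parameter value."""
    text = json.dumps(POLICY_TEMPLATE).replace("${CertbotManagedHZ}", hosted_zone_param)
    return json.loads(text)


def audit_policy(policy: dict) -> list:
    """Return findings; an empty list means the rendered policy is scoped as intended."""
    findings = []
    for stmt in policy["Statement"]:
        actions = set(stmt["Action"])
        for extra in sorted(actions - EXPECTED_ACTIONS):
            findings.append(f"unexpected action granted: {extra}")
        if "route53:ChangeResourceRecordSets" not in actions:
            continue  # read-only statement; '*' is acceptable there
        for resource in stmt["Resource"]:
            zone = resource[len(ZONE_ARN_PREFIX):] if resource.startswith(ZONE_ARN_PREFIX) else ""
            if not ZONE_ID.match(zone):
                findings.append(f"record changes not limited to one hosted zone: {resource}")
    return findings


if __name__ == "__main__":
    print(audit_policy(render_policy("Z0123456789EXAMPLE")))  # constructed zone ID -> []
    print(audit_policy(render_policy("*")))                   # wildcard -> one finding
```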