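AWSTemplateFormatVersion: 2010-09-09

# Grants a remote console account administrator access to this account through
# a cross-account role, then pushes the role's ARN to the console over HTTPS
# (IntegrationUrl) from a custom-resource Lambda.
#
# Trust model: any principal in AccountId that knows ExternalId can assume
# ConsoleRole, which carries AdministratorAccess. Treat ExternalId as a secret
# and AccountId as the single trusted tenant.

Parameters:
  AccountId:
    # Account permitted to assume ConsoleRole (used verbatim as the AWS principal).
    Type: String
  ExternalId:
    # Confused-deputy guard on the trust policy. NoEcho keeps the value out of
    # DescribeStacks output and the console.
    Type: String
    NoEcho: true
  IntegrationUrl:
    # Endpoint that receives the role ARN. The handler uses Node's https module,
    # so a non-https URL fails the request (and the stack) instead of sending
    # the ARN in clear text.
    Type: String

Outputs:
  Role:
    Value: !GetAtt ConsoleRole.Arn

Resources:
  ConsoleRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal: { AWS: !Ref AccountId }
            # Every AssumeRole call from AccountId must present ExternalId.
            Condition: { StringEquals: { "sts:ExternalId": !Ref ExternalId } }
      ManagedPolicyArns:
        # Full administrator access for the console; this is the blast radius
        # of a leaked AccountId + ExternalId pair.
        - arn:aws:iam::aws:policy/AdministratorAccess
      Path: /convox/

  Notifier:
    # Invokes NotifierHandler on Create/Update/Delete so the console learns the
    # role ARN; stack deletion sends a DELETE so the console can forget it.
    Type: AWS::CloudFormation::CustomResource
    Version: "1.0"
    Properties:
      ServiceToken: !GetAtt NotifierHandler.Arn
      IntegrationUrl: !Ref IntegrationUrl
      Role: !GetAtt ConsoleRole.Arn

  NotifierHandler:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          var https = require('https');
          var url = require('url');

          // Custom-resource handler: sends the ConsoleRole ARN to IntegrationUrl
          // (PUT on Create/Update, DELETE on Delete), then reports SUCCESS/FAILED
          // to CloudFormation. Every path must answer: an unanswered custom
          // resource stalls the stack for up to an hour.
          exports.handler = function(event, context) {
            var answered = false;
            // Report exactly once, whichever of response/error/timeout fires first.
            function finish(status, reason) {
              if (answered) { return; }
              answered = true;
              respond(event, context, status, {}, reason);
            }
            try {
              var body = JSON.stringify({ role: event.ResourceProperties.Role });
              var options = url.parse(event.ResourceProperties.IntegrationUrl);
              options.method = event.RequestType === 'Delete' ? 'DELETE' : 'PUT';
              options.headers = {
                'Content-Type': 'application/json',
                // Content-Length counts bytes, not UTF-16 units.
                'Content-Length': Buffer.byteLength(body)
              };
              var req = https.request(options, function(res) {
                console.log('status', res.statusCode);
                // NOTE(review): a non-2xx from the console is still reported as
                // SUCCESS, so a rejected notification does not fail the stack.
                res.resume();
                finish('SUCCESS');
              });
              // Fail fast rather than hit the function timeout with no answer.
              req.setTimeout(30000, function() {
                req.destroy(new Error('integration request timed out'));
              });
              req.on('error', function(err) {
                console.log('err', err);
                finish('FAILED', String(err));
              });
              req.write(body);
              req.end();
            } catch (err) {
              // e.g. an unparseable or non-https IntegrationUrl.
              console.log('err', err);
              finish('FAILED', String(err));
            }
          };

          // PUTs the result to the pre-signed ResponseURL. status must be 'SUCCESS'
          // or 'FAILED' (CloudFormation accepts nothing else); Reason is required
          // for FAILED and defaults to a pointer at this invocation's log stream.
          function respond(event, context, status, data, reason) {
            var body = JSON.stringify({
              Status: status,
              Reason: reason || ('See CloudWatch log stream: ' + context.logStreamName),
              PhysicalResourceId: event.ResourceProperties.Role,
              StackId: event.StackId,
              RequestId: event.RequestId,
              LogicalResourceId: event.LogicalResourceId,
              Data: data
            });
            var options = url.parse(event.ResponseURL);
            options.method = 'PUT';
            // Content-Type stays empty, as in AWS's reference handler; a different
            // value can invalidate the pre-signed S3 signature.
            options.headers = { 'Content-Type': '', 'Content-Length': Buffer.byteLength(body) };
            var req = https.request(options, function(res) {
              console.log('status', res.statusCode);
              context.done();
            });
            req.on('error', function(err) {
              console.log('err', err);
              context.done();
            });
            req.write(body);
            req.end();
          }
      Handler: index.handler
      Role: !GetAtt NotifierHandlerRole.Arn
      # NOTE(review): nodejs16.x is past Lambda end-of-support. The code uses only
      # https, url and Buffer and should run unchanged on nodejs18.x or later;
      # confirm and bump.
      Runtime: nodejs16.x
      Timeout: 60

  NotifierHandlerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs only. The handler makes no AWS API calls, so the
        # former inline lambda:GetFunction on "*" was unused and is dropped.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Path: /convox/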