Create letslambda.yaml

letslambda.yaml

@@ -0,0 +1,150 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: A template for letslambda - 0.1
+Parameters:
+  Bucket:
+    Description: S3 Bucket name (not arn)
+    Type: String
+  Region:
+    Description: 'Region short code name where the S3 bucket is located (ie: eu-west-1)'
+    Type: String
+  KmsEncryptionKeyArn:
+    Description: Default KMS Encryption Key (arn) used to securely store your SSL
+      private keys. Use 'AES256' for S3 automatic encryption
+    Type: String
+    Default: AES256
+Conditions:
+  KmsArnProvided: !Not [!Equals [!Ref 'KmsEncryptionKeyArn', AES256]]
+Resources:
+  DenyUnEncryptedPrivKeyUploadsBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref 'Bucket'
+      PolicyDocument:
+        Statement:
+        - Sid: DenyUnEncryptedPrivKeyUploads
+          Action:
+          - s3:PutObject
+          Effect: Deny
+          Resource:
+          - !Join ['', ['arn:aws:s3:::', !Ref 'Bucket', /*.key.pem]]
+          - !Join ['', ['arn:aws:s3:::', !Ref 'Bucket', /*.key.rsa]]
+          Principal: '*'
+          Condition:
+            'Null':
+              s3:x-amz-server-side-encryption: 'true'
+  LetsLambdaKmsKeyManagedPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Allow lambda and selected EC2 instances to access the letslambda
+        KMS key
+      Path: /
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Action:
+          - kms:Decrypt
+          - kms:DescribeKey
+          - kms:Encrypt
+          - kms:GenerateDataKey*
+          - kms:ReEncrypt*
+          Resource:
+          - !If [KmsArnProvided, !Ref 'KmsEncryptionKeyArn', !Join ['', ['arn:aws:kms:',
+                !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':key/12345678-1234-1234-1234-123456789012']]]
+  LetsLambdaS3WriteManagedPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Allow lambda to save cryptographic material into user selected
+        S3 bucket
+      Path: /
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Action:
+          - s3:putObject
+          Resource:
+          - !Join ['', ['arn:aws:s3:::', !Ref 'Bucket', /*]]
+  LetsLambdaS3ReadManagedPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Allow lambda and selected EC2 instances to access cryptographic
+        material
+      Path: /
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Action:
+          - s3:getObject
+          - s3:ListBucket
+          Resource:
+          - !Join ['', ['arn:aws:s3:::', !Ref 'Bucket']]
+          - !Join ['', ['arn:aws:s3:::', !Ref 'Bucket', /*]]
+  LetsLambdaManagedPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Allow lambda to access Route53, ELB and IAM services
+      Path: /
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Action:
+          - logs:CreateLogGroup
+          - logs:CreateLogStream
+          - logs:PutLogEvents
+          - logs:DescribeLogStreams
+          - iam:DeleteServerCertificate
+          - iam:ListServerCertificates
+          - iam:UploadServerCertificate
+          - elasticloadbalancing:DescribeLoadBalancers
+          - elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
+          - route53:GetChange
+          - route53:ListHostedZonesByName
+          - route53:ListResourceRecordSets
+          - route53:ChangeResourceRecordSets
+          Resource:
+          - '*'
+  LambdaExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      ManagedPolicyArns:
+      - !Ref 'LetsLambdaManagedPolicy'
+      - !Ref 'LetsLambdaS3WriteManagedPolicy'
+      - !Ref 'LetsLambdaS3ReadManagedPolicy'
+      - !Ref 'LetsLambdaKmsKeyManagedPolicy'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+            - lambda.amazonaws.com
+          Action:
+          - sts:AssumeRole
+  LetsLambdaFunction:
+    Type: AWS::Lambda::Function
+    Properties:
+      Description: Renew all certificates from configuration via letsencrypt ACME
+      Handler: letslambda.lambda_handler
+      MemorySize: 128
+      Role: !GetAtt [LambdaExecutionRole, Arn]
+      Runtime: python2.7
+      Timeout: '240'
+      Code:
+        S3Bucket: !Ref 'Bucket'
+        S3Key: letslambda.zip
+  Scheduler:
+    Type: AWS::Events::Rule
+    Properties:
+      Description: Monthly scheduler for certificate renewal
+      Name: LetsLambda-Scheduler
+      ScheduleExpression: rate(30 days)
+      State: ENABLED
+      Targets:
+      - Arn: !GetAtt [LetsLambdaFunction, Arn]
+        Id: LetsLambdaTarget
+        Input: !Join ['', ['{"bucket": "', !Ref 'Bucket', '", "region": "', !Ref 'Region',
+            '", "defaultkey": "', !Ref 'KmsEncryptionKeyArn', '"}']]
+Outputs: {}