AWSTemplateFormatVersion: "2010-09-09" Description: Template to generate minimum required permissions to run serverless domain manager plugin Outputs: ServerlessDomainManagerDeployPolicyArn: Description: Serverless domain manager deployment iam policy arn Value: Ref: ServerlessDomainManagerDeployPolicy Parameters: HostedZoneId: AllowedPattern: '[A-Za-z0-9]+' Description: ID of the hosted zone to grant permissions to Type: String Resources: ServerlessDomainManagerDeployPolicy: Type: "AWS::IAM::ManagedPolicy" Properties: PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - apigateway:AddCertificateToDomain - apigateway:RemoveCertificateFromDomain Resource: !Sub arn:aws:apigateway:${AWS::Region}::/domainnames* - Effect: Allow Action: - apigateway:DELETE - apigateway:GET - apigateway:PATCH - apigateway:POST Resource: !Sub arn:aws:apigateway:${AWS::Region}::/apis* !Sub arn:aws:apigateway:${AWS::Region}::/domainnames* !Sub arn:aws:apigateway:${AWS::Region}::/restapis* - Effect: Allow Action: - cloudfront:UpdateDistribution Resource: '*' - Effect: Allow Action: - route53:ListHostedZones Resource: '*' - Effect: Allow Action: - acm:ListCertificates - acm:DescribeCertificate Resource: '*' - Effect: Allow Action: - route53:ChangeResourceRecordSets - route53:GetHostedZone - route53:ListResourceRecordSets Resource: !Sub arn:aws:route53:::hostedzone/${HostedZoneId} - Effect: Allow Action: - iam:CreateServiceLinkedRole Resource: - !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway