CustomResourceRole:
  Metadata:
    'aws:copilot:description': 'An IAM role {{- if .PermissionsBoundary}} with permissions boundary {{.PermissionsBoundary}} {{- end}} to manage certificates and Route53 hosted zones'
  Type: AWS::IAM::Role
  Condition: DelegateDNS
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        -
          Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
    {{- if .PermissionsBoundary}}
    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/{{.PermissionsBoundary}}'
    {{- end}}
    Path: /
    Policies:
      - PolicyName: "DNSandACMAccess"
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - "acm:ListCertificates"
                - "acm:RequestCertificate"
                - "acm:DescribeCertificate"
                - "acm:GetCertificate"
                - "acm:DeleteCertificate"
                - "acm:AddTagsToCertificate"
                - "sts:AssumeRole"
                - "logs:*"
                - "route53:ChangeResourceRecordSets"
                - "route53:Get*"
                - "route53:Describe*"
                - "route53:ListResourceRecordSets"
                - "route53:ListHostedZonesByName"
              Resource:
                - "*"