You need to upload the packaged resource handler (wrzasqpl-aws-passwordpolicy.zip
from GitHub Releases) to your S3 bucket. Afterwards you can deploy the following template:
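# CloudFormation template that registers the WrzasqPl::AWS::PasswordPolicy
# resource type from a handler package stored in S3 and makes the registered
# version the default one.
Resources:
  # Log group named in PasswordPolicyHandler.LoggingConfig; events are kept
  # for 14 days.
  LogGroup:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "/aws/cloudformation/type/WrzasqPl-AWS-PasswordPolicy/"
      RetentionInDays: 14

  # Role passed to the resource type as ExecutionRoleArn. It can read, change
  # and delete the account-wide IAM password policy, so the trust policy is
  # what keeps it from being borrowed by anything else.
  ExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "resources.cloudformation.amazonaws.com"
            Action: "sts:AssumeRole"
            # Confused-deputy guard: the service principal alone is shared by
            # every AWS account, so the role is only assumable on behalf of
            # this account and this resource type.
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref "AWS::AccountId"
              StringLike:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:type/resource/WrzasqPl-AWS-PasswordPolicy/*"
      Policies:
        - PolicyName: "ResourceTypePolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "iam:DeleteAccountPasswordPolicy"
                  - "iam:GetAccountPasswordPolicy"
                  - "iam:UpdateAccountPasswordPolicy"
                # The password policy is an account-level setting with no ARN
                # of its own, so these actions cannot be scoped further.
                Resource:
                  - "*"

  # Role passed to the resource type as LogRoleArn for log and metric delivery.
  LoggingRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "resources.cloudformation.amazonaws.com"
            Action: "sts:AssumeRole"
            # Same confused-deputy guard, limited to the account condition.
            # NOTE(review): an aws:SourceArn restriction like the one on
            # ExecutionRole may also apply here; confirm before adding it.
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref "AWS::AccountId"
      Policies:
        - PolicyName: "AllowSendingMetrics"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cloudwatch:ListMetrics"
                  - "cloudwatch:PutMetricData"
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:DescribeLogGroups"
                  - "logs:DescribeLogStreams"
                  - "logs:PutLogEvents"
                # NOTE(review): the logs:* actions can probably be narrowed to
                # the LogGroup above; kept as published because the resources
                # touched during log delivery are not shown here. Verify
                # before tightening.
                Resource:
                  - "*"

  # Registers one version of the resource type from the uploaded package.
  PasswordPolicyHandler:
    Type: "AWS::CloudFormation::ResourceVersion"
    Properties:
      ExecutionRoleArn: !GetAtt "ExecutionRole.Arn"
      LoggingConfig:
        LogGroupName: !Ref "LogGroup"
        LogRoleArn: !GetAtt "LoggingRole.Arn"
      # The code in this archive runs under ExecutionRole. Check the download
      # against the published release before uploading, and restrict write
      # access to the object: whoever can replace it controls what the next
      # registration executes.
      SchemaHandlerPackage: "s3://your-bucket-name/wrzasqpl-aws-passwordpolicy.zip"
      TypeName: "WrzasqPl::AWS::PasswordPolicy"

  # Makes the version registered above the default for this resource type.
  PasswordPolicyVersion:
    Type: "AWS::CloudFormation::ResourceDefaultVersion"
    Properties:
      TypeVersionArn: !Ref "PasswordPolicyHandler"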
The easiest way to distribute such a package would be the AWS Serverless Repository, but unfortunately it doesn't support the AWS::CloudFormation::ResourceVersion
and AWS::CloudFormation::ResourceDefaultVersion
resource types.