---
AWSTemplateFormatVersion: "2010-09-09"

Resources:
  SSMDocumentRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - events.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /     # optional
      Policies:                # optional, list of Policy
        - PolicyName: ssmroot
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: ssm:SendCommand
                Resource: "*"
      RoleName: SSM-DOCUMENT-ROLE     # optional

  EventRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - events.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /    # optional
      Policies:                # optional, list of Policy
        - PolicyName: eventroot
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: AllowCloudwatchAccess
                Effect: Allow
                Action: cloudwatch:*
                Resource: "*"
              - Sid: IAMPass
                Effect: Allow
                Action: iam:PassRole
                Resource: "*"
      RoleName: EVENT-RULE-ROLE