#    __author__ = "Amazon Detective"
#    __copyright__ = "Amazon 2020"
#    __credits__ = "Amazon Detective"
#    __license__ = "Apache"
#    __version__ = "1.1.0"
#    __maintainer__ = "Amazon Detective"
#    __email__ = "detective-demo-requests@amazon.com"
#    __status__ = "Production"
AWSTemplateFormatVersion: 2010-09-09
Description: Creates a new role to allow an administrator account to enable and manage Detective.

Parameters:
  AdministratorAccountId:
    Type: String
    Description: AWS Account Id of the administrator account (the account in which will recieve Detective findings from member accounts).
    MaxLength: 12
    MinLength: 12
  RoleName:
    Type: String
    Default: "ManageDetective"
    Description: RoleName to create IAM Role in the administrator account and each member account.
  CreateInstanceRole:
    Type: String
    Description: Select Yes to create an EC2 instance role that can be attached to an instance in the administrator account which will allow the instance to assume the exection role.  Select No if you plan to run the script locally or are creating the stack in a member account.
    AllowedValues: ["Yes", "No"]
Conditions:
  CreateInstanceRole: !Equals [!Ref CreateInstanceRole, "Yes"]
Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref AdministratorAccountId
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonDetectiveFullAccess
  InstanceRole:
    Type: AWS::IAM::Role
    Condition: CreateInstanceRole
    Properties:
      RoleName: !Join
                - ''
                - - !Ref RoleName
                  - 'InstanceRole'
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement: 
          - 
            Effect: "Allow"
            Principal: 
              Service: 
                - "ec2.amazonaws.com"
            Action: 
              - "sts:AssumeRole"
      Policies:
      -
        PolicyName: !Join
                    - ''
                    - - !Ref RoleName
                      - 'Policy'
        PolicyDocument: 
          Version: "2012-10-17"
          Statement: 
            - 
              Effect: "Allow"
              Action: "sts:AssumeRole"
              Resource: !Join ["", ["arn:aws:iam::*:role/",!Ref ExecutionRole]]
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Condition: CreateInstanceRole
    Properties: 
      Path: /
      Roles:
        - !Ref InstanceRole
      InstanceProfileName: EnableDetective