#
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
AWSTemplateFormatVersion: 2010-09-09
Description: >
  **WARNING**
  This template will create an EC2 instance profile and an associated IAM role which contain the permissions and
  policies required for the snapshot managment sample code. For production use the EC2 and SSM resources should
  be scoped down to just the instance ID that will have this EC2 profile attached.

Resources:
  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref Ec2InstanceProfileRole
      InstanceProfileName: 'SnapshotMgmt-Demo'

  Ec2InstanceProfileRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      RoleName: 'SnapshotMgmt-Demo'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
        - 'arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess'
      Policies:
        - PolicyName: SnapshotMgmt
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - ssm:SendCommand
                Resource:
                  - arn:aws:ssm:*:*:document/AWS-RunPowerShellScript
                  - arn:aws:ssm:*:*:document/AWSEC2-ManageVssIO
                  - arn:aws:ssm:*:*:document/AWSEC2-CreateVssSnapshot
                  - arn:aws:ssm:*:*:document/AWS-ConfigureAWSPackage
                  - arn:aws:ec2:*:*:instance/*
                  - arn:aws:ssm:*:*:managed-instance/*
              - Effect: Allow
                Action:
                  - ec2:CreateSnapshot
                Resource:
                  - arn:aws:ec2:*::snapshot/*
                  - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:volume/*'
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ec2:DescribeInstanceAttribute
                  - ec2:DescribeSnapshots
                  - ssm:DescribeInstanceInformation
                  - ssm:GetAutomationExecution
                  - ssm:ListCommandInvocations
                  - ssm:ListCommands
                # These actions don't support resource level permissions
                # must use all reseources '*'
                Resource: '*'
              - Effect: Allow
                Action:
                  - ec2:DeleteTags
                  - ec2:CreateTags
                Resource:
                  - arn:aws:ec2:*::snapshot/*