# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: 2010-09-09 Description: Creates a stack set execution IAM role in target accounts (staging, prod) for StackSet operations Parameters: EnvName: Type: String AllowedPattern: '[a-z0-9\-]*' Description: Please specify your data science environment/team name. Used as a suffix for environment resource names. EnvType: Description: System Environment (e.g. dev, staging, prod). Used as a suffix for environment resource names. Type: String Default: dev StackSetExecutionRoleName: Type: String Description: Name of the CloudFormation StackSet execution role. If empty, the name will be generated Default: '' AdministratorAccountId: Type: String Description: AWS Account Id of the account in which StackSets will be created (for multi-account deployment) MaxLength: 12 MinLength: 12 Outputs: StackSetExecutionRoleArn: Description: The ARN of the AWS CloudFormation StackSet execution role Value: !GetAtt SetupStackSetExecutionRole.Arn StackSetExecutionRoleName: Description: The name of the AWS CloudFormation StackSet execution role Value: !Select ['1', !Split [ '/', !Select ['5', !Split [':', !GetAtt SetupStackSetExecutionRole.Arn ]]]] Conditions: GenerateStackSetExecutionRoleName: !Equals [ !Ref StackSetExecutionRoleName, ''] Resources: # This role is used by StackSet operations in the target account to setup the infrastructure SetupStackSetExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: - !Ref AdministratorAccountId Action: - sts:AssumeRole Path: / RoleName: !If - GenerateStackSetExecutionRoleName - !Ref 'AWS::NoValue' - !Ref StackSetExecutionRoleName Policies: - PolicyName: !Sub "${EnvName}-${EnvType}-${AWS::Region}-stackset-execution-policy" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - 'cloudformation:Cancel*' - 'cloudformation:Continue*' - 'cloudformation:Create*' - 'cloudformation:Deactivate*' - 'cloudformation:Delete*' - 'cloudformation:Describe*' - 'cloudformation:Get*' - 'cloudformation:Detect*' - 'cloudformation:Execute*' - 'cloudformation:Estimate*' - 'cloudformation:List*' - 'cloudformation:Publish*' - 'cloudformation:Set*' - 'cloudformation:Register*' - 'cloudformation:Signal*' - 'cloudformation:Stop*' - 'cloudformation:Update*' - 'cloudformation:Validate*' - 'cloudformation:Test*' Resource: - !Sub 'arn:aws:cloudformation:*:${AWS::AccountId}:*' - Effect: Allow Action: - 's3:Get*' - 's3:List*' - 's3:Create*' - 's3:Head*' - 's3:Put*' - 's3:Upload*' Resource: - 'arn:aws:s3:::*' - Effect: Allow Action: - 'sns:Create*' - 'sns:Get*' - 'sns:List*' - 'sns:Publish' - 'sns:Set*' - 'sns:Subscribe' - 'sns:Tag*' - 'sns:Unsubscribe' - 'sns:Untag*' - 'sns:Add*' Resource: - 'arn:aws:sns:*:*:*' - Effect: Allow Action: - 'iam:Create*' - 'iam:Attach*' - 'iam:Add*' - 'iam:Delete*' - 'iam:Get*' - 'iam:Create*' - 'iam:List*' - 'iam:Put*' - 'iam:Tag*' - 'iam:Update*' - 'iam:Set*' - 'iam:Remove*' - 'iam:Detach*' Resource: - 'arn:*:iam::*:role/*StackSetExecution*' - 'arn:*:iam::*:role/*SageMakerModelExecution*' - Effect: Allow Action: - 'ec2:DescribeAvailabilityZones' - 'ec2:CreateTags' - 'ec2:DeleteTags' - 'ec2:DescribeTags' Resource: - '*' - Effect: Allow Action: - 'ssm:AddTagsToResource' - 'ssm:DeleteParameter' - 'ssm:GetParameter' - 'ssm:PutParameter' - 'ssm:RemoveTagsFromResource' Resource: - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:*' - Effect: Allow Action: - 'ssm:DeleteParameters' - 'ssm:GetParameters' Resource: - '*' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AmazonVPCFullAccess' Tags: - Key: EnvironmentName Value: !Ref EnvName - Key: EnvironmentType Value: !Ref EnvType