#  Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
#  the License. A copy of the License is located at
#      http://aws.amazon.com/apache2.0/
#  or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
#  CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
#  limitations under the License.

AWSTemplateFormatVersion: '2010-09-09'
Description: Roles to be assumed by CodePipeline service and Custom Lambda resource cross account
Parameters:
  S3Bucket:
    Description: S3 Bucket in Tools Account, which holds the artifacts built by codebuild & codepipeline
    Type: String
  ToolsAccount:
    Description: AWS AccountNumber for Tools Account
    Type: Number
  NonProdAccount:
    Description: AWS AccountNumber for the Non Prod Account that needs to assume these role
    Type: Number
  CMKARN:
    Description: ARN of the KMS CMK created in Tools account; required to decrypt data in S3Bucket
    Type: String
Resources:
  CodePipelineActionServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              AWS:
                - !Ref ToolsAccount
            Action:
              - sts:AssumeRole
      Path: /
  CodePipelineActionServicePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub ${AWS::StackName}-CodePipelineActionServicePolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Action:
              - cloudformation:*
              - s3:*
              - iam:PassRole
            Resource: "*"
          -
            Effect: Allow
            Action:
              - kms:*
            Resource: !Ref CMKARN
      Roles:
        -
          !Ref CodePipelineActionServiceRole
  CloudFormationServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
  CloudFormationServicePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub ${AWS::StackName}-CloudFormationServicePolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Action:
              - lambda:AddPermission
              - lambda:CreateFunction
              - lambda:DeleteFunction
              - lambda:InvokeFunction
              - lambda:RemovePermission
              - lambda:UpdateFunctionCode
              - lambda:GetFunctionConfiguration
              - lambda:GetFunction
              - lambda:UpdateFunctionConfiguration
              - events:*
              - iam:CreateRole
              - iam:CreatePolicy
              - iam:GetRole
              - iam:DeleteRole
              - iam:PassRole
              - iam:PutRolePolicy
              - iam:DeleteRolePolicy
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
              - cloudformation:*
              - sns:CreateTopic
              - sns:DeleteTopic
              - sns:Subscribe
              - sns:Unsubscribe
              - sns:GetTopicAttributes
              - sns:SetTopicAttributes
              - sns:ListSubscriptionsByTopic
              - dynamodb:CreateTable
              - dynamodb:DeleteTable
              - dynamodb:DescribeTable
              - apigateway:*
              - s3:*
            Resource: "*"
          -
            Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetBucketPolicy
              - s3:GetObject
              - s3:ListBucket
            Resource:
             - !Join ['',['arn:aws:s3:::',!Ref S3Bucket, '/*']]
             - !Join ['',['arn:aws:s3:::',!Ref S3Bucket]]
          -
            Effect: Allow
            Action:
              - sns:ListSubscriptionsByTopic
            Resource:
             - !Sub arn:aws:sns:${AWS::Region}:${NonProdAccount}:*
      Roles:
        -
          !Ref CloudFormationServiceRole
  CustomCrossAccountServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${NonProdAccount}:root
            Action:
              - sts:AssumeRole
      Path: /
  CustomCrossAccountServicePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub ${AWS::StackName}-CustomCrossAccountServicePolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Action:
              - cloudformation:*
            Resource: "*"
          -
            Effect: Allow
            Action:
              - logs:*
            Resource: "arn:aws:logs:*:*:*"
      Roles:
        -
          !Ref CustomCrossAccountServiceRole

Outputs:
  CodePipelineActionServiceRole:
    Value: !GetAtt CodePipelineActionServiceRole.Arn
    Export:
        Name: !Sub ${AWS::StackName}-CodePipelineActionServiceRole
  CloudFormationServiceRole:
    Value: !GetAtt CloudFormationServiceRole.Arn
    Export:
        Name: !Sub ${AWS::StackName}-CloudFormationServiceRole
  CustomCrossAccountServiceRole:
    Value: !GetAtt CustomCrossAccountServiceRole.Arn
    Export:
        Name: !Sub ${AWS::StackName}-CustomCrossAccountServiceRole