## Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
## SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: '2010-09-09'
Description: Setup AWS CloudProvider for Spinnaker
Parameters:
  AuthArn:
    Description: ARN which Spinnaker is using. It should be the ARN either of the IAM user or the EC2 Instance Role, which is used by Spinnaker in Managing Account
    Type: String
  ManagingAccountId:
    Description: AWS Account number, in which Spinnaker is running
    Type: String

Resources:

  SpinnakerManagedRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SpinnakerManaged
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              AWS: !Ref AuthArn
        Version: '2012-10-17'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/PowerUserAccess

  SpinnakerManagedPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref SpinnakerManagedRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: iam:PassRole
            Effect: Allow
            Resource: "*" # You should restrict this only to certain set of roles, if required
      PolicyName: SpinnakerPassRole

  SpinnakerBaseIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: BaseIAMRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"

  SpinnakerBaseInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
      - !Ref SpinnakerBaseIAMRole
      InstanceProfileName: BaseIAMRole

Outputs:

  SpinnakerManagedRole:
    Description: Spinnaker Managed Role
    Value: !Ref SpinnakerManagedRole

  SpinnakerManagedPolicy:
    Description: Spinnaker Managed Policy
    Value: !Ref SpinnakerManagedPolicy