# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: CC-BY-SA-4.0

AWSTemplateFormatVersion: '2010-09-09'

Description: |
  Creates IAM service role for EC2 and an EC2 instance profile to support "no-ingress EC2 instance" for Cloud9
  https://docs.aws.amazon.com/cloud9/latest/user-guide/ec2-ssm.html

Parameters:
  pPermissionsBoundaryName:
    Description: |
      Name (not ARN) of the permissions boundary policy to attach to the role
    Type: String

Resources:
  AWSCloud9SSMAccessRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: AWSCloud9SSMAccessRole
        Description: Service role for Cloud9 access
        Path: /service-role/
        PermissionsBoundary: !Sub "arn:aws:iam::${AWS::AccountId}:policy/${pPermissionsBoundaryName}"
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/AWSCloud9SSMInstanceProfile
        AssumeRolePolicyDocument: |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": {
                  "Service": [
                    "ec2.amazonaws.com",
                    "cloud9.amazonaws.com"
                  ]
                },
                "Action": "sts:AssumeRole"
              }
            ]
          }

  AWSCloud9SSMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: AWSCloud9SSMInstanceProfile
      Path: /cloud9/
      Roles:
        - !Ref AWSCloud9SSMAccessRole