AWSTemplateFormatVersion: 2010-09-09
Description: AWS SaaS Factory Policy Engine Users and Roles for Proofs
Parameters:
  MultiTenantS3Bucket:
    Description: S3 bucket where you are storing your tenant folders
    Type: String
Resources:
  AssumingUser1:
    Description: User with no provided permissions.
    Type: AWS::IAM::User
    Properties:
      Policies:
        - PolicyName: inline-user-assume-role
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource: '*'
      UserName: assuming-user-1
  AssumingUser1AccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName:
        !Ref AssumingUser1
  IamAuthRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: role-for-assuming-policies
      Path: '/'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: !Sub ${AWS::StackName}-s3-tenant-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !Sub arn:aws:s3:::${MultiTenantS3Bucket}
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: !Sub arn:aws:s3:::${MultiTenantS3Bucket}/*
        - PolicyName: !Sub ${AWS::StackName}-dynamo-tenant-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:BatchGetItem
                  - dynamodb:Query
                  - dynamodb:DescribeTable
                Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/*
        - PolicyName: !Sub ${AWS::StackName}-sqs-tenant-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - sqs:DeleteMessageBatch
                  - sqs:SendMessageBatch
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                Resource: !Sub arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:*
        - PolicyName: !Sub ${AWS::StackName}-secretsmanager-tenant-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource: !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*
        - PolicyName: !Sub ${AWS::StackName}-parameter-store-tenant-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - ssm:GetParameters
                Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter:*
        - PolicyName: !Sub ${AWS::StackName}-efs-tenant-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - elasticfilesystem:DescribeAccessPoints
                  - elasticfilesystem:ClientMount
                  - elasticfilesystem:ClientWrite
                Resource: !Sub arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point:*
Outputs:
  AccessKey:
    Value: !Ref AssumingUser1AccessKey
    Description: AWSAccessKeyId of new user
  SecretKey:
    Value: !GetAtt AssumingUser1AccessKey.SecretAccessKey
    Description: AWSSecretAccessKey of new user