AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Configure the AWSCloudFormationStackSetExecutionRole to enable use of your
  account as a target instance in AWS CloudFormation StackSet.
Parameters:
  ManagementAccountId:
    Type: String
    Description: Organization Management account Id where StackSet will be created
    MaxLength: 12
    MinLength: 12
  OrgAdminRoleName:
    Type: String
    Default: AWSCloudFormationStackSetExecutionRole
    Description: Organization admin role name
Resources:
  ExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Ref OrgAdminRoleName
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref ManagementAccountId
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess'