# * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. # * # * Permission is hereby granted, free of charge, to any person obtaining a copy of this # * software and associated documentation files (the "Software"), to deal in the Software # * without restriction, including without limitation the rights to use, copy, modify, # * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to # * permit persons to whom the Software is furnished to do so. # * # * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, # * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A # * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT # * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION # * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE # * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. AWSTemplateFormatVersion: 2010-09-09 Description: Create Service Catalog Resources Parameters: PolicyName: Description: Service Catalog Product Policy Name Type: String DeploymentBucketName: Description: Name of S3 Deploymenbt Bucket Type: String PortfolioDescription: Description: Service Catalog Portfolio Description Type: String PortfolioName: Description: Service Catalog Portfolio Name Type: String AccessRoleName: Description: Name of IAM Role that will have access to products in portfolio Type: String Default: '' AccessUserName: Description: Name of IAM User that will have access to products in portfolio Type: String Default: '' Conditions: HasAccessRole: !Not [!Equals [!Ref AccessRoleName, '']] HasAccessUser: !Not [!Equals [!Ref AccessUserName, '']] Resources: SCProductPolicy: Type: 'AWS::IAM::ManagedPolicy' Properties: ManagedPolicyName: !Ref PolicyName Description: "Policy for Service Catalog Product Resources" Path: "/" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "catalog-user:*" - "cloudformation:CreateStack" - "cloudformation:DeleteStack" - "cloudformation:DescribeStackEvents" - "cloudformation:DescribeStacks" - "cloudformation:GetTemplateSummary" - "cloudformation:SetStackPolicy" - "cloudformation:ValidateTemplate" - "cloudformation:UpdateStack" - "ec2:*" - "s3:GetObject" - "sns:*" Resource: "*" - Effect: "Allow" Action: - "lambda:InvokeFunction" Resource: - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:sc-product-selector' - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:sc-resource-selector' - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:sc-resource-compliance' Portfolio: Type: "AWS::ServiceCatalog::Portfolio" Properties: ProviderName: 'My Organization' Description: !Ref PortfolioDescription DisplayName: !Ref PortfolioName PortfolioAccessRole: Type: "AWS::ServiceCatalog::PortfolioPrincipalAssociation" Condition: HasAccessRole Properties: PrincipalARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${AccessRoleName}' PortfolioId: !Ref Portfolio PrincipalType: IAM PortfolioAccessUser: Type: "AWS::ServiceCatalog::PortfolioPrincipalAssociation" Condition: HasAccessUser Properties: PrincipalARN: !Sub 'arn:aws:iam::${AWS::AccountId}:user/${AccessUserName}' PortfolioId: !Ref Portfolio PrincipalType: IAM Outputs: PolicyArn: Value: !Ref SCProductPolicy Export: Name: !Sub ${AWS::StackName}-PolicyArn PortfolioId: Value: !Ref Portfolio Export: Name: !Sub ${AWS::StackName}-PortfolioId