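---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Allows a Role/user to call the lambda to generate a URL for SageMaker Notebook'
Parameters:
  URLLambdaARN:
    Type: String
    Description: Lambda function ARN; used as a policy Resource in DeveloperPassRolePolicy.
  URLLambdaRole:
    Type: String
    Description: Role ARN that the Developer role is allowed to pass (iam:PassRole).
  # NOTE(review): the default is a bare role name, but the value is used as an
  # IAM principal (Principal.AWS) in DeveloperRole's trust policy, where an
  # account ID or ARN is expected. Confirm what callers are meant to pass here.
  AdminRole:
    Type: String
    Description: Principal added to the Developer role's trust policy.
    Default: IibsAdminAccess-DO-NOT-DELETE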

Resources:
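  # Inline policy attached to DeveloperRole: lets the Developer role pass the
  # Lambda execution role (URLLambdaRole) and call Lambda, plus read-only
  # CloudFormation visibility.
  DeveloperPassRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: 'DeveloperPassRoleToSageMakerNotebookManagedPolicy'
      Roles:
        # Ref on an AWS::IAM::Role returns the role name and creates the
        # dependency on DeveloperRole, so the name is not duplicated here and
        # no explicit DependsOn is needed.
        - !Ref DeveloperRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # NOTE(review): URLLambdaARN is a Lambda function ARN, but iam:GetRole
          # and iam:PassRole only match role ARNs, so this statement most likely
          # grants nothing; the URLLambdaRole statement below is the effective
          # one. Confirm the intent before removing it.
          - Effect: Allow
            Action:
              - iam:GetRole
              - iam:PassRole
            Resource: !Ref URLLambdaARN
          # NOTE(review): lambda:CreateFunction on '*' combined with iam:PassRole
          # on URLLambdaRole lets this principal run arbitrary code under
          # URLLambdaRole's permissions. If only the existing URL function is
          # meant to be called, drop CreateFunction and scope InvokeFunction to
          # !Ref URLLambdaARN.
          - Effect: Allow
            Action:
              - lambda:CreateFunction
              - lambda:InvokeFunction
            Resource: '*'
          # PassRole is limited to handing URLLambdaRole to the Lambda service;
          # the role cannot be attached to other services through this grant.
          - Effect: Allow
            Action:
              - iam:GetRole
              - iam:PassRole
            Resource: !Ref URLLambdaRole
            Condition:
              StringEquals:
                iam:PassedToService: lambda.amazonaws.com
          # Read-only: Describe* calls on any stack.
          - Effect: Allow
            Action:
              - cloudformation:Describe*
            Resource: '*'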

  # The role that developers (and Service Catalog on their behalf) operate as.
  DeveloperRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Developer
      Path: /
      # Trust policy: assumable by the Service Catalog service principal and by
      # the principal supplied through the AdminRole parameter.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - servicecatalog.amazonaws.com
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              AWS:
                - !Ref AdminRole
            Action:
              - sts:AssumeRole
      # AWS-managed policies attached to the role. Most are read-only;
      # AWSKeyManagementServicePowerUser and AWSLambdaENIManagementAccess grant
      # write access in their services — confirm both are required for the
      # URL-generation use case.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser'
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess'
        - 'arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess'

# Cross-stack export of the Developer role ARN.
Outputs:
  DeveloperRole:
    Description: Developer Role
    Value: !GetAtt DeveloperRole.Arn
    Export:
      Name: Developer-ARN