Description: "ServiceCatalog Glue Launch Role. (fdp-1p5rtglue)"
Resources:
  GlueLaunchRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - servicecatalog.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: GlueLaunchPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: GluePolicy
                Effect: Allow
                Action:
                  - catalog-user:*
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStackEvents
                  - cloudformation:DescribeStacks
                  - cloudformation:GetTemplateSummary
                  - cloudformation:SetStackPolicy
                  - cloudformation:ValidateTemplate
                  - cloudformation:UpdateStack
                  - s3:GetObject
                  - glue:*Crawler
                  - glue:*Database
                Resource: '*'
              - Sid: PassRole
                Effect: Allow
                Action: iam:PassRole
                Resource:  
                  - arn:aws:iam::*:role/*Glue*
                Condition:
                  ForAnyValue:StringEqualsIfExists:
                    iam:PassedToService:
                    - glue.amazonaws.com
Outputs:
    LaunchRoleArn:
        Value: !GetAtt GlueLaunchRole.Arn
    LaunchRoleName:
        Value: !Ref GlueLaunchRole