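---
# CloudFormation template that creates a single IAM role. Per the
# Description and the trust policy, it is meant to be used as an AWS Service
# Catalog launch role for serverless products: Service Catalog assumes it and
# provisions the product's resources with the permissions listed below.
Description: "ServiceCatalog Serverless Launch Role. (fdp-1p5s1035k)"
Resources:
  SCServerlessLaunchRole:
    Type: 'AWS::IAM::Role'
    Properties:
      # Fixed role name: deploying this template needs CAPABILITY_NAMED_IAM,
      # and because IAM role names are unique per account the stack can only
      # exist once per account (a second copy, in any region, will collide).
      RoleName: SCServerlessLaunchRole
      # Trust policy: only the Service Catalog service principal may assume
      # the role. No human or workload principal is trusted directly.
      AssumeRolePolicyDocument:
        # Quoted so YAML parsers keep it a string instead of typing it as a
        # date.
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - servicecatalog.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        # One inline policy with a single Allow statement on Resource '*'.
        #
        # NOTE(review): this is broader than least privilege. Points to
        # tighten before using it in a shared or production account:
        #   * iam:PassRole has no resource scoping and no iam:PassedToService
        #     condition. Combined with iam:CreateRole and iam:PutRolePolicy
        #     on '*', a product launched with this role can create a role
        #     carrying an arbitrary inline policy, so the real ceiling is not
        #     the action list below. Mitigations: limit the iam:* actions to
        #     a role-name prefix or path ARN, require a permissions boundary
        #     (iam:PermissionsBoundary condition), and add
        #     iam:PassedToService to a dedicated PassRole statement.
        #   * apigateway:* and lambda:* are service-wide wildcards; replace
        #     them with the actions the products actually need.
        #   * The s3:Delete*/s3:PutBucketPolicy and ec2/dynamodb/kinesis
        #     delete actions apply to every resource in the account; scope
        #     them by ARN pattern or tag condition where the service allows.
        #   * Anyone able to author or update a product that uses this launch
        #     role inherits these permissions; review portfolio access and
        #     template constraints accordingly.
        - PolicyName: SCLaunchPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: SCLaunchPolicySID
                Effect: Allow
                Action:
                  # API Gateway: full access (wildcard).
                  - 'apigateway:*'
                  # CloudFormation: stack and change-set lifecycle plus
                  # read-only calls.
                  - 'cloudformation:CancelUpdateStack'
                  - 'cloudformation:ContinueUpdateRollback'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:CreateUploadBucket'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:Describe*'
                  - 'cloudformation:EstimateTemplateCost'
                  - 'cloudformation:ExecuteChangeSet'
                  - 'cloudformation:Get*'
                  - 'cloudformation:List*'
                  - 'cloudformation:PreviewStackUpdate'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:UpdateTerminationProtection'
                  - 'cloudformation:ValidateTemplate'
                  # DynamoDB: table create, delete and describe.
                  - 'dynamodb:CreateTable'
                  - 'dynamodb:DeleteTable'
                  - 'dynamodb:DescribeTable'
                  # EC2: VPC networking (VPC, subnets, route tables, NACLs,
                  # internet gateways, security groups) and describe calls.
                  - 'ec2:AttachInternetGateway'
                  - 'ec2:AuthorizeSecurityGroupIngress'
                  - 'ec2:CreateInternetGateway'
                  - 'ec2:CreateNetworkAcl'
                  - 'ec2:CreateNetworkAclEntry'
                  - 'ec2:CreateRouteTable'
                  - 'ec2:CreateSecurityGroup'
                  - 'ec2:CreateSubnet'
                  - 'ec2:CreateTags'
                  - 'ec2:CreateVpc'
                  - 'ec2:DeleteInternetGateway'
                  - 'ec2:DeleteNetworkAcl'
                  - 'ec2:DeleteNetworkAclEntry'
                  - 'ec2:DeleteRouteTable'
                  - 'ec2:DeleteSecurityGroup'
                  - 'ec2:DeleteSubnet'
                  - 'ec2:DeleteVpc'
                  - 'ec2:Describe*'
                  - 'ec2:DetachInternetGateway'
                  - 'ec2:ModifyVpcAttribute'
                  # EventBridge / CloudWatch Events: rules and targets.
                  - 'events:DeleteRule'
                  - 'events:DescribeRule'
                  - 'events:ListRuleNamesByTarget'
                  - 'events:ListRules'
                  - 'events:ListTargetsByRule'
                  - 'events:PutRule'
                  - 'events:PutTargets'
                  - 'events:RemoveTargets'
                  # IAM: role lifecycle, inline role policies and PassRole.
                  # These are the most sensitive entries in the list; see
                  # the NOTE(review) above.
                  - 'iam:CreateRole'
                  - 'iam:DeleteRole'
                  - 'iam:DeleteRolePolicy'
                  - 'iam:GetRole'
                  - 'iam:PassRole'
                  - 'iam:PutRolePolicy'
                  # IoT: topic rules.
                  - 'iot:CreateTopicRule'
                  - 'iot:DeleteTopicRule'
                  - 'iot:DisableTopicRule'
                  - 'iot:EnableTopicRule'
                  - 'iot:ReplaceTopicRule'
                  # Kinesis: stream create, delete and describe.
                  - 'kinesis:CreateStream'
                  - 'kinesis:DeleteStream'
                  - 'kinesis:DescribeStream'
                  # Lambda: full access (wildcard).
                  - 'lambda:*'
                  # CloudWatch Logs: log-group lifecycle and log reads.
                  - 'logs:CreateLogGroup'
                  - 'logs:DeleteLogGroup'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                  - 'logs:FilterLogEvents'
                  - 'logs:GetLogEvents'
                  # S3: bucket lifecycle, bucket policy and configuration,
                  # and object read/write/delete.
                  - 's3:CreateBucket'
                  - 's3:DeleteBucket'
                  - 's3:DeleteBucketPolicy'
                  - 's3:DeleteObject'
                  - 's3:DeleteObjectVersion'
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:ListAllMyBuckets'
                  - 's3:ListBucket'
                  - 's3:PutBucketNotification'
                  - 's3:PutBucketPolicy'
                  - 's3:PutBucketTagging'
                  - 's3:PutBucketWebsite'
                  - 's3:PutEncryptionConfiguration'
                  - 's3:PutObject'
                  # SNS: topics and subscriptions.
                  - 'sns:CreateTopic'
                  - 'sns:DeleteTopic'
                  - 'sns:GetSubscriptionAttributes'
                  - 'sns:GetTopicAttributes'
                  - 'sns:ListSubscriptions'
                  - 'sns:ListSubscriptionsByTopic'
                  - 'sns:ListTopics'
                  - 'sns:SetSubscriptionAttributes'
                  - 'sns:SetTopicAttributes'
                  - 'sns:Subscribe'
                  - 'sns:Unsubscribe'
                  # Step Functions: state machine create and delete.
                  - 'states:CreateStateMachine'
                  - 'states:DeleteStateMachine'
                # Every action above applies to all resources in the account.
                Resource: '*'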
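# Stack outputs exposing the role to whoever wires it into a Service Catalog
# launch constraint. Indented with 2 spaces to match the rest of the
# template.
Outputs:
  LaunchRoleArn:
    Description: ARN of the SCServerlessLaunchRole IAM role.
    Value: !GetAtt SCServerlessLaunchRole.Arn
  LaunchRoleName:
    # !Ref on an AWS::IAM::Role resource returns the role name.
    Description: Name of the SCServerlessLaunchRole IAM role.
    Value: !Ref SCServerlessLaunchRole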