# * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. # * # * Permission is hereby granted, free of charge, to any person obtaining a copy of this # * software and associated documentation files (the "Software"), to deal in the Software # * without restriction, including without limitation the rights to use, copy, modify, # * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to # * permit persons to whom the Software is furnished to do so. # * # * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, # * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A # * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT # * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION # * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE # * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. AWSTemplateFormatVersion: 2010-09-09 Description: Service Catalog Lab - Resources Parameters: PolicyName: Description: Service Catalog Product Policy Name Type: String DeploymentBucketName: Description: Name of S3 Deploymenbt Bucket Type: String PortfolioDescription: Description: Service Catalog Portfolio Description Type: String PortfolioName: Description: Service Catalog Portfolio Name Type: String DeploymentLambdaRoleName: Description: Deploymnet Lambda Function Role Name Type: String ProductSelectorLambdaRoleName: Description: Product Selector Lambda Function Role Name Type: String ResourceSelectorLambdaRoleName: Description: Resource Selector Lambda Function Role Name Type: String ResourceComplianceLambdaRoleName: Description: Resource Selector Lambda Function Role Name Type: String PipelineRoleName: Description: Pipeline Role Name Type: String PortfolioAccessRole: Description: Name of IAM role you want to grant access to portfolio Type: String Default: '' PortfolioAccessUser: Description: Name of IAM user you want to grant access to portfolio Type: String Default: '' UserName: Description: IAM User Name Type: String Conditions: HasAccessRole: !Not [!Equals [!Ref PortfolioAccessRole, '']] HasAccessUser: !Not [!Equals [!Ref PortfolioAccessUser, '']] Resources: PipelineRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Ref PipelineRoleName AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - codepipeline.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: "CodePipeline" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - s3:* Resource: - !Sub 'arn:aws:s3:::${DeploymentBucketName}/*' - !Sub 'arn:aws:s3:::${DeploymentBucketName}' - Effect: "Allow" Action: - servicecatalog:ListProvisioningArtifacts - servicecatalog:CreateProvisioningArtifact - servicecatalog:DescribeProvisioningArtifact - servicecatalog:DeleteProvisioningArtifact - servicecatalog:UpdateProduct Resource: "*" - Effect: "Allow" Action: - cloudformation:CreateStack - cloudformation:DeleteStack - cloudformation:DescribeStacks - cloudformation:UpdateStack - cloudformation:CreateChangeSet - cloudformation:DeleteChangeSet - cloudformation:DescribeChangeSet - cloudformation:ExecuteChangeSet - cloudformation:SetStackPolicy - cloudformation:ValidateTemplate Resource: "*" - Effect: "Allow" Action: - codepipeline:CreatePipeline - codepipeline:DeletePipeline Resource: "*" - Effect: Allow Action: - iam:PassRole Resource: "*" Condition: StringEquals: iam:PassedToService: "cloudformation.amazonaws.com" DeploymentLambdaRole: DependsOn: PipelineRole Type: 'AWS::IAM::Role' Properties: RoleName: !Ref DeploymentLambdaRoleName AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: "Lambda" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - s3:GetObject Resource: - !Sub 'arn:aws:s3:::${DeploymentBucketName}/*' - 'arn:aws:s3:::service-catalog-lab/*' - Effect: "Allow" Action: - cloudformation:CreateStack - cloudformation:ValidateTemplate - servicecatalog:* - codepipeline:GetPipeline - codepipeline:CreatePipeline - codepipeline:DeletePipeline - codepipeline:GetPipelineState - iam:GetRole - iam:CreateRole - iam:PutRolePolicy - iam:AttachRolePolicy - iam:DetachRolePolicy - iam:DeleteRole - iam:DeleteRolePolicy - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: "*" - Effect: Allow Action: - iam:PassRole Resource: "*" Condition: StringEquals: iam:PassedToService: "servicecatalog.amazonaws.com" - Effect: Allow Action: - iam:PassRole Resource: !GetAtt PipelineRole.Arn ProductSelectorLambdaRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Ref ProductSelectorLambdaRoleName AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: "Lambda" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - s3:GetObject Resource: - !Sub 'arn:aws:s3:::${DeploymentBucketName}/*' - Effect: "Allow" Action: - servicecatalog:ListProvisioningArtifacts - servicecatalog:SearchProductsAsAdmin - servicecatalog:SearchProducts - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: "*" ResourceComplianceLambdaRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Ref ResourceComplianceLambdaRoleName AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: "Lambda" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - sqs:TagQueue - kms:DescribeKey - lambda:AddPermission - s3:PutBucketNotification - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: "*" ResourceSelectorLambdaRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Ref ResourceSelectorLambdaRoleName AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: "Lambda" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - ec2:DescribeSubnets - ec2:DescribeVpcs - ec2:DescribeSecurityGroups - ec2:DescribeImages - kms:ListAliases - kms:ListKeys - kms:DescribeKey - iam:ListRoleTags - iam:ListPolicies - iam:ListRoles - acm:ListCertificates - acm:ListTagsForCertificate - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: "*" SCProductPolicy: Type: 'AWS::IAM::ManagedPolicy' Properties: ManagedPolicyName: !Ref PolicyName Description: "Policy for Service Catalog Product Resources" Path: "/" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "catalog-user:*" - "cloudformation:CreateStack" - "cloudformation:DeleteStack" - "cloudformation:DescribeStackEvents" - "cloudformation:DescribeStacks" - "cloudformation:GetTemplateSummary" - "cloudformation:SetStackPolicy" - "cloudformation:ValidateTemplate" - "cloudformation:UpdateStack" - "ec2:*" - "s3:GetObject" - "sns:*" Resource: "*" - Effect: "Allow" Action: - "lambda:InvokeFunction" Resource: - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:sc-product-selector' - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:sc-resource-selector' - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:sc-resource-compliance' Portfolio: Type: "AWS::ServiceCatalog::Portfolio" Properties: ProviderName: 'My Organization' Description: !Ref PortfolioDescription DisplayName: !Ref PortfolioName PortfolioDeveloperPermission: Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation Properties: PortfolioId: !Ref Portfolio PrincipalARN: !Sub 'arn:aws:iam::${AWS::AccountId}:user/${UserName}' PrincipalType: IAM PortfolioRolePermission: Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation Condition: HasAccessRole Properties: PortfolioId: !Ref Portfolio PrincipalARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${PortfolioAccessRole}' PrincipalType: IAM PortfolioUserPermission: Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation Condition: HasAccessUser Properties: PortfolioId: !Ref Portfolio PrincipalARN: !Sub 'arn:aws:iam::${AWS::AccountId}:user/${PortfolioAccessUser}' PrincipalType: IAM Outputs: PolicyArn: Value: !Ref SCProductPolicy Export: Name: !Sub ${AWS::StackName}-PolicyArn PortfolioId: Value: !Ref Portfolio Export: Name: !Sub ${AWS::StackName}-PortfolioId DeploymentRoleArn: Value: !GetAtt DeploymentLambdaRole.Arn Export: Name: !Sub ${AWS::StackName}-DeploymentRoleArn ProductSelectorRoleArn: Value: !GetAtt ProductSelectorLambdaRole.Arn Export: Name: !Sub ${AWS::StackName}-ProductSelectorRoleArn ResourceSelectorRoleArn: Value: !GetAtt ResourceSelectorLambdaRole.Arn Export: Name: !Sub ${AWS::StackName}-ResourceSelectorRoleArn PipelineRoleArn: Value: !GetAtt PipelineRole.Arn Export: Name: !Sub ${AWS::StackName}-PipelineRoleArn