AWSTemplateFormatVersion: 2010-09-09 Resources: CFServiceRolePolicy: Type: 'AWS::IAM::ManagedPolicy' Properties: Description: Policy for test roles PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - cloudformation:CreateChangeSet - cloudformation:CreateStack Resource: '*' - Effect: Allow Action: - sqs:CreateQueue - sqs:DeleteQueue - sqs:GetQueueAttributes - sqs:SetQueueAttributes Resource: '*' - Effect: Allow Action: - sns:Subscribe - sns:Unsubscribe Resource: '*' - Effect: Allow Action: - iam:AttachRolePolicy - iam:CreateRole - iam:DeleteRole - iam:DetachRolePolicy - iam:GetRole - iam:PassRole Resource: '*' - Effect: Allow Action: - lambda:CreateEventSourceMapping - lambda:CreateFunction - lambda:DeleteEventSourceMapping - lambda:DeleteFunction - lambda:GetEventSourceMapping - lambda:GetFunction - lambda:TagResource Resource: '*' BillingDataProtectionRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - cloudformation.amazonaws.com Action: - 'sts:AssumeRole' ManagedPolicyArns: - !Ref CFServiceRolePolicy SchedulingDataProtectionRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - cloudformation.amazonaws.com Action: - 'sts:AssumeRole' ManagedPolicyArns: - !Ref CFServiceRolePolicy Outputs: BillingRoleExport: Description: 'Use this billing role for subscriptions to topic' Value: !GetAtt BillingDataProtectionRole.Arn Export: Name: "BillingRoleExportDataProtectionDemo" SchedulingRoleExport: Description: 'Use this scheduling role for subscriptions to topic' Value: !GetAtt SchedulingDataProtectionRole.Arn Export: Name: "SchedulingRoleExportDataProtectionDemo"