#  Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
#  the License. A copy of the License is located at
#      http://aws.amazon.com/apache2.0/
#  or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
#  CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
#  limitations under the License.

AWSTemplateFormatVersion: '2010-09-09'
Description: Cross Account Role to Allow Access to CodePipeline in Tools Account
Parameters:
  ToolsAccount:
    Description: AWS AccountNumber for tools account
    Type: Number
  CMKARN:
    Description: ARN of the KMS CMK creates in Tools account
    Type: String
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ToolsAcctCodePipelineCodeCommitRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              AWS:
                - !Ref ToolsAccount
            Action:
              - sts:AssumeRole
      Path: /

  Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub ToolsAcctCodePipelineCodeCommitPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Action:
              - codecommit:BatchGetRepositories
              - codecommit:Get*
              - codecommit:GitPull
              - codecommit:List*
              - codecommit:CancelUploadArchive
              - codecommit:UploadArchive
              - s3:*
            Resource: "*"
          -
            Effect: Allow
            Action:
              - kms:*
            Resource: !Ref CMKARN
      Roles:
        -
          !Ref Role