---
AWSTemplateFormatVersion: 2010-09-09
Description: >
  Create required cross-account IAM role for SCP alternative solution in Management account.
Parameters:
  SecurityAccountID:
    Type: String
    Description: Enter the Security Account ID
    AllowedPattern: (\d{12}|^$)
    ConstraintDescription: Must be a valid AWS account ID.
  ManagementAccountAccessRoleName:
    Type: String
    Default: scp-cross-account-access-role-for-lambda
    Description: Enter IAM role name for cross-account access for Lambda in Security Account.
  OrganizationAccessRoleName:
    Type: String
    Description: Enter the AWS Organization Access Role Name used to assume to member accounts.
    Default: OrganizationAccountAccessRole
Resources:
  SCPAccountRole:
      Type: "AWS::IAM::Role"
      Properties:
        RoleName: !Ref ManagementAccountAccessRoleName
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
              Effect: "Allow"
              Principal:
                AWS:
                  - !Sub arn:${AWS::Partition}:iam::${SecurityAccountID}:role/scp-iam-event-dispatcher-role
                  - !Sub arn:${AWS::Partition}:iam::${SecurityAccountID}:role/scp-s3-event-dispatcher-role
                  - !Sub arn:${AWS::Partition}:iam::${SecurityAccountID}:role/scp-account-register-role
              Action:
                - sts:AssumeRole
        Path: "/"
        Policies:
        - PolicyDocument:
            Statement:
            - Action:
              - sts:AssumeRole
              Effect: Allow
              Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/${OrganizationAccessRoleName}'
            Version: '2012-10-17'
          PolicyName: !Sub '${ManagementAccountAccessRoleName}-policy'