AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This CloudFormation template creates a role assumed by CloudFormation
  during CRUDL operations to mutate resources on behalf of the customer.

Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 8400
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount:
                  Ref: AWS::AccountId
              StringLike:
                aws:SourceArn:
                  Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:type/resource/AWS-FraudDetector-Detector/*
      Path: "/"
      Policies:
        - PolicyName: ResourceTypePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                - "frauddetector:CreateDetectorVersion"
                - "frauddetector:CreateRule"
                - "frauddetector:CreateVariable"
                - "frauddetector:DeleteDetector"
                - "frauddetector:DeleteDetectorVersion"
                - "frauddetector:DeleteEntityType"
                - "frauddetector:DeleteEventType"
                - "frauddetector:DeleteLabel"
                - "frauddetector:DeleteOutcome"
                - "frauddetector:DeleteRule"
                - "frauddetector:DeleteVariable"
                - "frauddetector:DescribeDetector"
                - "frauddetector:GetDetectorVersion"
                - "frauddetector:GetDetectors"
                - "frauddetector:GetEntityTypes"
                - "frauddetector:GetEventTypes"
                - "frauddetector:GetExternalModels"
                - "frauddetector:GetLabels"
                - "frauddetector:GetModelVersion"
                - "frauddetector:GetOutcomes"
                - "frauddetector:GetRules"
                - "frauddetector:GetVariables"
                - "frauddetector:ListTagsForResource"
                - "frauddetector:PutDetector"
                - "frauddetector:PutEntityType"
                - "frauddetector:PutEventType"
                - "frauddetector:PutLabel"
                - "frauddetector:PutOutcome"
                - "frauddetector:TagResource"
                - "frauddetector:UntagResource"
                - "frauddetector:UpdateDetectorVersion"
                - "frauddetector:UpdateDetectorVersionMetadata"
                - "frauddetector:UpdateDetectorVersionStatus"
                - "frauddetector:UpdateRuleMetadata"
                - "frauddetector:UpdateRuleVersion"
                - "frauddetector:UpdateVariable"
                Resource: "*"
Outputs:
  ExecutionRoleArn:
    Value:
      Fn::GetAtt: ExecutionRole.Arn