AWSTemplateFormatVersion: 2010-09-09 Description: 'This template deploys required IAM resources as well as entries into Secrets Manager for use in the Sitecore deployment (qs-1qppe687f)' Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: General configuration Parameters: - SitecoreS3Bucket - QSS3BucketName - QSS3KeyPrefix - LambdaZipsBucketName ParameterLabels: SitecoreS3Bucket: default: Sitecore Resources Bucket QSS3BucketName: default: Quick Start S3 Bucket QSS3KeyPrefix: default: Quick Start S3 Prefix LambdaZipsBucketName: default: Lambda Zips Bucket Name Parameters: SitecoreS3Bucket: Type: String Description: '' QSS3BucketName: Type: String Description: '' QSS3KeyPrefix: Type: String Description: '' LambdaZipsBucketName: Type: String Description: '' Resources: # Lambda IAM Policies ConvertCertificatesLambdaRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Policies: - PolicyName: Get-Certificate-S3 PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: s3:GetObject Resource: !Sub 'arn:${AWS::Partition}:s3:::${SitecoreS3Bucket}/*' - PolicyName: Get-BucketLocation PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: s3:GetBucketLocation Resource: !Sub 'arn:${AWS::Partition}:s3:::${SitecoreS3Bucket}' - PolicyName: Import-Delete-ACM PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - acm:ImportCertificate - acm:DeleteCertificate Resource: - !Sub 'arn:${AWS::Partition}:acm:*' - PolicyName: Get-Secret-Value PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: secretsmanager:GetSecretValue Resource: !Sub 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:*:secret:*' - PolicyName: Put-Delete-SSM-Parameter PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ssm:PutParameter - ssm:GetParameter - ssm:DeleteParameter Resource: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:*:parameter/*' DeleteResourcesLambdaRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Policies: - PolicyName: Ec2-RemoveAMI PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ec2:DeregisterImage Resource: - !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/*' - PolicyName: SSM-ParameterStore PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ssm:DeleteParameter - ssm:GetParameter Resource: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*' CopyZipsRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Policies: - PolicyName: lambda-copier PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: s3:GetObject Resource: !Sub 'arn:${AWS::Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*' - Effect: Allow Action: - s3:PutObject - s3:DeleteObject Resource: !Sub 'arn:${AWS::Partition}:s3:::${LambdaZipsBucketName}/${QSS3KeyPrefix}*' # IAM Role AMI Instance SCAMIInstanceRole: Type: 'AWS::IAM::Role' Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource - EIAMPolicyActionWildcard ignore_reasons: EIAMPolicyWildcardResource: Read-Only access required for all resources EIAMPolicyActionWildcard: Multiple message actions required Properties: AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Principal: Service: - ec2.amazonaws.com - ssm.amazonaws.com Effect: Allow Version: 2012-10-17 ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSSMAutomationRole' Policies: - PolicyName: S3Access PolicyDocument: Version: '2012-10-17' Statement: # CodeDeploy Access - Effect: 'Allow' Action: - s3:GetObject Resource: - !Sub 'arn:${AWS::Partition}:s3:::aws-codedeploy-${AWS::Region}/latest/codedeploy-agent.msi' # Quick Start bucket Access - Effect: 'Allow' Action: - s3:GetObject Resource: - !Sub 'arn:${AWS::Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*' - Effect: 'Allow' Action: - s3:ListBucket - s3:GetBucketLocation Resource: !Sub 'arn:${AWS::Partition}:s3:::${QSS3BucketName}' # Customer's S3 Bucket Access - Effect: 'Allow' Action: - s3:GetObject - s3:PutObject Resource: - !Sub 'arn:${AWS::Partition}:s3:::${SitecoreS3Bucket}/*' - Effect: 'Allow' Action: - s3:ListBucket - s3:GetBucketLocation Resource: - !Sub 'arn:${AWS::Partition}:s3:::${SitecoreS3Bucket}' - PolicyName: SSMAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: ssm:StartAutomationExecution Resource: - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/*:VersionId}' - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/*' - Effect: 'Allow' Action: ssm:GetAutomationExecution Resource: - !Sub 'arn:${AWS::Partition}:ssm:*' - PolicyName: CWAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams Resource: - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*' - PolicyName: SECAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - secretsmanager:GetSecretValue Resource: - !Sub 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*' - PolicyName: EC2MessagesAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - ec2messages:* Resource: '*' - PolicyName: KMSAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - kms:Encrypt Resource: - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' - PolicyName: SSMMessagesAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - ssmmessages:* Resource: - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:*' SCAMIInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Roles: - !Ref SCAMIInstanceRole # IAM Role for Instances SCInstanceRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Principal: Service: - ec2.amazonaws.com Effect: Allow Version: 2012-10-17 ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMDirectoryServiceAccess' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' Policies: - PolicyName: S3Access PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - s3:GetObject - s3:ListBucket Resource: - !Sub 'arn:${AWS::Partition}:s3:::${QSS3BucketName}/*' - !Sub 'arn:${AWS::Partition}:s3:::${QSS3BucketName}' - Effect: 'Allow' Action: - s3:GetObject - s3:PutObject - s3:ListBucket Resource: - !Sub 'arn:${AWS::Partition}:s3:::${SitecoreS3Bucket}/*' - !Sub 'arn:${AWS::Partition}:s3:::${SitecoreS3Bucket}' - Effect: 'Allow' Action: - s3:GetBucketLocation Resource: - !Sub 'arn:${AWS::Partition}:s3:::*' - PolicyName: CWAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - logs:CreateLogStream - logs:DescribeLogGroups - logs:DescribeLogStreams - logs:PutLogEvents Resource: - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:log-stream:*' - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*' - Effect: 'Allow' Action: - logs:CreateLogGroup Resource: - !Sub 'arn:${AWS::Partition}:logs:*' - PolicyName: SSMParameters PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - ssm:GetParameter Resource: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*' - Effect: 'Allow' Action: - ssm:DescribeParameters Resource: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:*' - PolicyName: SECAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - secretsmanager:GetSecretValue Resource: - !Sub 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*' SCInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Roles: - !Ref SCInstanceRole # Create IAM Role for SSM Automation SCAutomationRole: Type: 'AWS::IAM::Role' Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource ignore_reasons: EIAMPolicyWildcardResource: Read-Only access required for all resources Properties: AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Principal: Service: - ssm.amazonaws.com Effect: Allow Version: 2012-10-17 ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSSMAutomationRole' Policies: - PolicyName: EC2Access PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - ec2:RebootInstances Resource: - !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*' - Effect: 'Allow' Action: - ec2:DescribeInstances - ec2:DescribeInstanceStatus Resource: '*' - PolicyName: RDSAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: ['rds:DescribeDBInstances'] Resource: '*' - PolicyName: SSMAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: ['ssm:PutParameter', 'ssm:GetParameter'] Resource: - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*' - PolicyName: CWAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams Resource: - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*' - PolicyName: CFNAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: 'Allow' Action: - cloudformation:SignalResource Resource: - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*/*' RDSEnhancedmonitoringRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Principal: Service: - monitoring.rds.amazonaws.com Effect: Allow Version: 2012-10-17 ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole' Outputs: SCAMIInstanceRoleARN: Description: ARN for the Instance Role. Value: !GetAtt SCAMIInstanceRole.Arn SCAMIInstanceProfileARN: Description: ARN for the Instance Profile. Value: !GetAtt SCAMIInstanceProfile.Arn SCAMIInstanceProfileName: Description: Name of the Instance Profile. Value: !Ref SCAMIInstanceProfile SCInstanceRoleARN: Description: ARN for the Instance Role. Value: !GetAtt SCInstanceRole.Arn SCInstanceProfileARN: Description: ARN for the Instance Profile. Value: !GetAtt SCInstanceProfile.Arn SCInstanceProfileName: Description: Name of the Instance Profile. Value: !Ref SCInstanceProfile SCAutomationRoleARN: Description: ARN for the Instance Role. Value: !GetAtt SCAutomationRole.Arn ConvertCertificatesLambdaRoleArn: Description: The role ARN for the Lambda function to convert and upload certs to ACM. Value: !GetAtt ConvertCertificatesLambdaRole.Arn DeleteResourcesLambdaRoleArn: Description: The role ARN for the Lambda function to remove resources when the stack is deleted. Value: !GetAtt DeleteResourcesLambdaRole.Arn CopyZipsRoleArn: Description: The role ARN for the Lambda function to copy Zip's to local S3 bucket for Lambda Functions. Value: !GetAtt CopyZipsRole.Arn RDSEnhancedMonitoringArn: Description: The role ARN for the Lambda function to copy Zip's to local S3 bucket for Lambda Functions. Value: !GetAtt RDSEnhancedmonitoringRole.Arn