# IAM roles and policies for the Quick Start. Every S3 grant below is scoped
# to a bucket ARN passed in through the Parameters section; the only
# unscoped resources are CloudWatch Logs ARNs and the statements explicitly
# suppressed via cfn-lint metadata on their resource.
AWSTemplateFormatVersion: "2010-09-09"
Description: AWS CloudFormation template to create IAM roles. (qs-1nlkhq1oj)
Resources:
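  # Execution role for the Lambda that copies deployment packages from the
  # Quick Start bucket into the regional Lambda bucket.
  CopyLambdaDeploymentRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - EIAMPolicyWildcardResource
          ignore_reasons:
            - EIAMPolicyWildcardResource: "Scope is limited to least privilege"
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        # Log group/stream names are not known at deploy time, hence "*".
        - PolicyName: LambdaLogging
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*'
        # Write side: objects in the regional Lambda bucket only.
        - PolicyName: PutDeleteRegionalLambdaBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: !Sub '${RegionalLambdaBucketARN}/*'
        # Read side: the Quick Start bucket (default regional bucket or the
        # caller-supplied one), the same pattern RegisterKibanaDashboardRole
        # uses, instead of Resource "*". This assumes the copy function reads
        # only from that bucket, as the policy name implies -- confirm against
        # the function's code. s3:ListBucket is evaluated against the bucket
        # ARN and s3:GetObject against object ARNs, so both forms are listed.
        - PolicyName: ListGetQSSBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource:
                  - !Sub 'arn:${AWS::Partition}:s3:::aws-quickstart*'
                  - !Sub
                    - 'arn:${AWS::Partition}:s3:::${S3Bucket}'
                    - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !Sub 'arn:${AWS::Partition}:s3:::aws-quickstart*/*'
                  - !Sub
                    - 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
                    - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]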
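  # Inline policy attached to both Lambda roles that talk to the
  # Elasticsearch domain (describe + HTTP GET/POST/PUT).
  ElasticSearchLambdaIAMPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ElasticsearchLambdaPolicy
      Roles:
        - !Ref 'RegisterKibanaDashboardRole'
        - !Ref 'LambdaRole'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - es:DescribeElasticsearchDomain
              - es:DescribeElasticsearchDomains
              - es:DescribeElasticsearchDomainConfig
              - es:ESHttpPost
              - es:ESHttpPut
              - es:ESHttpGet
            # ${AWS::Partition} instead of a hard-coded "aws" so the ARN also
            # resolves in the aws-cn / aws-us-gov partitions, matching every
            # other ARN in this template. The trailing "*" covers the domain
            # named datalake-quickstart (and any longer name with that
            # prefix) together with every path beneath it.
            Resource: !Sub 'arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/datalake-quickstart*'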
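  # Delivery role assumed by Kinesis Data Firehose to land records in the
  # submissions bucket. The sts:ExternalId condition set to this account's
  # ID is Firehose's documented way of restricting which account's delivery
  # streams may assume the role.
  KinesisStreamBucketRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: firehose.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref 'AWS::AccountId'
      Policies:
        - PolicyName: KinesisBucketAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Bucket-level and object-level ARNs are listed separately.
              # "${SubmissionsBucketARN}*" would also match any other bucket
              # whose name merely starts with this bucket's name.
              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetBucketLocation
                  - s3:GetObject
                  - s3:ListBucket
                  - s3:ListBucketMultipartUploads
                  - s3:PutObject
                Resource:
                  - !Ref 'SubmissionsBucketARN'
                  - !Sub '${SubmissionsBucketARN}/*'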
  # General Lambda execution role: CloudWatch logging plus read-only access
  # to objects in the three data-lake buckets. Which functions use it is
  # decided by the consuming stack (see the LambdaRoleARN output).
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: LambdaLogging
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*'
        # Object-level ARNs only ("<bucket-arn>/*"); no bucket-level
        # permission such as s3:ListBucket is granted here.
        - PolicyName: GetObjectsDatalake
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !Sub '${SubmissionsBucketARN}/*'
                  - !Sub '${CuratedDatasetsARN}/*'
                  - !Sub '${PublishedDataARN}/*'
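  # Role assumed by Amazon Redshift to reach the curated and published
  # buckets; created only when the CreateRedshiftRole condition holds
  # (EnableRedshift == 'yes').
  QSRedshiftRole:
    Type: AWS::IAM::Role
    Condition: CreateRedshiftRole
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: redshift.amazonaws.com
            Action: sts:AssumeRole
      # NOTE(review): AWSGlueConsoleFullAccess is an AWS managed policy that
      # grants far more than catalog reads; a read-scoped Glue policy would
      # be narrower -- confirm which Glue calls the cluster actually makes.
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSGlueConsoleFullAccess'
      Policies:
        - PolicyName: S3Access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Bucket and object ARNs listed separately; "<arn>*" would also
              # match other buckets sharing the same name prefix.
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:ListBucket
                  - s3:GetBucketLocation
                Resource:
                  - !Ref 'CuratedDatasetsARN'
                  - !Sub '${CuratedDatasetsARN}/*'
                  - !Ref 'PublishedDataARN'
                  - !Sub '${PublishedDataARN}/*'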
  # Execution role for the Lambda that registers the Kibana dashboard.
  # Elasticsearch access is attached separately via
  # ElasticSearchLambdaIAMPolicy; this role itself only logs and reads the
  # Quick Start bucket.
  RegisterKibanaDashboardRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - EIAMPolicyWildcardResource
          ignore_reasons:
            - EIAMPolicyWildcardResource: "Scope is limited to least privilege"
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: LambdaLogging
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*'
        # Objects in any bucket named aws-quickstart* plus the resolved
        # Quick Start bucket (regional default, or the caller-supplied name).
        - PolicyName: GetQSS3Bucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !Sub 'arn:${AWS::Partition}:s3:::aws-quickstart*/*'
                  - !Sub
                    - 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
                    - S3Bucket: !If
                        - UsingDefaultBucket
                        - !Sub '${QSS3BucketName}-${AWS::Region}'
                        - !Ref 'QSS3BucketName'
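  # Execution role handed to SageMaker notebook instances. Deliberately broad
  # (three AWS managed policies plus s3:* on the curated bucket); the
  # cfn-lint suppressions below acknowledge that.
  SageMakerExecutionRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - EIAMPolicyWildcardResource
            - EIAMPolicyActionWildcard
          ignore_reasons:
            - EIAMPolicyWildcardResource: "Scope is limited to least privilege"
            - EIAMPolicyActionWildcard: "Scope is limited to appropriate resource"
    Properties:
      AssumeRolePolicyDocument:
        # Declared explicitly, like every other policy document in this
        # template; an absent Version falls back to IAM's legacy grammar.
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - sagemaker.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSageMakerFullAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchLogsFullAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonS3ReadOnlyAccess'
      Path: /service-role/
      Policies:
        - PolicyName: CuratedBucketS3BucketAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Bucket and object ARNs listed separately rather than
              # "${CuratedDatasetsARN}*", which would also match any bucket
              # whose name merely starts with the curated bucket's name.
              - Effect: Allow
                Action:
                  - s3:*
                Resource:
                  - !Ref 'CuratedDatasetsARN'
                  - !Sub '${CuratedDatasetsARN}/*'
        # Console-generated statements (VisualEditor Sids) against a bucket
        # literally named "SageMaker". NOTE(review): S3 bucket names are
        # lowercase, so these two statements may match nothing -- confirm
        # the intended bucket.
        - PolicyName: SageMakerS3Access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: 'VisualEditor0'
                Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub 'arn:${AWS::Partition}:s3:::SageMaker'
              - Sid: 'VisualEditor1'
                Effect: Allow
                Action:
                  - s3:GetLifecycleConfiguration
                  - s3:ListBucketByTags
                  - s3:GetBucketTagging
                  - s3:GetInventoryConfiguration
                  - s3:GetObjectVersionTagging
                  - s3:GetBucketLogging
                  - s3:ListBucketVersions
                  - s3:GetAccelerateConfiguration
                  - s3:ListBucket
                  - s3:GetBucketPolicy
                  - s3:GetEncryptionConfiguration
                  - s3:GetObjectAcl
                  - s3:GetObjectVersionTorrent
                  - s3:GetBucketRequestPayment
                  - s3:GetObjectVersionAcl
                  - s3:GetObjectTagging
                  - s3:GetMetricsConfiguration
                  - s3:GetIpConfiguration
                  - s3:ListBucketMultipartUploads
                  - s3:GetBucketWebsite
                  - s3:GetBucketVersioning
                  - s3:GetBucketAcl
                  - s3:GetBucketNotification
                  - s3:GetReplicationConfiguration
                  - s3:ListMultipartUploadParts
                  - s3:GetObject
                  - s3:GetObjectTorrent
                  - s3:GetBucketCORS
                  - s3:GetAnalyticsConfiguration
                  - s3:GetObjectVersionForReplication
                  - s3:GetBucketLocation
                  # Was truncated to "s3:GetObjectVersio", which names no S3
                  # action and so granted nothing.
                  - s3:GetObjectVersion
                Resource: !Sub 'arn:${AWS::Partition}:s3:::SageMaker/*'
              # Account-wide listing calls have no per-bucket resource.
              - Sid: 'VisualEditor2'
                Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                  - s3:HeadBucket
                Resource: '*'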
  # Execution role for the Lambda that creates the SageMaker notebook.
  # NOTE(review): sagemaker:* and ec2:* on Resource '*' are much broader than
  # the cfn-lint reason "Scope limited by resource" suggests; narrowing them
  # requires the list of API calls the function actually makes.
  CreateNotebookFunctionExecuteRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - EIAMPolicyActionWildcard
          ignore_reasons:
            - EIAMPolicyActionWildcard: "Scope limited by resource"
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: CreateNotebookFunctionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*'
              - Effect: Allow
                Action:
                  - sagemaker:*
                Resource: '*'
              # PassRole is pinned to the one role the notebook may receive,
              # so this function cannot hand out arbitrary roles.
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource: !GetAtt 'SageMakerExecutionRole.Arn'
              - Effect: Allow
                Action:
                  - ec2:*
                Resource: '*'
              # "${QSS3BucketName}*" intentionally also matches the regional
              # "<name>-<region>" bucket; see the UsingDefaultBucket condition.
              - Effect: Allow
                Action:
                  - s3:*
                Resource:
                  - !Sub 'arn:${AWS::Partition}:s3:::${QSS3BucketName}*'
# Conditions derived from parameters; referenced by resources and outputs.
Conditions:
  # QSRedshiftRole and its output exist only when EnableRedshift is 'yes'.
  CreateRedshiftRole: !Equals [!Ref 'EnableRedshift', 'yes']
  # The default Quick Start bucket is regional ("<name>-<region>"); a
  # caller-supplied bucket name is used verbatim.
  UsingDefaultBucket: !Equals
    - !Ref 'QSS3BucketName'
    - 'aws-quickstart'
# Inputs. All bucket ARNs are expected to be bare bucket ARNs
# ("arn:<partition>:s3:::<name>"); every policy above appends "/*" or "*"
# to them directly.
Parameters:
  EnableRedshift:
    Type: String
    Description: Enable Redshift
    Default: 'no'
    # Quoted so YAML does not read them as booleans; compared as strings by
    # the CreateRedshiftRole condition.
    AllowedValues:
      - 'yes'
      - 'no'
  CuratedDatasetsARN:
    Type: String
    Description: CuratedDatasets bucket ARN
  PublishedDataARN:
    Type: String
    Description: PublishedData bucket ARN
  QSS3BucketName:
    Type: String
    Description: Quick Start S3 bucket name
  # Not referenced anywhere in this template; kept for interface
  # compatibility with the parent stack that passes it.
  QSS3BucketRegion:
    Type: String
    Description: Quick Start S3 bucket region
  RegionalLambdaBucketARN:
    Type: String
    Description: RegionalLambdaBucket bucket ARN
  SubmissionsBucketARN:
    Type: String
    Description: SubmissionsBucket bucket ARN
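# Role ARNs exported to the parent stack. QSRedshiftRoleARN carries the same
# condition as its role so the GetAtt never dereferences a skipped resource.
Outputs:
  LambdaRoleARN:
    Description: ARN of LambdaRole
    Value: !GetAtt 'LambdaRole.Arn'
  CopyLambdaDeploymentRoleARN:
    Description: ARN of CopyLambdaDeploymentRole
    Value: !GetAtt 'CopyLambdaDeploymentRole.Arn'
  QSRedshiftRoleARN:
    Condition: CreateRedshiftRole
    Description: ARN of QSRedshiftRole
    Value: !GetAtt 'QSRedshiftRole.Arn'
  RegisterKibanaDashboardRoleARN:
    Description: ARN of RegisterKibanaDashboardRole
    Value: !GetAtt 'RegisterKibanaDashboardRole.Arn'
  KinesisStreamBucketRoleARN:
    Description: ARN of KinesisStreamBucketRole
    Value: !GetAtt 'KinesisStreamBucketRole.Arn'
  SageMakerExecutionRoleARN:
    Description: Sage Maker Execution Role ARN
    Value: !GetAtt 'SageMakerExecutionRole.Arn'
  CreateNotebookFunctionExecuteRoleARN:
    # Previously a copy of the SageMakerExecutionRoleARN description, which
    # mislabelled this output in the console.
    Description: ARN of CreateNotebookFunctionExecuteRole
    Value: !GetAtt 'CreateNotebookFunctionExecuteRole.Arn'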