AWSTemplateFormatVersion: 2010-09-09 Description: >- Access Template is intended to deploy IAM roles for all BIG-IP Cloud Solutions (i.e. High-Availability or Autoscale) Secret Manager service.(qs-1p2474b65) Conditions: createS3Bucket: !Not - !Equals - !Ref s3Bucket - "" failover: !Equals - !Ref solutionType - failover Metadata: 'AWS::CloudFormation::Interface': ParameterGroups: - Label: default: IAM ROLES Parameters: - uniqueString - solutionType - s3Bucket - secretArn - cloudWatchLogGroup - metricNameSpace ParameterLabels: uniqueString: default: myBIGIP application: default: Application cost: default: Cost Center cloudWatchLogGroup: default: CloudWatch Log Group Name environment: default: Environment group: default: Group metricNameSpace: default: CloudWatch Metrics Namespace owner: default: Owner solutionType: default: Cloud Solution type s3Bucket: default: S3 bucket used as BIG-IP storage for Failover solution secretArn: default: ARN of Secrets Manager secret Version: 1.1.0.0 Outputs: stackName: Description: Access nested stack name Value: !Ref "AWS::StackName" bigIpInstanceProfile: Description: BIG-IP instance profile with applied IAM policy. Value: !If - failover - !Ref BigIpHighAvailabilityInstanceProfile - "" deleteBucketContentsRole: Description: Lambda function role with applied IAM policy. Value: !If - createS3Bucket - !GetAtt DeleteBucketContentsRole.Arn - "" Parameters: application: Default: f5app Description: Application Tag. Type: String cost: Default: f5cost Description: Cost Center Tag. Type: String cloudWatchLogGroup: Default: '' Description: Provides CloudWatch Log Group name used for telemetry Type: String environment: Default: f5env Description: Environment Tag. Type: String group: Default: f5group Description: Group Tag. Type: String metricNameSpace: Default: '' Description: CloudWatch namespace used for custom metrics. This should match the namespace defined in your telemetry services declaration within bigipRuntimInitConfig. Type: String owner: Default: f5owner Description: Owner Tag. Type: String s3Bucket: Default: '' Description: Provides BIG-IP S3 Bucket name Type: String secretArn: Default: '' Description: ARN of Secrets Manager secret Type: String solutionType: AllowedValues: - failover Default: failover Description: Defines solution type to select provision correct IAM role. MaxLength: 20 Type: String uniqueString: AllowedPattern: ^[a-zA-Z][a-zA-Z0-9]{1,11}$ ConstraintDescription: Must Contain between 1 and 12 alphanumeric characters with first character as a letter. Default: myUniqStr Description: Unique String used when creating object names or Tags. Type: String Resources: DeleteBucketContentsRole: Type: AWS::IAM::Role Condition: createS3Bucket Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Version: 2012-10-17 ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' Path: / Policies: - PolicyDocument: Statement: - Action: - s3:GetObjectAcl - s3:GetObject - s3:DeleteObjectVersion - s3:ListBucketVersions - s3:GetObjectVersionAcl - s3:ListBucket - s3:GetBucketVersioning - s3:DeleteObject - s3:GetBucketAcl - s3:GetBucketLocation - s3:GetObjectVersion Effect: Allow Resource: - !Sub - 'arn:${AWS::Partition}:s3:::${bucket}' - bucket: !Ref s3Bucket - !Sub - 'arn:${AWS::Partition}:s3:::${bucket}/*' - bucket: !Ref s3Bucket Version: 2012-10-17 PolicyName: DeleteBucketContentsPolicy Tags: - Key: application Value: !Ref 'application' - Key: costcenter Value: !Ref 'cost' - Key: environment Value: !Ref 'environment' - Key: group Value: !Ref 'group' - Key: owner Value: !Ref 'owner' BigIpHighAvailabilityAccessRole: Condition: failover Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Effect: Allow Principal: Service: - ec2.amazonaws.com Version: 2012-10-17 ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' Path: / Policies: - PolicyDocument: Statement: - Action: - ec2:DescribeAddresses - ec2:DescribeInstances - ec2:DescribeInstanceStatus - ec2:DescribeNetworkInterfaces - ec2:DescribeNetworkInterfaceAttribute - ec2:DescribeTags Effect: Allow Resource: - '*' Condition: StringEquals: aws:RequestedRegion: !Ref AWS::Region aws:PrincipalAccount: !Ref AWS::AccountId - Action: - ec2:DescribeSubnets - ec2:DescribeRouteTables Effect: Allow Resource: - '*' Condition: StringEquals: aws:RequestedRegion: !Ref AWS::Region aws:PrincipalAccount: !Ref AWS::AccountId - Action: - ec2:AssociateAddress - ec2:DisassociateAddress - ec2:AssignPrivateIpAddresses - ec2:UnassignPrivateIpAddresses - ec2:AssignIpv6Addresses - ec2:UnassignIpv6Addresses - ec2:CreateRoute - ec2:ReplaceRoute Effect: Allow Resource: - '*' Condition: StringEquals: aws:RequestedRegion: !Ref AWS::Region aws:PrincipalAccount: !Ref AWS::AccountId - Action: - s3:ListAllMyBuckets Effect: Allow Resource: - '*' Condition: StringEquals: aws:RequestedRegion: !Ref AWS::Region aws:PrincipalAccount: !Ref AWS::AccountId - Action: - s3:ListBucket - s3:GetBucketLocation - s3:GetBucketTagging Effect: Allow Resource: !Join - '' - - 'arn:*:s3:::' - !Ref s3Bucket - Action: - s3:PutObject - s3:GetObject - s3:DeleteObject Effect: Allow Resource: !Join - '' - - 'arn:*:s3:::' - !Ref s3Bucket - /* - Action: - secretsmanager:DescribeSecret - secretsmanager:GetResourcePolicy - secretsmanager:GetSecretValue - secretsmanager:ListSecretVersionIds Effect: Allow Resource: !Ref secretArn - Action: - logs:DescribeLogGroups - logs:DescribeLogStreams - logs:PutLogEvents Effect: Allow Resource: - '*' Condition: StringLike: aws:ResourceTag/Name: !Ref cloudWatchLogGroup - Action: - 'cloudwatch:PutMetricData' Effect: Allow Resource: - '*' Condition: StringEquals: cloudwatch:namespace: !Ref metricNameSpace - Action: - cloudformation:ListStackResources - cloudformation:SignalResource Effect: Allow Resource: - !Ref AWS::StackId Version: 2012-10-17 PolicyName: !Join - '' - - !Ref uniqueString - '-BigipHighAvailabilityAcccessPolicy' Tags: - Key: Name Value: !Join - '' - - !Ref uniqueString - '-bigip-high-availability-access-role' - Key: application Value: !Ref application - Key: costcenter Value: !Ref cost - Key: environment Value: !Ref environment - Key: group Value: !Ref group - Key: owner Value: !Ref owner BigIpHighAvailabilityInstanceProfile: Condition: failover Type: 'AWS::IAM::InstanceProfile' Properties: Path: / Roles: - !Ref BigIpHighAvailabilityAccessRole