AWSTemplateFormatVersion: "2010-09-09"

# MIT License
#
# Copyright (c) 2021 Qumulo, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal 
# in the Software without restriction, including without limitation the rights 
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 
# copies of the Software, and to permit persons to whom the Software is 
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all 
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 
# SOFTWARE.

Description: This template creates an IAM Profile for subsequent use by the QSTACK template during cluster creation (qs-1s6n2i68d)
Metadata:
  cfn-lint:
    config:
      ignore_checks:
        - W9001
        - W9002
        - W9003
        - W9004
        - W9006

Parameters:
  QPermissionsBoundary:
    Type: String
  VolumesEncryptionKey:
    Type: String  

Conditions:
  ProvBoundary: !Not
    - !Equals
      - !Ref QPermissionsBoundary
      - ""

  ProvCMK: !Not
    - !Equals
      - !Ref VolumesEncryptionKey
      - ""

Resources:
  QumuloAccessRole:
    Type: "AWS::IAM::Role"
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - EIAMPolicyWildcardResource
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Path: /
      PermissionsBoundary: !If [ProvBoundary, !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${QPermissionsBoundary}", !Ref "AWS::NoValue"]
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
      Policies:
        - PolicyName: QumuloAccess-EC2-CW-Logs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "cloudwatch:DeleteAlarms"
                  - "cloudwatch:PutMetricAlarm"
                  - "ec2:DescribeInstances"
                  - "ec2:AssignPrivateIpAddresses"
                  - "ec2:UnassignPrivateIpAddresses"
                  - "ec2:DisassociateAddress"
                  - "logs:PutLogEvents"
                  - "logs:CreateLogStream"
                  - "kms:Decrypt"                  
                Resource: "*"
        - PolicyName: QumuloAccess-KMSCMK
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "kms:Decrypt"                     
                  - "kms:GenerateDataKeyWithoutPlaintext"
                  - "kms:ReEncryptFrom"
                  - "kms:ReEncryptTo"
                  - "kms:DescribeKey"
                  - "kms:CreateGrant"
                Resource: !If [ProvCMK, !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${VolumesEncryptionKey}", !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/ebs"]

  QumuloAccessProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties:
      Path: /
      Roles:
        - Ref: QumuloAccessRole
Outputs:
  QumuloIAMProfile:
    Value: !Ref QumuloAccessProfile