AWSTemplateFormatVersion: "2010-09-09"
Description: This template creates an IAM Profile for subsequent use by the QSTACK template during cluster creation

Resources:
  QumuloAccessRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Path: /
      Policies:
        - PolicyName: QumuloAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "cloudwatch:DeleteAlarms"
                  - "cloudwatch:PutMetricAlarm"
                  - "ec2:DescribeInstances"
                  - "ec2:AssignPrivateIpAddresses"
                  - "ec2:UnassignPrivateIpAddresses"
                  - "kms:Decrypt"
                  - "kms:GenerateDataKeyWithoutPlaintext"
                  - "kms:ReEncryptFrom"
                  - "kms:ReEncryptTo"
                  - "kms:DescribeKey"
                  - "kms:CreateGrant"
                  - "logs:PutLogEvents"
                  - "logs:CreateLogStream"
                Resource: "*"

  QumuloAccessProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties:
      Path: /
      Roles:
        - Ref: QumuloAccessRole
Outputs:
  QumuloIAMProfile:
    Value: !Ref QumuloAccessProfile