InstanceRole:
  Metadata:
    'aws:copilot:description': 'An IAM role {{- if .PermissionsBoundary}} with permissions boundary {{.PermissionsBoundary}} {{- end}} to control permissions for the containers in your service'
  Type: AWS::IAM::Role
  Properties:
  {{- if .NestedStack}}{{$stackName := .NestedStack.StackName}}
    {{- if gt (len .NestedStack.PolicyOutputs) 0}}
    ManagedPolicyArns:
    {{- range $managedPolicy := .NestedStack.PolicyOutputs}}
    - Fn::GetAtt: [{{$stackName}}, Outputs.{{$managedPolicy}}]
    {{- end}}
    {{- end}}
  {{- end}}
  {{- if .PermissionsBoundary}}
    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/{{.PermissionsBoundary}}'
  {{- end}}
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - tasks.apprunner.amazonaws.com
          Action: 'sts:AssumeRole'
    Policies:
      - PolicyName: 'DenyIAMExceptTaggedRoles'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Deny'
              Action: 'iam:*'
              Resource: '*'
            - Effect: 'Allow'
              Action: 'sts:AssumeRole'
              Resource:
                - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*'
              Condition:
                StringEquals:
                  'iam:ResourceTag/copilot-application': !Sub '${AppName}'
                  'iam:ResourceTag/copilot-environment': !Sub '${EnvName}'
      {{- if hasSecrets .}}
      - PolicyName: 'AccessCopilotTaggedSecrets'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Action:
                - 'ssm:GetParameters'
              Resource:
                - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*'
              Condition:
                StringEquals:
                  'ssm:ResourceTag/copilot-application': !Sub '${AppName}'
                  'ssm:ResourceTag/copilot-environment': !Sub '${EnvName}'
            - Effect: 'Allow'
              Action:
                - 'secretsmanager:GetSecretValue'
              Resource:
                - !Sub 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*'
              Condition:
                StringEquals:
                  'secretsmanager:ResourceTag/copilot-application': !Sub '${AppName}'
                  'secretsmanager:ResourceTag/copilot-environment': !Sub '${EnvName}'
            - Effect: 'Allow'
              Action:
                - 'kms:Decrypt'
              Resource:
                - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*'
      {{- end }}
      {{- if .Publish }}
      {{- if .Publish.Topics }}
      - PolicyName: 'Publish2SNS'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Action: 'sns:Publish'
              Resource:
              {{- range $topic := .Publish.Topics }}
              - !Ref {{logicalIDSafe $topic.Name}}SNSTopic
              {{- end }}
      {{- end }}
      {{- end }}
      {{- if eq .Observability.Tracing "AWSXRAY"}}
      - PolicyName: 'EnableAWSXRayTracing'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Action: 
                - 'xray:PutTraceSegments'
                - 'xray:PutTelemetryRecords'
                - 'xray:GetSamplingRules'
                - 'xray:GetSamplingTargets'
                - 'xray:GetSamplingStatisticSummaries'
                - 'ssm:GetParameters'
              Resource: '*'
      {{- end}}