// Jest Snapshot v1, https://goo.gl/fbAQLP exports[`LiveStreaming Stack Test 1`] = ` { Description: (SO0109) Live Streaming on AWS with Amazon S3 Solution %%VERSION%%, Mappings: { AnonymizedData: { SendAnonymizedData: { Data: Yes, }, }, }, Metadata: { AWS::CloudFormation::Interface: { ParameterGroups: [ { Label: { default: LIVE STREAM SOURCE, }, Parameters: [ InputType, ], }, { Label: { default: URL_PULL CONFIGURATION, }, Parameters: [ PullUrl, PullUser, PullPass, ], }, { Label: { default: RTP_PUSH / RTMP_PUSH CONFIGURATION, }, Parameters: [ InputCIDR, ], }, { Label: { default: INPUT_DEVICE CONFIGURATION, }, Parameters: [ InputDeviceId, ], }, { Label: { default: ENCODING OPTIONS, }, Parameters: [ EncodingProfile, ChannelStart, ], }, ], ParameterLabels: { ChannelStart: { default: Start MediaLive Channel, }, EncodingProfile: { default: Encoding Profile, }, InputCIDR: { default: Input Security Group CIDR Block (REQUIRED), }, InputDeviceId: { default: Elemental Link Input Device ID, }, InputType: { default: Source Input Type, }, PullUrl: { default: Source URL (REQUIRED), }, PullUser: { default: Source Username (OPTIONAL), }, pullPass: { default: Source Password (REQUIRED), }, }, }, }, Outputs: { AppRegistryConsole: { Description: AppRegistry, Export: { Name: { Fn::Join: [ , [ { Ref: AWS::StackName, }, -AppRegistry, ], ], }, }, Value: { Fn::Join: [ , [ https://, { Ref: AWS::Region, }, .console.aws.amazon.com/servicecatalog/home?#applications/, { Fn::GetAtt: [ AppRegistryApp5349BE86, Id, ], }, ], ], }, }, BucketMetrics: { Description: Bucket Request Metrics, Export: { Name: { Fn::Join: [ , [ { Ref: AWS::StackName, }, -BucketMetrics, ], ], }, }, Value: { Fn::Join: [ , [ https://, { Ref: AWS::Region, }, .console.aws.amazon.com/s3/bucket/, { Ref: CloudFrontToS3S3Bucket9CE6AB04, }, /metrics/bucket_metrics?region=, { Ref: AWS::Region, }, &tab=request&period=1h, ], ], }, }, LiveStreamBucket: { Description: Live Stream Destination Bucket, Export: { Name: { Fn::Join: [ , [ { Ref: AWS::StackName, }, -LiveStreamBucket, ], ], }, }, Value: { Fn::Join: [ , [ https://, { Ref: AWS::Region, }, .console.aws.amazon.com/s3/buckets/, { Ref: CloudFrontToS3S3Bucket9CE6AB04, }, ?region=, { Ref: AWS::Region, }, ], ], }, }, LiveStreamUrl: { Description: CloudFront Live Stream URL, Export: { Name: { Fn::Join: [ , [ { Ref: AWS::StackName, }, -LiveStreamUrl, ], ], }, }, Value: { Fn::Join: [ , [ https://, { Fn::GetAtt: [ CloudFrontToS3CloudFrontDistribution241D9866, DomainName, ], }, /stream/index.m3u8, ], ], }, }, MediaLiveChannelId: { Description: MediaLive Channel Id, Export: { Name: { Fn::Join: [ , [ { Ref: AWS::StackName, }, -MediaLiveChannelId, ], ], }, }, Value: { Fn::GetAtt: [ MediaLiveChannel, ChannelId, ], }, }, MediaLiveConsole: { Description: MediaLive Channel, Export: { Name: { Fn::Join: [ , [ { Ref: AWS::StackName, }, -MediaLiveConsole, ], ], }, }, Value: { Fn::Join: [ , [ https://, { Ref: AWS::Region, }, .console.aws.amazon.com/medialive/home?region=, { Ref: AWS::Region, }, #!/channels, ], ], }, }, MediaLivePushEndpoint: { Description: The MediaLive Input ingress endpoint for push input types, Export: { Name: { Fn::Join: [ , [ { Ref: AWS::StackName, }, -MediaLiveEndpoint, ], ], }, }, Value: { Fn::GetAtt: [ MediaLiveInput, EndPoint, ], }, }, }, Parameters: { ChannelStart: { AllowedValues: [ Yes, No, ], Default: No, Description: If your source is ready to stream select true, this wil start the MediaLive Channel as part of the deployment. If you select false you will need to manually start the MediaLive Channel when your source is ready., Type: String, }, EncodingProfile: { AllowedValues: [ HD-1080p, HD-720p, SD-540p, ], Default: HD-720p, Description: Select an encoding profile. HD 1080p [1920x1080, 1280x720, 960x540, 768x432, 640x360, 512x288] HD 720p [1280x720, 960x540, 768x432, 640x360, 512x288] SD 540p [960x540, 768x432, 640x360, 512x288] See the implementation guide for details https://docs.aws.amazon.com/solutions/latest/live-streaming/considerations.html, Type: String, }, InputCIDR: { Default: , Description: For RTP and RTMP PUSH input types ONLY, specify the CIDR Block for the MediaLive SecurityGroup. Input security group restricts access to the input and prevents unauthorized third parties from pushing content into a channel that is associated with that input., Type: String, }, InputDeviceId: { Default: , Description: Specify the ID for your Elemental Link Input device (please note a Link device can only be attached to one input at a time), Type: String, }, InputType: { AllowedValues: [ RTP_PUSH, RTMP_PUSH, URL_PULL, INPUT_DEVICE, ], Default: URL_PULL, Description: Specify the input type for MediaLive (default parameters are for the demo video). For details on setting up each input type, see https://docs.aws.amazon.com/solutions/latest/live-streaming-on-aws-with-amazon-s3/appendix-a.html., Type: String, }, PullPass: { Default: , Description: For URL PULL input type ONLY, if basic authentication is enabled on the source stream enter the password, Type: String, }, PullUrl: { Default: https://d15an60oaeed9r.cloudfront.net/live_stream_v2/sports_reel_with_markers.m3u8, Description: For URL PULL input type ONLY, specify the primary source URL, this should be a HTTP or HTTPS link to the stream manifest file., Type: String, }, PullUser: { Default: , Description: For URL PULL input type ONLY, if basic authentication is enabled on the source stream enter the username, Type: String, }, }, Resources: { AnonymizedMetric: { DeletionPolicy: Delete, Properties: { ChannelStart: { Ref: ChannelStart, }, Cidr: { Ref: InputCIDR, }, EncodingProfile: { Ref: EncodingProfile, }, SendAnonymizedMetric: { Fn::FindInMap: [ AnonymizedData, SendAnonymizedData, Data, ], }, ServiceToken: { Fn::GetAtt: [ CustomResource8CDCD7A7, Arn, ], }, SolutionId: SO0109, Type: { Ref: InputType, }, UUID: { Fn::GetAtt: [ UUID, UUID, ], }, Version: %%VERSION%%, }, Type: AWS::CloudFormation::CustomResource, UpdateReplacePolicy: Delete, }, AppRegistryApp5349BE86: { Properties: { Description: Service Catalog application to track and manage all your resources. The SolutionId is SO0109 and SolutionVersion is %%VERSION%%., Name: { Fn::Join: [ , [ live-streaming-on-aws-with-amazon-s3-, { Ref: AWS::Region, }, -, { Ref: AWS::AccountId, }, -, { Ref: AWS::StackName, }, ], ], }, Tags: { SolutionId: SO0109, Solutions:ApplicationType: AWS-Solutions, Solutions:SolutionID: SO0109, Solutions:SolutionName: Live Streaming on AWS with Amazon S3, Solutions:SolutionVersion: %%VERSION%%, }, }, Type: AWS::ServiceCatalogAppRegistry::Application, }, AppRegistryAssociation: { Properties: { Application: { Fn::GetAtt: [ AppRegistryApp5349BE86, Id, ], }, Resource: { Ref: AWS::StackId, }, ResourceType: CFN_STACK, }, Type: AWS::ServiceCatalogAppRegistry::ResourceAssociation, }, AppRegistryAttributeGroup7AF07446: { Properties: { Attributes: { ApplicationType: AWS-Solutions, SolutionID: SO0109, SolutionVersion: %%VERSION%%, }, Description: Attribute group for solution information., Name: { Fn::Join: [ , [ { Ref: AWS::Region, }, -, { Ref: AWS::StackName, }, ], ], }, Tags: { SolutionId: SO0109, }, }, Type: AWS::ServiceCatalogAppRegistry::AttributeGroup, }, AppRegistryAttributeGroupApplicationAttributeGroupAssociation33c998cf729fE18E7E86: { Properties: { Application: { Fn::GetAtt: [ AppRegistryApp5349BE86, Id, ], }, AttributeGroup: { Fn::GetAtt: [ AppRegistryAttributeGroup7AF07446, Id, ], }, }, Type: AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation, }, CachePolicy26D8A535: { Properties: { CachePolicyConfig: { DefaultTTL: 86400, MaxTTL: 31536000, MinTTL: 0, Name: { Fn::Join: [ , [ CachePolicy-, { Ref: AWS::StackName, }, -, { Ref: AWS::Region, }, ], ], }, ParametersInCacheKeyAndForwardedToOrigin: { CookiesConfig: { CookieBehavior: none, }, EnableAcceptEncodingBrotli: false, EnableAcceptEncodingGzip: false, HeadersConfig: { HeaderBehavior: whitelist, Headers: [ Origin, ], }, QueryStringsConfig: { QueryStringBehavior: none, }, }, }, }, Type: AWS::CloudFront::CachePolicy, }, CloudFrontToS3CloudFrontDistribution241D9866: { Metadata: { cdk_nag: { rules_to_suppress: [ { id: AwsSolutions-CFR1, reason: Use case does not warrant CloudFront Geo restriction, }, { id: AwsSolutions-CFR2, reason: Use case does not warrant CloudFront integration with AWS WAF, }, { id: AwsSolutions-CFR4, reason: CloudFront automatically sets the security policy to TLSv1 when the distribution uses the CloudFront domain name, }, ], }, cfn_nag: { rules_to_suppress: [ { id: W70, reason: Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion, }, ], }, }, Properties: { DistributionConfig: { CustomErrorResponses: [ { ErrorCachingMinTTL: 1, ErrorCode: 400, }, { ErrorCachingMinTTL: 1, ErrorCode: 403, }, { ErrorCachingMinTTL: 1, ErrorCode: 404, }, { ErrorCachingMinTTL: 1, ErrorCode: 405, }, { ErrorCachingMinTTL: 1, ErrorCode: 414, }, { ErrorCachingMinTTL: 1, ErrorCode: 416, }, { ErrorCachingMinTTL: 1, ErrorCode: 500, }, { ErrorCachingMinTTL: 1, ErrorCode: 501, }, { ErrorCachingMinTTL: 1, ErrorCode: 502, }, { ErrorCachingMinTTL: 1, ErrorCode: 503, }, { ErrorCachingMinTTL: 1, ErrorCode: 504, }, ], DefaultCacheBehavior: { CachePolicyId: { Ref: CachePolicy26D8A535, }, Compress: true, TargetOriginId: LiveStreamingCloudFrontToS3CloudFrontDistributionOrigin1940508AB, ViewerProtocolPolicy: redirect-to-https, }, DefaultRootObject: index.html, Enabled: true, HttpVersion: http2, IPV6Enabled: true, Logging: { Bucket: { Fn::GetAtt: [ CloudFrontToS3CloudfrontLoggingBucket8350BE9B, RegionalDomainName, ], }, }, Origins: [ { DomainName: { Fn::GetAtt: [ CloudFrontToS3S3Bucket9CE6AB04, RegionalDomainName, ], }, Id: LiveStreamingCloudFrontToS3CloudFrontDistributionOrigin1940508AB, S3OriginConfig: { OriginAccessIdentity: { Fn::Join: [ , [ origin-access-identity/cloudfront/, { Ref: CloudFrontToS3CloudFrontDistributionOrigin1S3OriginB0637B8F, }, ], ], }, }, }, ], }, Tags: [ { Key: SolutionId, Value: SO0109, }, ], }, Type: AWS::CloudFront::Distribution, }, CloudFrontToS3CloudFrontDistributionOrigin1S3OriginB0637B8F: { Properties: { CloudFrontOriginAccessIdentityConfig: { Comment: Identity for LiveStreamingCloudFrontToS3CloudFrontDistributionOrigin1940508AB, }, }, Type: AWS::CloudFront::CloudFrontOriginAccessIdentity, }, CloudFrontToS3CloudfrontLoggingBucket8350BE9B: { DeletionPolicy: Retain, Metadata: { cdk_nag: { rules_to_suppress: [ { id: AwsSolutions-S1, reason: Used to store access logs for other buckets, }, ], }, cfn_nag: { rules_to_suppress: [ { id: W35, reason: This S3 bucket is used as the access logging bucket for CloudFront Distribution, }, ], }, }, Properties: { AccessControl: LogDeliveryWrite, BucketEncryption: { ServerSideEncryptionConfiguration: [ { ServerSideEncryptionByDefault: { SSEAlgorithm: AES256, }, }, ], }, OwnershipControls: { Rules: [ { ObjectOwnership: ObjectWriter, }, ], }, PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true, }, Tags: [ { Key: SolutionId, Value: SO0109, }, ], VersioningConfiguration: { Status: Enabled, }, }, Type: AWS::S3::Bucket, UpdateReplacePolicy: Retain, }, CloudFrontToS3CloudfrontLoggingBucketPolicy416B82D9: { Properties: { Bucket: { Ref: CloudFrontToS3CloudfrontLoggingBucket8350BE9B, }, PolicyDocument: { Statement: [ { Action: s3:*, Condition: { Bool: { aws:SecureTransport: false, }, }, Effect: Deny, Principal: { AWS: *, }, Resource: [ { Fn::GetAtt: [ CloudFrontToS3CloudfrontLoggingBucket8350BE9B, Arn, ], }, { Fn::Join: [ , [ { Fn::GetAtt: [ CloudFrontToS3CloudfrontLoggingBucket8350BE9B, Arn, ], }, /*, ], ], }, ], }, ], Version: 2012-10-17, }, }, Type: AWS::S3::BucketPolicy, }, CloudFrontToS3S3Bucket9CE6AB04: { DeletionPolicy: Retain, Properties: { BucketEncryption: { ServerSideEncryptionConfiguration: [ { ServerSideEncryptionByDefault: { SSEAlgorithm: AES256, }, }, ], }, LifecycleConfiguration: { Rules: [ { NoncurrentVersionTransitions: [ { StorageClass: GLACIER, TransitionInDays: 90, }, ], Status: Enabled, }, ], }, LoggingConfiguration: { DestinationBucketName: { Ref: CloudFrontToS3S3LoggingBucketEF5CD8B2, }, }, MetricsConfigurations: [ { Id: EntireBucket, }, ], OwnershipControls: { Rules: [ { ObjectOwnership: ObjectWriter, }, ], }, PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true, }, Tags: [ { Key: SolutionId, Value: SO0109, }, ], VersioningConfiguration: { Status: Enabled, }, }, Type: AWS::S3::Bucket, UpdateReplacePolicy: Retain, }, CloudFrontToS3S3BucketPolicy2495300D: { Metadata: { cfn_nag: { rules_to_suppress: [ { id: F16, reason: Public website bucket policy requires a wildcard principal, }, ], }, }, Properties: { Bucket: { Ref: CloudFrontToS3S3Bucket9CE6AB04, }, PolicyDocument: { Statement: [ { Action: s3:*, Condition: { Bool: { aws:SecureTransport: false, }, }, Effect: Deny, Principal: { AWS: *, }, Resource: [ { Fn::GetAtt: [ CloudFrontToS3S3Bucket9CE6AB04, Arn, ], }, { Fn::Join: [ , [ { Fn::GetAtt: [ CloudFrontToS3S3Bucket9CE6AB04, Arn, ], }, /*, ], ], }, ], }, { Action: s3:GetObject, Effect: Allow, Principal: { CanonicalUser: { Fn::GetAtt: [ CloudFrontToS3CloudFrontDistributionOrigin1S3OriginB0637B8F, S3CanonicalUserId, ], }, }, Resource: { Fn::Join: [ , [ { Fn::GetAtt: [ CloudFrontToS3S3Bucket9CE6AB04, Arn, ], }, /*, ], ], }, }, ], Version: 2012-10-17, }, }, Type: AWS::S3::BucketPolicy, }, CloudFrontToS3S3LoggingBucketEF5CD8B2: { DeletionPolicy: Retain, Metadata: { cdk_nag: { rules_to_suppress: [ { id: AwsSolutions-S1, reason: Used to store access logs for other buckets, }, ], }, cfn_nag: { rules_to_suppress: [ { id: W35, reason: This S3 bucket is used as the access logging bucket for another bucket, }, ], }, }, Properties: { BucketEncryption: { ServerSideEncryptionConfiguration: [ { ServerSideEncryptionByDefault: { SSEAlgorithm: AES256, }, }, ], }, OwnershipControls: { Rules: [ { ObjectOwnership: ObjectWriter, }, ], }, PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true, }, Tags: [ { Key: SolutionId, Value: SO0109, }, ], VersioningConfiguration: { Status: Enabled, }, }, Type: AWS::S3::Bucket, UpdateReplacePolicy: Retain, }, CloudFrontToS3S3LoggingBucketPolicy360F3875: { Properties: { Bucket: { Ref: CloudFrontToS3S3LoggingBucketEF5CD8B2, }, PolicyDocument: { Statement: [ { Action: s3:*, Condition: { Bool: { aws:SecureTransport: false, }, }, Effect: Deny, Principal: { AWS: *, }, Resource: [ { Fn::GetAtt: [ CloudFrontToS3S3LoggingBucketEF5CD8B2, Arn, ], }, { Fn::Join: [ , [ { Fn::GetAtt: [ CloudFrontToS3S3LoggingBucketEF5CD8B2, Arn, ], }, /*, ], ], }, ], }, { Action: s3:PutObject, Condition: { ArnLike: { aws:SourceArn: { Fn::GetAtt: [ CloudFrontToS3S3Bucket9CE6AB04, Arn, ], }, }, StringEquals: { aws:SourceAccount: { Ref: AWS::AccountId, }, }, }, Effect: Allow, Principal: { Service: logging.s3.amazonaws.com, }, Resource: { Fn::Join: [ , [ { Fn::GetAtt: [ CloudFrontToS3S3LoggingBucketEF5CD8B2, Arn, ], }, /*, ], ], }, }, ], Version: 2012-10-17, }, }, Type: AWS::S3::BucketPolicy, }, CustomResource8CDCD7A7: { DependsOn: [ CustomResourcePolicy79526710, CustomResourceRoleAB1EF463, ], Metadata: { cdk_nag: { rules_to_suppress: [ { id: AwsSolutions-L1, reason: nodejs 18 lambda runtime does not support javascript SDK v2, }, ], }, cfn_nag: { rules_to_suppress: [ { id: W58, reason: Invalid warning: function has access to cloudwatch, }, { id: W89, reason: This CustomResource does not need to be deployed inside a VPC, }, { id: W92, reason: This CustomResource does not need to define ReservedConcurrentExecutions to reserve simultaneous executions, }, ], }, }, Properties: { Code: { S3Bucket: { Fn::Sub: cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}, }, S3Key: 7979c599bcee0b5200b4cc720683b7858f1dc21b62e0c86d08ee2c2f226117b5.zip, }, Description: CFN Custom resource to copy assets to S3 and get the MediaConvert endpoint, Environment: { Variables: { SOLUTION_IDENTIFIER: AwsSolution/SO0109/%%VERSION%%, }, }, Handler: index.handler, Role: { Fn::GetAtt: [ CustomResourceRoleAB1EF463, Arn, ], }, Runtime: nodejs16.x, Tags: [ { Key: SolutionId, Value: SO0109, }, ], Timeout: 30, }, Type: AWS::Lambda::Function, }, CustomResourcePolicy79526710: { Metadata: { cdk_nag: { rules_to_suppress: [ { id: AwsSolutions-IAM5, reason: Resource ARNs are not generated at the time of policy creation, }, ], }, }, Properties: { PolicyDocument: { Statement: [ { Action: [ medialive:DescribeInputSecurityGroup, medialive:createInputSecurityGroup, medialive:describeInput, medialive:createInput, medialive:deleteInput, medialive:stopChannel, medialive:createChannel, medialive:deleteChannel, medialive:deleteInputSecurityGroup, medialive:describeChannel, medialive:startChannel, medialive:createTags, medialive:deleteTags, ], Effect: Allow, Resource: { Fn::Join: [ , [ arn:, { Ref: AWS::Partition, }, :medialive:, { Ref: AWS::Region, }, :, { Ref: AWS::AccountId, }, :*, ], ], }, }, { Action: ssm:PutParameter, Effect: Allow, Resource: { Fn::Join: [ , [ arn:, { Ref: AWS::Partition, }, :ssm:, { Ref: AWS::Region, }, :, { Ref: AWS::AccountId, }, :parameter/*, ], ], }, }, { Action: iam:PassRole, Effect: Allow, Resource: { Fn::GetAtt: [ MediaLiveRole1149D189, Arn, ], }, }, ], Version: 2012-10-17, }, PolicyName: CustomResourcePolicy79526710, Roles: [ { Ref: CustomResourceRoleAB1EF463, }, ], }, Type: AWS::IAM::Policy, }, CustomResourceRoleAB1EF463: { Properties: { AssumeRolePolicyDocument: { Statement: [ { Action: sts:AssumeRole, Effect: Allow, Principal: { Service: lambda.amazonaws.com, }, }, ], Version: 2012-10-17, }, Tags: [ { Key: SolutionId, Value: SO0109, }, ], }, Type: AWS::IAM::Role, }, MediaLiveChannel: { DeletionPolicy: Delete, DependsOn: [ CloudFrontToS3CloudFrontDistributionOrigin1S3OriginB0637B8F, CloudFrontToS3CloudFrontDistribution241D9866, CloudFrontToS3CloudfrontLoggingBucketPolicy416B82D9, CloudFrontToS3CloudfrontLoggingBucket8350BE9B, CloudFrontToS3S3BucketPolicy2495300D, CloudFrontToS3S3Bucket9CE6AB04, CloudFrontToS3S3LoggingBucketPolicy360F3875, CloudFrontToS3S3LoggingBucketEF5CD8B2, ], Properties: { Codec: AVC, EncodingProfile: { Ref: EncodingProfile, }, InputId: { Fn::GetAtt: [ MediaLiveInput, Id, ], }, Role: { Fn::GetAtt: [ MediaLiveRole1149D189, Arn, ], }, S3Bucket: { Ref: CloudFrontToS3S3Bucket9CE6AB04, }, ServiceToken: { Fn::GetAtt: [ CustomResource8CDCD7A7, Arn, ], }, StreamName: { Ref: AWS::StackName, }, Type: { Ref: InputType, }, }, Type: AWS::CloudFormation::CustomResource, UpdateReplacePolicy: Delete, }, MediaLiveChannelStart: { DeletionPolicy: Delete, Properties: { ChannelId: { Fn::GetAtt: [ MediaLiveChannel, ChannelId, ], }, ChannelStart: { Ref: ChannelStart, }, ServiceToken: { Fn::GetAtt: [ CustomResource8CDCD7A7, Arn, ], }, }, Type: AWS::CloudFormation::CustomResource, UpdateReplacePolicy: Delete, }, MediaLiveInput: { DeletionPolicy: Delete, Properties: { Cidr: { Ref: InputCIDR, }, InputDeviceId: { Ref: InputDeviceId, }, PullPass: { Ref: PullPass, }, PullUrl: { Ref: PullUrl, }, PullUser: { Ref: PullUser, }, ServiceToken: { Fn::GetAtt: [ CustomResource8CDCD7A7, Arn, ], }, StreamName: { Ref: AWS::StackName, }, Type: { Ref: InputType, }, }, Type: AWS::CloudFormation::CustomResource, UpdateReplacePolicy: Delete, }, MediaLiveRole1149D189: { Properties: { AssumeRolePolicyDocument: { Statement: [ { Action: sts:AssumeRole, Effect: Allow, Principal: { Service: medialive.amazonaws.com, }, }, ], Version: 2012-10-17, }, Tags: [ { Key: SolutionId, Value: SO0109, }, ], }, Type: AWS::IAM::Role, }, UUID: { DeletionPolicy: Delete, Properties: { ServiceToken: { Fn::GetAtt: [ CustomResource8CDCD7A7, Arn, ], }, }, Type: AWS::CloudFormation::CustomResource, UpdateReplacePolicy: Delete, }, mediaLivePolicyA0AA0DF7: { Metadata: { cdk_nag: { rules_to_suppress: [ { id: AwsSolutions-IAM5, reason: Resource ARNs are not generated at the time of policy creation, }, ], }, }, Properties: { PolicyDocument: { Statement: [ { Action: [ s3:ListBucket, s3:PutObject, s3:GetObject, s3:DeleteObject, ], Condition: { StringEquals: { s3:ResourceAccount: { Ref: AWS::AccountId, }, }, }, Effect: Allow, Resource: { Fn::Join: [ , [ arn:aws:s3:::, { Ref: CloudFrontToS3S3Bucket9CE6AB04, }, /*, ], ], }, }, { Action: [ ssm:DescribeParameters, ssm:GetParameter, ssm:GetParameters, ssm:PutParameter, ], Effect: Allow, Resource: { Fn::Join: [ , [ arn:, { Ref: AWS::Partition, }, :ssm:, { Ref: AWS::Region, }, :, { Ref: AWS::AccountId, }, :parameter/*, ], ], }, }, { Action: [ mediaconnect:ManagedDescribeFlow, mediaconnect:ManagedAddOutput, mediaconnect:ManagedRemoveOutput, ], Effect: Allow, Resource: { Fn::Join: [ , [ arn:, { Ref: AWS::Partition, }, :mediaconnect:, { Ref: AWS::Region, }, :, { Ref: AWS::AccountId, }, :*, ], ], }, }, { Action: [ ec2:describeSubnets, ec2:describeNetworkInterfaces, ec2:createNetworkInterface, ec2:createNetworkInterfacePermission, ec2:deleteNetworkInterface, ec2:deleteNetworkInterfacePermission, ec2:describeSecurityGroups, ], Effect: Allow, Resource: { Fn::Join: [ , [ arn:, { Ref: AWS::Partition, }, :ec2:, { Ref: AWS::Region, }, :, { Ref: AWS::AccountId, }, :*, ], ], }, }, { Action: [ logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams, logs:DescribeLogGroups, ], Effect: Allow, Resource: { Fn::Join: [ , [ arn:, { Ref: AWS::Partition, }, :logs:*:*:*, ], ], }, }, ], Version: 2012-10-17, }, PolicyName: mediaLivePolicyA0AA0DF7, Roles: [ { Ref: MediaLiveRole1149D189, }, ], }, Type: AWS::IAM::Policy, }, }, } `;