IAM Template

This template deploys all the IAM Users and Roles used for the lab.

---
---
AWSTemplateFormatVersion: '2010-09-09'
Description: MGMT312 IAM Role
# Two roles (an EC2 instance role with its instance profile and a Service
# Catalog end-user role) plus an SSM parameter holding the switch-role URL.
Resources:
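  # Role attached to lab EC2 instances through EC2InstanceProfile.
  # AdministratorAccess (below) already allows s3:GetObject on every bucket,
  # so the inline SSM bucket policy is subsumed by it; it is kept so the
  # role keeps working if the managed policy is later narrowed.
  EC2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      # Full administrator rights on the account. This is the broadest grant
      # in the template: anything running on an instance with this profile
      # inherits it. Scope it down for any non-lab deployment.
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess'
      Policies:
        # Read-only access to the regional SSM-related buckets listed below.
        - PolicyName: ssm-custom-s3-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !Sub 'arn:aws:s3:::aws-ssm-${AWS::Region}/*'
                  - !Sub 'arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*'
                  - !Sub 'arn:aws:s3:::amazon-ssm-${AWS::Region}/*'
                  - !Sub 'arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*'
                  - !Sub 'arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*'
                  - !Sub 'arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*'
      # Trust policy: besides EC2 (via the instance profile), the SSM,
      # Service Catalog and Lambda services may also assume this role, so
      # the administrator grant is reachable from those services too.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - ssm.amazonaws.com
                - servicecatalog.amazonaws.com
                - lambda.amazonaws.com
            Action: sts:AssumeRole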
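  # Instance profile through which EC2 instances pick up EC2InstanceRole.
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref EC2InstanceRole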
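  # Role that lab participants switch into to work with Service Catalog.
  # Trust policy: any principal in this account that is itself allowed to
  # call sts:AssumeRole on it (account-root principal form).
  SCEndUserRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name so the switch-role URL built elsewhere in the template is
      # predictable; the stack-name suffix keeps it unique if the template is
      # deployed more than once in the same account.
      RoleName: !Sub 'mgt312_sc_end_user_${AWS::StackName}'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess
        - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              AWS: !Sub '${AWS::AccountId}'
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ServiceActionsPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Service Catalog service-action execution plus the SSM
              # automation and CloudFormation read calls listed here. Note
              # that ec2:* on Resource '*' goes far beyond the
              # AmazonEC2ReadOnlyAccess managed policy above and gives end
              # users full EC2 control; acceptable for the lab only.
              - Sid: ServiceActionsPolicySID
                Effect: Allow
                Action:
                  - servicecatalog:ListServiceActionsForProvisioningArtifact
                  - servicecatalog:ExecuteProvisionedProductServiceAction
                  - ssm:DescribeDocument
                  - ssm:GetAutomationExecution
                  - ssm:StartAutomationExecution
                  - ssm:StopAutomationExecution
                  - cloudformation:ListStackResources
                  - ec2:*
                Resource: '*'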
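  # Publishes the console "switch role" URL for SCEndUserRole in Parameter
  # Store. Ref on an AWS::IAM::Role returns the role name, which is what the
  # roleName query parameter needs; this avoids splitting the ARN on '/',
  # which would break if the role were ever given a non-root Path.
  SwitchRoleSCEndUserRole:
    Type: AWS::SSM::Parameter
    Properties:
      Description: URL to Switch to the SC End User Role
      Name: SwitchRoleSCEndUser
      Type: String
      Value: !Sub 'https://signin.aws.amazon.com/switchrole?account=${AWS::AccountId}&roleName=${SCEndUserRole}&displayName=ServiceCatalogEndUser'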
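Outputs:
  EC2InstanceProfileName:
    Description: Name of the Instance Profile
    Value: !Ref EC2InstanceProfile
  # Descriptions below match the value each output actually carries.
  EC2InstanceProfileArn:
    Description: Instance Profile Arn
    Value: !GetAtt EC2InstanceProfile.Arn
  EC2InstanceRoleArn:
    Description: Instance Role Arn
    Value: !GetAtt EC2InstanceRole.Arn
  # Same URL as the SwitchRoleSCEndUser SSM parameter, exposed as a stack
  # output for convenience. Ref on an AWS::IAM::Role returns the role name.
  SwitchRoleSCEndUserRole:
    Description: URL to switch to the SC End User Role in the console
    Value: !Sub 'https://signin.aws.amazon.com/switchrole?account=${AWS::AccountId}&roleName=${SCEndUserRole}&displayName=ServiceCatalogEndUser'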