# IAM roles for a Cumulus deployment, expressed as a CloudFormation template.
# This file is a Handlebars template that Kes renders before CloudFormation
# parses it: the double-brace expressions (stackName, the
# useNgapPermissionBoundary flag, the buckets loop) are resolved at render
# time and never reach the YAML parser.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'stack: {{stackName}} | deployed by Kes'
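# Deployment-time inputs. Everything is a String so values pass through
# verbatim; selection logic lives in the Handlebars render context, not in
# CloudFormation conditions.
Parameters:
  # Quoted so the YAML parser keeps these as the strings a String parameter
  # expects; bare true/false parse as booleans. CreateDeploymentRole,
  # DeploymentUserName and DeploymentStackTemplateUrl are not referenced by
  # any resource in this file — presumably consumed by a companion template
  # (confirm before removing).
  CreateDeploymentRole:
    Type: String
    AllowedValues:
      - "true"
      - "false"
    Default: "true"
  DeploymentUserName:
    Type: String
    Default: "n/a"
  DeploymentStackTemplateUrl:
    Type: String
    Default: "n/a"
  # Prefix for every physical resource name in this stack (role names, table
  # and queue ARN patterns, bucket-policy targets).
  ResourcePrefix:
    Type: String
    Default: "template-cumulus"
  # Alphanumeric variant of the prefix; not referenced within this file.
  AlphaNumPrefix:
    Type: String
    Default: "TemplateCumulus"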
Resources:
  # Execution role for the Lambdas fronted by API Gateway. Only the Lambda
  # service may assume it; all permissions are inline policies on the role.
  LambdaApiGatewayRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-lambda-api-gateway"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
    # Emitted only when the render context sets useNgapPermissionBoundary. The
    # helper tags stand alone on their lines, so Handlebars strips them and
    # PermissionsBoundary lands at Properties level like its neighbours.
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: LambdaApiGateway
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only the async-operation task definitions of this prefix may be
              # launched. (Fn::Sub is indented one column deeper than elsewhere
              # in the file; still valid YAML.)
              - Effect: Allow
                Action: ecs:RunTask
                Resource:
                 Fn::Sub: "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${ResourcePrefix}-AsyncOperationTaskDefinition-*"

              # Unscoped: lambda:invokeFunction, AddPermission/RemovePermission
              # and the event-source-mapping actions on "*" reach every
              # function in the account, not just this stack's.
              # NOTE(review): consider restricting to the stack's function ARNs.
              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:UpdateEventSourceMapping
                  - lambda:DeleteEventSourceMapping
                  - lambda:GetEventSourceMapping
                  - lambda:ListEventSourceMappings
                  - lambda:AddPermission
                  - lambda:RemovePermission
                Resource: "*"

              # Item-level access, scoped to tables carrying the stack prefix.
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              # Stream reads for the same tables.
              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              # ListTables is not resource-scoped by IAM; '*' is the only valid
              # resource here.
              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'

              # Bucket-level configuration on every bucket in the render
              # context. s3:PutBucket* also matches PutBucketPolicy and
              # PutBucketAcl, so this role can change who may access those
              # buckets. NOTE(review): enumerate the Put actions actually used.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                {{/each}}

              # Full object read/write/delete (including versions) in the same
              # buckets.
              - Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                {{/each}}

              # ListAllMyBuckets only accepts '*' as its resource.
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # Publish/subscribe on '*' covers every SNS topic in the account,
              # not only this stack's topics.
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:Subscribe
                  - sns:Unsubscribe
                  - sns:List*
                Resource: '*'

              # Send-only queue access, scoped to queues with the stack prefix.
              - Effect: Allow
                Action:
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                  - sqs:SendMessage
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              # Read-only CloudWatch metrics/alarms access.
              - Effect: Allow
                Action:
                  - cloudwatch:List*
                  - cloudwatch:Get*
                  - cloudwatch:Describe*
                Resource: '*'

              # Read-only: lists the stages of any REST API in the region.
              - Effect: Allow
                Action:
                  - apigateway:GET
                Resource:
                  Fn::Sub: "arn:aws:apigateway:${AWS::Region}::/restapis/*/stages"

              # allow adding/editing/deleting of rules associated with this deployment
              # (scoped to the stack's rule-name prefix, unlike the processing
              # roles below which use '*')
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:DeleteRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DescribeRule
                  - events:PutTargets
                  - events:RemoveTargets
                Resource:
                  Fn::Sub: "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/${ResourcePrefix}-*"

              # Allow state machine interactions
              # Read-only actions, but the ARN pattern spans every region and
              # account rather than just this stack's state machines.
              - Effect: Allow
                Action:
                  - states:DescribeExecution
                  - states:DescribeStateMachine
                  - states:GetExecutionHistory
                Resource: arn:aws:states:*:*:*

              # this is needed for running Lambda in a VPC
              # This might not be needed in the NGAP environment
              # if all lambdas are already running in a general VPC
              # environment
              # (unscoped, as in the AWS-managed Lambda VPC access policy)
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

  # role for Lambdas that are NOT used with APIGateway
  # Trusts only the Lambda service. MigrationProcessingRole below is a copy of
  # this role plus two event-source-mapping actions; keep the two in sync.
  LambdaProcessingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-lambda-processing"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
    # Emitted only when the render context sets useNgapPermissionBoundary; the
    # standalone helper lines are stripped by Handlebars.
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ProcessingLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # lambda:GetFunction/invokeFunction on "*" lets this role invoke
              # any function in the account; logs actions are unscoped as well.
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: "*"

              # Allow access to kinesis
              # Read and PutRecord on every stream in the account.
              # NOTE(review): scope to the streams this deployment consumes.
              - Effect: Allow
                Action:
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:DescribeStream
                  - kinesis:ListStreams
                  - kinesis:PutRecord
                Resource: '*'

              # Allow writing to ingest buckets
              # s3:PutBucket* also matches PutBucketPolicy and PutBucketAcl, so
              # this grants control over access to every configured bucket,
              # not just lifecycle/replication settings.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                {{/each}}

              # Full object read/write/delete (including versions and aborting
              # multipart uploads) in the same buckets.
              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                {{/each}}

              # ListAllMyBuckets only accepts '*' as its resource.
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # Used for testing bucket policies
              # NOTE(review): a test-only write to bucket policies living in a
              # runtime role. Rewriting a bucket policy is how bucket access is
              # widened, so gate this behind a test-only deployment flag or
              # drop it from production stacks.
              - Effect: Allow
                Action:
                  - s3:PutBucketPolicy
                Resource:
                  - Fn::Sub: "arn:aws:s3:::${ResourcePrefix}-*"

              # Allow access to dynamoDB
              # Item access plus BatchWriteItem and the ability to toggle
              # point-in-time recovery (continuous backups) on prefixed tables.
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:DescribeContinuousBackups
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              # Stream reads for the same tables.
              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              # ListTables is not resource-scoped by IAM; '*' is required.
              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'

              # Allow access to SQS
              # Consume and produce on queues carrying the stack prefix.
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              # Allow state machine interactions
              # Includes StartExecution/StopExecution on arn:aws:states:*:*:*,
              # i.e. any state machine or execution, not only this stack's.
              # (List items here are flush with the Action key; the rest of the
              # file indents them — both forms are valid YAML.)
              - Effect: Allow
                Action:
                - states:SendTaskFailure
                - states:SendTaskSuccess
                - states:GetActivityTask
                - states:GetExecutionHistory
                - states:DescribeActivity
                - states:DescribeExecution
                - states:StartExecution
                - states:StopExecution
                - states:ListStateMachines
                Resource: arn:aws:states:*:*:*

              # allow adding/editing/deleting of rules associated with this deployment
              # NOTE(review): the comment says "this deployment" but the
              # resource is '*', so PutRule/DeleteRule apply to every rule in
              # the account; LambdaApiGatewayRole scopes the same actions to
              # the rule/<prefix>-* ARN pattern and this role should too.
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                Resource: '*'

              # this is needed for running Lambda in a VPC
              # This might not be needed in the NGAP environment
              # if all lambdas are already running in a general VPC
              # environment
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

              # allow publishing to SNS
              # '*' covers every topic in the account.
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:List*
                Resource: '*'

              # Needed for AWS integration tests
              # Read-only, but test-only grants in a runtime role are worth
              # gating on a deployment flag.
              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                Resource: '*'

  # Role with additional permissions for migrations
  # Identical to LambdaProcessingRole except for the two event-source-mapping
  # actions in the first statement. The duplication is a drift risk: a fix
  # applied to one role is easily missed in the other. NOTE(review): consider
  # generating both from one template partial.
  MigrationProcessingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-migration-processing"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
    # Emitted only when the render context sets useNgapPermissionBoundary; the
    # standalone helper lines are stripped by Handlebars.
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: MigrationProcessingLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # The migration-specific delta: Create/ListEventSourceMappings.
              # All of these are on "*", so they reach every function in the
              # account.
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:ListEventSourceMappings
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: "*"

              # Allow access to kinesis
              # Read and PutRecord on every stream in the account.
              - Effect: Allow
                Action:
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:DescribeStream
                  - kinesis:ListStreams
                  - kinesis:PutRecord
                Resource: '*'

              # Allow writing to ingest buckets
              # s3:PutBucket* also matches PutBucketPolicy and PutBucketAcl.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                {{/each}}

              # Full object read/write/delete in the same buckets.
              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                {{/each}}

              # ListAllMyBuckets only accepts '*' as its resource.
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # Used for testing bucket policies
              # NOTE(review): test-only bucket-policy write in a runtime role;
              # gate behind a test-only flag or drop from production stacks.
              - Effect: Allow
                Action:
                  - s3:PutBucketPolicy
                Resource:
                  - Fn::Sub: "arn:aws:s3:::${ResourcePrefix}-*"

              # Allow access to dynamoDB
              # Item access plus BatchWriteItem and continuous-backup toggling
              # on prefixed tables.
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:DescribeContinuousBackups
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              # Stream reads for the same tables.
              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              # ListTables is not resource-scoped by IAM; '*' is required.
              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'

              # Allow access to SQS
              # Consume and produce on queues carrying the stack prefix.
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              # Allow state machine interactions
              # StartExecution/StopExecution on arn:aws:states:*:*:* apply to
              # any state machine, not only this stack's.
              - Effect: Allow
                Action:
                - states:SendTaskFailure
                - states:SendTaskSuccess
                - states:GetActivityTask
                - states:GetExecutionHistory
                - states:DescribeActivity
                - states:DescribeExecution
                - states:StartExecution
                - states:StopExecution
                - states:ListStateMachines
                Resource: arn:aws:states:*:*:*

              # allow adding/editing/deleting of rules associated with this deployment
              # NOTE(review): resource is '*', so this is every rule in the
              # account; the rule/<prefix>-* pattern used by
              # LambdaApiGatewayRole would match the comment's intent.
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                Resource: '*'

              # this is needed for running Lambda in a VPC
              # This might not be needed in the NGAP environment
              # if all lambdas are already running in a general VPC
              # environment
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

              # allow publishing to SNS
              # '*' covers every topic in the account.
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:List*
                Resource: '*'

              # Needed for AWS integration tests
              # Read-only; a test-only grant in a runtime role.
              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                Resource: '*'

  # Execution role for the stack's Step Functions state machines; assumable
  # only by the regional Step Functions service principal.
  StepRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-steprole"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - Fn::Sub: states.${AWS::Region}.amazonaws.com
            Action: sts:AssumeRole
    # Emitted only when the render context sets useNgapPermissionBoundary; the
    # standalone helper lines are stripped by Handlebars.
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: StepRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Invoke any function in the account. NOTE(review): the stack's
              # function ARN pattern would be a tighter fit for a task role.
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: '*'
              # ecr:* is full registry administration (push, delete, repository
              # policy) for a state-machine role; cloudtrail:LookupEvents is
              # read-only. NOTE(review): it is not evident from this template
              # which task needs either — confirm and narrow.
              - Effect: Allow
                Action:
                  - ecr:*
                  - cloudtrail:LookupEvents
                Resource: '*'
              # Launch any task definition in the account (running a task with
              # a task role additionally needs iam:PassRole, which this role
              # does not grant). This and the next statement could be merged.
              - Effect: Allow
                Action:
                  - ecs:RunTask
                Resource: '*'
              - Effect: Allow
                Action:
                  - ecs:StopTask
                  - ecs:DescribeTasks
                Resource: "*"
              # The managed rule Step Functions uses for the ECS .sync
              # integration; tightly scoped to that one rule.
              - Effect: Allow
                Action:
                  - events:PutTargets
                  - events:PutRule
                  - events:DescribeRule
                Resource:
                  Fn::Sub: "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForECSTaskRule"
              # Full control of CloudWatch, Logs and SNS across the account:
              # logs:* includes DeleteLogGroup (audit-trail impact) and sns:*
              # includes DeleteTopic and topic-policy changes. The iam:Get*
              # actions are read-only. NOTE(review): list the actions the state
              # machines actually call instead of service-wide wildcards.
              - Effect: Allow
                Action:
                  - autoscaling:Describe*
                  - cloudwatch:*
                  - logs:*
                  - sns:*
                  - iam:GetPolicy
                  - iam:GetPolicyVersion
                  - iam:GetRole
                Resource: "*"

  # Instance role for the ECS container instances (trusts EC2), attached via
  # CumulusInstanceProfile below. Instance-role credentials are served to every
  # process on the host through the instance metadata endpoint, so any
  # container that can reach it inherits this whole policy — task roles are
  # the usual way to give containers only what they need.
  ECSRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-ecs"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
    # Emitted only when the render context sets useNgapPermissionBoundary; the
    # standalone helper lines are stripped by Handlebars.
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ECSRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Redundant: the table-prefix statement further down already
              # grants dynamodb:UpdateItem on every table matching
              # <prefix>-*, which includes this one. (Fn::Sub is indented one
              # column deeper than elsewhere; still valid YAML.)
              - Effect: Allow
                Action: dynamodb:UpdateItem
                Resource:
                 Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-AsyncOperationsTable"
              # ECS agent registration/polling, ECR image pulls and ASG
              # lifecycle hooks, which genuinely need broad resources, are
              # mixed with lambda:invokeFunction and ssm:GetParameter on "*"
              # (any function, any parameter name in the account) and
              # ecs:RunTask on "*". NOTE(review): split the agent permissions
              # from the application ones so the latter can be scoped.
              - Effect: Allow
                Action:
                  - autoscaling:CompleteLifecycleAction
                  - autoscaling:DescribeAutoScalingInstances
                  - autoscaling:DescribeLifecycleHooks
                  - autoscaling:RecordLifecycleActionHeartbeat
                  - cloudwatch:GetMetricStatistics
                  - ec2:DescribeInstances
                  - ecr:BatchCheckLayerAvailability
                  - ecr:BatchGetImage
                  - ecr:GetAuthorizationToken
                  - ecr:GetDownloadUrlForLayer
                  - ecs:DeregisterContainerInstance
                  - ecs:DescribeClusters
                  - ecs:DescribeContainerInstances
                  - ecs:DescribeServices
                  - ecs:DiscoverPollEndpoint
                  - ecs:ListContainerInstances
                  - ecs:ListServices
                  - ecs:ListTaskDefinitions
                  - ecs:ListTasks
                  - ecs:Poll
                  - ecs:RegisterContainerInstance
                  - ecs:RunTask
                  - ecs:StartTelemetrySession
                  - ecs:Submit*
                  - ecs:UpdateContainerInstancesState
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:GetLayerVersion
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                  - ssm:GetParameter
                Resource: "*"

              # Allow state machine interactions
              # Activity-worker callbacks; the ARN pattern spans every region
              # and account.
              - Effect: Allow
                Action:
                - states:SendTaskFailure
                - states:SendTaskSuccess
                - states:GetActivityTask
                - states:DescribeActivity
                - states:GetExecutionHistory
                Resource: arn:aws:states:*:*:*

              # Allow writing to ingest buckets
              # s3:PutBucket* also matches PutBucketPolicy and PutBucketAcl.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                {{/each}}

              # Full object read/write/delete in the same buckets.
              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                {{/each}}

              # Read/update on every table with the stack prefix.
              - Effect: Allow
                Action:
                  - dynamodb:Scan
                  - dynamodb:GetItem
                  - dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              # ListAllMyBuckets only accepts '*' as its resource.
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # Elasticsearch HTTP access scoped to the stack's domains;
              # ESHttpDelete allows index deletion.
              - Effect: Allow
                Action:
                  - es:ESHttpDelete
                  - es:ESHttpGet
                  - es:ESHttpHead
                  - es:ESHttpPost
                  - es:ESHttpPut
                Resource:
                  Fn::Sub: "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ResourcePrefix}-*"

  # Execution role for the distribution API Lambda. Bucket grants are limited
  # to buckets the render context marks as protected or public (the
  # BucketIsType helper inside the buckets loop).
  DistributionApiRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
       # (indented 7 columns rather than 8 — valid, but inconsistent)
       Fn::Sub: "${ResourcePrefix}-distribution-api-lambda"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - sts:AssumeRole
    # Emitted only when the render context sets useNgapPermissionBoundary; the
    # standalone helper lines are stripped by Handlebars.
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: DistributionApiGateway
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read and write of the access-token table only (the table name
              # suggests this backs the auth flow — confirm). PutItem means the
              # role can write token records, not merely validate them.
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-AccessTokensTable"

              # NOTE(review): it is not evident why a distribution API needs to
              # create/update/delete event-source mappings for any function in
              # the account; logs actions are the only obvious requirement.
              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:UpdateEventSourceMapping
                  - lambda:DeleteEventSourceMapping
                  - lambda:GetEventSourceMapping
                  - lambda:ListEventSourceMappings
                Resource: "*"

              # Bucket-level configuration on protected/public buckets.
              # s3:PutBucket* includes PutBucketPolicy and PutBucketAcl; an
              # endpoint that serves objects should not normally need to
              # rewrite bucket access configuration.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                {{#each buckets}}
                {{#BucketIsType this "protected,public"}}
                  - arn:aws:s3:::{{this.name}}
                {{/BucketIsType}}
                {{/each}}

              # Object read/write/delete in protected/public buckets.
              # NOTE(review): confirm the distribution path needs Put and
              # Delete; Get plus ListMultipartUploadParts may suffice.
              - Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                {{#each buckets}}
                {{#BucketIsType this "protected,public"}}
                  - arn:aws:s3:::{{this.name}}/*
                {{/BucketIsType}}
                {{/each}}

              # ListAllMyBuckets only accepts '*' as its resource.
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # ENI management for running the Lambda inside a VPC.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

  # Role assumed by Application Auto Scaling to adjust DynamoDB capacity and
  # ECS service desired counts. (The quoted 'AWS::IAM::Role' and '/' differ in
  # style from the other resources' plain scalars; the values are identical.)
  ScalingRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-scaling-role"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: application-autoscaling.amazonaws.com
            Action: sts:AssumeRole
    # Emitted only when the render context sets useNgapPermissionBoundary; the
    # standalone helper lines are stripped by Handlebars.
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: '/'
      Policies:
        - PolicyName: ScalingPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # All on '*': dynamodb:UpdateTable and ecs:UpdateService apply to
              # every table and service in the account, and the alarm actions
              # can delete or silence any CloudWatch alarm. NOTE(review): the
              # table/<prefix>-* ARN pattern used elsewhere in this file would
              # scope the DynamoDB part.
              - Effect: Allow
                Action:
                  - "application-autoscaling:*"
                  - cloudwatch:DeleteAlarms
                  - cloudwatch:DescribeAlarms
                  - cloudwatch:GetMetricStatistics
                  - cloudwatch:PutMetricAlarm
                  - cloudwatch:SetAlarmState
                  - dynamodb:DescribeTable
                  - dynamodb:UpdateTable
                  - ecs:DescribeServices
                  - ecs:UpdateService
                Resource: '*'


  # Instance profile that delivers ECSRole to the container instances; it
  # shares the role's physical name (<prefix>-ecs).
  CumulusInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName:
        Fn::Sub: "${ResourcePrefix}-ecs"
      Path: "/"
      Roles:
        - Ref: ECSRole

# ARNs of the roles and the instance profile, one output per resource above.
# None is exported (no Export key), so they are read via the stack's outputs
# — presumably by Kes or the companion templates (confirm).
# Note the output names do not all mirror the logical IDs:
# DistributionRoleArn refers to DistributionApiRole.
Outputs:
  CumulusInstanceProfileArn:
    Value:
      Fn::GetAtt:
        - CumulusInstanceProfile
        - Arn
  EcsRoleArn:
    Value:
      Fn::GetAtt:
        - ECSRole
        - Arn
  LambdaApiGatewayRoleArn:
    Value:
      Fn::GetAtt:
        - LambdaApiGatewayRole
        - Arn
  LambdaProcessingRoleArn:
    Value:
      Fn::GetAtt:
        - LambdaProcessingRole
        - Arn
  MigrationProcessingRoleArn:
    Value:
      Fn::GetAtt:
        - MigrationProcessingRole
        - Arn
  DistributionRoleArn:
    Value:
      Fn::GetAtt:
        - DistributionApiRole
        - Arn
  StepRoleArn:
    Value:
      Fn::GetAtt:
        - StepRole
        - Arn
  ScalingRoleArn:
    Value:
      Fn::GetAtt:
        - ScalingRole
        - Arn
