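# CloudFormation template (rendered through Handlebars by Kes) defining the
# IAM roles and instance profile used by a Cumulus deployment.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'stack: {{stackName}} | deployed by Kes'
Parameters:
  # The true/false values are quoted so the YAML parser keeps them as
  # strings: the parameter is Type String, and an unquoted true/false is
  # read as a YAML boolean before CloudFormation ever sees it.
  # NOTE(review): CreateDeploymentRole, DeploymentUserName,
  # DeploymentStackTemplateUrl and AlphaNumPrefix are not referenced by any
  # resource or output in this template; they may be consumed by the
  # enclosing Kes deployment — confirm before removing them.
  CreateDeploymentRole:
    Type: String
    AllowedValues:
      - "true"
      - "false"
    Default: "true"
  DeploymentUserName:
    Type: String
    Default: "n/a"
  DeploymentStackTemplateUrl:
    Type: String
    Default: "n/a"
  # Prefix used for every RoleName and every ${ResourcePrefix}-* ARN pattern below.
  ResourcePrefix:
    Type: String
    Default: "template-cumulus"
  AlphaNumPrefix:
    Type: String
    Default: "TemplateCumulus"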
Resources:
  # Execution role for the Lambdas that sit behind the Cumulus API Gateway.
  LambdaApiGatewayRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-lambda-api-gateway"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      # Permissions boundary NGAPShRoleBoundary, attached only when the Kes
      # config sets useNgapPermissionBoundary. Unquoted here while every
      # other Fn::Sub value in this file is quoted; valid YAML either way.
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: LambdaApiGateway
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Async operations are started as ECS tasks from this stack's
              # task definitions only.
              - Effect: Allow
                Action: ecs:RunTask
                Resource:
                  Fn::Sub: "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${ResourcePrefix}-AsyncOperationTaskDefinition-*"

              # NOTE(review): lambda:AddPermission / RemovePermission on "*"
              # let this role edit the resource policy of any function in
              # the account; confirm they cannot be scoped to
              # function:${ResourcePrefix}-* like the other services here.
              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:UpdateEventSourceMapping
                  - lambda:DeleteEventSourceMapping
                  - lambda:GetEventSourceMapping
                  - lambda:ListEventSourceMappings
                  - lambda:AddPermission
                  - lambda:RemovePermission
                Resource: "*"

              # Item-level access to this deployment's tables only.
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'

              # Bucket-level configuration on every bucket in the Kes config.
              # NOTE(review): s3:PutBucket* also matches PutBucketPolicy and
              # PutBucketAcl, i.e. this role can rewrite bucket access
              # controls; confirm the API lambdas need more than the
              # accelerate/lifecycle/replication writes listed explicitly.
              # NOTE(review): if the Kes config has no buckets, the {{#each}}
              # renders nothing and Resource: becomes null, which is an
              # invalid statement — confirm at least one bucket is always set.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}

              # Object-level read/write/delete on the same buckets.
              - Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # NOTE(review): sns:publish / Subscribe / Unsubscribe on '*'
              # reach every topic in the account; a
              # ${ResourcePrefix}-* topic ARN would match the SQS scoping below.
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:Subscribe
                  - sns:Unsubscribe
                  - sns:List*
                Resource: '*'

              - Effect: Allow
                Action:
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                  - sqs:SendMessage
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - cloudwatch:List*
                  - cloudwatch:Get*
                  - cloudwatch:Describe*
                Resource: '*'

              # Read-only access to API Gateway stages (all REST APIs in the region).
              - Effect: Allow
                Action:
                  - apigateway:GET
                Resource:
                  Fn::Sub: "arn:aws:apigateway:${AWS::Region}::/restapis/*/stages"

              # allow adding/editing/deleting of rules associated with this deployment
              # NOTE(review): events:ListRules does not appear to be
              # resource-scoped in IAM and may be denied under this rule ARN —
              # verify; if so it needs its own statement with Resource '*'.
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:DeleteRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DescribeRule
                  - events:PutTargets
                  - events:RemoveTargets
                Resource:
                  Fn::Sub: "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/${ResourcePrefix}-*"

              # Allow state machine interactions
              # NOTE(review): arn:aws:states:*:*:* spans every region and
              # account; arn:aws:states:${AWS::Region}:${AWS::AccountId}:*
              # would match the scoping used for the other services here.
              - Effect: Allow
                Action:
                  - states:DescribeExecution
                  - states:DescribeStateMachine
                  - states:GetExecutionHistory
                Resource: arn:aws:states:*:*:*

              # this is needed for running Lambda in a VPC
              # This might not be needed in the NGAP environment
              # if all lambdas are already running in a general VPC
              # environment
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

  # role for Lambdas that are NOT used with APIGateway
  LambdaProcessingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-lambda-processing"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      # Permissions boundary NGAPShRoleBoundary, attached only when the Kes
      # config sets useNgapPermissionBoundary.
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ProcessingLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): lambda:invokeFunction on "*" lets any processing
              # Lambda invoke any function in the account; confirm a
              # function:${ResourcePrefix}-* scope is not sufficient.
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: "*"

              # Allow access to kinesis
              # NOTE(review): read and PutRecord on every stream in the
              # account; no ${ResourcePrefix} scoping unlike DynamoDB/SQS below.
              - Effect: Allow
                Action:
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:DescribeStream
                  - kinesis:ListStreams
                  - kinesis:PutRecord
                Resource: '*'

              # Allow writing to ingest buckets
              # NOTE(review): s3:PutBucket* also matches PutBucketPolicy and
              # PutBucketAcl on every configured bucket. With no buckets in
              # the Kes config the {{#each}} renders nothing and Resource:
              # becomes null — confirm at least one bucket is always set.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # Used for testing bucket policies
              # NOTE(review): a test-only grant on the production processing
              # role; consider moving it to a test role or gating it with a
              # Kes config flag like useNgapPermissionBoundary.
              - Effect: Allow
                Action:
                  - s3:PutBucketPolicy
                Resource:
                  - Fn::Sub: "arn:aws:s3:::${ResourcePrefix}-*"

              # Allow access to dynamoDB
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:DescribeContinuousBackups
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'

              # Allow access to SQS
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              # Allow state machine interactions
              # NOTE(review): StartExecution/StopExecution on
              # arn:aws:states:*:*:* cover every state machine in every
              # region and account; consider
              # arn:aws:states:${AWS::Region}:${AWS::AccountId}:*.
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:GetExecutionHistory
                  - states:DescribeActivity
                  - states:DescribeExecution
                  - states:StartExecution
                  - states:StopExecution
                  - states:ListStateMachines
                Resource: arn:aws:states:*:*:*

              # allow adding/editing/deleting of rules associated with this deployment
              # NOTE(review): the comment says "this deployment" but Resource
              # is '*'; LambdaApiGatewayRole scopes the same actions to
              # rule/${ResourcePrefix}-* (ListRules may need '*' on its own).
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                Resource: '*'

              # this is needed for running Lambda in a VPC
              # This might not be needed in the NGAP environment
              # if all lambdas are already running in a general VPC
              # environment
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

              # allow publishing to SNS
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:List*
                Resource: '*'

              # Needed for AWS integration tests
              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                Resource: '*'

  # Role with additional permissions for migrations
  # NOTE(review): this policy is a copy of ProcessingLambda above plus
  # lambda:CreateEventSourceMapping and lambda:ListEventSourceMappings in
  # the first statement; the two must be kept in sync by hand. Consider
  # factoring the shared statements into an AWS::IAM::ManagedPolicy.
  MigrationProcessingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-migration-processing"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      # Permissions boundary NGAPShRoleBoundary, attached only when the Kes
      # config sets useNgapPermissionBoundary.
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: MigrationProcessingLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only difference from ProcessingLambda: the two
              # *EventSourceMapping actions.
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:ListEventSourceMappings
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: "*"

              # Allow access to kinesis
              - Effect: Allow
                Action:
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:DescribeStream
                  - kinesis:ListStreams
                  - kinesis:PutRecord
                Resource: '*'

              # Allow writing to ingest buckets
              # NOTE(review): s3:PutBucket* also matches PutBucketPolicy and
              # PutBucketAcl; with no buckets in the Kes config Resource:
              # renders as null — same caveats as ProcessingLambda.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # Used for testing bucket policies
              - Effect: Allow
                Action:
                  - s3:PutBucketPolicy
                Resource:
                  - Fn::Sub: "arn:aws:s3:::${ResourcePrefix}-*"

              # Allow access to dynamoDB
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:DescribeContinuousBackups
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'

              # Allow access to SQS
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              # Allow state machine interactions
              # NOTE(review): arn:aws:states:*:*:* spans every region and account.
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:GetExecutionHistory
                  - states:DescribeActivity
                  - states:DescribeExecution
                  - states:StartExecution
                  - states:StopExecution
                  - states:ListStateMachines
                Resource: arn:aws:states:*:*:*

              # allow adding/editing/deleting of rules associated with this deployment
              # NOTE(review): Resource '*' despite the "this deployment"
              # comment; see the rule/${ResourcePrefix}-* scoping in
              # LambdaApiGatewayRole.
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                Resource: '*'

              # this is needed for running Lambda in a VPC
              # This might not be needed in the NGAP environment
              # if all lambdas are already running in a general VPC
              # environment
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

              # allow publishing to SNS
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:List*
                Resource: '*'

              # Needed for AWS integration tests
              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                Resource: '*'

  # Role assumed by Step Functions (states.<region>.amazonaws.com) to run the
  # workflows' Lambda and ECS steps.
  StepRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-steprole"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - Fn::Sub: states.${AWS::Region}.amazonaws.com
            Action: sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      # Permissions boundary NGAPShRoleBoundary, attached only when the Kes
      # config sets useNgapPermissionBoundary.
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: StepRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): any function in the account can be invoked from
              # a workflow; function:${ResourcePrefix}-* would limit this to
              # the deployment's own Lambdas.
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: '*'
              # NOTE(review): ecr:* on '*' includes push/delete on every
              # repository; the ECSRole below gets by with the four ecr:Get*/
              # Batch* read actions, which is probably all a workflow needs.
              - Effect: Allow
                Action:
                  - ecr:*
                  - cloudtrail:LookupEvents
                Resource: '*'
              # NOTE(review): LambdaApiGatewayRole scopes ecs:RunTask to
              # task-definition/${ResourcePrefix}-AsyncOperationTaskDefinition-*;
              # the same pattern could apply here.
              - Effect: Allow
                Action:
                  - ecs:RunTask
                Resource: '*'
              - Effect: Allow
                Action:
                  - ecs:StopTask
                  - ecs:DescribeTasks
                Resource: "*"
              # Managed rule Step Functions uses to track ECS task completion.
              - Effect: Allow
                Action:
                  - events:PutTargets
                  - events:PutRule
                  - events:DescribeRule
                Resource:
                  Fn::Sub: "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForECSTaskRule"
              # NOTE(review): cloudwatch:*, logs:* and sns:* on "*" are full
              # admin over those services (log-group deletion, topic policy
              # changes); confirm which write actions the workflows need.
              - Effect: Allow
                Action:
                  - autoscaling:Describe*
                  - cloudwatch:*
                  - logs:*
                  - sns:*
                  - iam:GetPolicy
                  - iam:GetPolicyVersion
                  - iam:GetRole
                Resource: "*"

  # Instance role for the ECS container instances (attached through
  # CumulusInstanceProfile below); assumed by ec2.amazonaws.com.
  ECSRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-ecs"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      # Permissions boundary NGAPShRoleBoundary, attached only when the Kes
      # config sets useNgapPermissionBoundary.
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ECSRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Write access limited to the async-operations table.
              - Effect: Allow
                Action: dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-AsyncOperationsTable"
              # NOTE(review): this is an instance role shared by every
              # container on the host. ssm:GetParameter on "*" exposes every
              # parameter in the account to those containers, and
              # lambda:invokeFunction / ecs:RunTask on "*" are account-wide;
              # consider ${ResourcePrefix}-* scoping for each.
              - Effect: Allow
                Action:
                  - autoscaling:CompleteLifecycleAction
                  - autoscaling:DescribeAutoScalingInstances
                  - autoscaling:DescribeLifecycleHooks
                  - autoscaling:RecordLifecycleActionHeartbeat
                  - cloudwatch:GetMetricStatistics
                  - ec2:DescribeInstances
                  - ecr:BatchCheckLayerAvailability
                  - ecr:BatchGetImage
                  - ecr:GetAuthorizationToken
                  - ecr:GetDownloadUrlForLayer
                  - ecs:DeregisterContainerInstance
                  - ecs:DescribeClusters
                  - ecs:DescribeContainerInstances
                  - ecs:DescribeServices
                  - ecs:DiscoverPollEndpoint
                  - ecs:ListContainerInstances
                  - ecs:ListServices
                  - ecs:ListTaskDefinitions
                  - ecs:ListTasks
                  - ecs:Poll
                  - ecs:RegisterContainerInstance
                  - ecs:RunTask
                  - ecs:StartTelemetrySession
                  - ecs:Submit*
                  - ecs:UpdateContainerInstancesState
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:GetLayerVersion
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                  - ssm:GetParameter
                Resource: "*"

              # Allow state machine interactions
              # NOTE(review): arn:aws:states:*:*:* spans every region and account.
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:DescribeActivity
                  - states:GetExecutionHistory
                Resource: arn:aws:states:*:*:*

              # Allow writing to ingest buckets
              # NOTE(review): s3:PutBucket* also matches PutBucketPolicy and
              # PutBucketAcl; with no buckets in the Kes config Resource:
              # renders as null.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}

              - Effect: Allow
                Action:
                  - dynamodb:Scan
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # Elasticsearch access scoped to this deployment's domains.
              - Effect: Allow
                Action:
                  - es:ESHttpDelete
                  - es:ESHttpGet
                  - es:ESHttpHead
                  - es:ESHttpPost
                  - es:ESHttpPut
                Resource:
                  Fn::Sub: "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ResourcePrefix}-*"

  # Execution role for the distribution API Lambdas. Bucket access is
  # limited by the BucketIsType helper to buckets typed protected or public.
  DistributionApiRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-distribution-api-lambda"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      # Permissions boundary NGAPShRoleBoundary, attached only when the Kes
      # config sets useNgapPermissionBoundary.
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: DistributionApiGateway
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Access-token storage, limited to the one table.
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-AccessTokensTable"

              # NOTE(review): the event-source-mapping actions and
              # lambda:invokeFunction on "*" look copied from
              # LambdaApiGatewayRole; confirm the distribution Lambdas use
              # them at all.
              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:UpdateEventSourceMapping
                  - lambda:DeleteEventSourceMapping
                  - lambda:GetEventSourceMapping
                  - lambda:ListEventSourceMappings
                Resource: "*"

              # NOTE(review): s3:PutBucket* (bucket policy/ACL writes) on the
              # protected and public buckets for a role that serves
              # downloads; confirm anything beyond s3:GetBucket*/ListBucket*
              # is needed. With no matching buckets Resource: renders as null.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  {{#BucketIsType this "protected,public"}}
                  - arn:aws:s3:::{{this.name}}
                  {{/BucketIsType}}
                  {{/each}}

              # NOTE(review): PutObject* and DeleteObject* grant write and
              # delete on served data; confirm the distribution API needs
              # more than GetObject*.
              - Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  {{#BucketIsType this "protected,public"}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/BucketIsType}}
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # ENI management needed for running Lambda in a VPC.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

  # Role assumed by Application Auto Scaling to scale the deployment's
  # DynamoDB tables and ECS services.
  ScalingRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-scaling-role"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: application-autoscaling.amazonaws.com
            Action: sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      # Permissions boundary NGAPShRoleBoundary, attached only when the Kes
      # config sets useNgapPermissionBoundary.
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
      {{/if}}
      Path: '/'
      Policies:
        - PolicyName: ScalingPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): dynamodb:UpdateTable and ecs:UpdateService on
              # '*' can resize any table/service in the account; the
              # table/${ResourcePrefix}-* pattern used elsewhere in this file
              # would fit here.
              - Effect: Allow
                Action:
                  - "application-autoscaling:*"
                  - cloudwatch:DeleteAlarms
                  - cloudwatch:DescribeAlarms
                  - cloudwatch:GetMetricStatistics
                  - cloudwatch:PutMetricAlarm
                  - cloudwatch:SetAlarmState
                  - dynamodb:DescribeTable
                  - dynamodb:UpdateTable
                  - ecs:DescribeServices
                  - ecs:UpdateService
                Resource: '*'


  # Instance profile that attaches ECSRole to the ECS container instances.
  CumulusInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName:
        Fn::Sub: "${ResourcePrefix}-ecs"
      Path: "/"
      Roles:
        - Ref: ECSRole

# ARNs of every role and the instance profile, for use by the stacks that
# create the Lambdas, ECS cluster, state machines and scaling targets.
Outputs:
  CumulusInstanceProfileArn:
    Value:
      Fn::GetAtt:
        - CumulusInstanceProfile
        - Arn
  EcsRoleArn:
    Value:
      Fn::GetAtt:
        - ECSRole
        - Arn
  LambdaApiGatewayRoleArn:
    Value:
      Fn::GetAtt:
        - LambdaApiGatewayRole
        - Arn
  LambdaProcessingRoleArn:
    Value:
      Fn::GetAtt:
        - LambdaProcessingRole
        - Arn
  MigrationProcessingRoleArn:
    Value:
      Fn::GetAtt:
        - MigrationProcessingRole
        - Arn
  DistributionRoleArn:
    Value:
      Fn::GetAtt:
        - DistributionApiRole
        - Arn
  StepRoleArn:
    Value:
      Fn::GetAtt:
        - StepRole
        - Arn
  ScalingRoleArn:
    Value:
      Fn::GetAtt:
        - ScalingRole
        - Arn