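AWSTemplateFormatVersion: '2010-09-09'
Description: 'stack: {{stackName}} | deployed by Kes'

# Kes (Handlebars) template for the IAM roles of a Cumulus deployment.
# `{{...}}` expressions and the `{{#if}}` / `{{#each}}` blocks are expanded by
# Kes before CloudFormation parses the document; the block tags sit on lines
# of their own so Handlebars drops those whole lines and the YAML stays valid.
Parameters:
  # The next three parameters are not referenced by any resource in this
  # template; presumably they feed a separate deployment-role stack (the
  # DeploymentStackTemplateUrl name suggests so) — confirm before removing.
  CreateDeploymentRole:
    Type: String
    AllowedValues:
      - true
      - false
    Default: true
  DeploymentUserName:
    Type: String
    Default: "n/a"
  DeploymentStackTemplateUrl:
    Type: String
    Default: "n/a"
  # Prefix shared by every RoleName below and by the ARN patterns the policies
  # are scoped to (DynamoDB tables, SQS queues, EventBridge rules, ES domains).
  ResourcePrefix:
    Type: String
    Default: "template-cumulus"
  # Not referenced in this template either.
  AlphaNumPrefix:
    Type: String
    Default: "TemplateCumulus"

Resources: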
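# --- LambdaApiGatewayRole ---------------------------------------------------
# Execution role for the API-facing Lambdas. Only the Lambda service may
# assume it; when useNgapPermissionBoundary is set, the NGAP boundary policy
# caps everything granted below.
  LambdaApiGatewayRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-lambda-api-gateway"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: LambdaApiGateway
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only this stack's async-operation task definitions can be run.
              - Effect: Allow
                Action: ecs:RunTask
                Resource:
                  Fn::Sub: "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${ResourcePrefix}-AsyncOperationTaskDefinition-*"

              # NOTE(review): lambda:AddPermission / RemovePermission and the
              # event-source-mapping actions on "*" reach every function in the
              # account, not just this stack's. The function-level actions
              # accept a function ARN as Resource, so a
              # ":function:${ResourcePrefix}-*" scope is worth trying.
              # (IAM matches action names case-insensitively, so the lowercase
              # "invokeFunction" works; StepRole spells it "InvokeFunction".)
              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:UpdateEventSourceMapping
                  - lambda:DeleteEventSourceMapping
                  - lambda:GetEventSourceMapping
                  - lambda:ListEventSourceMappings
                  - lambda:AddPermission
                  - lambda:RemovePermission
                Resource: "*"

              # Item access is limited to tables carrying this stack's prefix.
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              # ListTables is not resource-scopable; "*" is the only option.
              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'

              # Bucket-level rights on every configured bucket. s3:PutBucket*
              # includes PutBucketPolicy and PutBucketAcl, i.e. the role can
              # change who else may reach these buckets — keep the `buckets`
              # list tight.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                {{/each}}

              # Object-level rights on the same buckets.
              - Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # NOTE(review): sns:Subscribe/Unsubscribe/publish on "*" cover
              # every topic in the account; a topic ARN pattern would narrow it.
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:Subscribe
                  - sns:Unsubscribe
                  - sns:List*
                Resource: '*'

              - Effect: Allow
                Action:
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                  - sqs:SendMessage
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              # Read-only CloudWatch.
              - Effect: Allow
                Action:
                  - cloudwatch:List*
                  - cloudwatch:Get*
                  - cloudwatch:Describe*
                Resource: '*'

              # Read stage info for any REST API in the region.
              - Effect: Allow
                Action:
                  - apigateway:GET
                Resource:
                  Fn::Sub: "arn:aws:apigateway:${AWS::Region}::/restapis/*/stages"

              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:DeleteRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DescribeRule
                  - events:PutTargets
                  - events:RemoveTargets
                Resource:
                  Fn::Sub: "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/${ResourcePrefix}-*"

              # NOTE(review): "arn:aws:states:*:*:*" spans all regions and
              # accounts; the "${AWS::Region}:${AWS::AccountId}" form used for
              # the other services above would match if no cross-account
              # executions are inspected.
              - Effect: Allow
                Action:
                  - states:DescribeExecution
                  - states:DescribeStateMachine
                  - states:GetExecutionHistory
                Resource: arn:aws:states:*:*:*

              # ENI management is what a VPC-attached Lambda needs; these
              # actions are not resource-scopable.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'
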
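# --- LambdaProcessingRole ---------------------------------------------------
# Execution role for the ingest/processing Lambdas (Kinesis, SQS and Step
# Functions driven). MigrationProcessingRole below is a near-copy of this
# role; keep the two in step when changing either.
  LambdaProcessingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-lambda-processing"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ProcessingLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): lambda:GetFunction / invokeFunction on "*" can
              # invoke any function in the account; a
              # ":function:${ResourcePrefix}-*" scope would be the
              # least-privilege form if all callees carry the prefix.
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: "*"

              # Read and write on every Kinesis stream in the account.
              - Effect: Allow
                Action:
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:DescribeStream
                  - kinesis:ListStreams
                  - kinesis:PutRecord
                Resource: '*'

              # Bucket-level rights on every configured bucket; s3:PutBucket*
              # includes PutBucketPolicy / PutBucketAcl.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                {{/each}}

              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # Bucket policies on prefix-named buckets (a different set from
              # the `buckets` list above, which already allows PutBucket*).
              - Effect: Allow
                Action:
                  - s3:PutBucketPolicy
                Resource:
                  - Fn::Sub: "arn:aws:s3:::${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:DescribeContinuousBackups
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'

              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              # NOTE(review): StartExecution / StopExecution on
              # "arn:aws:states:*:*:*" cover every state machine in every
              # region and account; the "${AWS::Region}:${AWS::AccountId}"
              # scope used elsewhere would match unless cross-account
              # workflows are driven from here.
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:GetExecutionHistory
                  - states:DescribeActivity
                  - states:DescribeExecution
                  - states:StartExecution
                  - states:StopExecution
                  - states:ListStateMachines
                Resource: arn:aws:states:*:*:*

              # NOTE(review): unlike LambdaApiGatewayRole, the rule actions
              # here are on '*' rather than "rule/${ResourcePrefix}-*"; the
              # prefixed pattern would bring the two roles in line.
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                Resource: '*'

              # ENI management for VPC-attached Lambdas; not resource-scopable.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:List*
                Resource: '*'

              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                Resource: '*'
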
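# --- MigrationProcessingRole ------------------------------------------------
# Execution role for the data-migration Lambdas. Identical to
# LambdaProcessingRole except for the name and the two extra
# event-source-mapping actions in the first statement; a shared managed policy
# would remove the duplication.
  MigrationProcessingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-migration-processing"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: MigrationProcessingLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): function and event-source-mapping actions on
              # "*" reach every function in the account; see the same note on
              # LambdaApiGatewayRole.
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:ListEventSourceMappings
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: "*"

              - Effect: Allow
                Action:
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:DescribeStream
                  - kinesis:ListStreams
                  - kinesis:PutRecord
                Resource: '*'

              # s3:PutBucket* includes PutBucketPolicy / PutBucketAcl.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                {{/each}}

              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              - Effect: Allow
                Action:
                  - s3:PutBucketPolicy
                Resource:
                  - Fn::Sub: "arn:aws:s3:::${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:DescribeContinuousBackups
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: '*'

              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              # NOTE(review): all-regions / all-accounts state-machine ARN;
              # see the note on LambdaProcessingRole.
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:GetExecutionHistory
                  - states:DescribeActivity
                  - states:DescribeExecution
                  - states:StartExecution
                  - states:StopExecution
                  - states:ListStateMachines
                Resource: arn:aws:states:*:*:*

              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                Resource: '*'

              # ENI management for VPC-attached Lambdas; not resource-scopable.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'

              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:List*
                Resource: '*'

              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                Resource: '*'
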
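# --- StepRole ---------------------------------------------------------------
# Role assumed by the regional Step Functions service principal to run this
# stack's state machines (invoke Lambdas, run ECS tasks, wire the ECS ".sync"
# event rule).
  StepRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-steprole"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - Fn::Sub: states.${AWS::Region}.amazonaws.com
            Action: sts:AssumeRole
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: StepRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): any function in the account can be invoked;
              # ":function:${ResourcePrefix}-*" would limit this to the stack.
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: '*'
              # NOTE(review): ecr:* also allows pushing and deleting images,
              # which a workflow role should not need; the pull subset
              # (GetAuthorizationToken, BatchCheckLayerAvailability,
              # BatchGetImage, GetDownloadUrlForLayer) is the usual grant.
              - Effect: Allow
                Action:
                  - ecr:*
                  - cloudtrail:LookupEvents
                Resource: '*'
              - Effect: Allow
                Action:
                  - ecs:RunTask
                Resource: '*'
              - Effect: Allow
                Action:
                  - ecs:StopTask
                  - ecs:DescribeTasks
                Resource: "*"
              # Managed rule name Step Functions uses for the ECS ".sync"
              # integration; scoped to that single rule.
              - Effect: Allow
                Action:
                  - events:PutTargets
                  - events:PutRule
                  - events:DescribeRule
                Resource:
                  Fn::Sub: "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForECSTaskRule"
              # NOTE(review): cloudwatch:*, logs:* and sns:* on "*" are full
              # service-wide wildcards (delete log groups, alarms, topics,
              # subscribe arbitrary endpoints). If only logging/metrics/publish
              # are needed, listing those actions would match the rest of the
              # template's least-privilege style.
              - Effect: Allow
                Action:
                  - autoscaling:Describe*
                  - cloudwatch:*
                  - logs:*
                  - sns:*
                  - iam:GetPolicy
                  - iam:GetPolicyVersion
                  - iam:GetRole
                Resource: "*"
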
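# --- ECSRole ----------------------------------------------------------------
# Instance role for the ECS container instances (attached through
# CumulusInstanceProfile below). Trusted by EC2, so any process on those
# instances — including the containers, unless task roles are used — holds
# these permissions.
  ECSRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-ecs"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ECSRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Status updates for async operations, limited to that one table.
              - Effect: Allow
                Action: dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-AsyncOperationsTable"
              # Container-instance agent actions (ECS registration/polling,
              # ECR pulls, logs) plus Lambda invocation.
              # NOTE(review): ssm:GetParameter on "*" lets the instances read
              # every parameter in the account; if the parameters this stack
              # reads are known, scope to their ARNs.
              - Effect: Allow
                Action:
                  - autoscaling:CompleteLifecycleAction
                  - autoscaling:DescribeAutoScalingInstances
                  - autoscaling:DescribeLifecycleHooks
                  - autoscaling:RecordLifecycleActionHeartbeat
                  - cloudwatch:GetMetricStatistics
                  - ec2:DescribeInstances
                  - ecr:BatchCheckLayerAvailability
                  - ecr:BatchGetImage
                  - ecr:GetAuthorizationToken
                  - ecr:GetDownloadUrlForLayer
                  - ecs:DeregisterContainerInstance
                  - ecs:DescribeClusters
                  - ecs:DescribeContainerInstances
                  - ecs:DescribeServices
                  - ecs:DiscoverPollEndpoint
                  - ecs:ListContainerInstances
                  - ecs:ListServices
                  - ecs:ListTaskDefinitions
                  - ecs:ListTasks
                  - ecs:Poll
                  - ecs:RegisterContainerInstance
                  - ecs:RunTask
                  - ecs:StartTelemetrySession
                  - ecs:Submit*
                  - ecs:UpdateContainerInstancesState
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:GetLayerVersion
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                  - ssm:GetParameter
                Resource: "*"

              # Activity-worker actions; see the states ARN note on the Lambda
              # roles (all regions / all accounts).
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:DescribeActivity
                  - states:GetExecutionHistory
                Resource: arn:aws:states:*:*:*

              # s3:PutBucket* includes PutBucketPolicy / PutBucketAcl.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                {{/each}}

              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                {{/each}}

              - Effect: Allow
                Action:
                  - dynamodb:Scan
                  - dynamodb:GetItem
                  - dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # Elasticsearch HTTP access, limited to this stack's domains.
              - Effect: Allow
                Action:
                  - es:ESHttpDelete
                  - es:ESHttpGet
                  - es:ESHttpHead
                  - es:ESHttpPost
                  - es:ESHttpPut
                Resource:
                  Fn::Sub: "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ResourcePrefix}-*"
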
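# --- DistributionApiRole ----------------------------------------------------
# Execution role for the distribution (download) API Lambdas. Bucket access is
# narrowed by the BucketIsType helper to buckets of type "protected" or
# "public"; table access is limited to the access-token table.
  DistributionApiRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-distribution-api-lambda"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - sts:AssumeRole
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: "/"
      Policies:
        - PolicyName: DistributionApiGateway
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Access-token storage: one table, read/write only.
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-AccessTokensTable"

              # NOTE(review): the event-source-mapping actions on "*" are
              # account-wide; it is not obvious from this template that a
              # distribution endpoint needs them — confirm against the handler.
              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:UpdateEventSourceMapping
                  - lambda:DeleteEventSourceMapping
                  - lambda:GetEventSourceMapping
                  - lambda:ListEventSourceMappings
                Resource: "*"

              # Bucket-level rights on protected/public buckets only.
              # s3:PutBucket* includes PutBucketPolicy / PutBucketAcl.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                {{#each buckets}}
                {{#BucketIsType this "protected,public"}}
                  - arn:aws:s3:::{{this.name}}
                {{/BucketIsType}}
                {{/each}}

              # NOTE(review): if the distribution Lambdas only serve
              # downloads, PutObject* / DeleteObject* are surplus here and
              # GetObject* alone would do — confirm against the handler.
              - Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                {{#each buckets}}
                {{#BucketIsType this "protected,public"}}
                  - arn:aws:s3:::{{this.name}}/*
                {{/BucketIsType}}
                {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

              # ENI management for VPC-attached Lambdas; not resource-scopable.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: '*'
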
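# --- ScalingRole ------------------------------------------------------------
# Role assumed by Application Auto Scaling to resize this stack's DynamoDB
# tables and ECS services and to manage the alarms that drive scaling.
  ScalingRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-scaling-role"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: application-autoscaling.amazonaws.com
            Action: sts:AssumeRole
    {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary
    {{/if}}
      Path: '/'
      Policies:
        - PolicyName: ScalingPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): dynamodb:UpdateTable and ecs:UpdateService on
              # '*' can resize any table or service in the account, not just
              # the prefixed ones; the "table/${ResourcePrefix}-*" pattern used
              # by the other roles would contain the DynamoDB side.
              - Effect: Allow
                Action:
                  - "application-autoscaling:*"
                  - cloudwatch:DeleteAlarms
                  - cloudwatch:DescribeAlarms
                  - cloudwatch:GetMetricStatistics
                  - cloudwatch:PutMetricAlarm
                  - cloudwatch:SetAlarmState
                  - dynamodb:DescribeTable
                  - dynamodb:UpdateTable
                  - ecs:DescribeServices
                  - ecs:UpdateService
                Resource: '*'
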
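# --- CumulusInstanceProfile -------------------------------------------------
# Instance profile that hands ECSRole to the ECS container instances; its
# ARN is exported below for the stack that launches them.
  CumulusInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName:
        Fn::Sub: "${ResourcePrefix}-ecs"
      Path: "/"
      Roles:
        - Ref: ECSRole
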
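# Role and instance-profile ARNs for the consuming stack(s). Note the output
# for DistributionApiRole is named DistributionRoleArn, not
# DistributionApiRoleArn — keep consumers in step if it is ever renamed.
Outputs:
  CumulusInstanceProfileArn:
    Value:
      Fn::GetAtt:
        - CumulusInstanceProfile
        - Arn
  EcsRoleArn:
    Value:
      Fn::GetAtt:
        - ECSRole
        - Arn
  LambdaApiGatewayRoleArn:
    Value:
      Fn::GetAtt:
        - LambdaApiGatewayRole
        - Arn
  LambdaProcessingRoleArn:
    Value:
      Fn::GetAtt:
        - LambdaProcessingRole
        - Arn
  MigrationProcessingRoleArn:
    Value:
      Fn::GetAtt:
        - MigrationProcessingRole
        - Arn
  DistributionRoleArn:
    Value:
      Fn::GetAtt:
        - DistributionApiRole
        - Arn
  StepRoleArn:
    Value:
      Fn::GetAtt:
        - StepRole
        - Arn
  ScalingRoleArn:
    Value:
      Fn::GetAtt:
        - ScalingRole
        - Arn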