# IAM roles for a Cumulus deployment. This file is a Handlebars template that
# Kes renders ({{stackName}}, {{#if ...}}, {{#each buckets}}) before the result
# is handed to CloudFormation, so review the rendered output as well as this.
AWSTemplateFormatVersion: "2010-09-09"
Description: 'stack: {{stackName}} | deployed by Kes'
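Parameters:
  # NOTE(review): of these five parameters only ResourcePrefix is referenced
  # by the Resources and Outputs below. CreateDeploymentRole,
  # DeploymentUserName, DeploymentStackTemplateUrl and AlphaNumPrefix are
  # accepted but never used in this template; they are kept so callers that
  # already pass them keep working.
  CreateDeploymentRole:
    Type: String
    # Quoted so the values are strings for this String-typed parameter
    # rather than YAML booleans.
    AllowedValues:
      - "true"
      - "false"
    Default: "true"
  DeploymentUserName:
    Type: String
    Default: "n/a"
  DeploymentStackTemplateUrl:
    Type: String
    Default: "n/a"
  # Prefix for every role, policy and resource ARN in this template; it is
  # what isolates one deployment's permissions from another's in the account.
  ResourcePrefix:
    Type: String
    Default: "template-cumulus"
  AlphaNumPrefix:
    Type: String
    Default: "TemplateCumulus"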
Resources:
  # Every role below is named from ResourcePrefix so several Cumulus stacks
  # can coexist in one account, and every role picks up the NGAP permissions
  # boundary when useNgapPermissionBoundary is set at render time. The
  # {{#each buckets}} blocks expand to one ARN per configured bucket; if that
  # list renders empty the enclosing Resource key is left null, which IAM
  # rejects — presumably the deployment config always supplies a bucket.

  # Execution role for the Lambdas that sit behind API Gateway.
  LambdaApiGatewayRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-lambda-api-gateway"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: "arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary"
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: LambdaApiGateway
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Only the async-operation task definitions of this deployment.
              - Effect: Allow
                Action: ecs:RunTask
                Resource:
                  Fn::Sub: "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${ResourcePrefix}-AsyncOperationTaskDefinition-*"

              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:UpdateEventSourceMapping
                  - lambda:DeleteEventSourceMapping
                  - lambda:GetEventSourceMapping
                  - lambda:ListEventSourceMappings
                  - lambda:AddPermission
                  - lambda:RemovePermission
                Resource: "*"

              # Item access is limited to tables carrying the deployment prefix.
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: "*"

              # NOTE(review): s3:PutBucket* also matches the bucket-policy,
              # ACL and public-access-block writes on every configured
              # bucket; confirm the API Lambdas need more than the explicit
              # configuration reads and writes listed here.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: "*"

              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:Subscribe
                  - sns:Unsubscribe
                  - sns:List*
                Resource: "*"

              - Effect: Allow
                Action:
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                  - sqs:SendMessage
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - cloudwatch:List*
                  - cloudwatch:Get*
                  - cloudwatch:Describe*
                Resource: "*"

              - Effect: Allow
                Action:
                  - apigateway:GET
                Resource:
                  Fn::Sub: "arn:aws:apigateway:${AWS::Region}::/restapis/*/stages"

              # Create, edit and delete the EventBridge rules of this deployment.
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:DeleteRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DescribeRule
                  - events:PutTargets
                  - events:RemoveTargets
                Resource:
                  Fn::Sub: "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/${ResourcePrefix}-*"

              # Read-only Step Functions access.
              # NOTE(review): region and account are both wildcarded here;
              # arn:aws:states:${AWS::Region}:${AWS::AccountId}:* would keep
              # this to the deploying account — confirm nothing cross-account
              # is involved before tightening.
              - Effect: Allow
                Action:
                  - states:DescribeExecution
                  - states:DescribeStateMachine
                  - states:GetExecutionHistory
                Resource: arn:aws:states:*:*:*

              # Required for Lambdas attached to a VPC. May be unnecessary in
              # the NGAP environment if all Lambdas already run inside a
              # shared VPC.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: "*"

  # Execution role for the Lambdas that are NOT fronted by API Gateway.
  LambdaProcessingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-lambda-processing"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: "arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary"
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ProcessingLambda
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: "*"

              # Kinesis read and write.
              - Effect: Allow
                Action:
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:DescribeStream
                  - kinesis:ListStreams
                  - kinesis:PutRecord
                Resource: "*"

              # Bucket-level access to the ingest buckets.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: "*"

              # Used by tests that exercise bucket policies.
              - Effect: Allow
                Action:
                  - s3:PutBucketPolicy
                Resource:
                  - Fn::Sub: "arn:aws:s3:::${ResourcePrefix}-*"

              # DynamoDB access, limited to prefixed tables.
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:DescribeContinuousBackups
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: "*"

              # SQS access, limited to prefixed queues.
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              # Step Functions: activity callbacks plus start/stop of executions.
              # NOTE(review): region and account are wildcarded, as in
              # LambdaApiGatewayRole — see the note there.
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:GetExecutionHistory
                  - states:DescribeActivity
                  - states:DescribeExecution
                  - states:StartExecution
                  - states:StopExecution
                  - states:ListStateMachines
                Resource: arn:aws:states:*:*:*

              # Create, edit and delete EventBridge rules.
              # NOTE(review): LambdaApiGatewayRole scopes the same actions to
              # rule/${ResourcePrefix}-*; this statement is unscoped.
              # Aligning the two would keep processing Lambdas from touching
              # rules that belong to other stacks in the account.
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                Resource: "*"

              # Required for Lambdas attached to a VPC. May be unnecessary in
              # the NGAP environment if all Lambdas already run inside a
              # shared VPC.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: "*"

              # Publish to SNS.
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:List*
                Resource: "*"

              # Needed by the AWS integration tests.
              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                Resource: "*"

  # Migration role: identical to LambdaProcessingRole except that its first
  # statement also grants lambda:CreateEventSourceMapping and
  # lambda:ListEventSourceMappings.
  MigrationProcessingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-migration-processing"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: "arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary"
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: MigrationProcessingLambda
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:ListEventSourceMappings
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: "*"

              # Kinesis read and write.
              - Effect: Allow
                Action:
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:DescribeStream
                  - kinesis:ListStreams
                  - kinesis:PutRecord
                Resource: "*"

              # Bucket-level access to the ingest buckets.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: "*"

              # Used by tests that exercise bucket policies.
              - Effect: Allow
                Action:
                  - s3:PutBucketPolicy
                Resource:
                  - Fn::Sub: "arn:aws:s3:::${ResourcePrefix}-*"

              # DynamoDB access, limited to prefixed tables.
              - Effect: Allow
                Action:
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:DescribeContinuousBackups
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - dynamodb:GetRecords
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeStream
                  - dynamodb:ListStreams
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*/stream/*"

              - Effect: Allow
                Action:
                  - dynamodb:ListTables
                Resource: "*"

              # SQS access, limited to prefixed queues.
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:ReceiveMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueUrl
                  - sqs:GetQueueAttributes
                Resource:
                  Fn::Sub: "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${ResourcePrefix}-*"

              # Step Functions: activity callbacks plus start/stop of executions.
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:GetExecutionHistory
                  - states:DescribeActivity
                  - states:DescribeExecution
                  - states:StartExecution
                  - states:StopExecution
                  - states:ListStateMachines
                Resource: arn:aws:states:*:*:*

              # Create, edit and delete EventBridge rules (unscoped, as in
              # LambdaProcessingRole).
              - Effect: Allow
                Action:
                  - events:DisableRule
                  - events:EnableRule
                  - events:ListRules
                  - events:PutRule
                  - events:DeleteRule
                  - events:DescribeRule
                Resource: "*"

              # Required for Lambdas attached to a VPC. May be unnecessary in
              # the NGAP environment if all Lambdas already run inside a
              # shared VPC.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: "*"

              # Publish to SNS.
              - Effect: Allow
                Action:
                  - sns:publish
                  - sns:List*
                Resource: "*"

              # Needed by the AWS integration tests.
              - Effect: Allow
                Action:
                  - cloudformation:DescribeStacks
                Resource: "*"

  # Service role assumed by Step Functions (states.<region>.amazonaws.com)
  # to invoke Lambdas and run ECS tasks from state machines.
  StepRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-steprole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - Fn::Sub: "states.${AWS::Region}.amazonaws.com"
            Action: sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: "arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary"
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: StepRole
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: "*"
              - Effect: Allow
                Action:
                  - ecr:*
                  - cloudtrail:LookupEvents
                Resource: "*"
              - Effect: Allow
                Action:
                  - ecs:RunTask
                Resource: "*"
              - Effect: Allow
                Action:
                  - ecs:StopTask
                  - ecs:DescribeTasks
                Resource: "*"
              # The managed rule Step Functions uses to track ECS task
              # completion.
              - Effect: Allow
                Action:
                  - events:PutTargets
                  - events:PutRule
                  - events:DescribeRule
                Resource:
                  Fn::Sub: "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForECSTaskRule"
              # NOTE(review): ecr:*, cloudwatch:*, logs:* and sns:* on
              # Resource "*" grant far more than a Step Functions service role
              # needs for the Lambda/ECS integrations above (for instance
              # deleting repositories, log groups or topics). Trimming each to
              # the actions the state machines actually use would be a
              # straightforward least-privilege improvement.
              - Effect: Allow
                Action:
                  - autoscaling:Describe*
                  - cloudwatch:*
                  - logs:*
                  - sns:*
                  - iam:GetPolicy
                  - iam:GetPolicyVersion
                  - iam:GetRole
                Resource: "*"

  # Instance role for the EC2 hosts that join the ECS cluster (see
  # CumulusInstanceProfile below); it carries both the ECS agent permissions
  # and the task-level permissions used by containers on those hosts.
  ECSRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-ecs"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: "arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary"
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ECSRole
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-AsyncOperationsTable"
              # NOTE(review): lambda:invokeFunction and ssm:GetParameter are
              # granted on every function and parameter in the account here;
              # confirm the hosts cannot be scoped to prefixed names.
              - Effect: Allow
                Action:
                  - autoscaling:CompleteLifecycleAction
                  - autoscaling:DescribeAutoScalingInstances
                  - autoscaling:DescribeLifecycleHooks
                  - autoscaling:RecordLifecycleActionHeartbeat
                  - cloudwatch:GetMetricStatistics
                  - ec2:DescribeInstances
                  - ecr:BatchCheckLayerAvailability
                  - ecr:BatchGetImage
                  - ecr:GetAuthorizationToken
                  - ecr:GetDownloadUrlForLayer
                  - ecs:DeregisterContainerInstance
                  - ecs:DescribeClusters
                  - ecs:DescribeContainerInstances
                  - ecs:DescribeServices
                  - ecs:DiscoverPollEndpoint
                  - ecs:ListContainerInstances
                  - ecs:ListServices
                  - ecs:ListTaskDefinitions
                  - ecs:ListTasks
                  - ecs:Poll
                  - ecs:RegisterContainerInstance
                  - ecs:RunTask
                  - ecs:StartTelemetrySession
                  - ecs:Submit*
                  - ecs:UpdateContainerInstancesState
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:GetLayerVersion
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                  - ssm:GetParameter
                Resource: "*"

              # Step Functions activity callbacks.
              - Effect: Allow
                Action:
                  - states:SendTaskFailure
                  - states:SendTaskSuccess
                  - states:GetActivityTask
                  - states:DescribeActivity
                  - states:GetExecutionHistory
                Resource: arn:aws:states:*:*:*

              # Bucket-level access to the ingest buckets.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/each}}

              - Effect: Allow
                Action:
                  - dynamodb:Scan
                  - dynamodb:GetItem
                  - dynamodb:UpdateItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-*"

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: "*"

              # Elasticsearch HTTP access, limited to prefixed domains.
              - Effect: Allow
                Action:
                  - es:ESHttpDelete
                  - es:ESHttpGet
                  - es:ESHttpHead
                  - es:ESHttpPost
                  - es:ESHttpPut
                Resource:
                  Fn::Sub: "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ResourcePrefix}-*"

  # Execution role for the distribution API Lambda. Its S3 access is limited
  # to buckets of type "protected" or "public" by the BucketIsType helper.
  DistributionApiRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-distribution-api-lambda"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: "arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary"
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: DistributionApiGateway
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Only the access-token table of this deployment.
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                Resource:
                  Fn::Sub: "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefix}-AccessTokensTable"

              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - lambda:GetFunction
                  - lambda:invokeFunction
                  - lambda:CreateEventSourceMapping
                  - lambda:UpdateEventSourceMapping
                  - lambda:DeleteEventSourceMapping
                  - lambda:GetEventSourceMapping
                  - lambda:ListEventSourceMappings
                Resource: "*"

              # NOTE(review): s3:PutBucket* on public/protected buckets
              # includes bucket-policy and ACL writes; a distribution service
              # that only serves objects should rarely need that.
              - Effect: Allow
                Action:
                  - s3:GetAccelerateConfiguration
                  - s3:GetLifecycleConfiguration
                  - s3:GetReplicationConfiguration
                  - s3:GetBucket*
                  - s3:PutAccelerateConfiguration
                  - s3:PutLifecycleConfiguration
                  - s3:PutReplicationConfiguration
                  - s3:PutBucket*
                  - s3:ListBucket*
                Resource:
                  {{#each buckets}}
                  {{#BucketIsType this "protected,public"}}
                  - arn:aws:s3:::{{this.name}}
                  {{/BucketIsType}}
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject*
                  - s3:ListMultipartUploadParts
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource:
                  {{#each buckets}}
                  {{#BucketIsType this "protected,public"}}
                  - arn:aws:s3:::{{this.name}}/*
                  {{/BucketIsType}}
                  {{/each}}

              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: "*"

              # Required for Lambdas attached to a VPC.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DeleteNetworkInterface
                Resource: "*"

  # Assumed by Application Auto Scaling to adjust DynamoDB table capacity and
  # ECS service counts, and to manage the CloudWatch alarms that drive it.
  ScalingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${ResourcePrefix}-scaling-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: application-autoscaling.amazonaws.com
            Action: sts:AssumeRole
      {{#if useNgapPermissionBoundary}}
      PermissionsBoundary:
        Fn::Sub: "arn:aws:iam::${AWS::AccountId}:policy/NGAPShRoleBoundary"
      {{/if}}
      Path: "/"
      Policies:
        - PolicyName: ScalingPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "application-autoscaling:*"
                  - cloudwatch:DeleteAlarms
                  - cloudwatch:DescribeAlarms
                  - cloudwatch:GetMetricStatistics
                  - cloudwatch:PutMetricAlarm
                  - cloudwatch:SetAlarmState
                  - dynamodb:DescribeTable
                  - dynamodb:UpdateTable
                  - ecs:DescribeServices
                  - ecs:UpdateService
                Resource: "*"

  # Instance profile that attaches ECSRole to the EC2 hosts.
  CumulusInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName:
        Fn::Sub: "${ResourcePrefix}-ecs"
      Path: "/"
      Roles:
        - Ref: ECSRole

# ARNs of the instance profile and of every role defined above, exposed as
# stack outputs.
Outputs:
  CumulusInstanceProfileArn:
    Value:
      Fn::GetAtt: [CumulusInstanceProfile, Arn]
  EcsRoleArn:
    Value:
      Fn::GetAtt: [ECSRole, Arn]
  LambdaApiGatewayRoleArn:
    Value:
      Fn::GetAtt: [LambdaApiGatewayRole, Arn]
  LambdaProcessingRoleArn:
    Value:
      Fn::GetAtt: [LambdaProcessingRole, Arn]
  MigrationProcessingRoleArn:
    Value:
      Fn::GetAtt: [MigrationProcessingRole, Arn]
  DistributionRoleArn:
    Value:
      Fn::GetAtt: [DistributionApiRole, Arn]
  StepRoleArn:
    Value:
      Fn::GetAtt: [StepRole, Arn]
  ScalingRoleArn:
    Value:
      Fn::GetAtt: [ScalingRole, Arn]