-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathactivate.template
121 lines (112 loc) · 3.97 KB
/
activate.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
AWSTemplateFormatVersion: "2010-09-09"
Description: Template to activate ConfluentCloud::IAM::ServiceAccount resource type in the account.
Parameters:
PublicTypeArn:
Type: String
AllowedPattern: "none|^arn:aws[A-Za-z0-9-]{0,64}:cloudformation:[A-Za-z0-9-]{1,64}::type/.+/[0-9a-zA-Z]{12,40}/.+"
Default: none
Description: The Public Resource ARN to activate.
PermissionsBoundaryArn:
Type: String
Default: none
Description: Whether the IAM roles should have an IAM Policy as Permissions Boundary
ExecutionRoleArn:
Type: String
AllowedPattern: "^none$|^arn:aws[A-Za-z0-9-]{0,64}:iam::[0-9]{12}:role/.+$"
Description: Use an existing IAM Role linked to AWS CFN that will invoke API calls on your behalf.
Default: none
LoggingRoleArn:
Type: String
AllowedPattern: "^none$|^arn:aws[A-Za-z0-9-]{0,64}:iam::[0-9]{12}:role/.+$"
Description: Use an existing IAM Role linked to AWS CFN that allows to write logs to CloudWatch
Default: none
Conditions:
NoBoundary: !Equals [ !Ref PermissionsBoundaryArn, "none" ]
PublicTypeArnOverride: !Not [ !Equals [ !Ref PublicTypeArn, "none" ] ]
CreateExecRole: !Equals [ !Ref ExecutionRoleArn, "none" ]
CreateLoggingRole: !Equals [ !Ref LoggingRoleArn, "none" ]
Resources:
ExecutionRole:
Condition: CreateExecRole
Type: AWS::IAM::Role
Properties:
PermissionsBoundary: !If
- NoBoundary
- !Ref AWS::NoValue
- !Ref PermissionsBoundaryArn
MaxSessionDuration: 8400
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: !Sub "resources.cloudformation.${AWS::URLSuffix}"
Action: sts:AssumeRole
Path: "/"
Policies:
- PolicyName: ResourceTypePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: "SecretsManagerAccess"
Action:
- "secretsmanager:GetSecretValue"
Resource: "*"
Effect: Allow
LogAndMetricsDeliveryRole:
Type: AWS::IAM::Role
Condition: CreateLoggingRole
Properties:
PermissionsBoundary: !If
- NoBoundary
- !Ref AWS::NoValue
- !Ref PermissionsBoundaryArn
MaxSessionDuration: 43200
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- !Sub "resources.cloudformation.${AWS::URLSuffix}"
- !Sub "hooks.cloudformation.${AWS::URLSuffix}"
Action: sts:AssumeRole
Condition:
StringEquals:
aws:SourceAccount:
Ref: AWS::AccountId
Path: "/"
Policies:
- PolicyName: LogAndMetricsDeliveryRolePolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- logs:PutLogEvents
- cloudwatch:ListMetrics
- cloudwatch:PutMetricData
Resource: "*"
ResourceActivation:
Type: AWS::CloudFormation::TypeActivation
Properties:
AutoUpdate: true
ExecutionRoleArn: !If
- CreateExecRole
- !GetAtt ExecutionRole.Arn
- !Ref ExecutionRoleArn
LoggingConfig:
LogGroupName: cfn/types/resource/public/confluentcloud-iam-serviceaccount
LogRoleArn: !If
- CreateLoggingRole
- !GetAtt LogAndMetricsDeliveryRole.Arn
- !Ref LoggingRoleArn
PublicTypeArn: !If
- PublicTypeArnOverride
- !Ref PublicTypeArn
- !Sub "arn:aws:cloudformation:${AWS::Region}::type/resource/9331cf547939e23b9c7f24086db031317893be87/ConfluentCloud-IAM-ServiceAccount"
VersionBump: MINOR