cloudformatious 0.7.0

AWSTemplateFormatVersion: '2010-09-09'
Description: Dependencies for CloudFormatious tests.

Resources:
  Policy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Grants the permissions needed to run CloudFormatious integration tests.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: CloudFormationStackOperations
            Effect: Allow
            Action:
              - cloudformation:CreateChangeSet
              - cloudformation:DeleteStack
              - cloudformation:DescribeChangeSet
              - cloudformation:DescribeStackEvents
              - cloudformation:DescribeStacks
              - cloudformation:ExecuteChangeSet
            Resource: arn:aws:cloudformation:*:*:stack/cloudformatious-testing-*
          - Sid: TransformOperations
            Effect: Allow
            Action:
              - cloudformation:CreateChangeSet
            Resource: !Sub arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31
          - Sid: CreateSubnet
            Effect: Allow
            Action:
              - ec2:CreateSubnet
            Resource:
              - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${Vpc}
              - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*
          - Sid: SubnetOperations1
            Effect: Allow
            Action:
              - ec2:DeleteSubnet
            Resource: '*'
            Condition:
              StringEquals:
                ec2:Vpc: !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${Vpc}
          - Sid: SubnetOperations2
            Effect: Allow
            Action:
              - ec2:CreateTags
              - ec2:DescribeSubnets
            Resource: '*' # There is no way of restricting these operations to just our subnets
          - Sid: SecretsManagerOperations
            Effect: Allow
            Action:
              - secretsmanager:CreateSecret
              - secretsmanager:DeleteSecret
              - secretsmanager:TagResource
            Resource: !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:cloudformatious-testing-*
          - Sid: UseRoles
            Effect: Allow
            Action: iam:PassRole
            Resource:
              - !GetAtt Testing.Arn
              - !GetAtt DenyDeleteSubnet.Arn
          - Sid: DecodeAuthorizationMessage
            Effect: Allow
            Action:
              - sts:DecodeAuthorizationMessage
            Resource: '*'
      Roles:
        - !Ref Testing
        - !Ref DenyDeleteSubnet

  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/24
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  Testing:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: cloudformation.amazonaws.com
      RoleName: cloudformatious-testing

  DenyDeleteSubnet:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: cloudformation.amazonaws.com
      Policies:
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: DenyDeleteSubnet
                Effect: Deny
                Action:
                  - ec2:DeleteSubnet
                Resource: '*'
          PolicyName: DenyDeleteSubnet
      RoleName: cloudformatious-testing-deny-delete-subnet

Outputs:
  PolicyArn:
    Value: !Ref Policy

  VpcId:
    Value: !Ref Vpc
    Export:
      Name: !Sub ${AWS::StackName}-VpcId