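---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  (qs-1ph8neha1)
  Serverless CICD Quick Start
  Initial roles for child accounts
Metadata:
  AWS::CloudFormation::Interface:
    ParameterLabels:
      CentralAwsAccountId:
        default: Shared Services account ID
      ChildAccountRoleName:
        default: Child account role name
Parameters:
  CentralAwsAccountId:
    Description: The AWS account ID of the shared services account, from step 1.3. For guidance, see Finding Your AWS Account ID in the AWS documentation.
    Type: String
    # NOTE(review): the `^$` alternative lets an empty value pass parameter
    # validation; that value is then used verbatim as the trust-policy
    # principal below. Confirm whether an empty ID is ever intended before
    # tightening this to twelve digits only.
    AllowedPattern: (\d{12}|^$)
    ConstraintDescription: must be an AWS account ID
  ChildAccountRoleName:
    Description: The name of the role to create in the development account. This name must be unique in the development account.
    Default: ChildAccountRole
    Type: String
Resources:
  # Cross-account role assumed from the shared services account to deploy
  # CloudFormation stacks in this (child) account and to manage the named
  # deployment roles those stacks create.
  ChildAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref ChildAccountRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # A bare account-ID principal trusts the whole central account: any
          # identity there that its own IAM policies allow to call
          # sts:AssumeRole on this ARN can assume the role. No ExternalId or
          # other Condition narrows the trust.
          - Effect: Allow
            Principal:
              AWS: !Ref CentralAwsAccountId
            Action: sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: CfnStackAssumeRole
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Stack lifecycle on every stack in the account (Resource "*").
              # The original listed cloudformation:DeleteStack twice; it is
              # listed once here. Consider scoping Resource to the stack-name
              # ARN pattern the pipeline actually deploys.
              - Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:UpdateStack
                Resource: "*"
              # Role management is scoped by name prefix only. AttachRolePolicy
              # and PutRolePolicy carry no iam:PermissionsBoundary condition, so
              # whoever assumes this role can grant the matching roles any
              # permission; a boundary condition would cap that.
              - Effect: Allow
                Action:
                  - iam:CreateRole
                  - iam:DeleteRole
                  - iam:GetRole
                  - iam:DetachRolePolicy
                  - iam:AttachRolePolicy
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/SampleLambdaRole-*
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/CodePipelineDeploymentRole-*
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/CodePipelineServiceRole-*
Outputs:
  # ARN of the created role, for the shared services account to assume.
  RemoteAccountRole:
    Value: !GetAtt ChildAccountRole.Arn
  # Role name as provided (or defaulted) via the ChildAccountRoleName parameter.
  RemoteAccountRoleName:
    Value: !Ref ChildAccountRoleName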