panther-stackset-iam-admin-role.yml
# Copyright (C) 2022 Panther Labs, Inc.
#
# The Panther SaaS is licensed under the terms of the Panther Enterprise Subscription
# Agreement available at https://panther.com/enterprise-subscription-agreement/.
# All intellectual property rights in and to the Panther SaaS, including any and all
# rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.
AWSTemplateFormatVersion: 2010-09-09
Description: >
  Panther IAM Role for creating and managing StackSets. The purpose of this role is to assume
  the execution IAM roles in each target account for configuring various Panther infrastructure.
Parameters:
  MasterAccountRegion:
    Type: String
    Default: ''
Conditions:
  # An empty MasterAccountRegion means "use the region this stack is deployed in".
  UseCurrentRegion: !Equals ['', !Ref MasterAccountRegion]
Resources:
  CloudFormationStackSetAdminRole:
    Type: AWS::IAM::Role
    Properties:
      # The role name carries the master region suffix; the execution roles it
      # assumes in the target accounts are expected to carry the same suffix.
      RoleName: !If
        - UseCurrentRegion
        - !Sub PantherCloudFormationStackSetAdminRole-${AWS::Region}
        - !Sub PantherCloudFormationStackSetAdminRole-${MasterAccountRegion}
      # Trust policy: only the CloudFormation service may assume this role.
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AssumeRolesInTargetAccounts
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              # The only permission granted: assume the region-suffixed execution
              # role name in any account (the account id must be a wildcard because
              # target accounts are not known when this stack is created).
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: !If
                  - UseCurrentRegion
                  - !Sub arn:${AWS::Partition}:iam::*:role/PantherCloudFormationStackSetExecutionRole-${AWS::Region}
                  - !Sub arn:${AWS::Partition}:iam::*:role/PantherCloudFormationStackSetExecutionRole-${MasterAccountRegion}
Outputs:
  CloudFormationStackSetAdminRoleArn:
    Description: The Arn of the CloudFormation StackSet IAM Role for sending data to Panther.
    Value: !GetAtt CloudFormationStackSetAdminRole.Arn
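Added example, not part of the Panther repository: it derives the role ARNs the template above implies from its RoleName and Resource patterns, and checks that a target account's execution-role trust policy grants sts:AssumeRole to exactly that admin role and nothing broader (an account root or a wildcard principal). The account ids are constructed samples, and the shape of the expected execution-role trust policy is an assumption, since that role is defined outside this template.

```python
# Role-name prefixes come from the template; account ids used here are constructed samples.
ADMIN_ROLE_PREFIX = "PantherCloudFormationStackSetAdminRole"
EXEC_ROLE_PREFIX = "PantherCloudFormationStackSetExecutionRole"


def admin_role_arn(account_id, region, partition="aws"):
    """ARN of the admin role, following the template's RoleName pattern."""
    return f"arn:{partition}:iam::{account_id}:role/{ADMIN_ROLE_PREFIX}-{region}"


def execution_role_resource(region, partition="aws"):
    """The Resource the template's AssumeRolesInTargetAccounts policy allows."""
    return f"arn:{partition}:iam::*:role/{EXEC_ROLE_PREFIX}-{region}"


def expected_trust_policy(admin_account_id, region, partition="aws"):
    """Trust policy a target account's execution role should carry (assumption:
    it trusts the single admin role ARN rather than the whole admin account)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": admin_role_arn(admin_account_id, region, partition)},
            "Action": "sts:AssumeRole",
        }],
    }


def trust_policy_findings(policy, admin_account_id, region, partition="aws"):
    """Return findings for Allow statements granting sts:AssumeRole; empty means
    the role trusts exactly the expected admin role and nothing broader."""
    wanted = admin_role_arn(admin_account_id, region, partition)
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*":
                findings.append("Principal '*' lets any AWS identity assume the role")
            elif p.endswith(":root"):
                findings.append(f"{p} trusts an entire account rather than the admin role")
            elif p != wanted:
                findings.append(f"{p} is not the expected admin role {wanted}")
    return findings
```

A region mismatch between the admin role and an execution role shows up as a finding too, which is the failure mode the MasterAccountRegion parameter exists to avoid.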