From ebd5d751e2d219eeb23b4baae1a83b9b66070561 Mon Sep 17 00:00:00 2001
From: Daisuke
Date: Fri, 2 Jan 2026 16:45:03 +0900
Subject: [PATCH] Add AWS MCP policy and expand CloudFormation role permissions

- Add new AWS MCP managed policy with permissions for MCP tool invocation
- Extend IAM permissions: add AttachRolePolicy and CreatePolicy actions
- Add ELB permissions for target group modification
- Add ECS permissions for task definition management (register/deregister/tag)
---
 policies/aws-mcp-policy.yaml | 18 ++++++++++++++++++
 roles/cloudformation-write-role.yaml | 22 ++++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 policies/aws-mcp-policy.yaml

diff --git a/policies/aws-mcp-policy.yaml b/policies/aws-mcp-policy.yaml
new file mode 100644
index 0000000..f2cf085
--- /dev/null
+++ b/policies/aws-mcp-policy.yaml
@@ -0,0 +1,18 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: AWS MCP Managed Policy
+
+Resources:
+ AWSMCPPolicy:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ ManagedPolicyName: AWSMCPPolicy
+ Description: AWS MCP permissions for invoking MCP tools
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - aws-mcp:InvokeMcp
+ - aws-mcp:CallReadOnlyTool
+ - aws-mcp:CallReadWriteTool
+ Resource: "*"
diff --git a/roles/cloudformation-write-role.yaml b/roles/cloudformation-write-role.yaml
index ebee1cd..5458750 100644
--- a/roles/cloudformation-write-role.yaml
+++ b/roles/cloudformation-write-role.yaml
@@ -43,6 +43,7 @@ Resources:
 - iam:DeleteRole
 - iam:PutRolePolicy
 - iam:DeleteRolePolicy
+ - iam:AttachRolePolicy
 - iam:PassRole
 Resource:
 - !Sub arn:aws:iam::${AWS::AccountId}:role/*
@@ -52,6 +53,7 @@ Resources:
 Statement:
 - Effect: Allow
 Action:
+ - iam:CreatePolicy
 - iam:CreatePolicyVersion
 - iam:DeletePolicyVersion
 Resource:
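Review bot: The single statement in the new `AWSMCPPolicy` grants `aws-mcp:CallReadWriteTool` alongside the two read-side actions on `Resource: "*"` with no `Condition`, so every principal the policy is attached to can drive read-write MCP tools account-wide. Putting the read-write action in its own statement (or its own managed policy) would let it be scoped, audited or removed independently of `aws-mcp:InvokeMcp` and `aws-mcp:CallReadOnlyTool`; whether the `aws-mcp` namespace supports resource-level ARNs or service-specific condition keys is not visible here and should be confirmed before `"*"` is accepted as the only option. The template also has no `Outputs`, so consumers must reference the policy by its hard-coded name, as the sibling role template already does for `policy/CloudFormationWrite`.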
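Review bot: Adding `iam:AttachRolePolicy` on `role/*` in the `@@ -43` hunk, together with the new `iam:CreatePolicy` in the `@@ -52` hunk and the existing `iam:CreatePolicyVersion`, lets this deploy role author a policy of arbitrary content and attach it to any role in the account, including itself, which is an unbounded privilege-escalation path for a CloudFormation write role. Constrain the attach with a condition on which policies may be attached, e.g. `Condition: { ArnLike: { "iam:PolicyARN": !Sub "arn:aws:iam::${AWS::AccountId}:policy/<allowed-prefix>*" } }` (prefix is a placeholder), and/or require a permissions boundary on the target role via the `iam:PermissionsBoundary` condition key; the same boundary should apply to the existing `iam:PutRolePolicy`. The `Resource` list of the `@@ -52` statement continues outside the hunk, so I cannot tell whether `CreatePolicy` is already limited to a named policy prefix.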
@@ -96,6 +98,26 @@ Resources:
 - events:RemoveTargets
 Resource:
 - !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*"
+ - PolicyName: EbPolicies
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - elasticloadbalancing:ModifyTargetGroup
+ Resource:
+ - !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*"
+ - PolicyName: EcsPolicies
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - ecs:RegisterTaskDefinition
+ - ecs:DeregisterTaskDefinition
+ - ecs:TagResource
+ Resource:
+ - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*"
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/ReadOnlyAccess
 - !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
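Review bot: The inline policy named `EbPolicies` holds only an `elasticloadbalancing:ModifyTargetGroup` statement; `Eb` reads as Elastic Beanstalk, while the commit message itself calls this "ELB permissions", so `PolicyName: ElbPolicies` (or `ElasticLoadBalancingPolicies`) would match the `EcsPolicies` sibling and avoid confusing future readers of the role. `ecs:DeregisterTaskDefinition` on `task-definition/*` covers every task-definition family in the account and region; if the deploy only owns a known set of families, narrow the ARN to `task-definition/<family-prefix>*` (placeholder) so a mis-targeted stack cannot deregister unrelated families. The `Policies` list ends in this hunk but the enclosing `AWS::IAM::Role` resource continues past it.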