```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  CloudFormation managed policy for deployment operations: stack and change-set
  writes plus the Describe/List calls needed to monitor a deployment.

Resources:
  CloudFormationWritePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: CloudFormationWrite
      Description: >-
        Minimal CloudFormation write permissions for deployment operations.
        Intended for use via AssumeRole, not attached to Permission Sets.
      # Note: this policy only covers the CloudFormation API itself. CloudFormation
      # creates and modifies stack resources with the caller's credentials unless a
      # service role is passed, so the deployment role must separately hold whatever
      # permissions the templates it deploys require.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Stack and change-set lifecycle. The Describe/List/Detect actions are
          # read-only but are required to wait on, inspect and drift-check stacks.
          - Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - cloudformation:CreateUploadBucket
              - cloudformation:CreateChangeSet
              - cloudformation:ExecuteChangeSet
              - cloudformation:DescribeStacks
              - cloudformation:DescribeStackEvents
              - cloudformation:DescribeChangeSet
              - cloudformation:ListStacks
              - cloudformation:ListChangeSets
              - cloudformation:DetectStackDrift
              - cloudformation:DetectStackResourceDrift
              - cloudformation:DescribeStackDriftDetectionStatus
              - cloudformation:ImportStacksToStackSet
              - cloudformation:ContinueUpdateRollback
            Resource: "*"
          # Resource Groups Tagging API. These actions do not support resource-level
          # permissions, so "*" is the only valid Resource for them.
          - Effect: Allow
            Action:
              - tag:TagResources
              - tag:UntagResources
            Resource: "*"
          # Template and artifact upload. As written this grants PutObject on every
          # bucket the role can reach; scope Resource to the deployment bucket(s)
          # actually used (e.g. a single bucket ARN with an object-key wildcard).
          - Effect: Allow
            Action:
              - s3:PutObject
            Resource: "*"
```
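The one statement in this policy that deserves a second look before deployment is `s3:PutObject` on `Resource: "*"`. The check below is an added example, not part of the template above or of any AWS tooling: it holds a constructed copy of the PolicyDocument as a Python dict, reports mutating actions granted on a wildcard resource outside the services where `"*"` is unavoidable (CloudFormation, whose stack names are not known up front, and the Tagging API, which has no resource-level permissions), and then produces a hardened copy in which the flagged action is moved to its own statement scoped to a bucket. The bucket ARN `arn:aws:s3:::example-cfn-templates/*` is a hypothetical placeholder.

```python
"""Static check for wildcard-resource write grants in an IAM managed policy.

Added example; the POLICY dict is a hand-constructed copy of the PolicyDocument
in the CloudFormation template, not parsed from the template file.
"""
import copy
import re

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:DeleteStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:CreateChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ListStacks",
                "cloudformation:ListChangeSets",
                "cloudformation:DetectStackDrift",
                "cloudformation:DetectStackResourceDrift",
                "cloudformation:DescribeStackDriftDetectionStatus",
                "cloudformation:ImportStacksToStackSet",
                "cloudformation:ContinueUpdateRollback",
            ],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": ["tag:TagResources", "tag:UntagResources"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "*"},
    ],
}

# Action verbs that mutate state. Describe/List/Get/Detect are read-only and not flagged.
MUTATING_VERB = re.compile(r"^(Create|Put|Delete|Update|Execute|Tag|Untag|Import|Continue)")

# Services where Resource "*" is accepted for this policy: CloudFormation (stack names are
# not known ahead of time) and the Resource Groups Tagging API (no resource-level permissions).
ACCEPTED_WILDCARD_SERVICES = {"cloudformation", "tag"}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_write_grants(policy, accepted=ACCEPTED_WILDCARD_SERVICES):
    """Return sorted 'service:Action' names granted on Resource '*' outside accepted services."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if service in accepted:
                continue
            if verb == "*" or MUTATING_VERB.match(verb):
                found.add(action)
    return sorted(found)


def scope_action(policy, action, resources):
    """Return a deep copy of policy with `action` moved into its own statement limited to `resources`.

    The action is removed from every statement that listed it; statements left with no
    actions are dropped so the wildcard grant does not linger as an empty statement.
    """
    new = copy.deepcopy(policy)
    for stmt in new["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if action in actions:
            actions.remove(action)
            stmt["Action"] = actions
    new["Statement"] = [s for s in new["Statement"] if s.get("Action")]
    new["Statement"].append({"Effect": "Allow", "Action": [action], "Resource": list(resources)})
    return new


if __name__ == "__main__":
    flagged = wildcard_write_grants(POLICY)
    print("wildcard write grants:", flagged)
    # Hypothetical deployment bucket; substitute the bucket the pipeline actually uploads to.
    hardened = scope_action(POLICY, "s3:PutObject", ["arn:aws:s3:::example-cfn-templates/*"])
    print("after scoping:", wildcard_write_grants(hardened))
```

Running the check against the policy as written reports `s3:PutObject`; after `scope_action` the report is empty and the statement count is unchanged, since the scoped statement replaces the wildcard one rather than being added alongside it.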