```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Role for CloudFormation Write operations via AssumeRole

Parameters:
  AdminPrincipalArns:
    # "List" is not a valid CloudFormation parameter type. CommaDelimitedList is the
    # type that makes !Ref yield a list of ARNs for the Principal element below.
    Type: CommaDelimitedList
    Description: List of IAM Identity Center Role ARNs allowed to assume this role.

Resources:
  CloudFormationWriteRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudFormationWriteRole
      Description: Role for performing CloudFormation write operations. Intended to be assumed manually or by CI/CD, not attached to Permission Sets.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref AdminPrincipalArns
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ECRImport
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ecr:DescribeRepositories
                  - ecr:GetRepositoryPolicy
                  - ecr:DeleteRepositoryPolicy
                  - ecr:PutImageScanningConfiguration
                Resource:
                  - !Sub arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*
        - PolicyName: RoleWrite
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # role/* includes CloudFormationWriteRole itself, so this grant lets the
              # role rewrite its own inline policies. Scope the Resource or add an
              # explicit Deny for this role's own ARN.
              - Effect: Allow
                Action:
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/*
        - PolicyName: PolicyWrite
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # policy/* includes the CloudFormationWrite policy attached below, so a
              # new default version can widen this role's own permissions.
              - Effect: Allow
                Action:
                  - iam:CreatePolicyVersion
                  - iam:DeletePolicyVersion
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:policy/*
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        # Customer managed policy that must already exist in the account.
        - !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
```
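Whether the inline statements above let the role change its own permissions can be checked offline before the stack is deployed. The Python below is an added example, not part of the template: it transcribes the three inline policy statements with a constructed account id and region in place of the `${AWS::AccountId}` and `${AWS::Region}` pseudo-parameters, implements a simplified IAM evaluation (explicit Deny beats Allow, `*`/`?` wildcard matching on Action and Resource, case-insensitive actions), and compares the template as written with a hypothetical explicit-Deny statement (`SELF_MODIFY_DENY`, my name) that blocks self-modification while leaving writes to other roles allowed. It does not model the attached `ReadOnlyAccess` and `CloudFormationWrite` managed policies, whose content the template does not show.

```python
"""Offline check: can CloudFormationWriteRole rewrite its own permissions?

Added example, not part of the template. Account id and region are constructed
placeholders standing in for the ${AWS::AccountId} / ${AWS::Region} pseudo-parameters.
"""
import fnmatch

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account
REGION = "us-east-1"         # constructed placeholder

ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/CloudFormationWriteRole"
ATTACHED_POLICY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/CloudFormationWrite"

# The template's inline policy statements, transcribed after !Sub expansion.
TEMPLATE_STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["ecr:DescribeRepositories", "ecr:GetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy", "ecr:PutImageScanningConfiguration"],
     "Resource": [f"arn:aws:ecr:{REGION}:{ACCOUNT_ID}:repository/*"]},
    {"Effect": "Allow",
     "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy"],
     "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:role/*"]},
    {"Effect": "Allow",
     "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicyVersion"],
     "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:policy/*"]},
]

# Hypothetical hardening statement (not in the template): an explicit Deny on the
# role's own ARN and on the policy attached to it. Deny always wins over Allow.
SELF_MODIFY_DENY = {
    "Effect": "Deny",
    "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy",
               "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
    "Resource": [ROLE_ARN, ATTACHED_POLICY_ARN],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _statement_applies(statement, action, resource):
    """True if the statement's Action and Resource patterns both match the request."""
    actions = _as_list(statement["Action"])
    resources = _as_list(statement["Resource"])
    action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
    resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in resources)
    return action_hit and resource_hit


def is_allowed(statements, action, resource):
    """Simplified IAM decision: explicit Deny wins, then any Allow, else implicit deny.

    Conditions, NotAction/NotResource and resource-based policies are not modelled.
    """
    allowed = False
    for statement in statements:
        if not _statement_applies(statement, action, resource):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def self_modification_paths(statements):
    """Return (action, resource) pairs through which the role could widen itself."""
    checks = [
        ("iam:PutRolePolicy", ROLE_ARN),           # add an inline policy to itself
        ("iam:DeleteRolePolicy", ROLE_ARN),        # strip a restrictive inline policy
        ("iam:CreatePolicyVersion", ATTACHED_POLICY_ARN),  # new default version
    ]
    return [(a, r) for a, r in checks if is_allowed(statements, a, r)]


if __name__ == "__main__":
    print("as written:", self_modification_paths(TEMPLATE_STATEMENTS))
    hardened = TEMPLATE_STATEMENTS + [SELF_MODIFY_DENY]
    print("with deny: ", self_modification_paths(hardened))
    other_role = f"arn:aws:iam::{ACCOUNT_ID}:role/SomeAppRole"
    print("still allowed on other roles:",
          is_allowed(hardened, "iam:PutRolePolicy", other_role))
```

Run as written, the template yields all three self-modification paths; with the Deny statement appended they disappear while `iam:PutRolePolicy` on other roles in the account stays allowed, which is the behaviour the `RoleWrite` policy is there for.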