AWSTemplateFormatVersion: '2010-09-09'
Description: Iam Roles for account running a static S3 website with cloudfront (IAMAdmin, Admin, S3Admin/User)
Metadata:
  License: magnet:?xt=urn:btih:1f739d935676111cfff4b4693e3816e664797050&dn=gpl-3.0.txt GPL-v3-or-Later

Resources:
  IAMAdmin:
    Type: AWS::IAM::Role
    Properties:
      RoleName: IAMAdmin
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
        - arn:aws:iam::aws:policy/IAMFullAccess
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::212707113393:root
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  Admin:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Admin
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/AmazonRoute53FullAccess
        - arn:aws:iam::aws:policy/CloudFrontFullAccess
        - arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::212707113393:root
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  User:
    Type: AWS::IAM::Role
    Properties:
      RoleName: User
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - !Ref UserPolicy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::212707113393:root
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml

  UserPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Grants Access to Created/Update/Delete S3 Objects & Clear Cloudfront caches
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - s3:DeleteObject
              - s3:PutObject
            Resource: 'arn:aws:s3:::*/*'

          - Effect: Allow
            Action: cloudfront:CreateInvalidation
            Resource: '*'