@Limess
Last active December 2, 2018 23:07
IAM example for Lambda
---
# Template 1: the runtime role the Lambda function executes as, plus its runtime policy.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'IAM role for my-lambda at runtime'
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ApplicationRoleFor_my-lambda
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        # Ref on an AWS::IAM::ManagedPolicy returns its ARN. Drop this entry together
        # with LambdaRolePolicy below if the lambda needs no AWS permissions at runtime.
        - Ref: LambdaRolePolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          # lambda.amazonaws.com assumes the role at runtime; the deploy user may also
          # assume it so the same permissions can be exercised when testing locally.
          - Effect: "Allow"
            Principal:
              Service: lambda.amazonaws.com
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/DeployUserFor_my-lambda
            Action:
              - "sts:AssumeRole"
  # can omit this if the lambda doesn't need any AWS permissions at runtime
  LambdaRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: 'IAM policy for my-lambda at runtime'
      ManagedPolicyName: FTApplicationPolicyFor_my-lambda
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # everything here is what's needed at runtime. Probably don't need much,
          # e.g. sqs stuff if writing to queues. The statement below is only an
          # example of that shape; an empty Statement list is rejected by IAM.
          - Effect: Allow
            Action:
              - sqs:SendMessage
            Resource:
              - !Sub arn:aws:sqs:*:${AWS::AccountId}:my-sqs-queue*
---
# Template 2: the deploy user and the (deliberately scoped) policy it deploys with.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'IAM user for deploying serverless resources'
Resources:
  DeployUser:
    Type: AWS::IAM::User
    Properties:
      UserName: DeployUserFor_my-lambda
      Path: "/"
  DeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: 'IAM policy for the deployment of serverless resources'
      ManagedPolicyName: DeployPolicyFor_my-lambda
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # useful for testing locally with the correct role but not necessary
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/ApplicationRoleFor_my-lambda*
          # essential, this gets passed to the lambda which uses it at runtime.
          # The pattern must match the RoleName in the runtime template exactly
          # (ARN matching is case-sensitive), otherwise the deploy fails on PassRole.
          - Effect: Allow
            Action:
              - iam:PassRole
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/ApplicationRoleFor_my-lambda*
          # resource varies based on function name prefix (service)
          - Effect: Allow
            Action:
              - lambda:*
            Resource:
              - !Sub arn:aws:lambda:*:${AWS::AccountId}:function:my-lambda*
          # if using kinesis and a few other things
          - Effect: Allow
            Action:
              - lambda:*EventSourceMapping
            Resource: '*'
          # if using sqs
          - Effect: Allow
            Action:
              - sqs:AddPermission
              - sqs:ChangeMessageVisibility
              - sqs:CreateQueue
              - sqs:DeleteQueue
              - sqs:GetQueueAttributes
              - sqs:GetQueueUrl
              - sqs:ListDeadLetterSourceQueues
              - sqs:ListQueues
              - sqs:ListQueueTags
              - sqs:RemovePermission
              - sqs:SetQueueAttributes
              - sqs:TagQueue
              - sqs:UntagQueue
            Resource:
              - !Sub arn:aws:sqs:*:${AWS::AccountId}:my-sqs-queue*
          # permissions to do the actual S3 upload of lambda code
          - Effect: Allow
            Action:
              - s3:*
            Resource:
              - !Sub arn:aws:s3:::artefacts.my-lambda.${AWS::AccountId}*
              - !Sub arn:aws:s3:::artefacts.my-lambda.${AWS::AccountId}*/*
          # permissions to do the CF deploy. Resource varies based on function name prefix (service)
          - Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - cloudformation:CreateChangeSet
              - cloudformation:ExecuteChangeSet
            Resource:
              - !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/my-lambda*/*
          - Effect: Allow
            Action:
              - cloudformation:Describe*
              - cloudformation:List*
              - cloudformation:Get*
              - cloudformation:PreviewStackUpdate
              - cloudformation:ValidateTemplate
            Resource: '*'
          # allow the setup of API gateway backends
          - Effect: Allow
            Action:
              - apigateway:GET
              - apigateway:POST
            Resource: 'arn:aws:apigateway:*::/restapis'
          - Effect: Allow
            Action:
              - apigateway:*
            Resource:
              - 'arn:aws:apigateway:*::/restapis/*'
          # Needed if creating API keys and usage plans. Probably don't need this
          - Effect: Allow
            Action:
              - apigateway:GET
              - apigateway:DELETE
              - apigateway:PATCH
            Resource:
              - 'arn:aws:apigateway:*::/apikeys'
              - 'arn:aws:apigateway:*::/apikeys/*'
              - 'arn:aws:apigateway:*::/usageplans/*'
          - Effect: Allow
            Action:
              - apigateway:POST
            Resource:
              - 'arn:aws:apigateway:*::/apikeys'
              - 'arn:aws:apigateway:*::/usageplans/*/keys/*'
              - 'arn:aws:apigateway:*::/usageplans/*/keys'
              - 'arn:aws:apigateway:*::/usageplans'
          # End API key creation
          # Probably want this to allow logs
          - Effect: Allow
            Action:
              - logs:DescribeLogGroups
            Resource: !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group::log-stream:*'
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:DeleteLogGroup
              - logs:DeleteLogStream
              - logs:DescribeLogStreams
              - logs:FilterLogEvents
              - logs:PutRetentionPolicy
              - logs:PutSubscriptionFilter
              - logs:DeleteSubscriptionFilter
            Resource:
              - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/my-lambda*:log-stream:*'
          # create cloudwatch alarms/metrics
          - Effect: Allow
            Action:
              - cloudwatch:PutMetricAlarm
              - cloudwatch:DeleteAlarms
              - cloudwatch:PutMetricData
            Resource: '*'
          # allow creation of scheduled events, e.g. lambda warmup cron
          - Effect: Allow
            Action:
              - events:*
            Resource:
              - !Sub arn:aws:events:*:${AWS::AccountId}:rule/my-lambda*
      Users:
        - Ref: DeployUser
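The deploy policy only works as a least-privilege boundary if its resource patterns actually line up with the names the runtime template creates: an `iam:PassRole` pattern that differs from the real role name by case or spelling fails the deploy, and every `Resource: '*'` paired with a wildcard action is a spot worth reviewing. The script below is an added example (not the gist author's code) of such a pre-deploy check. It embeds a constructed subset of the deploy statements as Python dicts, a constructed placeholder account id, and a deliberately mistyped PassRole pattern (`ApplicationRoleFor_MyLambda*`) to show what the check catches; `arn_matches` implements IAM's `*` and `?` wildcard matching (case-sensitive for resource ARNs, case-insensitive for action names).

```python
"""Pre-deploy consistency check for a scoped serverless deploy policy.

Added example: the statements, role name and account id below are constructed
to mirror the CloudFormation templates, so the script runs offline without
CloudFormation, boto3 or a YAML parser.
"""
import re

ACCOUNT_ID = "123456789012"                       # constructed placeholder account id
RUNTIME_ROLE_NAME = "ApplicationRoleFor_my-lambda"  # RoleName from the runtime template

# Constructed subset of the deploy policy; "Resource" values keep the !Sub placeholder.
DEPLOY_STATEMENTS = [
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::${AWS::AccountId}:role/ApplicationRoleFor_my-lambda*"]},
    {"Effect": "Allow", "Action": ["lambda:*"],
     "Resource": ["arn:aws:lambda:*:${AWS::AccountId}:function:my-lambda*"]},
    {"Effect": "Allow", "Action": ["lambda:*EventSourceMapping"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudformation:Describe*", "cloudformation:List*"],
     "Resource": "*"},
]

# Constructed mistyped variant: differs from RUNTIME_ROLE_NAME in case and spelling.
MISTYPED_PASSROLE = [
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::${AWS::AccountId}:role/ApplicationRoleFor_MyLambda*"]},
]


def expand(value, account_id):
    """Resolve the only !Sub pseudo-parameter the templates use."""
    return value.replace("${AWS::AccountId}", account_id)


def as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def arn_matches(pattern, arn):
    """IAM resource matching: '*' matches any run of characters (including ':' and '/'),
    '?' matches exactly one character, and the comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def action_matches(pattern, action):
    """Action names use the same wildcards but are compared case-insensitively."""
    return arn_matches(pattern.lower(), action.lower())


def allowed_resources(statements, action, account_id):
    """Expanded resource patterns that Allow statements grant for `action`."""
    patterns = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if any(action_matches(a, action) for a in as_list(st["Action"])):
            patterns.extend(expand(r, account_id) for r in as_list(st["Resource"]))
    return patterns


def passrole_covers(statements, role_name, account_id):
    """True if the deploy policy may pass the runtime role to the Lambda service."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    return any(arn_matches(p, role_arn)
               for p in allowed_resources(statements, "iam:PassRole", account_id))


def overly_broad(statements):
    """Allow statements that pair a wildcard action with Resource '*'. Some of these are
    unavoidable (Describe*/List* calls have no resource), so this is a review list."""
    found = []
    for st in statements:
        if st.get("Effect") != "Allow" or "*" not in as_list(st["Resource"]):
            continue
        wild = [a for a in as_list(st["Action"]) if "*" in a]
        if wild:
            found.append(wild)
    return found


if __name__ == "__main__":
    for label, stmts in (("deploy policy", DEPLOY_STATEMENTS), ("mistyped", MISTYPED_PASSROLE)):
        ok = passrole_covers(stmts, RUNTIME_ROLE_NAME, ACCOUNT_ID)
        print(f"{label}: PassRole covers {RUNTIME_ROLE_NAME}: {ok}")
    for actions in overly_broad(DEPLOY_STATEMENTS):
        print("review: wildcard action(s) on Resource '*':", actions)
```

Run it before `cloudformation deploy`; a `False` for the PassRole line means the deploy user will be denied at the point where the function's execution role is attached, which is exactly the failure a case-mismatched role pattern produces.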