{
   "AWSTemplateFormatVersion":"2010-09-09",
   "Description":"Please do not modify or delete this stack. This CloudFormation template creates one IAM role and one managed policy to enable the CloudHealth billing platform. In addition to read-only Describe/List/Get permissions, the policy grants a number of write actions on all resources (for example ec2:StartInstances, ec2:StopInstances, ec2:TerminateInstances, ec2:DeleteVolume, ec2:DeleteSnapshot, lambda:InvokeFunction and reserved-instance purchases); the role can only be assumed by the CloudHealth AWS account and only when the CustomerExternalID supplied to this stack is presented.",
   "Parameters":
   {
    "DBRBucketName" : {
         "Type" : "String",
         "Description" : "Enter the S3 bucket name where AWS DBR files are saved. If it is not already enabled, please refer to the CloudHealth Help Center article: https://help.cloudhealthtech.com/administration/enable-aws-account.html#consolidated-step-1.",
         "MaxLength" : "63"
      },      
      "CURBucketName" : {
         "Type" : "String",
         "Description" : "Enter the S3 bucket name where AWS CUR files are saved. Please ensure that resource IDs are included and that the hourly interval is selected. For setup instructions, please refer to the CloudHealth Help Center article: https://help.cloudhealthtech.com/administration/enable-aws-account.html#consolidated-step-3.",
         "MaxLength" : "63"
   },
         "CURBucketPath" : {
         "Type" : "String",
         "Description" : "Enter the S3 bucket path under which AWS CUR files are stored, without the trailing date range (e.g. for cost-and-usage/curdata/20191101-20191201, enter just cost-and-usage/curdata).",
         "MaxLength" : "90"
   },
      "CloudTrailBucketName" : {
         "Type" : "String",
         "Description" : "Enter the S3 bucket name where AWS CloudTrail logs are saved. If CloudTrail is not enabled, please enable it globally.",
         "MaxLength" : "63"
      },
      "CloudTrailBucketPath" : {
         "Type" : "String",
         "Description" : "Enter the S3 bucket path where AWS CloudTrail logs are saved. If CloudTrail is not enabled, please enable it globally.",
         "MaxLength" : "63"
        },
        "CustomerExternalID" : {
           "Type" : "String",
           "Description" : "REQUIRED: Enter the ExternalID provided to you by CloudHealth.",
           "MinLength" : "30",
           "MaxLength" : "30"
      },
         "AccountFriendlyName" : {
           "Type" : "String",
           "Description" : "REQUIRED: Enter a friendly name of the account for CloudHealth (e.g. AcmeCorp - Production - 12345).",
           "MinLength" : "1",
           "MaxLength" : "90"
      }
   },
   "Resources":{
      "Policy":{
         "Type":"AWS::IAM::ManagedPolicy",
         "Properties":{
            "ManagedPolicyName":"CloudHealth-CF-Policy-AUTO",
            "Description":"CloudHealth Billing and Reporting",
            "PolicyDocument":{
               "Version":"2012-10-17",
               "Statement":[
                  {
                     "Effect":"Allow",
                     "Action":[
					        "autoscaling:Describe*",
							"aws-portal:ViewBilling",
							"aws-portal:ViewUsage",
							"cloudformation:ListStacks",
							"cloudformation:ListStackResources",
							"cloudformation:DescribeStacks",
							"cloudformation:DescribeStackEvents",
							"cloudformation:DescribeStackResources",
							"cloudformation:GetTemplate",
							"cloudfront:Get*",
							"cloudfront:List*",
							"cloudtrail:DescribeTrails",
							"cloudtrail:GetEventSelectors",
							"cloudtrail:ListTags",
							"cloudwatch:Describe*",
							"cloudwatch:Get*",
							"cloudwatch:List*",
							"config:Get*",
							"config:Describe*",
							"config:Deliver*",
							"config:List*",
							"cur:Describe*",
							"dms:Describe*",
							"dms:List*",
							"dynamodb:DescribeTable",
							"dynamodb:List*",
							"ec2:Describe*",
							"ec2:GetReservedInstancesExchangeQuote",
							"ecs:List*",
							"ecs:Describe*",
							"elasticache:Describe*",
							"elasticache:ListTagsForResource",
							"elasticbeanstalk:Check*",
							"elasticbeanstalk:Describe*",
							"elasticbeanstalk:List*",
							"elasticbeanstalk:RequestEnvironmentInfo",
							"elasticbeanstalk:RetrieveEnvironmentInfo",
							"elasticfilesystem:Describe*",
							"elasticloadbalancing:Describe*",
							"elasticmapreduce:Describe*",
							"elasticmapreduce:List*",
							"es:List*",
							"es:Describe*",
							"firehose:ListDeliveryStreams",
							"firehose:DescribeDeliveryStream",
							"firehose:ListTagsForDeliveryStream",
							"iam:List*",
							"iam:Get*",
							"iam:GenerateCredentialReport",
							"kinesis:Describe*",
							"kinesis:List*",
							"kms:DescribeKey",
							"kms:GetKeyRotationStatus",
							"kms:ListKeys",
							"lambda:List*",
							"logs:Describe*",
							"organizations:ListAccounts",
							"organizations:ListTagsForResource",
							"organizations:DescribeOrganization",
							"redshift:Describe*",
							"route53:Get*",
							"route53:List*",
							"rds:Describe*",
							"rds:ListTagsForResource",
							"s3:GetBucketAcl",
							"s3:GetBucketLocation",
							"s3:GetBucketLogging",
							"s3:GetBucketPolicyStatus",
							"s3:GetBucketPublicAccessBlock",
							"s3:GetAccountPublicAccessBlock",
							"s3:GetBucketTagging",
							"s3:GetBucketVersioning",
							"s3:GetBucketWebsite",
							"s3:List*",
							"sagemaker:Describe*",
							"sagemaker:List*",
							"savingsplans:DescribeSavingsPlans",
							"sdb:GetAttributes",
							"sdb:List*",
							"ses:Get*",
							"ses:List*",
							"sns:Get*",
							"sns:List*",
							"sqs:GetQueueAttributes",
							"sqs:ListQueues",
							"storagegateway:List*",
							"storagegateway:Describe*",
							"workspaces:Describe*"
                          ],
                          "Resource":"*"
                          },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "ec2:DeleteSnapshot"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "ec2:DeleteVolume"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "ec2:TerminateInstances"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "ec2:StartInstances"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "ec2:StopInstances"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "ec2:RebootInstances"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "ec2:ModifyReservedInstances"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "ec2:DescribeReservedInstancesOfferings",
                                "ec2:PurchaseReservedInstancesOffering",
                                "sts:GetFederationToken"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "rds:DescribeReservedDBInstancesOfferings",
                                "rds:PurchaseReservedDBInstancesOffering"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "lambda:InvokeFunction"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "ec2:ReleaseAddress"
                              ],
                              "Resource": "*"
                            },
                            {
                              "Effect": "Allow",
                              "Action": [
                                "ec2:CreateSnapshot"
                              ],
                              "Resource": "*"
                            },
                            {
                                "Effect": "Allow",
                                "Action": [
                                  "ec2:ModifyReservedInstances",
                                  "ec2:DescribeReservedInstancesOfferings",
                                  "ec2:GetReservedInstancesExchangeQuote",
                                  "ec2:AcceptReservedInstancesExchangeQuote"
                                ],
                                "Resource": "*"
                            },
                  {
                     "Effect": "Allow",
                     "Action": [
                         "s3:Get*",
                         "s3:List*"
                     ],
                     "Resource": [
                        {"Fn::Join":["",["arn:aws:s3:::",{"Ref":"CloudTrailBucketName"}]]},
                        {"Fn::Join":["",["arn:aws:s3:::",{"Ref":"CloudTrailBucketName"},"/*"]]},
                        {"Fn::Join":["",["arn:aws:s3:::",{"Ref":"DBRBucketName"}]]},
                        {"Fn::Join":["",["arn:aws:s3:::",{"Ref":"DBRBucketName"},"/*"]]},
                        {"Fn::Join":["",["arn:aws:s3:::",{"Ref":"CURBucketName"}]]},
                        {"Fn::Join":["",["arn:aws:s3:::",{"Ref":"CURBucketName"},"/*"]]}
                     ]
                  }
               ]
            },
            "Roles":[
               {
                  "Ref":"CloudHealthRoleARN"
               }

            ]

         }
      },
      "CloudHealthRoleARN":{
         "Type":"AWS::IAM::Role",
         "Properties":{
            "RoleName": "CloudHealth-CF-Role-AUTO",
            "AssumeRolePolicyDocument":{
               "Version": "2012-10-17",
               "Statement": [ {
                     "Effect": "Allow",
                     "Principal": {"AWS": "arn:aws:iam::454464851268:root"},
                     "Action": "sts:AssumeRole",
                     "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "CustomerExternalID"} }}
               }]
            }         }
      }
   },
   "Outputs":{
    "CustomerExternalID":{
       "Value":{
          "Ref":"CustomerExternalID"
       }
    },
      "DBRBucketName":{
         "Value":{
            "Ref":"DBRBucketName"
        }
    },
      "CURBucketName":{
         "Value":{
            "Ref":"CURBucketName"
        }
    },
      "CURBucketPath":{
         "Value":{
            "Ref":"CURBucketPath"
        }
    },
      "AccountFriendlyName":{
         "Value":{
            "Ref":"AccountFriendlyName"
         }
      },
      "CloudTrailBucketName":{
         "Value":{
            "Ref":"CloudTrailBucketName"
         }
      },
      "CloudTrailBucketPath":{
         "Value":{
            "Ref":"CloudTrailBucketPath"
         }
      },
      "CloudHealthRoleARN":{
         "Value":{
            "Fn::GetAtt":[
               "CloudHealthRoleARN",
               "Arn"
            ]
         }
      }
   }
}