{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates the StrategicBlueUsageAnalyser IAM role, which grants Strategic Blue Services Ltd. console access to analyse usage (for example, via Cost Explorer), and optionally the SbslOrgManager role.",
    "Metadata": {
        "AWS::CloudFormation::Interface": {
            "ParameterGroups": [
                {
                    "Label": {
                        "default": "Role-Based Access Control"
                    },
                    "Parameters": [
                        "TrustedAccountId"
                    ]
                },
                {
                    "Label": {
                        "default": "Customization"
                    },
                    "Parameters": [
                        "IncludeOrgManager"
                    ]
                }
            ],
            "ParameterLabels": {
                "TrustedAccountId": {
                    "default": "Trusted Account ID"
                },
                "IncludeOrgManager": {
                    "default": "Create OrgManager role?"
                }
            }
        }
    },
    "Parameters": {
        "TrustedAccountId": {
            "Description": "The 12-digit ID of the trusted AWS account (the Strategic Blue account); principals in this account are allowed to assume the roles created by this template.",
            "Type": "String",
            "MinLength": "12",
            "MaxLength": "12",
            "AllowedPattern": "^[0-9]{12}$",
            "ConstraintDescription": "The AWS account ID must be exactly 12 digits."
        },
        "IncludeOrgManager": {
            "Description": "Set this parameter to true to also create the SbslOrgManager role and its policy.",
            "Type": "String",
            "AllowedValues": [
                "true",
                "false"
            ],
            "Default": "false"
        }
    },
    "Conditions": {
        "CreateOrgManager": {
            "Fn::Equals": [
                "true",
                {
                    "Ref": "IncludeOrgManager"
                }
            ]
        }
    },
    "Resources": {
        "RoleUsageAnalyser": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "StrategicBlueUsageAnalyser",
                "Description": "Allows Strategic Blue to get an overview of the spending within this account.",
                "Path": "/",
                "MaxSessionDuration": 43200,
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Ref": "TrustedAccountId"
                                }
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/ComputeOptimizerReadOnlyAccess",
                    "arn:aws:iam::aws:policy/CostOptimizationHubReadOnlyAccess"
                ]
            }
        },
        "PolicyUsageAnalyser": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "StrategicBlueUsageAnalyserAccess",
                "Roles": [
                    {
                        "Ref": "RoleUsageAnalyser"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "AnalyseUsage",
                            "Effect": "Allow",
                            "Action": [
                                "ce:Get*",
                                "ce:List*",
                                "ce:Describe*",
                                "ce:StartSavingsPlansPurchaseRecommendationGeneration"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "DescribeSavingsPlans",
                            "Effect": "Allow",
                            "Action": [
                                "savingsplans:DescribeSavingsPlansOfferingRates",
                                "savingsplans:DescribeSavingsPlansOfferings",
                                "savingsplans:DescribeSavingsPlans",
                                "savingsplans:DescribeSavingsPlanRates"
                            ],
                            "Resource": "*"
                        }
                    ]
                }
            }
        },
        "RoleOrgManager": {
            "Type": "AWS::IAM::Role",
            "Condition": "CreateOrgManager",
            "Properties": {
                "RoleName": "SbslOrgManager",
                "Description": "Allows Strategic Blue to create new commitment-holding accounts under this payer account, to invite existing commitment-holding accounts into the organization, and to assume the OrganizationAccountAccessRole role in other accounts.",
                "Path": "/",
                "MaxSessionDuration": 43200,
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Ref": "TrustedAccountId"
                                }
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/AWSSupportAccess"
                ]
            }
        },
        "PolicyOrgManager": {
            "Type": "AWS::IAM::Policy",
            "Condition": "CreateOrgManager",
            "Properties": {
                "PolicyName": "sbsl-org-manager",
                "Roles": [
                    {
                        "Ref": "RoleOrgManager"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "ReadOrganizationDetails",
                            "Effect": "Allow",
                            "Action": [
                                "account:GetAccountInformation",
                                "account:ListRegions",
                                "account:GetRegionOptStatus",
                                "organizations:List*",
                                "organizations:Describe*"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "InviteChildAccounts",
                            "Effect": "Allow",
                            "Action": [
                                "organizations:InviteAccountToOrganization"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "CreateNewChildAccounts",
                            "Effect": "Allow",
                            "Action": [
                                "organizations:CreateAccount"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "SupportInfo",
                            "Effect": "Allow",
                            "Action": [
                                "trustedadvisor:DescribeAccount",
                                "trustedadvisor:DescribeChecks"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "ViewServiceQuotas",
                            "Effect": "Allow",
                            "Action": [
                                "servicequotas:Get*",
                                "servicequotas:List*"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "RequestQuotaIncreases",
                            "Effect": "Allow",
                            "Action": [
                                "servicequotas:RequestServiceQuotaIncrease"
                            ],
                            "Resource": [
                                "arn:aws:servicequotas:*:*:organizations/*"
                            ]
                        },
                        {
                            "Sid": "AllowCreationOfServiceLinkedRoleForServiceQuotas",
                            "Effect": "Allow",
                            "Action": [
                                "iam:CreateServiceLinkedRole"
                            ],
                            "Resource": [
                                "arn:aws:iam::*:role/aws-service-role/servicequotas.amazonaws.com/AWSServiceRoleForServiceQuotas"
                            ],
                            "Condition": {
                                "StringLike": {
                                    "iam:AWSServiceName": "servicequotas.amazonaws.com"
                                }
                            }
                        },
                        {
                            "Sid": "AssumeOrganizationAccountAccessRole",
                            "Effect": "Allow",
                            "Action": "sts:AssumeRole",
                            "Resource": [
                                "arn:aws:iam::*:role/OrganizationAccountAccessRole"
                            ]
                        }
                    ]
                }
            }
        }
    }
}