{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates the StrategicBlueRiSeller IAM role, which the trusted Strategic Blue Services Ltd. AWS account can assume (sessions of up to 12 hours) to sell this account's EC2 Reserved Instances (RIs) on the Reserved Instance Marketplace.",
    "Metadata": {
        "AWS::CloudFormation::Interface": {
            "ParameterGroups": [
                {
                    "Label": {
                        "default": "Role-Based Access Control"
                    },
                    "Parameters": [
                        "TrustedAccountId"
                    ]
                }
            ],
            "ParameterLabels": {
                "TrustedAccountId": {
                    "default": "Trusted Account Id"
                }
            }
        }
    },
    "Parameters": {
        "TrustedAccountId": {
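            "Description": "The 12-digit ID of the trusted AWS account (the Strategic Blue account). The role's trust policy names this whole account as the principal with no further condition, so any identity in it that is allowed to call sts:AssumeRole can use the role; confirm the ID with Strategic Blue before deploying.",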
            "Type": "String",
            "MinLength": "12",
            "MaxLength": "12",
            "AllowedPattern": "^[0-9]{12}$",
            "ConstraintDescription": "AWS Account Id must be 12 digits"
        }
    },
    "Resources": {
        "SbslRiSellerRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "StrategicBlueRiSeller",
                "Description": "Allows Strategic Blue traders to sell Reserved Instances in this account on the AWS RI Marketplace",
                "Path": "/",
                "MaxSessionDuration": 43200,
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Ref": "TrustedAccountId"
                                }
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                }
            }
        },
        "SbslRiSellerPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "UseRiMarketplace",
                "Roles": [
                    {
                        "Ref": "SbslRiSellerRole"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "DiscoverSaleableRis",
                            "Effect": "Allow",
                            "Action": [
                                "ec2:DescribeRegions",
                                "ec2:DescribeReservedInstances"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "SellOnRiMarketplace",
                            "Effect": "Allow",
                            "Action": [
                                "ec2:DescribeReservedInstancesListings",
                                "ec2:CreateReservedInstancesListing",
                                "ec2:CancelReservedInstancesListing"
                            ],
                            "Resource": "*"
                        }
                    ]
                }
            }
        }
    }
}