AWSTemplateFormatVersion: 2010-09-09
Description: This Template will create the IAM Roles needed for the Prowler infrastructure
Parameters:
  ProwlerCrossAccountRoleName:
    Type: String
    Description: Name of the cross account Prowler IAM Role
    AllowedPattern: ^[\w+=,.@-]{1,64}$
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ProwlerXA-Role
  ECSExecutionRoleName:
    Type: String
    Description: Name for the ECS Task Execution Role
    AllowedPattern: ^[\w+=,.@-]{1,64}$
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ECSTaskExecution-Role
  ProwlerTaskRoleName:
    Type: String
    Description: Name for the ECS Prowler Task Role
    AllowedPattern: ^[\w+=,.@-]{1,64}$
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ProwlerECSTask-Role
  ECSEventRoleName:
    Type: String
    Description: Name for the Eventbridge Task Role
    AllowedPattern: ^[\w+=,.@-]{1,64}$
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ProwlerEvents-Role
Resources:
  ECSExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref ECSExecutionRoleName
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: ECSExecutionTrust
          Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: sts:AssumeRole
  ProwlerTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref ProwlerTaskRoleName
      Policies:
      - PolicyName: ProwlerAssumeRole
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Sid: AllowProwlerAssumeRole
            Effect: Allow
            Action: sts:AssumeRole
            Resource:
            - !Sub arn:aws:iam::*:role/${ProwlerCrossAccountRoleName}
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: ECSExecutionTrust
          Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: sts:AssumeRole
  ECSEventRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref ECSEventRoleName
      Policies:
      - PolicyName: AllowProwlerEventsECS
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - ecs:RunTask
            Resource:
            - "*"
            Sid: EventRunECS
          - Effect: Allow
            Action: iam:PassRole
            Resource:
            - "*"
            Sid: EventPassRole
            Condition:
              StringLike:
                iam:PassedToService: ecs-tasks.amazonaws.com
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: EventsECSExecutionTrust
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action: sts:AssumeRole
Outputs:
  ECSExecutionRoleARN:
    Description: ARN of the ECS Task Execution Role
    Value: !GetAtt ECSExecutionRole.Arn
  ProwlerTaskRoleARN:
    Description: ARN of the ECS Prowler Task Role
    Value: !GetAtt ProwlerTaskRole.Arn
  ECSEventRoleARN:
    Description: ARN of the Eventbridge Task Role
    Value: !GetAtt ECSEventRole.Arn