"Resources": {
"EcsTaskRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [ "ecs-tasks.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
}
]
},
"Path": "/"
}
},
"SqsIamPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": { "Fn::Sub": "${AWS::StackName}-sqs" },
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:ChangeMessageVisibilityBatch",
"sqs:DeleteMessage",
"sqs:DeleteMessageBatch",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:SendMessageBatch",
"sqs:SetQueueAttributes"
],
"Resource": [
{ "Fn::FindInMap": [ "SqsQueue", { "Ref": "Environment" }, "ArnPrefix" ] }
]
}
]
},
"Roles": [
{ "Ref": "EcsTaskRole" }
]
}
},
"S3IamPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": { "Fn::Sub": "${AWS::StackName}-s3" },
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:Get*",
"s3:List*"
],
"Resource": [
{ "Fn::Sub": [
"arn:aws:s3:::${S3BucketName}",
{ "S3BucketName": { "Fn::FindInMap": [ "S3Bucket", { "Ref": "Environment" }, "Name" ] } }
] },
{ "Fn::Sub": [
"arn:aws:s3:::${S3BucketName}/*",
{ "S3BucketName": { "Fn::FindInMap": [ "S3Bucket", { "Ref": "Environment" }, "Name" ] } }
] }
]
}
]
},
"Roles": [
{ "Ref": "EcsTaskRole" }
]
}
},
"LambdaGenerateSnapshotIamPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": { "Fn::Sub": "${AWS::StackName}-lambda-generate-snapshot" },
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Resource": [
{ "Fn::FindInMap": [ "LambdaGenerateSnapshot", { "Ref": "Environment" }, "ArnPrefix" ] }
]
}
]
},
"Roles": [
{ "Ref": "EcsTaskRole" }
]
}
},
"KmsIamPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": { "Fn::Sub": "${AWS::StackName}-kms" },
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Get*",
"kms:List*",
"kms:Decrypt",
"kms:Describe*"
],
"Resource": [
{ "Fn::FindInMap": [ "KmsKeys", { "Ref": "Environment" }, "Arn" ] }
]
}
]
},
"Roles": [
{ "Ref": "EcsTaskRole" }
]
}
},
"CloudwatchLogsGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": { "Ref": "AWS::StackName" },
"RetentionInDays": "3"
}
},