AWSTemplateFormatVersion: '2010-09-09'

Description: Rafay Cost Management Single Account Template

Parameters:
  AthenaCURBucket:
    Description: The bucket that athena results are written to
    Type: String
  SpotDataFeedBucketName:
    Description: Optional. The bucket that spot feed are written to
    Type: String

Conditions:
  HasSpotFeedBucketName: !Not [ !Equals [ !Ref SpotDataFeedBucketName, "" ] ]

Resources:
  RafayCostUser:
    Type: 'AWS::IAM::User'
    Properties:
      UserName: 'RafayCostUser'
  RafayCostRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: 'RafayCostRole'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - 'ec2.amazonaws.com'
            Action:
              - 'sts:AssumeRole'

  SpotFeedPolicy:
    Type: 'AWS::IAM::Policy'
    Condition: HasSpotFeedBucketName
    Properties:
      Users:
        - !Ref RafaycostUser
      Roles:
        - !Ref RafayCostRole
      PolicyName: 'rafay-spot-data-feed-access'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: SpotDataAccess
          Effect: Allow
          Action:
          - s3:ListAllMyBuckets
          - s3:ListBucket
          - s3:HeadBucket
          - s3:HeadObject
          - s3:List*
          - s3:Get*
          Resource: "*"
  AthenaPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      Users:
        - !Ref RafayCostUser
      Roles:
        - !Ref RafayCostRole
      PolicyName: 'rafay-athena-access'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: AthenaAccess
          Effect: Allow
          Action:
          - athena:*
          Resource:
          - "*"
        - Sid: ReadAccessToAthenaCurDataViaGlue
          Effect: Allow
          Action:
          - glue:GetDatabase*
          - glue:GetTable*
          - glue:GetPartition*
          - glue:GetUserDefinedFunction
          - glue:BatchGetPartition
          Resource:
          - arn:aws:glue:*:*:catalog
          - arn:aws:glue:*:*:database/athenacurcfn*
          - arn:aws:glue:*:*:table/athenacurcfn*/*
        - Sid: AthenaQueryResultsOutput
          Effect: Allow
          Action:
          - s3:GetBucketLocation
          - s3:GetObject
          - s3:ListBucket
          - s3:ListBucketMultipartUploads
          - s3:ListMultipartUploadParts
          - s3:AbortMultipartUpload
          - s3:CreateBucket
          - s3:PutObject
          Resource:
          - arn:aws:s3:::aws-athena-query-results-*
        - Sid: S3ReadAccessToAwsBillingData
          Effect: Allow
          Action:
          - s3:Get*
          - s3:List*
          Resource:
          - !Sub 'arn:aws:s3:::${AthenaCURBucket}*'
        - Sid: ReadAccessToAccountTags
          Effect: Allow
          Action:
          - organizations:ListAccounts
          - organizations:ListTagsForResource
          Resource: 
          - "*"