AWSTemplateFormatVersion: "2010-09-09"
Description: Read-only IAM role for FinOps Pack AWS Savings Review access.

Parameters:
  TrustedPrincipalArn:
    Type: String
    Default: arn:aws:iam::123456789012:role/FinOpsPackScanner
    AllowedPattern: '^arn:aws:iam::\d{12}:(role/.+|root)$'
    ConstraintDescription: Must be an AWS IAM principal ARN.
    Description: Stable FinOps Pack scanner principal allowed to assume this role.
  ExternalId:
    Type: String
    MinLength: 8
    # NoEcho keeps the external ID out of the console, API responses and stack events.
    NoEcho: true
    Description: External ID generated by FinOps Pack for this scan.
  RoleName:
    Type: String
    Default: finops-pack-readonly
    Description: Name of the IAM role to create.

Resources:
  FinOpsPackReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      Description: Cross-account read-only role for FinOps Pack AWS Savings Review.
      # Trust policy: only the single scanner principal may assume the role, and only
      # when it presents the matching external ID (confused-deputy mitigation).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowFinOpsPackScannerWithExternalId
            Effect: Allow
            Principal:
              AWS: !Ref TrustedPrincipalArn
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # Inline permissions policy: Describe/List/Get actions only, no mutating calls.
      Policies:
        - PolicyName: finops-pack-readonly-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: ReadAccountInventory
                Effect: Allow
                Action:
                  - ec2:DescribeRegions
                  - ec2:DescribeInstances
                  - ec2:DescribeNatGateways
                  - ec2:DescribeVolumes
                  - ecs:DescribeServices
                  - ecs:DescribeTaskDefinition
                  - ecs:ListClusters
                  - ecs:ListServices
                  - lambda:ListFunctions
                  - cloudwatch:GetMetricStatistics
                  - organizations:ListAccounts
                  - rds:DescribeDBClusters
                  - rds:DescribeDBInstances
                  - s3:GetBucketLocation
                  - s3:GetLifecycleConfiguration
                  - s3:ListAllMyBuckets
                Resource: "*"
              - Sid: ReadCostAndOptimizationSignals
                Effect: Allow
                Action:
                  - ce:GetCostAndUsage
                  - ce:GetCostAndUsageWithResources
                  - cost-optimization-hub:GetRecommendation
                  - cost-optimization-hub:ListEnrollmentStatuses
                  - cost-optimization-hub:ListRecommendationSummaries
                  - cost-optimization-hub:ListRecommendations
                Resource: "*"

Outputs:
  RoleArn:
    Description: ARN of the read-only role for FinOps Pack.
    Value: !GetAtt FinOpsPackReadOnlyRole.Arn
  RoleName:
    Description: Name of the read-only role for FinOps Pack.
    Value: !Ref FinOpsPackReadOnlyRole