{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Metadata": {
    "AWS::CloudFormation::Designer": {
      "ee09ff7b-5f50-40a7-b5cd-d41591410b63": {
        "size": {
          "width": 60,
          "height": 60
        },
        "position": {
          "x": 403,
          "y": 211
        },
        "z": 0,
        "embeds": []
      }
    }
  },
  "Parameters": {
    "ExternalID": {
      "Type": "String",
      "Default": "YourExternalID",
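      "Description": "External ID secret that the iot_platform_prod principal must present as sts:ExternalId to assume iotRole; replace the placeholder default with your own value before deploying"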
    }
  },
  "Resources": {
    "iotRole": {
      "Type": "AWS::IAM::Role",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Policies": [
          {
            "PolicyName": "iamAttachRolePolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "iam:UpdateServiceSpecificCredential",
                    "iam:PassRole",
                    "iam:ResetServiceSpecificCredential"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ],
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            },
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "greengrass.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            },
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::921779095203:user/iot_platform_prod"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": {
                    "Ref": "ExternalID"
                  }
                }
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AWSLambda_FullAccess",
          "arn:aws:iam::aws:policy/service-role/GreengrassOTAUpdateArtifactAccess",
          "arn:aws:iam::aws:policy/CloudWatchFullAccess",
          "arn:aws:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy",
          "arn:aws:iam::aws:policy/AWSIoTFullAccess",
          "arn:aws:iam::aws:policy/AWSGreengrassFullAccess"
        ]
      },
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "ee09ff7b-5f50-40a7-b5cd-d41591410b63"
        }
      }
    }
  }
}

