{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "CrossAccountRoleName": {
      "Description": "The name of the cross-account IAM role that Cloud Capital will assume",
      "Type": "String"
    },
    "CloudCapitalAccountRole": {
      "Description": "The Cloud Capital AWS account that will assume the role; set as the only trusted principal in the role's trust policy",
      "Type": "String"
    },
    "CloudCapitalExternalId": {
      "Description": "The external ID generated by Cloud Capital; it must match the sts:ExternalId supplied when the role is assumed",
      "Type": "String"
    },
    "CostAndUsageBucketName": {
      "Description": "The name of the S3 bucket that holds the Cost and Usage Report exports; the role's S3 read access is limited to this bucket",
      "Type": "String"
    }
  },
  "Resources": {
    "CrossAccountRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": {
          "Ref": "CrossAccountRoleName"
        },
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Ref": "CloudCapitalAccountRole"
                }
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": {
                    "Ref": "CloudCapitalExternalId"
                  }
                }
              }
            }
          ]
        },
        "Path": "/"
      }
    },
    "RolePolicies": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "CloudCapitalImportPolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "budgets:Describe*",
                "budgets:View*",
                "ce:Get*",
                "ce:Describe*",
                "ce:List*",
                "ce:StartCostAllocationTagBackfill",
                "cur:Describe*",
                "cur:Get*",
                "cur:Validate*",
                "pricing:DescribeServices",
                "pricing:GetAttributeValues",
                "pricing:GetProducts",
                "organizations:Describe*",
                "organizations:List*",
                "savingsplans:Describe*",
                "billing:Get*",
                "payments:List*",
                "payments:Get*",
                "tax:List*",
                "tax:Get*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "account:GetContactInformation",
                "invoicing:List*",
                "invoicing:Get*",
                "freetier:Get*"
              ],
              "Resource": "*"
            },
            {
              "Sid": "AccessCURBucket",
              "Effect": "Allow",
              "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:GetBucketLocation"
              ],
              "Resource": [
                { "Fn::Sub": "arn:aws:s3:::${CostAndUsageBucketName}" },
                { "Fn::Sub": "arn:aws:s3:::${CostAndUsageBucketName}/*" }
              ]
            }
          ]
        },
        "Roles": [
          {
            "Ref": "CrossAccountRole"
          }
        ]
      }
    }
  },
  "Outputs": {
    "CrossAccountRole": {
      "Description": "ARN of the cross-account role for Cloud Capital",
      "Value": { "Fn::GetAtt": "CrossAccountRole.Arn" }
    }
  }
}
