{
  "AWSTemplateFormatVersion" : "2010-09-09",

  "Description" : "Deepfence Cross-Account ECR Registry Setup",

  "Metadata" : {
    "AWS::CloudFormation::Interface" : {
      "ParameterGroups" : [
        {
          "Label" : {
            "default": "AWS Config for Deepfence Management Console host"
          },
          "Parameters" : ["ECRAccessRole"]
        }
      ],
      "ParameterLabels" : [
        {
          "ECRAccessRole" : {
            "default" : "ARN of a role that has read-only ECR registry permissions and a trust policy allowing this account to assume it"
          }
        }
      ]
    }
  },

  "Parameters" : {
    "ECRAccessRole": {
      "Type": "String",
      "Description" : "ARN of a role that has read-only ECR registry permissions and a trust policy allowing this account to assume it"
    }
  },

  "Resources" : {
    "DeepfenceConsoleEcrAccessRole" : {
      "Type" : "AWS::IAM::Role",
      "Properties" : {
        "RoleName" : "deepfence-console-ecr-access-role",
        "AssumeRolePolicyDocument" : {
          "Statement" : [{
            "Effect" : "Allow",
            "Principal" : {
              "Service" : "ec2.amazonaws.com"
            },
            "Action" : "sts:AssumeRole"
          }]
        },
        "Policies" : [
          {
            "PolicyName": "df-access-ecr",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action"   : [
                    "sts:AssumeRole"
                  ],
                  "Resource": {"Ref": "ECRAccessRole"}
                }
              ]
            }
          }        
        ],
        "Tags" : [
          {
            "Key" : "Name",
            "Value" : "deepfence-console-ecr-access-role"
          }
        ]
      }
    },
    "DeepfenceInstanceProfile": {
      "Type" : "AWS::IAM::InstanceProfile",
      "Properties" : {
        "InstanceProfileName" : "deepfence-console-ecr-access-instance-profile",
        "Path" : "/",
        "Roles" : [{"Ref": "DeepfenceConsoleEcrAccessRole"}]
      }
    } 
  },

  "Outputs" : {
    "InstanceProfileARN" : {
      "Value" : { "Fn::GetAtt" : [ "DeepfenceInstanceProfile", "Arn" ]},
      "Description" : "ARN of the newly created instance profile that grants access to the cross-account ECR registry"
    }
  }
}
