{
  "AWSTemplateFormatVersion" : "2010-09-09",

  "Description" : "Deepfence Cross-Account ECR Registry Setup: creates an IAM role, assumable from the Deepfence Management Console AWS account, that grants read-only access to the ECR and ECR Public registries in this account",

  "Metadata" : {
    "AWS::CloudFormation::Interface" : {
      "ParameterGroups" : [
        {
          "Label" : {
            "default": "Deepfence Management Console AWS account"
          },
          "Parameters" : ["AccountId"]
        }
      ],
      "ParameterLabels" : [
        {
          "AccountId" : {
            "default" : "Account ID of AWS account hosting Deepfence Management Console"
          }
        }
      ]
    }
  },

  "Parameters" : {
    "AccountId": {
      "Type": "String",
      "Description" : "12-digit ID of the AWS account hosting the Deepfence Management Console. The created role trusts this account's root principal, so any IAM identity in that account that is allowed sts:AssumeRole can assume it; narrow the trust policy (specific role ARN and/or an sts:ExternalId condition) if that is broader than you want.",
      "MinLength": "8"
    }
  },

  "Resources" : {
    "DeepfenceConsoleEcrAssumeRole" : {
      "Type" : "AWS::IAM::Role",
      "Properties" : {
        "RoleName" : "deepfence-console-ecr-assume-role",
        "AssumeRolePolicyDocument" : {
          "Statement" : [{
            "Effect" : "Allow",
            "Principal" : {
              "AWS" : { "Fn::Join" : ["", ["arn:aws:iam::", {"Ref": "AccountId"}, ":root"] ] }
            },
            "Action" : "sts:AssumeRole"
          }]
        },
        "Policies" : [
          {
            "PolicyName": "df-ecr-public-and-private-read-only",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action"   : [
                    "sts:GetServiceBearerToken",
                    "ecr-public:GetAuthorizationToken",
                    "ecr-public:BatchCheckLayerAvailability",
                    "ecr-public:GetRepositoryPolicy",
                    "ecr-public:DescribeRepositories",
                    "ecr-public:DescribeRegistries",
                    "ecr-public:DescribeImages",
                    "ecr-public:DescribeImageTags",
                    "ecr-public:GetRepositoryCatalogData",
                    "ecr-public:GetRegistryCatalogData",
                    "ecr:DescribeImageScanFindings",
                    "ecr:GetLifecyclePolicyPreview",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:DescribeImageReplicationStatus",
                    "ecr:ListTagsForResource",
                    "ecr:ListImages",
                    "ecr:BatchGetRepositoryScanningConfiguration",
                    "ecr:BatchGetImage",
                    "ecr:DescribeImages",
                    "ecr:DescribeRepositories",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetRepositoryPolicy",
                    "ecr:GetLifecyclePolicy",
                    "ecr:GetRegistryPolicy",
                    "ecr:DescribeRegistry",
                    "ecr:DescribePullThroughCacheRules",
                    "ecr:GetAuthorizationToken",
                    "ecr:GetRegistryScanningConfiguration"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }        
        ],
        "Tags" : [
          {
            "Key" : "Name",
            "Value" : "deepfence-console-ecr-assume-role"
          }
        ]
      }
    }
  },

  "Outputs" : {
    "RoleARN" : {
      "Value" : { "Fn::GetAtt" : [ "DeepfenceConsoleEcrAssumeRole", "Arn" ]},
      "Description" : "ARN of the created role; the Deepfence Management Console assumes it to gain read-only access to all ECR and ECR Public repositories in this account (the inline policy uses Resource \"*\")"
    }
  }
}
