# CloudFormation template: a single IAM role that a third party (AttestAtlas)
# may assume cross-account. The role name is set explicitly (RoleName
# parameter), so the stack must be created with CAPABILITY_NAMED_IAM.
# The trust policy and ManagedPolicyArns in Resources define exactly what the
# remote account is allowed to do in this account; review those two first.
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  AttestAtlas read-only cross-account access role. Creates an IAM role in
  your AWS account that AttestAtlas's worker assumes (via sts:AssumeRole) to
  collect infrastructure inventory + posture evidence. No long-lived
  credentials leave your account. The trust policy requires a unique
  External ID generated server-side by AttestAtlas to prevent
  confused-deputy attacks.

  Version: v1
  Permissions: AWS-managed ReadOnlyAccess (v1 baseline; future v2 will swap
  in a narrower SecurityAudit + specific Get/List actions policy).

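Parameters:
  # Confused-deputy guard: the role's trust policy only honours AssumeRole
  # calls that present exactly this value in sts:ExternalId.
  ExternalId:
    Type: String
    Description: >
      Per-integration external ID generated by AttestAtlas. DO NOT change
      this; AttestAtlas will reject AssumeRole calls that don't match the
      ID it issued.
    MinLength: 16
    MaxLength: 64
    AllowedPattern: '^[A-Za-z0-9_\-]+$'
    # Shown instead of the raw regex when validation fails at stack creation.
    ConstraintDescription: >-
      Must be 16-64 characters of letters, digits, underscore or hyphen,
      exactly as issued by AttestAtlas.
    # Not masked on purpose: the same value is written into the role's trust
    # policy, where anyone able to read the role (iam:GetRole) can see it.
    NoEcho: false

  # Remote account that is trusted to assume the role (see the trust policy
  # in Resources). Pattern pins it to a 12-digit account ID.
  AttestAtlasAccountId:
    Type: String
    Description: AttestAtlas's AWS account ID (issued during onboarding).
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: Must be a 12-digit AWS account ID.

  # Explicit role name: the stack needs CAPABILITY_NAMED_IAM, and the name
  # must be unique within the account (one stack per name).
  RoleName:
    Type: String
    Default: AttestAtlasReadOnly
    Description: Name for the IAM role this stack creates.
    MinLength: 1
    MaxLength: 64
    # Same character set IAM itself accepts for role names.
    AllowedPattern: '^[A-Za-z0-9+=,.@_\-]+$'
    ConstraintDescription: >-
      1-64 characters from the IAM role-name character set
      (letters, digits and + = , . @ _ -).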

Resources:
  # The only resource: the cross-account role. Its name comes from the
  # RoleName parameter, so creating the stack requires CAPABILITY_NAMED_IAM
  # and the stack cannot be deployed twice in one account under the same name.
  AttestAtlasReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      Description: >-
        Read-only role assumed by AttestAtlas's worker for infrastructure
        inventory and posture evidence collection.
      # 3600 s is the lowest value IAM accepts; keeps each assumed session
      # as short as possible.
      MaxSessionDuration: 3600
      # Trust policy. The Principal is the remote account's root, i.e. any IAM
      # principal in that account whose own policy permits sts:AssumeRole on
      # this role. Pinning to the worker's role ARN (a narrower Principal, or
      # an aws:PrincipalArn condition) would be tighter, but needs an ARN that
      # AttestAtlas would have to publish — not available in this template.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AttestAtlasAccountId}:root'
            Action: sts:AssumeRole
            # Confused-deputy guard: AssumeRole succeeds only when the caller
            # passes exactly this ExternalId (StringEquals is case-sensitive).
            # Successful AssumeRole calls against this role appear in this
            # account's CloudTrail (eventSource sts.amazonaws.com) — that is
            # the audit trail for the integration.
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # AWS-managed ReadOnlyAccess is broad: besides Describe/List it grants
      # data-plane reads such as s3:GetObject and dynamodb:GetItem, and AWS can
      # change its contents without a stack update. The template header
      # already flags a narrower v2 policy; until then this is the blast
      # radius if the remote account is compromised.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      # Tags only label the role; they grant nothing.
      Tags:
        - Key: ManagedBy
          Value: AttestAtlas
        - Key: Purpose
          Value: read-only-inventory-and-posture
        - Key: Version
          Value: v1

Outputs:
  # ARN the customer hands back to AttestAtlas; the worker targets it with
  # sts:AssumeRole.
  RoleArn:
    Value:
      Fn::GetAtt: [AttestAtlasReadOnlyRole, Arn]
    Description: 'Paste this ARN back into the AttestAtlas onboarding wizard to complete the integration setup.'

  # Convenience echo of the ExternalId parameter. The same value is already
  # embedded in the role's trust policy, so this output adds no new exposure.
  ExternalIdEcho:
    Value:
      Ref: ExternalId
    Description: 'The external ID this role trusts (for your records).'
