blog-prerequisites.yml

---
AWSTemplateFormatVersion: "2010-09-09"

Description: >
###################################################################################
#
#   **WARNING** 
#   This template creates IAM Role, IAM Policy, EBS Volume and related resources. 
#   You will be billed for the AWS resources used if you create a stack from this template.
#     
###################################################################################


Resources: 
  SSMEBSOperationsAutomationsExecutionRole: 
    Type: "AWS::IAM::Role"
    Properties: 
      RoleName: SSMAutomationChangeManagerEBS
      AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - 
            Effect: "Allow"
            Principal: 
              Service: 
                - "ssm.amazonaws.com"
            Action: 
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole
  SSMEBSOperationsAutomationExecutionRolePolicies: 
    Type: "AWS::IAM::Policy"
    Properties: 
      PolicyName: "ChangManagerEBSVolume"
      PolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - 
            Effect: "Allow"
            Action: [
                "ec2:DeleteVolume",
                "iam:PassRole",
                "ec2:DescribeVolumeStatus",
                "ec2:DeleteSnapshot",
                "ec2:CreateSnapshots",
                "ec2:DescribeVolumes",
                "ec2:CreateSnapshot",
                "ssm:StartChangeRequestExecution",
                "iam:PassRole",
                "ec2:DescribeSnapshots"
            ]
            Resource: "*"
      Roles: 
        - 
          Ref: "SSMEBSOperationsAutomationsExecutionRole"
  SSMConfigEC2LabRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: WorkshopEC2SSMRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Principal:
            Service: ec2.amazonaws.com
          Action: sts:AssumeRole
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
  SSMConfigEC2LabProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref "SSMConfigEC2LabRole"
      Path: /
      InstanceProfileName: WorkshopEC2SSMRole
  UnusedEBSVolume:
    Type: AWS::EC2::Volume
    Properties:
      Size: 10
      VolumeType: gp3
      AvailabilityZone: !Select 
        - 0
        - Fn::GetAZs: !Ref "AWS::Region"