AWSTemplateFormatVersion: "2010-09-09"
Description: Amazon S3 Find and Forget Data Access IAM Role (uksb-1qjminsba)

Parameters:
  SourceAccountId:
    Type: String
    Description: The ID of the AWS account in which the S3F2 solution is deployed
    AllowedPattern: "^[0-9]{12}$"

Resources:
  Role:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: S3F2DataAccessRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: "Allow"
          Principal:
            AWS:
            - !Sub "arn:${AWS::Partition}:iam::${SourceAccountId}:root"
          Action: "sts:AssumeRole"
        - Effect: "Allow"
          Principal:
            AWS:
            - !Sub "arn:${AWS::Partition}:iam::${SourceAccountId}:root"
          Action: "sts:TagSession"

Outputs:
  RoleArn:
    Value: !GetAtt Role.Arn
  RoleName:
    Value: !Ref Role