AWSTemplateFormatVersion: 2010-09-09
Description: IAM Role for creating VPC Flow Logs

Parameters:

  DeploymentName:
    Type: String
    Description: A name for this deployment

Resources:

  VpcFlowLogsRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${DeploymentName}-VpcFlowLogs"
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: vpc-flow-logs.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - !Ref AllowVpcFlowLogs

  AllowVpcFlowLogs:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allow VPC Flow Logs to write logs
      ManagedPolicyName: VpcFlowLog
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
            Resource: "*"