{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "JAWS",
  "Parameters": {
    "aaaStage": {
      "Type": "String",
      "Default": "test"
    },
    "aaaDataModelPrefix": {
      "Type": "String",
      "Default": "test",
      "AllowedValues": [
        "test",
        "prod"
      ]
    },
    "aaaProjectName": {
      "Type": "String",
      "Default": "jaws",
      "AllowedValues": [
        "jaws"
      ]
    },
    "HostedZoneName": {
      "Type": "String",
      "Default": "myapp.com"
    }
  },
  "Resources": {
    "LambdaRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "lambda.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/"
      }
    },
    "Profile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [
          {
            "Ref": "LambdaRole"
          }
        ]
      }
    },
    "Group": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "Path": "/dataModel/"
      }
    },
    "DataModelPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": {
          "Fn::Join": [
            "-",
            [
              {
                "Ref": "aaaStage"
              },
              {
                "Ref": "aaaProjectName"
              }
            ]
          ]
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": "arn:aws:logs:*:*:*"
            },
            {
              "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Put*"
              ],
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      {
                        "Ref": "aaaProjectName"
                      },
                      "-images.",
                      {
                        "Ref": "HostedZoneName"
                      },
                      "/",
                      {
                        "Ref": "aaaDataModelPrefix"
                      },
                      "*"
                    ]
                  ]
                }
              ],
              "Effect": "Allow"
            },
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:List*",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:UpdateItem",
                "dynamodb:UpdateTable"
              ],
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:dynamodb:us-east-1:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":table/",
                      {
                        "Ref": "aaaDataModelPrefix"
                      },
                      "-",
                      {
                        "Ref": "aaaProjectName"
                      },
                      "-users*"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:dynamodb:us-east-1:",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":table/",
                      {
                        "Ref": "aaaDataModelPrefix"
                      },
                      "-",
                      {
                        "Ref": "aaaProjectName"
                      },
                      "-images*"
                    ]
                  ]
                }
              ]
            }
          ]
        },
        "Roles": [
          {
            "Ref": "LambdaRole"
          }
        ],
        "Groups": [
          {
            "Ref": "Group"
          }
        ]
      }
    }
  }
}