|
| 1 | +AWSTemplateFormatVersion: '2010-09-09' |
| 2 | +Description: > |
| 3 | + Adobe LLMO EdgeOptimize connector role — full setup (CDN log delivery + Lambda@Edge |
| 4 | + origin-request routing). Deploy this stack in the customer AWS account to grant Adobe |
| 5 | + SpaceCat permission to read CloudFront distribution configs, create Lambda@Edge functions, |
| 6 | + and enable CloudWatch Logs Delivery for CDN access-log forwarding to Adobe. |
| 7 | +
|
| 8 | + Setup type: log-and-oae (logs + Origin@Edge routing) |
| 9 | +
|
| 10 | +Parameters: |
| 11 | + TrustedPrincipalArn: |
| 12 | + Type: String |
| 13 | + Description: ARN of the Adobe SpaceCat IAM principal allowed to assume this role. |
| 14 | + AllowedPattern: 'arn:aws:iam::[0-9]{12}:.*' |
| 15 | + ExternalId: |
| 16 | + Type: String |
| 17 | + Description: > |
| 18 | + Org-scoped external ID derived from the customer IMS org. Must match the value |
| 19 | + SpaceCat presents during AssumeRole (confused-deputy prevention). |
| 20 | + MinLength: 1 |
| 21 | + RoleName: |
| 22 | + Type: String |
| 23 | + Default: AdobeLLMOptimizerCloudFrontConnectorRole |
| 24 | + Description: Name for the IAM role created in this account. |
| 25 | + |
| 26 | +Resources: |
| 27 | + ConnectorRole: |
| 28 | + Type: AWS::IAM::Role |
| 29 | + Properties: |
| 30 | + RoleName: !Ref RoleName |
| 31 | + AssumeRolePolicyDocument: |
| 32 | + Version: '2012-10-17' |
| 33 | + Statement: |
| 34 | + - Effect: Allow |
| 35 | + Principal: |
| 36 | + AWS: !Ref TrustedPrincipalArn |
| 37 | + Action: sts:AssumeRole |
| 38 | + Condition: |
| 39 | + StringEquals: |
| 40 | + sts:ExternalId: !Ref ExternalId |
| 41 | + Description: > |
| 42 | + Grants Adobe SpaceCat cross-account access to CloudFront distributions and |
| 43 | + CloudWatch Logs Delivery for CDN log forwarding and Lambda@Edge routing. |
| 44 | + Policies: |
| 45 | + - PolicyName: EdgeOptimizeLogAndOAEPolicy |
| 46 | + PolicyDocument: |
| 47 | + Version: '2012-10-17' |
| 48 | + Statement: |
| 49 | + # CloudFront read access — used for distribution discovery and config inspection |
| 50 | + - Sid: CloudFrontRead |
| 51 | + Effect: Allow |
| 52 | + Action: |
| 53 | + - cloudfront:ListDistributions |
| 54 | + - cloudfront:GetDistribution |
| 55 | + - cloudfront:GetDistributionConfig |
| 56 | + Resource: '*' |
| 57 | + # CloudFront write access — used to add the Edge Optimize origin and routing function |
| 58 | + - Sid: CloudFrontWrite |
| 59 | + Effect: Allow |
| 60 | + Action: |
| 61 | + - cloudfront:UpdateDistribution |
| 62 | + - cloudfront:CreateFunction |
| 63 | + - cloudfront:UpdateFunction |
| 64 | + - cloudfront:PublishFunction |
| 65 | + - cloudfront:DescribeFunction |
| 66 | + - cloudfront:GetFunction |
| 67 | + - cloudfront:CreateCachePolicy |
| 68 | + - cloudfront:GetCachePolicy |
| 69 | + - cloudfront:ListCachePolicies |
| 70 | + Resource: '*' |
| 71 | + # Lambda@Edge — create and version the origin-request handler |
| 72 | + - Sid: LambdaEdgeWrite |
| 73 | + Effect: Allow |
| 74 | + Action: |
| 75 | + - lambda:CreateFunction |
| 76 | + - lambda:UpdateFunctionCode |
| 77 | + - lambda:UpdateFunctionConfiguration |
| 78 | + - lambda:GetFunction |
| 79 | + - lambda:PublishVersion |
| 80 | + - lambda:ListVersionsByFunction |
| 81 | + - lambda:AddPermission |
| 82 | + - lambda:GetPolicy |
| 83 | + Resource: !Sub 'arn:aws:lambda:us-east-1:${AWS::AccountId}:function:edgeoptimize-origin' |
| 84 | + # IAM PassRole — needed to attach the Lambda execution role |
| 85 | + - Sid: LambdaExecRolePass |
| 86 | + Effect: Allow |
| 87 | + Action: iam:PassRole |
| 88 | + Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/edgeoptimize-lambda-exec' |
| 89 | + # IAM CreateRole — create the Lambda execution role if absent |
| 90 | + - Sid: LambdaExecRoleCreate |
| 91 | + Effect: Allow |
| 92 | + Action: |
| 93 | + - iam:CreateRole |
| 94 | + - iam:PutRolePolicy |
| 95 | + - iam:AttachRolePolicy |
| 96 | + - iam:GetRole |
| 97 | + Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/edgeoptimize-lambda-exec' |
| 98 | + # CloudWatch Logs Delivery — create delivery source + link to Adobe destination |
| 99 | + - Sid: LogsDeliveryWrite |
| 100 | + Effect: Allow |
| 101 | + Action: |
| 102 | + - logs:PutDeliverySource |
| 103 | + - logs:CreateDelivery |
| 104 | + - logs:GetDeliverySource |
| 105 | + - logs:DescribeDeliveries |
| 106 | + Resource: '*' |
| 107 | + |
| 108 | +Outputs: |
| 109 | + RoleArn: |
| 110 | + Description: ARN of the connector IAM role |
| 111 | + Value: !GetAtt ConnectorRole.Arn |
| 112 | + RoleName: |
| 113 | + Description: Name of the connector IAM role |
| 114 | + Value: !Ref ConnectorRole |
0 commit comments