# CloudFormation template: an IAM role carrying AdministratorAccess that is
# reached only by switching into it (sts:AssumeRole with MFA), plus the IAM
# group whose members are allowed to perform that switch.
AWSTemplateFormatVersion: "2010-09-09"
Description: IAM group and role for role switching with administrator access

Resources:
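  # Target role for role switching. It carries full administrator rights, so
  # the only gate is the trust policy below: the caller must already hold
  # sts:AssumeRole on this role (granted to members of
  # CopSwitchableAdminRoleGroup) and must have authenticated with MFA.
  CopSwitchableAdminRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cop-adminrole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
        # Customer-managed policy that must already exist in this account;
        # stack creation fails if it is missing. Anything it grants is
        # already covered by AdministratorAccess above.
        - !Sub arn:aws:iam::${AWS::AccountId}:policy/cop-test-s3-policy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # The account root principal delegates the decision to identity
            # policies inside this account: any principal whose own policy
            # allows sts:AssumeRole on this role may assume it, subject to
            # the condition below.
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: sts:AssumeRole
            Condition:
              Bool:
                # Quoted so the value is the string "true" that IAM documents
                # for Bool conditions, instead of a YAML boolean whose
                # serialization depends on the template parser. Plain Bool
                # (not BoolIfExists) is deliberate: a request without the
                # MFA key in its context does not match, so it is not allowed.
                aws:MultiFactorAuthPresent: 'true'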

  # Membership in this group is the only thing the template grants to users:
  # permission to assume CopSwitchableAdminRole. All administrator rights
  # live on the role itself, never on the group.
  CopSwitchableAdminRoleGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: cop-switchable-adminrole
      Policies:
        - PolicyName: AllowAssumeCopAdminRole
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                # Scoped to the single role created above rather than "*".
                Resource:
                  Fn::GetAtt:
                    - CopSwitchableAdminRole
                    - Arn

# Values operators or other stacks look up after deployment.
Outputs:
  RoleName:
    Description: Name of the switchable admin role
    # Ref on an AWS::IAM::Role resolves to the role name.
    Value:
      Ref: CopSwitchableAdminRole

  RoleArn:
    Description: ARN of the switchable admin role
    Value:
      Fn::GetAtt:
        - CopSwitchableAdminRole
        - Arn

  GroupName:
    Description: Name of IAM group allowed to switch role
    Value:
      Ref: CopSwitchableAdminRoleGroup
