{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
      "PorterRole": {
          "Type": "AWS::IAM::Role",
          "Properties": {
              "AssumeRolePolicyDocument": {
                  "Version": "2012-10-17",
                  "Statement": [
                      {
                          "Effect": "Allow",
                          "Principal": {
                              "AWS": [
                                  "arn:aws:iam::108458755588:role/CAPIManagement"
                              ]
                          },
                          "Condition": {
                              "StringEquals": {
                                  "sts:ExternalId": {
                                      "Ref": "ExternalIdParameter"
                                  }
                              }   
                          },
                          "Action": [
                              "sts:AssumeRole"
                          ]
                      },
                      {
                          "Effect": "Allow",
                          "Principal": {
                              "Service": [
                                  "ec2.amazonaws.com"
                              ]
                          },
                          "Action": [
                              "sts:AssumeRole"
                          ]
                      },
                      {
                          "Effect": "Allow",
                          "Principal": {
                              "Service": [
                                  "eks.amazonaws.com"
                              ]
                          },
                          "Action": [
                              "sts:AssumeRole"
                          ]
                      }
                  ]
              },
              "Path": "/",
              "ManagedPolicyArns": [
                  "arn:aws:iam::aws:policy/AdministratorAccess",
                  "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
                  "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
                  "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
                  "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
              ],
              "RoleName": "PorterRole"
          }
      }
  },
  "Parameters": {
      "ExternalIdParameter": {
          "Type" : "String",
          "Description": "External ID required for CAPIManagement role to access target ARN."
      }
  }
}