---
AWSTemplateFormatVersion: "2010-09-09"
Description: "Buildkite agent's IAM policy"

Resources:
  BuildkiteAgentManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:*",
                "s3-object-lambda:*"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "lambda:InvokeFunction",
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "secretsmanager:GetSecretValue",
              "Resource": "*"
            }
          ]
        }