# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: '2010-09-09'
Description: IPAM Delegation CloudFormation

Parameters:
  pNetworkHubAccountId:
    Description: NetworkHub Account ID for IPAM delegation
    Type: String
    Default: 123456789012

Resources:

  rIPAM:
    Type: 'Custom::IPAM'
    Version: '1.0'
    Properties:
      accountid: !Ref pNetworkHubAccountId
      ServiceToken: !GetAtt rIPAMLambdaDelegate.Arn

  rIPAMLambdaRoleDelegate:
    Type: 'AWS::IAM::Role'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "Resource * acceptable for this policy."
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: ipampolicy
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:EnableIpamOrganizationAdminAccount'
                  - 'organizations:RegisterDelegatedAdministrator'
                  - 'organizations:EnableAWSServiceAccess'
                  - 'iam:CreateServiceLinkedRole'
                Resource: '*'

  rIPAMLambdaDelegate:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: |
          import json,boto3
          import cfnresponse
          from botocore.exceptions import ClientError

          def handler(event, context):
            print('this is the event ' + json.dumps(event))
            StackName = event['StackId']
            LogicalResourceId = event['LogicalResourceId']
            UniqueId = event['RequestId']
            print("Boto3 version: " + boto3.__version__)
            print("Parameters:\n" + (event['ResourceProperties']['accountid']) )
            props = event['ResourceProperties']

            client = boto3.client('ec2')

            if (event['RequestType'] == 'Create' or event['RequestType'] == 'Update'):
              try: 
                response = client.enable_ipam_organization_admin_account(DryRun = False, DelegatedAdminAccountId = (event['ResourceProperties']['accountid']))
                print(response)

                if response['Success'] == True:
                  print("IPAM configured")
                  print("Respond: SUCCESS")
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
                else:
                  print("Respond: FAILED")
                  cfnresponse.send(event, context, cfnresponse.FAILED, {})
              except Exception as ex:
                print("failed executing requests.put(..): " + str(ex))
                cfnresponse.send(event, context, cfnresponse.FAILED, {})
            else:
              cfnresponse.send(event, context, cfnresponse.SUCCESS, {})

      Handler: index.handler
      MemorySize: 128
      Role: !GetAtt 'rIPAMLambdaRoleDelegate.Arn'
      Runtime: 'python3.8'
      Timeout: 60