# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: '2010-09-09'
Description: IPAM Pools
Transform:
  - Replication-IpamRegionalPool-Macro

Parameters:
  pOrgId:
    Description: Id of organization
    Type: String
    Default: o-abcdefgh
  pOperatingRegionList: 
    Description: A list of AWS Regions where the IPAM is allowed to manage IP address CIDRs
    Type: String
    Default: "us-east-1,us-east-2"     
  pMainPoolCIDRIPv4List:
    Description: IPv4 CIDR provisioned to the main IPAM pool (TOP-LEVEL-POOL). 
    Type: String
    Default: "10.0.0.0/8"
  pRegionalPool1CIDRIPv4List:
    Description: The list of CIDRs for regional pools (one per region) provisioned from the main IPAM pool, given in order as pOperatingRegionList.  
    Type: String
    Default: "10.0.0.0/16,10.1.0.0/16"
  pOperatingEnvironmentsList: 
    Description: A list of Environments where the IPAM is allowed to manage IP address CIDRs
    Type: String
    # AllowedValues:
    #   - "Prod"
    #   - "NonProd"
    Default: "Prod,NonProd"  
  pPoolCIDRIPv4ListProd:
    Description: The list of production pool CIDRs (one per region) provisioned from the respective regional IPAM pool, given in order as pOperatingRegionList. 
    Type: String
    Default: "10.0.192.0/18,10.1.192.0/18"
  pPoolCIDRIPv4ListNonProd:
    Description: The list of non-production pool CIDRs (one per region) provisioned from the respective regional IPAM pool, given in order as pOperatingRegionList. 
    Type: String
    Default: "10.0.64.0/18,10.1.64.0/18"

Resources:

  rIPAM:
    Type: AWS::EC2::IPAM
    Properties: 
      Description: Organization IPAM
      OperatingRegions:
        ReplicateforMultipleRegions:
          RegionName: 'pOperatingRegionList'

  rIPAMScope:
    Type: AWS::EC2::IPAMScope
    Properties: 
      Description: Custom Scope for Private IP Addresses
      IpamId: !Ref rIPAM
      IpamScopeType: private

  rIPAMTOPPoolIPv4:
    Type: AWS::EC2::IPAMPool
    Properties: 
      AddressFamily: ipv4
      Description: TOP-LEVEL-POOL
      IpamScopeId: !Ref rIPAMScope
      ProvisionedCidrs: 
        - Cidr: !Ref pMainPoolCIDRIPv4List
      Tags:
        - Key: "Name"
          Value: "TOP-LEVEL-POOL" 

  rIPAMPoolRegion:
    Type: AWS::EC2::IPAMPool
    Properties: 
      AddressFamily: ipv4
      Description: Regional IPAM Pool
      IpamScopeId: !Ref rIPAMScope
      ReplicateforMultipleRegions:
        Locale: 'pOperatingRegionList'
      SourceIpamPoolId: !Ref rIPAMTOPPoolIPv4  
      ProvisionedCidrs: 
        ReplicateforMultipleRegions:
          - Cidr: 'pRegionalPool1CIDRIPv4List'

  rIPAMPoolEnv:
    Type: AWS::EC2::IPAMPool
    Properties: 
      AutoImport: yes
      AddressFamily: ipv4
      Description: IPAM Pool
      IpamScopeId: !Ref rIPAMScope
      ReplacewithLocale:
        Locale: 'pOperatingRegionList'
      ProvisionedCidrs: 
        ReplicateforMultipleEnvironments:
          - Cidr: 'pPoolCIDRIPv4List'
      ReplaceWithRegionalPoolId:
        SourceIpamPoolId: !Ref rIPAMPoolRegional1IPv4

  rIPAMShare:
    Type: "AWS::RAM::ResourceShare"
    Properties:
      Name: IPAM Share
      ResourceArns:
        ReplacewithResourceArn:
          -  'rIPAMPool-Arn'
      Principals:
        - !Sub arn:aws:organizations::${pManagementAccountID}:organization/${pOrgId}
      PermissionArns: 
        - arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsIpamPool        
      AllowExternalPrincipals: false