#Copyright 2008-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

#Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
#http://aws.amazon.com/apache2.0/
#or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

AWSTemplateFormatVersion: 2010-09-09
Description: This template sets up the infrastructure required for an AWS Service Catalog based Account Vending Machine. (fdp-1pg158jfl)
Parameters:
  SourceBucket:
    Description: "Bucket name of the S3 bucket holding all the files for the Account Vending Machine set up"
    Type: String

  SourceTemplate:
    Description: "Enter the template URL for the cloudformation template to launch account creation"
    Type: String

  AccountAdministrator:
    Description: "Enter the ARN of the IAM entity (role or user or group) that will be performing account creation from AWS Service Catalog"
    Type: String
    AllowedPattern: ".+"

  # Requestszip:
  #   Description: Requests zip file for creating the Requests Layer
  #   Type: String

Resources:

  # RequestLayer:
  #   Type: AWS::Lambda::LayerVersion
  #   Properties:
  #     CompatibleRuntimes:
  #       - python3.6
  #       - python3.7
  #       - python3.8
  #     Content:
  #       S3Bucket: !Ref SourceBucket
  #       S3Key: !Ref Requestszip
  #     Description: RequestsLayer
  #     LayerName: requests
  #     LicenseInfo: MIT

  AccountBuilderLambda:
    Type: "AWS::Lambda::Function"
    DependsOn: LambdaExecuteRole
    Properties:
      Handler: "AccountCreationLambda.main"
      Runtime: "python3.9"
      Role: !GetAtt LambdaExecuteRole.Arn
      # Layers:
      #   - !Ref RequestLayer
      Timeout: 800
      TracingConfig:
          Mode: "Active"
      Code:
        S3Bucket: !Sub
          #- ${Bucket}-${AWS::Region}
          - ${Bucket}
          - { Bucket: !Ref SourceBucket }
        S3Key: "AccountCreationLambda.zip"
        
#   AccountBuilderLambdaVersion:
#     Type: AWS::Lambda::Version
#     Properties:
#       FunctionName: !Ref AccountBuilderLambda
      
#   AccountBuilderLambdaalias:
#     Type: AWS::Lambda::Alias
#     Properties:
#       FunctionName: !Ref AccountBuilderLambda
#       FunctionVersion: !GetAtt AccountBuilderLambdaVersion.Version
#       Name: AccountBuilderLambdaAlias
#     #   RoutingConfig:
#     #     AdditionalVersionWeights:
#     #       - FunctionVersion: !GetAtt version.Version
#     #         FunctionWeight: 0.5
      
  AccountBuilderLambdaAsyncconfig:
    Type: AWS::Lambda::EventInvokeConfig
    Properties:
      FunctionName: !Ref AccountBuilderLambda
      MaximumEventAgeInSeconds: 300
      MaximumRetryAttempts: 0
      Qualifier: "$LATEST"

  LambdaExecuteRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
            Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AdministratorAccess"
      Path: "/"

  AccountVendingPortfolio:
    Type: "AWS::ServiceCatalog::Portfolio"
    Properties:
      DisplayName: "Account Vending Machine"
      AcceptLanguage: "en"
      ProviderName: "AWS"

  AccountVendingMachineProduct:
    Type: "AWS::ServiceCatalog::CloudFormationProduct"
    Properties:
      AcceptLanguage: "en"
      Description: "This product is an account vending machine builds a new account"
      Distributor: "Amazon"
      Name: "Account Vending Machine"
      Owner: "AWS"
      SupportEmail: "support@yourcompany.com"
      SupportUrl: "https://www.amazon.com"
      SupportDescription: "Support Description"
      ProvisioningArtifactParameters:
      -
        Description: "AWS Account Vending"
        Name: "Refreshed in May 2023"
        Info:
          LoadTemplateFromURL : !Ref SourceTemplate

  AVMAssociation:
    Type: "AWS::ServiceCatalog::PortfolioProductAssociation"
    Properties:
      ProductId: !Ref AccountVendingMachineProduct
      PortfolioId: !Ref AccountVendingPortfolio

  PortfolioPrincipalAssociation:
    Type: "AWS::ServiceCatalog::PortfolioPrincipalAssociation"
    Properties:
      PrincipalARN: !Ref AccountAdministrator
      PortfolioId: !Ref AccountVendingPortfolio
      PrincipalType: IAM

  ServiceCatalogLaunchRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
            Effect: "Allow"
            Principal:
              Service:
                - "servicecatalog.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AdministratorAccess"
      Path: "/"

  ServiceCatalogLaunchConstraint:
    Type: "AWS::ServiceCatalog::LaunchRoleConstraint"
    DependsOn: ServiceCatalogLaunchRole
    Properties:
      Description: This is a launch constraint created for the account vending portfolio
      AcceptLanguage: en
      PortfolioId: !Ref AccountVendingPortfolio
      ProductId: !Ref AccountVendingMachineProduct
      RoleArn: !GetAtt ServiceCatalogLaunchRole.Arn

  ServiceCatalogTagOption:
    Type: "AWS::ServiceCatalog::TagOption"
    Properties:
      Active: true
      Value: "avm-reference-architecture"
      Key: "Name"

  ServiceCatalogTagOptionAssociation:
    Type: "AWS::ServiceCatalog::TagOptionAssociation"
    Properties:
      TagOptionId: !Ref ServiceCatalogTagOption
      ResourceId: !Ref AccountVendingPortfolio

Outputs:
  AccountLambda:
    Description: ARN of the account creation lambda function
    Value: !GetAtt AccountBuilderLambda.Arn