AWSTemplateFormatVersion: "2010-09-09"
Description: Creates KMS CMK, VPC, Aurora Database, Fargate application, and creates pipeline to build and deploy container
Parameters:
  KeyAdministratorRole:
    Type: String
    Description: This is the IAM Role that is managing the CMK. Be sure that the key policy that you create allows the current user to administer the CMK. https://aws.amazon.com/premiumsupport/knowledge-center/update-key-policy-future/
    Default: KeyAdministratorRole

  DatabaseEngine:
    Type: String
    Description: Aurora MySQL or Aurora PostgreSQL
    Default: aurora-mysql
    AllowedValues:
      - aurora-mysql
      - aurora-postgresql
    ConstraintDescription: Specify either aurora-mysql or aurora-postgresql

  DatabaseInstanceClass:
    Default: db.r4.large
    Type: String
    Description: "Database instance class, e.g. db.t2.micro (free tier) - Engine support: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html"
    ConstraintDescription: DB instance class not supported
    AllowedValues:
      - db.t2.small
      - db.t2.medium
      - db.t2.xlarge
      - db.r4.large
      - db.r4.xlarge
      - db.r4.2xlarge
      - db.r4.4xlarge
      - db.r4.8xlarge
      - db.r4.16xlarge

Resources: 
  KMSCMKKeyStack: 
    DependsOn: IAMRoleStack
    Type: AWS::CloudFormation::Stack
    Properties: 
      TemplateURL: cfn.kms.yaml
      Parameters:
        KeyAdministratorRole: !Ref KeyAdministratorRole

  VPCStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: cfn.vpc.yaml
      Parameters: 
        AvailabilityZone1: !Select
          - 0
          - !GetAZs
            Ref: 'AWS::Region'
        AvailabilityZone2: !Select
          - 1
          - !GetAZs
            Ref: 'AWS::Region'
        SingleNatGateway: "true"

  DatabaseStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: cfn.aurora.yaml
      Parameters:
        DatabaseEngine: !Ref DatabaseEngine
        DatabaseName: "EncryptedColumnsDB"
        DatabaseInstanceClass: !Ref DatabaseInstanceClass
        EnableAlarms: "true"
        EncryptionAtRest: "true"
        EnhancedMonitoring: "true"
        EncryptionAtRestCMKArn: !GetAtt KMSCMKKeyStack.Outputs.EncryptionAtRestCMKArn
        NetworkStackName: !GetAtt VPCStack.Outputs.StackName

  DatabaseStackMultiUser:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: cfn.aurora-multiuserrotation.yaml
      Parameters:
        DatabaseEngine: !Ref DatabaseEngine
        DatabaseName: "EncryptedColumnsDB"
        DatabaseInstanceClass: !Ref DatabaseInstanceClass
        EnableAlarms: "true"
        EncryptionAtRest: "true"
        EnhancedMonitoring: "true"
        EncryptionAtRestCMKArn: !GetAtt KMSCMKKeyStack.Outputs.EncryptionAtRestCMKArn
        NetworkStackName: !GetAtt VPCStack.Outputs.StackName  

  FargateStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      #TemplateURL: cfn.fargate.yaml
      TemplateURL: ../tmp/fargate-build-dir/template.yaml
      Parameters:
        FargateTaskRoleArn: !GetAtt IAMRoleStack.Outputs.FargateTaskRoleArn
        FargateTaskRoleName: !GetAtt IAMRoleStack.Outputs.FargateTaskRoleName
        NetworkStackName: !GetAtt VPCStack.Outputs.StackName
        DatabaseSecretsManagerArn: !GetAtt DatabaseStack.Outputs.DBSecretsArn
        DatabaseURL: !GetAtt DatabaseStack.Outputs.AuroraDbURL
        DatabasePort: !GetAtt DatabaseStack.Outputs.AuroraDBPort

  FargateStackMultiUser:
    Type: AWS::CloudFormation::Stack
    Properties:
      #TemplateURL: cfn.fargate.yaml
      TemplateURL: ../tmp/fargate-build-dir/template.yaml
      Parameters:
        FargateTaskRoleArn: !GetAtt IAMRoleStack.Outputs.FargateTaskRoleArn
        FargateTaskRoleName: !GetAtt IAMRoleStack.Outputs.FargateTaskRoleName
        NetworkStackName: !GetAtt VPCStack.Outputs.StackName
        DatabaseSecretsManagerArn: !GetAtt DatabaseStackMultiUser.Outputs.DBSecretApplicationUserArn
        DatabaseURL: !GetAtt DatabaseStackMultiUser.Outputs.AuroraDbURL
        DatabasePort: !GetAtt DatabaseStackMultiUser.Outputs.AuroraDBPort

  IAMDatabaseOneUserAuthenticationStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ../tmp/iamauthentication-build-dir/template.yaml
      Parameters:
        pDBClusterIdentifier: !GetAtt DatabaseStack.Outputs.AuroraClusterId
        pAppPrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1
        pAppPrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2
        pAppSecurityGroup: !GetAtt VPCStack.Outputs.AppSecurityGroup
        pDatabaseSecretsManagerArn: !GetAtt DatabaseStack.Outputs.DBSecretsArn
        pDatabaseURL: !GetAtt DatabaseStack.Outputs.AuroraDbURL

  IAMDatabaseMultiUserAuthenticationStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ../tmp/iamauthentication-build-dir/template.yaml
      Parameters:
        pDBClusterIdentifier: !GetAtt DatabaseStackMultiUser.Outputs.AuroraClusterId
        pAppPrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1
        pAppPrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2
        pAppSecurityGroup: !GetAtt VPCStack.Outputs.AppSecurityGroup
        pDatabaseSecretsManagerArn: !GetAtt DatabaseStackMultiUser.Outputs.DBSecretMasterUserArn
        pDatabaseURL: !GetAtt DatabaseStackMultiUser.Outputs.AuroraDbURL

  DatabaseApplicationUserCreateStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ../tmp/database-application-user-build-dir/template.yaml
      Parameters:
        pAppPrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1
        pAppPrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2
        pAppSecurityGroup: !GetAtt VPCStack.Outputs.AppSecurityGroup
        pDatabaseMaserUserSecretsManagerArn: !GetAtt DatabaseStackMultiUser.Outputs.DBSecretMasterUserArn
        pDatabaseApplicationUserSecretsManagerArn: !GetAtt DatabaseStackMultiUser.Outputs.DBSecretApplicationUserArn

  IAMRoleStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: cfn.iam.yaml

  LambdaTriggerStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: cfn.trigger-lambdas.yaml
      Parameters:
        ApplicationUserLambdaArn: !GetAtt DatabaseApplicationUserCreateStack.Outputs.CreateRDSApplicationUserFunctionArn
        SingleUserIAMAuthenticationLambdaArn: !GetAtt IAMDatabaseOneUserAuthenticationStack.Outputs.RDSIAMAuthenticationFunctionArn
        TwoUserIAMAuthenticationLambdaArn: !GetAtt IAMDatabaseMultiUserAuthenticationStack.Outputs.RDSIAMAuthenticationFunctionArn

Outputs:
  StackName:
    Value: !Ref AWS::StackName
    Export:
      Name: !Sub "${AWS::StackName}-StackName"
  AuroraClusterArn:
    Value: !GetAtt DatabaseStack.Outputs.AuroraClusterArn
    Export:
      Name: !Sub "${AWS::StackName}-AuroraClusterArn"
  CreateUrl:
    Description: "Go to this URL first"
    Value: !GetAtt FargateStack.Outputs.CreateUrl
    Export:
      Name: !Sub "${AWS::StackName}-CreateUrl"
  CreateUrlMultiUser:
    Description: "Go to this URL first"
    Value: !GetAtt FargateStackMultiUser.Outputs.CreateUrl
    Export:
      Name: !Sub "${AWS::StackName}-CreateUrlMultiUser"
  AuthenticateDataUrl:
    Description: "Use this URL to authenticate the data you entered on the Create page"
    Value: !GetAtt FargateStack.Outputs.AuthenticateDataUrl
    Export:
      Name: !Sub "${AWS::StackName}-AuthenticateDataUrl"
  FargateTaskRoleArn:
    Description: "Fargate Task IAM Role Arn"
    Value: !GetAtt IAMRoleStack.Outputs.FargateTaskRoleArn
    Export:
      Name: !Sub "${AWS::StackName}-FargateTaskRoleArn"
  FargateTaskRoleName:
    Value: !GetAtt IAMRoleStack.Outputs.FargateTaskRoleName
    Export:
      Name:  !Sub "${AWS::StackName}-FargateTaskRoleName"