########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
  This template deploys Customizations for Control Tower (CFCT). - 'common_cfct_setup' solution in the repo,
  https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2a)
Metadata:
  SRA:
    Version: 1.2
    Entry: Parameters for deploying CFCT solution without resolving SSM parameters
    Order: 1
  cfn-lint:
    config:
      ignore_checks:
        - W6001
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionName
          - pSRAStagingS3BucketName
      - Label:
          default: CFCT - Pipeline Configuration
        Parameters:
          - pPipelineApprovalStage
          - pPipelineApprovalEmail
          - pCodePipelineSource
      - Label:
          default: CFCT - AWS CodeCommit Setup (Applicable if 'AWS CodeCommit' was selected as the CodePipeline Source)
        Parameters:
          - pExistingRepository
          - pCodeCommitRepositoryName
          - pCodeCommitBranchName
      - Label:
          default: CFCT - AWS CloudFormation StackSets Configuration
        Parameters:
          - pRegionConcurrencyType
          - pMaxConcurrentPercentage
          - pFailureTolerancePercentage

    ParameterLabels:
      pCodeCommitBranchName:
        default: CodeCommit Branch Name
      pCodeCommitRepositoryName:
        default: CodeCommit Repository Name
      pCodePipelineSource:
        default: AWS CodePipeline Source
      pExistingRepository:
        default: Existing CodeCommit Repository?
      pFailureTolerancePercentage:
        default: Failure Tolerance Percentage
      pMaxConcurrentPercentage:
        default: Max Concurrent Percentage
      pPipelineApprovalEmail:
        default: Pipeline Approval Email Address
      pPipelineApprovalStage:
        default: Pipeline Approval Stage
      pRegionConcurrencyType:
        default: Region Concurrency Type
      pSRASolutionName:
        default: SRA Solution Name
      pSRAStagingS3BucketName:
        default: SRA Staging S3 Bucket Name

Parameters:
  pCodeCommitBranchName:
    Default: main
    Description: Name of the branch in CodeCommit repository that contains custom Control Tower configuration.
    MaxLength: 256
    MinLength: 1
    Type: String
  pCodeCommitRepositoryName:
    AllowedPattern: '^[\w-.]{1,100}(?<!\.git)$'
    ConstraintDescription: Max 100 alphanumeric characters. Also special characters supported [_. -]. Name cannot end in '.git'.
    Default: custom-control-tower-configuration
    Description: Name of the CodeCommit repository that contains custom Control Tower configuration.
    Type: String
  pCodePipelineSource:
    AllowedValues: [Amazon S3, AWS CodeCommit]
    Default: AWS CodeCommit
    Description: Which AWS CodePipeline source provider do you want to select?
    Type: String
  pExistingRepository:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Are you using an existing CodeCommit repository that already contains custom Control Tower configuration?
    Type: String
  pFailureTolerancePercentage:
    Default: 0
    Description:
      The percentage of accounts, per Region, for which this stack operation can fail before AWS CloudFormation stops the operation in that Region.
    MaxValue: 100
    MinValue: 0
    Type: Number
  pMaxConcurrentPercentage:
    Default: 100
    Description: The maximum percentage of accounts in which to perform this operation at one time.
    MaxValue: 100
    MinValue: 1
    Type: Number
  pPipelineApprovalEmail:
    AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$'
    ConstraintDescription: Must be a valid email address.
    Default: ''
    Description: (Not required if Pipeline Approval Stage = 'No') Email for notifying that the CustomControlTower pipeline is waiting for an Approval
    Type: String
  pPipelineApprovalStage:
    AllowedValues: ['Yes', 'No']
    Default: 'No'
    Description: Do you want to add a manual approval stage to the Custom Control Tower Configuration Pipeline?
    Type: String
  pRegionConcurrencyType:
    AllowedValues: [PARALLEL, SEQUENTIAL]
    Default: 'PARALLEL'
    Description: Select the the concurrency type of deploying StackSets operations in Regions.
    Type: String
  pSRASolutionName:
    AllowedValues: [sra-common-cfct-setup]
    Default: sra-common-cfct-setup
    Description: The SRA solution name. The Description value is the folder name of the solution
    Type: String
  pSRAStagingS3BucketName:
    AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$'
    ConstraintDescription:
      Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names.
    Default: /sra/staging-s3-bucket-name
    Description:
      SSM Parameter for SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket
      name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Type: AWS::SSM::Parameter::Value<String>

Rules:
  PipelineApprovalEmailValidation:
    RuleCondition: !Equals [!Ref pPipelineApprovalEmail, '']
    Assertions:
      - AssertDescription: "'Pipeline Approval Email Address' parameter is required if the 'Pipeline Approval Stage' parameter is set to 'Yes'."
        Assert: !Equals [!Ref pPipelineApprovalStage, 'No']

Resources:
  rCFCTStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/customizations-for-aws-control-tower.template
      # TemplateURL: https://s3.amazonaws.com/solutions-reference/customizations-for-aws-control-tower/latest/custom-control-tower-initiation.template
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName
      Parameters:
        CodeCommitBranchName: !Ref pCodeCommitBranchName
        CodeCommitRepositoryName: !Ref pCodeCommitRepositoryName
        CodePipelineSource: !Ref pCodePipelineSource
        ExistingRepository: !Ref pExistingRepository
        FailureTolerancePercentage: !Ref pFailureTolerancePercentage
        MaxConcurrentPercentage: !Ref pMaxConcurrentPercentage
        PipelineApprovalEmail: !Ref pPipelineApprovalEmail
        PipelineApprovalStage: !Ref pPipelineApprovalStage
        RegionConcurrencyType: !Ref pRegionConcurrencyType

Outputs:
  CustomControlTowerSolutionVersion:
    Description: Version Number
    Value: 'v2.5.3'