########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
  AWS Control Tower Execution IAM Role Creation. - 'common_prerequisites' solution in the repo,
  https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2h)
Metadata:
  SRA:
    Version: 1.1
    Order: 2
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionTagKey
          - pSRASolutionName
      - Label:
          default: Control Tower Role Attributes
        Parameters:
          - pAWSControlTowerExecutionRoleName
    ParameterLabels:
      pAWSControlTowerExecutionRoleName:
        default: AWS Control Tower Execution Role Name
      pSRASolutionName:
        default: SRA Solution Name
      pSRASolutionTagKey:
        default: SRA Solution Tag Key

Parameters:
  pAWSControlTowerExecutionRoleName:
    AllowedValues: [AWSControlTowerExecution]
    Default: AWSControlTowerExecution
    Description: AWS Control Tower execution role name
    Type: String
  pSRASolutionName:
    AllowedValues: [sra-common-prerequisites]
    Default: sra-common-prerequisites
    Description: The SRA solution name. The default value is the folder name of the solution
    Type: String
  pSRASolutionTagKey:
    AllowedValues: [sra-solution]
    Default: sra-solution
    Description: The SRA solution tag key applied to all resources created by the solution that support tagging. The value is the pSRASolutionName.
    Type: String

Resources:
  rAWSControlTowerRole:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: Specific role name provided for AWS Control Tower
          - id: W43
            reason: Administrator policy is required for the role
    Properties:
      RoleName: !Ref pAWSControlTowerExecutionRoleName
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess
      Tags:
        - Key: !Ref pSRASolutionTagKey
          Value: !Ref pSRASolutionName

Outputs:
  oAWSControlTowerExecutionRoleArn:
    Description: AWS Control Tower Execution Role ARN
    Value: !GetAtt rAWSControlTowerRole.Arn
  oSRASolutionName:
    Description: SRA Solution Name
    Value: !Ref pSRASolutionName