########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
  This template creates an IAM role for AWS Config Recorder in the Control Tower Management account. - 'config_management_account' solution in the
  repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse2s)
Metadata:
  SRA:
    Version: 1.0
    Order: 2
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionTagKey
          - pSRASolutionName
          - pManagedResourcePrefix
    ParameterLabels:
      pManagedResourcePrefix:
        default: Managed Resource Prefix
      pSRASolutionName:
        default: SRA Solution Name
      pSRASolutionTagKey:
        default: SRA Solution Tag Key

Parameters:
  pManagedResourcePrefix:
    AllowedValues: [aws-controltower]
    Default: aws-controltower
    Description: Prefix for the managed resources
    Type: String
  pSRASolutionName:
    AllowedValues: [sra-config-management-account]
    Default: sra-config-management-account
    Description: The SRA solution name. The default value is the folder name of the solution
    Type: String
  pSRASolutionTagKey:
    AllowedValues: [sra-solution]
    Default: sra-solution
    Description: The SRA solution tag key applied to all resources created by the solution that support tagging. The value is the pSRASolutionName.
    Type: String

Resources:
  rConfigRecorderRole:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: Explicit name provided
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${pManagedResourcePrefix}-ConfigRecorderRole
      Description: Role for AWS Config Recorder
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                - config.amazonaws.com
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWS_ConfigRole
      Tags:
        - Key: !Ref pSRASolutionTagKey
          Value: !Ref pSRASolutionName

Outputs:
  oConfigRecorderRoleArn:
    Description: Config Recorder Role ARN
    Value: !GetAtt rConfigRecorderRole.Arn