########################################################################
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
########################################################################
AWSTemplateFormatVersion: 2010-09-09
Description:
  This template creates an IAM role for enabling S3 account public access block settings within each account - 's3_block_account_public_access'
  solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse5t)

Metadata:
  SRA:
    Version: 1.2
    Order: 2
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Properties
        Parameters:
          - pSRASolutionName
      - Label:
          default: Role Properties
        Parameters:
          - pManagementAccountId
          - pS3BlockAccountPublicAccessLambdaRoleName
          - pS3BlockAccountPublicAccessRoleName

    ParameterLabels:
      pManagementAccountId:
        default: Organization Management Account ID
      pS3BlockAccountPublicAccessLambdaRoleName:
        default: S3 Block Account Public Access Lambda Role Name
      pS3BlockAccountPublicAccessRoleName:
        default: S3 Enable Block Public Access IAM Role Name
      pSRASolutionName:
        default: SRA Solution Name

Parameters:
  pManagementAccountId:
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: Must be 12 digits
    Description: Organization Management Account ID
    Type: String
  pS3BlockAccountPublicAccessRoleName:
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: sra-s3-block-account-public-access
    Description: S3 Block Account Public Access IAM Role Name
    Type: String
  pS3BlockAccountPublicAccessLambdaRoleName:
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: sra-s3-block-account-public-access-lambda
    Description: S3 Block Account Public Access Lambda Role Name
    Type: String
  pSRASolutionName:
    AllowedValues: [s3-block-account-public-access]
    Default: s3-block-account-public-access
    Description: The SRA solution name. The default value is the folder name of the solution
    Type: String

Resources:
  rS3ConfigurationRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: Actions require * in resource
          - id: W28
            reason: Explicit name provided
    Properties:
      RoleName: !Ref pS3BlockAccountPublicAccessRoleName
      Description: !Sub SRA role assumed by '${pS3BlockAccountPublicAccessLambdaRoleName}' to enable the S3 account public access block
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Condition:
              StringEquals:
                aws:PrincipalArn:
                  - !Sub arn:${AWS::Partition}:iam::${pManagementAccountId}:role/${pS3BlockAccountPublicAccessLambdaRoleName}
                  - !Sub arn:${AWS::Partition}:iam::${pManagementAccountId}:role/Admin
            Principal:
              AWS:
                - !Sub arn:${AWS::Partition}:iam::${pManagementAccountId}:root
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName
      Policies:
        - PolicyName: sra-s3-block-account-public-access-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: S3AccountPublicAccessBlock
                Effect: Allow
                Action:
                  - s3:GetAccountPublicAccessBlock
                  - s3:PutAccountPublicAccessBlock
                Resource: '*'

Outputs:
  oS3ConfigurationRoleArn:
    Description: SRA S3 Block Account Public Access Role
    Value: !GetAtt rS3ConfigurationRole.Arn