---
AWSTemplateFormatVersion: 2010-09-09
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      -
        Label:
          default: "AWS Shield Advanced Configurations"
        Parameters:
          - EnabledProactiveEngagement
          - EnableSRTAccess
          - EmergencyContactEmail1
          - EmergencyContactPhone1
          - EmergencyContactNote1
          - EmergencyContactEmail2
          - EmergencyContactPhone2
          - EmergencyContactNote2
          - EmergencyContactEmail3
          - EmergencyContactPhone3
          - EmergencyContactNote3
          - EmergencyContactEmail4
          - EmergencyContactPhone4
          - EmergencyContactNote4
          - EmergencyContactEmail5
          - EmergencyContactPhone5
          - EmergencyContactNote5
          - SRTAccessRoleName
Parameters:
  EmergencyContactEmail1:
    Type: String
    Default: <na>
    AllowedPattern: ^\S+@\S+\.\S+$|\<na\>
  EmergencyContactEmail2:
    Type: String
    Default: <na>
    AllowedPattern: ^\S+@\S+\.\S+$|\<na\>
  EmergencyContactEmail3:
    Type: String
    Default: <na>
    AllowedPattern: ^\S+@\S+\.\S+$|\<na\>
  EmergencyContactEmail4:
    Type: String
    Default: <na>
    AllowedPattern: ^\S+@\S+\.\S+$|\<na\>
  EmergencyContactEmail5:
    Type: String
    Default: <na>
    AllowedPattern: ^\S+@\S+\.\S+$|\<na\>
  EmergencyContactPhone1:
    Type: String
    Default: <na>
    AllowedPattern: ^\+[0-9]{11}|\<na\>
  EmergencyContactPhone2:
    Type: String
    Default: <na>
    AllowedPattern: ^\+[0-9]{11}|\<na\>
  EmergencyContactPhone3:
    Type: String
    Default: <na>
    AllowedPattern: ^\+[0-9]{11}|\<na\>
  EmergencyContactPhone4:
    Type: String
    Default: <na>
    AllowedPattern: ^\+[0-9]{11}|\<na\>
  EmergencyContactPhone5:
    Type: String
    Default: <na>
    AllowedPattern: ^\+[0-9]{11}|\<na\>
  EmergencyContactNote1:
    Type: String
    Default: <na>
    AllowedPattern: ^[\w\s\.\-,:/()+@]*$|\<na\>
  EmergencyContactNote2:
    Type: String
    Default: <na>
    AllowedPattern: ^[\w\s\.\-,:/()+@]*$|\<na\>
  EmergencyContactNote3:
    Type: String
    Default: <na>
    AllowedPattern: ^[\w\s\.\-,:/()+@]*$|\<na\>
  EmergencyContactNote4:
    Type: String
    Default: <na>
    AllowedPattern: ^[\w\s\.\-,:/()+@]*$|\<na\>
  EmergencyContactNote5:
    Type: String
    Default: <na>
    AllowedPattern: ^[\w\s\.\-,:/()+@]*$|\<na\>
  EnabledProactiveEngagement:
    Type: String
    Default: true
    AllowedValues:
      - true
      - false
  SRTBuckets:
    Type: CommaDelimitedList
    Default: <na>
  SRTAccessRoleName:
    Type: String
    Default: AWSSRTAccess
  SRTAccessRoleAction:
    Type: String
    Default: "UseExisting"
    AllowedValues:
    - "UseExisting"
    - "CreateRole"
  EnableSRTAccess:
    Type: String
    Default: True
    AllowedValues:
      - True
      - False
Conditions:
    FirstEmergencyContact: !Not [ !Equals [!Ref EmergencyContactEmail1 , "<na>"]]
    SecondEmergencyContact: !Not [ !Equals [!Ref EmergencyContactEmail2 , "<na>"]]
    ThirdEmergencyContact: !Not [ !Equals [!Ref EmergencyContactEmail3 , "<na>"]]
    FourthEmergencyContact: !Not [ !Equals [!Ref EmergencyContactEmail4 , "<na>"]]
    FifthEmergencyContact: !Not [ !Equals [!Ref EmergencyContactEmail5 , "<na>"]]
    FirstEmergencyContactNote: !Not [ !Equals [!Ref EmergencyContactNote1 , "<na>"]]
    SecondEmergencyContactNote: !Not [ !Equals [!Ref EmergencyContactNote2 , "<na>"]]
    ThirdEmergencyContactNote: !Not [ !Equals [!Ref EmergencyContactNote3 , "<na>"]]
    FourthEmergencyContactNote: !Not [ !Equals [!Ref EmergencyContactNote4 , "<na>"]]
    FifthEmergencyContactNote: !Not [ !Equals [!Ref EmergencyContactNote5 , "<na>"]]
    EnableSRTAccessCondition: !Equals [!Ref "EnableSRTAccess", True]
    SRTCreateRoleCondition: !Equals [!Ref "SRTAccessRoleAction", "CreateRole"]
    SRTBucketsCondition: !Not [!Equals [ !Join [",",!Ref "SRTBuckets"], "<na>" ] ]
    ProactiveEngagementCondition: !Equals [ !Ref "EnabledProactiveEngagement",true]
Resources:
  ProactiveEngagement:
    DeletionPolicy: Delete
    Condition: ProactiveEngagementCondition
    Type: AWS::Shield::ProactiveEngagement
    Properties:
      ProactiveEngagementStatus: ENABLED
      EmergencyContactList:
        !If
        - FirstEmergencyContact
        -
          - !If
              - FirstEmergencyContact
              - EmailAddress: !Ref "EmergencyContactEmail1"
                ContactNotes: !If [FirstEmergencyContactNote, !Ref "EmergencyContactNote1", !Ref "AWS::NoValue"]
                PhoneNumber: !Ref "EmergencyContactPhone1"
              - !Ref "AWS::NoValue"
          - !If
              - SecondEmergencyContact
              - EmailAddress: !Ref "EmergencyContactEmail2"
                ContactNotes: !If [SecondEmergencyContactNote, !Ref "EmergencyContactNote2", !Ref "AWS::NoValue"]
                PhoneNumber: !Ref "EmergencyContactPhone2"
              - !Ref "AWS::NoValue"
          - !If
              - ThirdEmergencyContact
              - EmailAddress: !Ref "EmergencyContactEmail3"
                ContactNotes: !If [ThirdEmergencyContactNote, !Ref "EmergencyContactNote3", !Ref "AWS::NoValue"]
                PhoneNumber: !Ref "EmergencyContactPhone3"
              - !Ref "AWS::NoValue"
          - !If
              - FourthEmergencyContact
              - EmailAddress: !Ref "EmergencyContactEmail4"
                ContactNotes: !If [FourthEmergencyContactNote, !Ref "EmergencyContactNote4", !Ref "AWS::NoValue"]
                PhoneNumber: !Ref "EmergencyContactPhone4"
              - !Ref "AWS::NoValue"
          - !If
              - FifthEmergencyContact
              - EmailAddress: !Ref "EmergencyContactEmail5"
                ContactNotes: !If [FifthEmergencyContactNote, !Ref "EmergencyContactNote5", !Ref "AWS::NoValue"]
                PhoneNumber: !Ref "EmergencyContactPhone5"
              - !Ref "AWS::NoValue"
        - !Ref "AWS::NoValue"

  SRTAccess:
    Condition: EnableSRTAccessCondition
    Type: AWS::Shield::DRTAccess
    Properties:
      LogBucketList:
        !If
        - SRTBucketsCondition
        - !Ref "SRTBuckets"
        - !Ref "AWS::NoValue"
      RoleArn:
        !If
        - SRTCreateRoleCondition
        - !GetAtt SRTAccessRole.Arn
        - !Sub "arn:aws:iam::${AWS::AccountId}:role/${SRTAccessRoleName}"
  SRTAccessRole:
    Condition: SRTCreateRoleCondition
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref "SRTAccessRoleName"
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy'
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - 'drt.shield.amazonaws.com'
            Action:
              - 'sts:AssumeRole'