AWSTemplateFormatVersion: 2010-09-09
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "WAF Rule"
        Parameters:
          - WAFRuleKey
          - DefaultAction
          - WebACLCloudFront
          - OverrideCustomerWebACL
      - Label:
          default: "Policy"
        Parameters:
          - PolicyName
          - AutoRemediate
      - Label:
          default: "Accounts and Organization"
        Parameters:
          - AccountScopeList
          - IncludeExcludeScope
          - OUScopeList
          - ScopeType
      - Label:
          default: "FMS Policy Resource Tagging"
        Parameters:
          - ResourceTagUsage
          - ScopeTagName1
          - ScopeTagValue1
          - ScopeTagName2
          - ScopeTagValue2
          - ScopeTagName3
          - ScopeTagValue3
Parameters:
  WAFRuleKey:
    Type: String
    Default: code/fms/fms-policy-waf-generator/policy-examples/default.json
  DefaultAction:
    Type: String
    Default: ALLOW
    AllowedValues:
      - ALLOW
      - BLOCK
  AccountScopeList:
    Type: CommaDelimitedList
    Description: A comma separated list of AWS account ID, uses for include/exclude based on Value of IncludeExcludeScope and if ScopeType is Accounts
    Default: <na>
  OUScopeList:
    Type: CommaDelimitedList
    Description: A comma separated list of AWS Organization OU's, uses for include/exclude based on Value of IncludeExcludeScope and if ScopeType is OU
    Default: <na>
  IncludeExcludeScope:
    Type: String
    Default: Include
    AllowedValues:
      - Include
      - Exclude
  PolicyName:
    Type: String
    Default: CloudFrontDefaultWAFPolicy
  ScopeType:
    Type: String
    Description: "Should Firewall Manager Policies be scoped to the entire org (root) or a specific list of OUs (OU)"
    Default: Org
    AllowedValues:
      - Org
      - OU
      - Accounts
  ResourceTagUsage:
    Type: String
    Default: Include
    AllowedValues:
      - Include
      - Exclude
  AutoRemediate:
    Type: String
    Description: "Should Firewall Manager automatically force attachment (true) or audit compliance (false) for all applicable resource types of the Default WAF Rule"
    Default: false
    AllowedValues:
      - true
      - false
  WebACLCloudFront:
    Type: String
    Default: true
    AllowedValues:
      - true
      - false
  OverrideCustomerWebACL:
    Type: String
    Description: Should this SecurityPolicy replace any assocaited WebACL's on scoped resources
    Default: false
    AllowedValues:
      - true
      - false
  ScopeTagName1:
    Type: String
    Default: <na>
  ScopeTagName2:
    Type: String
    Default: <na>
  ScopeTagName3:
    Type: String
    Default: <na>
  ScopeTagValue1:
    Type: String
    Default: <na>
  ScopeTagValue2:
    Type: String
    Default: <na>
  ScopeTagValue3:
    Type: String
    Default: <na>
  SSMParameterVersion:
    Type: String
    Default: Latest
Conditions:
  ScopeTagName1Flag: !Not [!Equals [!Ref ScopeTagName1, "<na>"]]
  ScopeTagName2Flag: !Not [!Equals [!Ref ScopeTagName2, "<na>"]]
  ScopeTagName3Flag: !Not [!Equals [!Ref ScopeTagName3, "<na>"]]
  ScopeTagValue1Flag: !Not [!Equals [!Ref ScopeTagValue1, "<na>"]]
  ScopeTagValue2Flag: !Not [!Equals [!Ref ScopeTagValue2, "<na>"]]
  ScopeTagValue3Flag: !Not [!Equals [!Ref ScopeTagValue3, "<na>"]]
  CreatePolicyFlag: !Equals [!Ref WebACLCloudFront, 'true']
  OUScopeFlag: !Equals [!Ref ScopeType, "OU"]
  AccountScopeFlag: !Equals [!Ref ScopeType, "Accounts"]
  ExcludeResourceTagFlag: !Equals [!Ref ResourceTagUsage, "Exclude"]
  IncludeScopeFlag: !Equals [!Ref IncludeExcludeScope, "Include"]
  ExcludeScopeFlag: !Equals [!Ref IncludeExcludeScope, "Exclude"]
Resources:
  SSMParameterPolicyConfig:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/fms-policy-generator-config/${PolicyName}"
      Type: String
      Value: |
        {"type":"WAFV2","preProcessRuleGroups":[{"ruleGroupArn":null,"overrideAction":{"type":"COUNT"},"managedRuleGroupIdentifier":{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesCommonRuleSet"},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true},{"ruleGroupArn":null,"overrideAction":{"type":"COUNT"},"managedRuleGroupIdentifier":{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesKnownBadInputsRuleSet"},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true},{"ruleGroupArn":null,"overrideAction":{"type":"COUNT"},"managedRuleGroupIdentifier":{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAmazonIpReputationList"},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true},{"ruleGroupArn":null,"overrideAction":{"type":"COUNT"},"managedRuleGroupIdentifier":{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesBotControlRuleSet"},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true},{"ruleGroupArn":null,"overrideAction":{"type":"COUNT"},"managedRuleGroupIdentifier":{"version":null,"vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesAnonymousIpList"},"ruleGroupType":"ManagedRuleGroup","excludeRules":[],"sampledRequestsEnabled":true}],"postProcessRuleGroups":[],"defaultAction":{"type":"ALLOW"},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":{"logDestinationConfigs":["firehosear"],"redactedFields":[],"loggingFilterConfigs":null},"sampledRequestsEnabledForDefaultActions":true}
      Tags:
        Application: fms-policy-waf-generator
        User: !Ref PolicyName
  GenerateFMSPolicyCFN:
    DependsOn: SSMParameterPolicyConfig
    Type: Custom::GenerateFMSPolicy
    Properties:
      ServiceToken: !ImportValue FMSPolicyBuilderLambdaArn
      ManagedServiceDataTemplate: !Sub "/fms-policy-generator-config/${PolicyName}"
      OverrideCustomerWebACLAssociation: !Ref OverrideCustomerWebACL
      SSMParameterVersion: !Ref "SSMParameterVersion"
      DefaultAction: !Ref DefaultAction
  FMSWAFPolicy:
    Condition: CreatePolicyFlag
    Type: AWS::FMS::Policy
    Properties:
      ExcludeResourceTags: !If [ExcludeResourceTagFlag, true, false]
      ResourceType: AWS::CloudFront::Distribution
      PolicyName: !Ref PolicyName
      Tags:
        - Key: User
          Value: !Ref PolicyName
      IncludeMap:
        ORGUNIT:
          !If [IncludeScopeFlag, !If [OUScopeFlag, !Ref OUScopeList, !Ref "AWS::NoValue"], !Ref "AWS::NoValue"]
        ACCOUNT:
          !If [IncludeScopeFlag, !If [AccountScopeFlag,  !Ref AccountScopeList, !Ref "AWS::NoValue"], !Ref "AWS::NoValue"]
      ExcludeMap:
        ORGUNIT:
          !If [ExcludeScopeFlag, !If [OUScopeFlag, !Ref OUScopeList, !Ref "AWS::NoValue"], !Ref "AWS::NoValue"]
        ACCOUNT:
          !If [ExcludeScopeFlag, !If [AccountScopeFlag,  !Ref AccountScopeList, !Ref "AWS::NoValue"], !Ref "AWS::NoValue"]
      RemediationEnabled: !Ref AutoRemediate
      DeleteAllPolicyResources: true
      SecurityServicePolicyData:
        Type: WAFV2
        ManagedServiceData: !GetAtt GenerateFMSPolicyCFN.Template
      #ResourceTags:
      ResourceTags:
        !If
        - ScopeTagName1Flag
        -
          - !If
            - ScopeTagName1Flag
            - Key:  !Ref ScopeTagName1
              Value: !If [ScopeTagValue1Flag, !Ref ScopeTagValue1, ""]
            - !Ref "AWS::NoValue"
          - !If
            - ScopeTagName2Flag
            - Key:  !Ref ScopeTagName2
              Value: !If [ScopeTagValue2Flag, !Ref ScopeTagValue2, ""]
            - !Ref "AWS::NoValue"
          - !If
            - ScopeTagName3Flag
            - Key:  !Ref ScopeTagName3
              Value: !If [ScopeTagValue3Flag, !Ref ScopeTagValue3, ""]
            - !Ref "AWS::NoValue"
        - !Ref "AWS::NoValue"