# Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Cloudformation template to deploy managed policy, role, lambda for rate based
  rule implementation in AWS Organization
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: AWS Account ID of Security account governing Firewall/WAF
        Parameters:
          - SecurityAccountId
Parameters:
  SecurityAccountId:
    Type: String
Resources:
  # Role that principals in the security account can assume.
  # A bare account ID as the principal trusts the whole account: any identity
  # there that is allowed to call sts:AssumeRole on this role can use it.
  WafConfigRateRuleReloadRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: WAF-RateRule-Reload
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                - !Ref SecurityAccountId
        Version: '2012-10-17'
      Path: "/"
  # Managed policy attached to the role above: list, read and update WAFv2 web ACLs.
  # The Resource pattern is not limited to a specific web ACL, region or account.
  WafConfigRateRuleReloadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: Waf-RateRule-Reload_Policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - wafv2:GetWebACL
              - wafv2:UpdateWebACL
              - wafv2:ListWebACLs
            Resource:
              - arn:aws:wafv2:*:*:*/*/*
      Roles:
        - !Ref WafConfigRateRuleReloadRole