# Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.

AWSTemplateFormatVersion: 2010-09-09

Description: >-
  This cloudformation template enables creation of AWS lambda, IAM roles. 

Parameters:
  lambdas3bucket:
    Type: String
    Description: Name of S3 bucket storing lambda code

Mappings:
    lambda:
      log:
        level: 'INFO'

Resources:
  WafRateRuleReloadLambda:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref lambdas3bucket
        S3Key: RateRuleReload.zip
      Handler: RateRuleReload.handler
      Runtime: python3.7
      Timeout: 300
      FunctionName: WAF-Config_RateRule_reload
      Role: !GetAtt LambdaExecutionRole.Arn
      Environment:
        Variables:
          LOG_LEVEL: !FindInMap ["lambda", "log", "level"]
          REGION: !Sub ${AWS::Region}
          SECURITY_ACCOUNT: !Sub ${AWS::AccountId}

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: WAF-RateRuleReload-Lambda
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - lambda.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"

  LambdaExecutionPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: WAF-RateRuleReload_Policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action:
          - logs:CreateLogGroup
          - logs:CreateLogStream
          Resource: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/WAF-Config_RateRule_reload:*
        - Effect: Allow
          Action:
          - sts:AssumeRole
          Resource:
          - arn:aws:iam::*:role/WAF-RateRule-Reload
        - Effect: Allow
          Action:
          - fms:GetAdminAccount
          - fms:ListMemberAccounts
          - waf:GetWebACL
          - waf:ListWebACLs
          - waf:UpdateWebACL
          - organizations:DescribeOrganization
          Resource: !Sub "arn:aws:fms:*:${AWS::AccountId}:*/*"
      Roles:
      - !Ref LambdaExecutionRole