# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Template for StackSet to create cross account role accessible by Network VPC account'

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Required Parameters
        Parameters:
            - networkAccountId
            - organizationId
    ParameterLabels:
      networkAccountId:
        default: AWS Account ID for Network Services
      organizationId:
        default: The unique ID for your AWS Organization

Parameters:
  networkAccountId:
    Type: String
    Description: Account ID of the shared network resources
    AllowedPattern: '^\d{12}$'
  organizationId:
    Type: String
    Description: Organization ID beginning with o-
    AllowedPattern: '^o-[a-z0-9]{10,32}'

Conditions:
  IsNetworkAccount: !Equals [!Ref networkAccountId, !Ref AWS::AccountId] 
  NotNetworkAccount: !Not [!Equals [!Ref networkAccountId, !Ref AWS::AccountId]]

Resources:
## ToDo set to only deploy once when deploying multi region
  NetworkParameterExecutionRole:
    Type: 'AWS::IAM::Role'
    Condition: NotNetworkAccount
    Properties:
      RoleName: NetworkParameterExecutionRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${networkAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              StringLike:
                aws:PrincipalArn: '*NetworkParameterAdminRole'
              StringEquals:
                aws:PrincipalOrgID: !Ref organizationId
      Policies:
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:DescribeStacks
                  - cloudformation:DeleteStack
                  - cloudformation:UpdateStack
                Resource: 'arn:aws:cloudformation:*:*:stack/StackSet-*'
              - Effect: Allow
                Action:
                  - sns:*
                Resource: '*'
              - Effect: Allow
                Action:
                  - ssm:PutParameter
                  - ssm:DeleteParameter
                  - ssm:AddTagsToResource
                Resource: 'arn:aws:ssm:*:*:parameter/Network/*'
          PolicyName: NetworkParameterExecutionPolicy
  
  # IAM Role for Lambda function that creates parameter store items across accounts
  NetworkParameterAdminRole:
    Type: 'AWS::IAM::Role'
    Condition: IsNetworkAccount
    Properties:
      RoleName: NetworkParameterAdminRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: shareVpcParameters
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: arn:aws:iam::*:role/NetworkParameterExecutionRole