Description:  This template deploys a VPC, with a pair of public and private subnets spread
  across two Availability Zones. It deploys an internet gateway, with a default
  route on the public subnets. It deploys a pair of NAT gateways (one in each AZ),
  and default routes for them in the private subnets.

Parameters:
  RouteTable1:
    Description: The first routing table to use with the vpc endpoints
    Type: String

  RouteTable2:
    Description: The second routing table to use with the vpc endpoints
    Type: String

  RouteTable3:
    Description: The first routing table to use with the vpc endpoints
    Type: String

  Subnet1:
    Description: The subnet where the sqs endpoint is deployed
    Type: String

  Subnet2:
    Description: The second subnet where the sqs endpoint is deployed
    Type: String

  VPC:
    Description: The vpc where application resources run
    Type: String

  VPCCidrBlock:
    Description: The cidr block for the VPC
    Type: String


Resources:
  S3GatewayEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
              - s3:GetObjectAttributes
              - s3:GetObjectVersion
              - s3:GetObjectVersionAttributes
              - s3:PutObject
              - s3:PutObjectAcl
              - s3:PutObjectVersion
              - s3:PutObjectVersionAcl
            Resource:
              - 'arn:aws:s3:::*/*'
#            Condition:
#              StringEquals:
#                'aws:PrincipalAccount': "${AWS::AccountId}"
      RouteTableIds:
        - !Ref RouteTable1
        - !Ref RouteTable2
        - !Ref RouteTable3
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcId: !Ref VPC

  InterfaceEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for the processing handler function
      SecurityGroupEgress:
        - Description: Allow all outbound traffic
          IpProtocol: "tcp"
          CidrIp: !Ref VPCCidrBlock
          FromPort: "443"
          ToPort: "443"
      SecurityGroupIngress:
        - Description: Allow traffic from the VPC
          IpProtocol: "tcp"
          CidrIp: !Ref VPCCidrBlock
          FromPort: "443"
          ToPort: "443"
      VpcId: !Ref VPC

  SQSInterfaceEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sqs'
      VpcId: !Ref VPC
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref InterfaceEndpointSecurityGroup
      SubnetIds:
        - !Ref Subnet1
        - !Ref Subnet2

  StepFunctionsInterfaceEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.states'
      VpcId: !Ref VPC
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref InterfaceEndpointSecurityGroup
      SubnetIds:
        - !Ref Subnet1
        - !Ref Subnet2

  RekognitionInterfaceEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.rekognition'
      VpcId: !Ref VPC
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref InterfaceEndpointSecurityGroup
      SubnetIds:
        - !Ref Subnet1
        - !Ref Subnet2

Outputs:
  InterfaceEndpointSecurityGroup:
    Description: A reference to the security group
    Value: !Ref InterfaceEndpointSecurityGroup