---
AWSTemplateFormatVersion: 2010-09-09
Description: SCP account register cloudformation template.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Parameters for the new created account
        Parameters:
          - MemberAccountID
          - OrganizationUnitID
          - CreateCloudTrail
Parameters:
  MemberAccountID:
    Description: "Enter Member Account ID to apply the SCP policy."
    Type: String
    AllowedPattern: (\d{12}|^$)
    ConstraintDescription: Must be a valid AWS account ID.
  OrganizationUnitID:
    Description: "AWS Organization Unit ID of the Member Account (Please ensure <OrganizationUnitID>.json does exist in the dedicated S3 bucket for SCP)"
    Type: String
    AllowedPattern: ".+"
    ConstraintDescription: "Enter the AWS Organization Unit ID of the Member Account"
  CreateCloudTrail:
    Description: "The option to create dedicated CloudTrail in the member account to capture the IAM events."
    Type: String
    AllowedValues:
      - yes
      - no
    Default: yes

Resources:
  SCPAccountRegister:
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: "scp-account-register.main"
      Runtime: "python3.6"
      Role: "{{resolve:ssm:/scp/scp-account-register-role-arn}}"
      Timeout: 900
      TracingConfig:
        Mode: "Active"
      Code:
        S3Bucket: "{{resolve:ssm:/scp/cloudformation-s3-bucket-name}}"
        S3Key: "scp-account-register.zip"
      Environment:
        Variables:
          "MANAGEMENT_ACCOUNT_ID": "{{resolve:ssm:/scp/management-account-id}}"
          "ACCOUNT_ID": !Ref MemberAccountID
          "OU_ID": !Ref OrganizationUnitID
          "CREATE_SCP_TRAIL": !Ref CreateCloudTrail
          "DYNAMODB_TABLE_ARN": "{{resolve:ssm:/scp/dynamodb-arn}}"
          "SNS_TOPIC_ARN": "{{resolve:ssm:/scp/sns-topic-arn}}"
          "SCP_EVENT_BUS_ARN": "{{resolve:ssm:/scp/event-bus-arn}}"
          "SCP_EVENT_RULE_ARN": "{{resolve:ssm:/scp/event-rule-arn}}"
          "S3_BUCKET_NAME": "{{resolve:ssm:/scp/permission-boundary-s3-bucket-name}}"
          "ORGANIZATION_ROLE": "{{resolve:ssm:/scp/organization-access-role-name}}"
          "WHITELIST_ROLE_NAME": "{{resolve:ssm:/scp/whitelist-role-name-list}}"
          "PERMISSION_BOUNDARY_NAME": "{{resolve:ssm:/scp/permission-boundary-name}}"
          "READ_POLICY_STATEMENT_SID": "{{resolve:ssm:/scp/read-policy-statement-id}}"
          "S3_OBJECT_FOLDER": "{{resolve:ssm:/scp/s3-object-folder}}"
          "MANAGEMENT_ACCOUNT_ACCESS_ROLE": "{{resolve:ssm:/scp/management-account-access-role}}"

  TriggerLambda:
    Type: "Custom::TriggerLambda"
    Properties:
      ServiceToken: !GetAtt SCPAccountRegister.Arn
      MemberAccountID: !Ref MemberAccountID
      OrganizationUnitID: !Ref OrganizationUnitID
      CreateCloudTrail: !Ref CreateCloudTrail
Outputs:
  MemberAccountID:
    Description: The member account id.
    Value:
      Ref: MemberAccountID
  OrganizationUnitID:
    Description: The Organization Unit ID of the member account.
    Value:
      Ref: OrganizationUnitID