---
AWSTemplateFormatVersion: 2010-09-09

Description: "This template creates lambda function required to configure 2 ADCs in HA pair across Availability Zones"

Parameters:
  ADCCustomPassword:
    Type: String
    AllowedPattern: '[.\S]{1,}'
    ConstraintDescription: Password length must be minimum 1 character.
      Whitespace characters not allowed.
    Description: Strong password recommended.
    NoEcho: true
  PrimaryManagementPrivateIP:
    Description: Primary Management Private IP
    Type: String
  LambdaSecurityGroupID:
    Type: String
  PrimaryServerPrivateSubnetID:
    Type: AWS::EC2::Subnet::Id
    Description: >-
      Private Subnet ID of an existing subnet dedicated for Primary Server ENI.
  SecondaryServerPrivateSubnetID:
    Type: AWS::EC2::Subnet::Id
    Description: >-
      Private Subnet ID of an existing subnet dedicated for Secondary Server ENI.
  SecondaryManagementPrivateIP:
    Description: Secondary Management Private IP
    Type: String

  QSS3BucketName:
    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
    ConstraintDescription: >-
      Quick Start bucket name can include numbers, lowercase letters, uppercase
      letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Description: >-
      S3 bucket name for the Quick Start assets. This bucket name can include
      numbers, lowercase letters, uppercase letters, and hyphens (-), but should
      not start or end with a hyphen. You can specify your own bucket if you
      copy all of the assets and submodules into it, if you want to override the
      Quick Start behavior for your specific implementation.
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: "^[0-9a-zA-Z-/]*/$"
    ConstraintDescription: >-
      Quick Start key prefix can include numbers, lowercase letters, uppercase
      letters, hyphens (-), and forward slash (/).
    Default: quickstart-citrix-adc-vpx/
    Description: >-
      [Note] The QSS3KeyPrefix should have to end with forward slash (/).
      S3 key prefix for the Quick Start assets. Quick Start key prefix can
      include numbers, lowercase letters, uppercase letters, hyphens (-), and
      forward slash (/).
    Type: String

Resources:
  ServersActiveRole:
    Type: AWS::IAM::Role
    Properties:
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} LambdaRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: lambdalogtocloudwatch
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                  - "logs:CreateExportTask"
                  - "logs:DescribeExportTask"
                Resource: !Sub "arn:${AWS::Partition}:logs:*:*:*"
        - PolicyName: lambdaallowreadec2
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - "ec2:DescribeInstances"
                  - "ec2:DescribeNetworkInterfaces"
                  - "ec2:DescribeSubnets"
                  - "ec2:DescribeVpcs"
                  - "ec2:DescribeAvailabilityZones"
                  - "ec2:DescribeInstanceStatus"
                Resource: "*"
                Effect: Allow
        - PolicyName: lambdaupdate
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - lambda:UpdateFunctionCode
                Resource: "*"
                Effect: Allow
        - PolicyName: lambdaallowvpcaccessexecution
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - "ec2:CreateNetworkInterface"
                  - "ec2:DeleteNetworkInterface"
                  - "ec2:AttachNetworkInterface"
                  - "ec2:DetachNetworkInterface"
                  - "ec2:ModifyNetworkInterfaceAttribute"
                  - "ec2:ResetNetworkInterfaceAttribute"
                Resource: "*"
                Effect: Allow
  ConfigureServersActiveActiveFunction:
    Type: AWS::Lambda::Function
    Properties:
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} LambdaFunction
      Code:
        S3Bucket: !Ref QSS3BucketName
        S3Key: !Sub ${QSS3KeyPrefix}functions/packages/adc/lambda-adc.zip
      Handler: lambda_servers_active_active.lambda_handler
      Runtime: python3.8
      Timeout: 900
      Role: !GetAtt ServersActiveRole.Arn
      VpcConfig:
        SubnetIds:
          - !Ref PrimaryServerPrivateSubnetID
          - !Ref SecondaryServerPrivateSubnetID
        SecurityGroupIds:
          - !Ref LambdaSecurityGroupID

  ConfigureServersActiveActiveCustomResource:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ADCCustomPassword: !Ref ADCCustomPassword
      ServiceToken: !GetAtt ConfigureServersActiveActiveFunction.Arn
      PrimaryADCPrivateNSIP: !Ref PrimaryManagementPrivateIP
      PrimaryADCServerPrivateSubnetID: !Ref PrimaryServerPrivateSubnetID
      SecondaryADCPrivateNSIP: !Ref SecondaryManagementPrivateIP
      SecondaryADCServerPrivateSubnetID: !Ref SecondaryServerPrivateSubnetID