AWSTemplateFormatVersion: 2010-09-09
Description: Provisions HIPAA Ready Environment in AWS - Dev (qs-1rabh51jr)
Metadata:
  Identifier:
    Value: main
  Input:
    Description: Input of all required parameters in nested stacks
  Output:
    Description: N/A
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Development VPC configuration
      Parameters:
      - DevVPCCIDRBlock
      - DevVPCSubnet1
      - DevVPCSubnet2
      - DevVPCFlowLogLogGroupRetention
    ParameterLabels:
      DevVPCCIDRBlock:
        default: Development VPC CIDR block
      DevVPCSubnet1:
        default: Development Subnet 1 CIDR block
      DevVPCSubnet2:
        default: Development Subnet 2 CIDR block
      DevVPCFlowLogLogGroupRetention:
        default: Development VPC log group retention days
Parameters:
  DevVPCCIDRBlock:
    Type: String
    Description: Development VPC CIDR block.
    AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
  DevVPCSubnet1:
    Type: String
    Description: Development VPC private subnet 1.
    AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
  DevVPCSubnet2:
    Type: String
    Description: Development VPC private subnet 2.
    AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
  DevVPCFlowLogLogGroupRetention:
    Type: String
    Description: Development VPC flow logs log group retention days.
Resources:
  DevelopmentVPCFlowLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      RetentionInDays: !Ref DevVPCFlowLogLogGroupRetention
  DevelopmentFlowLogsRole:
#    Metadata:
#      cfn-lint: { config: { ignore_checks: [ EIAMPolicyWildcardResource, EIAMPolicyActionWildcard ], ignore_reasons: [ EIAMPolicyWildcardResource: "Requires full access to function", EIAMPolicyActionWildcard: "Required for proper function" ] } }
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AllowFlowLogs
            Effect: Allow
            Principal:
              Service: vpc-flow-logs.amazonaws.com
            Action: 'sts:AssumeRole'
      Description: Development Flow Logs Role
      Path: /
      Policies:
        - PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                Resource: !Sub '${DevelopmentVPCFlowLogGroup.Arn}'
          PolicyName: Development-Flow-Logs-Role
      Tags:
        - Key: Name
          Value: Development VPC Flow Logs Role
        - Key: Purpose
          Value: Networking
  DevVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref DevVPCCIDRBlock
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: Development VPC
        - Key: Purpose
          Value: Networking
    DependsOn:
      - DevelopmentVPCFlowLogGroup
  DevelopmentVPCFlowLogs:
    Type: 'AWS::EC2::FlowLog'
    Properties:
      ResourceId: !Ref DevVPC
      ResourceType: VPC
      TrafficType: ALL
      DeliverLogsPermissionArn: !GetAtt 
        - DevelopmentFlowLogsRole
        - Arn
      LogDestinationType: cloud-watch-logs
      LogGroupName: !Ref DevelopmentVPCFlowLogGroup
      Tags:
        - Key: Name
          Value: Development VPC Flow Logs
        - Key: Purpose
          Value: Networking
  DevCoreSubnet1:
    Type: 'AWS::EC2::Subnet'
    Properties:
      CidrBlock: !Ref DevVPCSubnet1
      VpcId: !Ref DevVPC
      AvailabilityZone: !Select [ 0, !GetAZs "" ]
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Development Core Subnet 1
        - Key: Purpose
          Value: Networking
  DevCoreSubnet2:
    Type: 'AWS::EC2::Subnet'
    Properties:
      CidrBlock: !Ref DevVPCSubnet2
      VpcId: !Ref DevVPC
      AvailabilityZone: !Select [ 1, !GetAZs "" ]
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Development Core Subnet 2
        - Key: Purpose
          Value: Networking
  DevPrivateRouteTable1:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref DevVPC
      Tags:
        - Key: Name
          Value: Development VPC Private Route Table 1
        - Key: Purpose
          Value: Networking
  DevCore1RouteAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref DevPrivateRouteTable1
      SubnetId: !Ref DevCoreSubnet1
  DevCore2RouteAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref DevPrivateRouteTable1
      SubnetId: !Ref DevCoreSubnet2
Outputs:
  DevelopmentVPCSubnet1:
    Value: !Ref DevCoreSubnet1
  DevelopmentVPCSubnet2:
    Value: !Ref DevCoreSubnet2
  DevelopmentVPC:
    Value: !Ref DevVPC
  DevelopmentPrivateRouteTable1:
    Value: !Ref DevPrivateRouteTable1
  Help:
    Description: For assistance or questions regarding this quickstart please email compliance-accelerator@amazon.com
    Value: ''