AWSTemplateFormatVersion: 2010-09-09
Description: Provisions HIPAA Ready Environment in AWS - Prod (qs-1rabh51ko)
Metadata:
  Identifier:
    Value: main
  Input:
    Description: Input of all required parameters in nested stacks
  Output:
    Description: N/A
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Production VPC configuration
      Parameters:
      - ProdVPCCIDRBlock
      - ProdVPCSubnet1
      - ProdVPCSubnet2
      - ProdVPCFlowLogLogGroupRetention
    ParameterLabels:
      ProdVPCCIDRBlock:
        default: Production VPC CIDR block
      ProdVPCSubnet1:
        default: Production Subnet 1 CIDR block
      ProdVPCSubnet2:
        default: Production Subnet 2 CIDR block
      ProdVPCFlowLogLogGroupRetention:
        default: Production VPC log group retention days
Parameters:
  ProdVPCCIDRBlock:
    Type: String
    Description: Production VPC CIDR block.
    AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
  ProdVPCSubnet1:
    Type: String
    Description: Production VPC private subnet 1.
    AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
  ProdVPCSubnet2:
    Type: String
    Description: Production VPC private subnet 2.
    AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
  ProdVPCFlowLogLogGroupRetention:
    Type: String
    Description: Production VPC flow logs log group retention days.
Resources:
  ProductionVPCFlowLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      RetentionInDays: !Ref ProdVPCFlowLogLogGroupRetention
  ProductionFlowLogsRole:
    Metadata:
      cfn-lint: { config: { ignore_checks: [ EIAMPolicyWildcardResource, EIAMPolicyActionWildcard ], ignore_reasons: [ EIAMPolicyWildcardResource: "Requires full access to function", EIAMPolicyActionWildcard: "Required for proper function" ] } }
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AllowFlowLogs
            Effect: Allow
            Principal:
              Service: vpc-flow-logs.amazonaws.com
            Action: 'sts:AssumeRole'
      Description: Production Flow Logs Role
      Path: /
      Policies:
        - PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                Resource: '*'
          PolicyName: Production-Flow-Logs-Role
      Tags:
        - Key: Name
          Value: Production VPC Flow Logs Role
        - Key: Purpose
          Value: Networking
  ProductionVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref ProdVPCCIDRBlock
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: Production VPC
        - Key: Purpose
          Value: Networking
    DependsOn:
      - ProductionVPCFlowLogGroup
  ProductionVPCFlowLogs:
    Type: 'AWS::EC2::FlowLog'
    Properties:
      ResourceId: !Ref ProductionVPC
      ResourceType: VPC
      TrafficType: ALL
      DeliverLogsPermissionArn: !GetAtt 
        - ProductionFlowLogsRole
        - Arn
      LogDestinationType: cloud-watch-logs
      LogGroupName: !Ref ProductionVPCFlowLogGroup
      Tags:
        - Key: Name
          Value: Production VPC Flow Logs
        - Key: Purpose
          Value: Networking
  ProductionCoreSubnet1:
    Type: 'AWS::EC2::Subnet'
    Properties:
      CidrBlock: !Ref ProdVPCSubnet1
      VpcId: !Ref ProductionVPC
      AvailabilityZone: !Select [ 0, !GetAZs "" ]
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Production Core Subnet 1
        - Key: Purpose
          Value: Networking
  ProductionCoreSubnet2:
    Type: 'AWS::EC2::Subnet'
    Properties:
      CidrBlock: !Ref ProdVPCSubnet2
      VpcId: !Ref ProductionVPC
      AvailabilityZone: !Select [ 1, !GetAZs "" ]
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Production Core Subnet 2
        - Key: Purpose
          Value: Networking
  ProductionPrivateRouteTable1:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref ProductionVPC
      Tags:
        - Key: Name
          Value: Production VPC Private Route Table 1
        - Key: Purpose
          Value: Networking
  ProductionCore1RouteAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref ProductionPrivateRouteTable1
      SubnetId: !Ref ProductionCoreSubnet1
  ProductionCore2RouteAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref ProductionPrivateRouteTable1
      SubnetId: !Ref ProductionCoreSubnet2
Outputs:
  ProductionCoreSubnet1:
    Value: !Ref ProductionCoreSubnet1
  ProductionCoreSubnet2:
    Value: !Ref ProductionCoreSubnet2
  ProductionVPC:
    Value: !Ref ProductionVPC
  ProductionPrivateRouteTable1:
    Value: !Ref ProductionPrivateRouteTable1
  Help:
    Description: For assistance or questions regarding this quickstart please email compliance-accelerator@amazon.com
    Value: ''