AWSTemplateFormatVersion: '2010-09-09'
Description: Creates R53 records and ACM Certificate. ACM certificate is for all subdomains for the specified domain name. (qs-1sflpub56)
Metadata:
  cfn-lint:
    config:
      ignore_checks:
        - W9002
        - W9003
        - W9006
Parameters:
  DomainName:
    Type: String
    Description: Domain Name configured for the cluster.
  HostedZoneID:
    Type: AWS::Route53::HostedZone::Id
    Description: Route 53 Hosted Zone ID to use. If left blank, Route 53
      will not be configured and DNS must be setup manually. If you specify this,
      you must also specify DomainName
#    MaxLength: 32
  LogBucket:
      Type: String
      Description: Bucket to write logs to
  QSS3BucketName:
    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
    ConstraintDescription: Quick Start bucket name can include numbers, lowercase
      letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen
      (-).
    Default: aws-quickstart
    Description: S3 bucket name for the Quick Start assets. This string can include
      numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start
      or end with a hyphen (-).
    Type: String
  QSS3BucketRegion:
    Default: 'us-east-1'
    Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.'
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: "^[0-9a-zA-Z-/]*$"
    ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters,
      uppercase letters, hyphens (-), and forward slash (/).
    Default: ''
    Description: S3 key prefix for the Quick Start assets. Quick Start key prefix
      can include numbers, lowercase letters, uppercase letters, hyphens (-), and
      forward slash (/).
    Type: String
  QSTagKey:
    Type: String
    Description: Tag key to identify resources from this Quick Start
  QSTagValue:
    Type: String
    Description: Tag value to identify resources from this Quick Start

Conditions:
  UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']

Resources:
  CopyLambdaStack:
    Type: AWS::CloudFormation::Stack
    Properties: 
      TemplateURL:
        !Sub
          - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/copy-lambdas.template
          - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
            S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        LogBucket: !Ref LogBucket
        QSS3BucketName: !Ref QSS3BucketName
        QSS3BucketRegion: !Ref QSS3BucketRegion
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
        QSTagKey: !Ref QSTagKey
        QSTagValue: !Ref QSTagValue
      Tags:
      - Key: !Ref QSTagKey
        Value: !Ref QSTagValue
  ACMCertificateRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      ManagedPolicyArns:
      - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Path: "/"
      Policies:
      - PolicyName: lambda-acm
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - acm:RequestCertificate
            - acm:DescribeCertificate
            - acm:DeleteCertificate
            Resource:
            - "*"
          - Effect: Allow
            Action:
            - lambda:InvokeFunction
            Resource:
            - "*"
          - Effect: Allow
            Action:
            - route53:ChangeResourceRecordSets
            Resource:
            - !Sub arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneID}
          - Effect: Allow
            Action:
            - logs:FilterLogEvents
            Resource:
            - "*"
  ACMCertificateLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: Creates and verifies an ACM certificate using DNS validation and Route53
      Handler: lambda_function.handler
      Runtime: python3.7
      Role: !GetAtt ACMCertificateRole.Arn
      Timeout: 600
      Tags:
      - Key: !Ref QSTagKey
        Value: !Ref QSTagValue
      Code:
        S3Bucket: !GetAtt CopyLambdaStack.Outputs.LambdaZipsBucket
        S3Key: !Sub "${QSS3KeyPrefix}functions/packages/ACMCert/lambda.zip"
  ACMCertificateDNS:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken: !GetAtt ACMCertificateLambda.Arn
      HostedZoneId: !Ref HostedZoneID
      HostNames:
      - !Ref DomainName
      - !Sub '*.${DomainName}'

Outputs:
  ACMCertificate:
    Description: ARN of the ACM-Generated SSL Certificate
    Value: !GetAtt ACMCertificateDNS.Arn
  LambdaZipsBucket:
    Value: !GetAtt CopyLambdaStack.Outputs.LambdaZipsBucket
    Description: Bucket of Lambda Artifacts