AWSTemplateFormatVersion: 2010-09-09

Description: >-
  Creates an EFS file system and mount points. **WARNING** You will be billed for the AWS
  resources used if you create a stack from this template.

Metadata:
  LICENSE: Apache License Version 2.0
  cfn-lint:
    config:
      ignore_checks:
        # Check for QSID
        - E9008

  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: FileSystem configuration
        Parameters:
          - EFSPerformanceMode
          - EFSThroughputMode
          - EFSProvisionedThroughputInMibps
      - Label:
          default: Network configuration
        Parameters:
          - PrivateSubnet1AID
          - PrivateSubnet2AID
          - PrivateSubnet3AID
          - FileSystemSecurityGroupId
    ParameterLabels:
      EFSPerformanceMode:
        default: EFS FileSystem Performance mode
      EFSThroughputMode:
        default: EFS FileSystem Throughput mode
      EFSProvisionedThroughputInMibps:
        default: EFS Provisioned Throughput In Mibps
      PrivateSubnet1AID:
        default: Private subnet 1 ID
      PrivateSubnet2AID:
        default: Private subnet 2 ID
      PrivateSubnet3AID:
        default: Private subnet 3 ID
      FileSystemSecurityGroupId:
        default: FileSystem security group ID

Parameters:
  PrivateSubnet1AID:
    Type: 'AWS::EC2::Subnet::Id'
    Description: Subnet Id for private subnet 1 located in Availability Zone 1.
    AllowedPattern: '^subnet-[a-zA-Z0-9]*$'
    ConstraintDescription: Invalid subnet id
  PrivateSubnet2AID:
    Type: 'AWS::EC2::Subnet::Id'
    Description: Subnet Id for private subnet 2 located in Availability Zone 2.
    AllowedPattern: '^subnet-[a-zA-Z0-9]*$'
    ConstraintDescription: Invalid subnet id
  PrivateSubnet3AID:
    Type: String
    Description: Subnet Id for private subnet 3 located in Availability Zone 3.
    Default: ''
  FileSystemSecurityGroupId:
    Type: 'AWS::EC2::SecurityGroup::Id'
    Description: The group ID of the specified security group, such as sg-94b3a1f6.
    AllowedPattern: '^sg-[a-zA-Z0-9]*$'
    ConstraintDescription: Please select FileSystemSecurityGroupId security group.
  EFSProvisionedThroughputInMibps:
    Type: Number
    Default: 0
    Description: The throughput, measured in MiB/s, that you want to provision for a file system that you're creating. Valid values are 1-1024. Required if ThroughputMode is set to provisioned.
    MinValue: 0
    MaxValue: 1024
  EFSPerformanceMode:
    Type: String
    Default: generalPurpose
    Description: The performance mode of the file system.
    AllowedValues:
      - generalPurpose
      - maxIO
  EFSThroughputMode:
    Type: String
    Default: bursting
    Description: Specifies the throughput mode for the file system, either bursting or provisioned.
    AllowedValues:
      - bursting
      - provisioned

Rules:
  ProvisionedThroughput:
    RuleCondition: !Equals 
      - !Ref EFSThroughputMode
      - provisioned
    Assertions:
      - Assert: !Not 
          - !Equals 
            - '0'
            - !Ref EFSProvisionedThroughputInMibps
        AssertDescription: >-
          EfsProvisionedThroughputInMibps must be greater than 0 when ThroughputMode is provisioned
  BurstingThroughput:
    RuleCondition: !Equals 
      - !Ref EFSThroughputMode
      - bursting
    Assertions:
      - Assert: !Equals 
          - '0'
          - !Ref EFSProvisionedThroughputInMibps
        AssertDescription: >-
          EfsProvisionedThroughputInMibps must be 0 when ThroughputMode is bursting

Conditions:
  IsProvisioned: !Equals 
    - !Ref EFSThroughputMode
    - provisioned
  3AZDeployment: !Not 
    - !Equals 
      - !Ref PrivateSubnet3AID
      - ''

Resources:
  EFSFileSystem:
    Type: 'AWS::EFS::FileSystem'
    Properties:
      Encrypted: 'true'
      PerformanceMode: !Ref EFSPerformanceMode
      ProvisionedThroughputInMibps: !If 
        - IsProvisioned
        - !Ref EFSProvisionedThroughputInMibps
        - !Ref 'AWS::NoValue'
      ThroughputMode: !Ref EFSThroughputMode
      FileSystemTags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-EFS'
  MountTargetPrivateSubnet1:
    Type: 'AWS::EFS::MountTarget'
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SecurityGroups:
        - !Ref FileSystemSecurityGroupId
      SubnetId: !Ref PrivateSubnet1AID
  MountTargetPrivateSubnet2:
    Type: 'AWS::EFS::MountTarget'
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SecurityGroups:
        - !Ref FileSystemSecurityGroupId
      SubnetId: !Ref PrivateSubnet2AID
  MountTargetPrivateSubnet3:
    Condition: 3AZDeployment
    Type: 'AWS::EFS::MountTarget'
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SecurityGroups:
        - !Ref FileSystemSecurityGroupId
      SubnetId: !Ref PrivateSubnet3AID

Outputs:
  FileSystemId:
    Description: The ID of your EFS file system.
    Value: !GetAtt 
      - EFSFileSystem
      - FileSystemId