---
#-----------------------------------------------------------------------------------------------------------------------
#   Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
#  with the License. A copy of the License is located at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
#  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
#  and limitations under the License.
#-----------------------------------------------------------------------------------------------------------------------
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: CDF Deployment Helper (AWS Connected Device Framework)

Parameters:
  Environment:
    Description: Name of environment.  Used to name the created resources.
    Type: String
    MinLength: 1
  ArtifactsBucket:
    Description: Name of environment.  Used to name the created resources.
    Type: String

  CDFSecurityGroupId:
    Description: |
      ID of an existing security group to deploy CDF and/or AssetLibrary into if an existing VPC is to be used.
      A new security group will be created if not provided.
    Type: String
  PrivateSubnetIds:
    Description: |
      ID of existing private subnetIds to deploy CDF and/or AssetLibrary into if an existing VPC is to be used.
      New private subnets will be created if not provided.
    Type: CommaDelimitedList
Resources:
  CustomResourceVPCLambda:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub 'cdf-cfnCustomResourcesVPC-${Environment}'
      CodeUri: ../bundle.zip
      Handler: lambda_custom_resource_proxy.handler
      MemorySize: 512
      Role: !GetAtt CustomResourceLambdaVPCRole.Arn
      Runtime: nodejs16.x
      Timeout: 60
      Tracing: Active
      VpcConfig:
        SubnetIds: !Ref PrivateSubnetIds
        SecurityGroupIds:
          - !Ref CDFSecurityGroupId
      Environment:
        Variables:
          APP_CONFIG_DIR: 'config'
          COMMANDANDCONTROL_API_FUNCTION_NAME: !Sub 'cdf-commandandcontrol-rest-${Environment}'
          COMMANDANDCONTROL_MODE: lambda

  CustomResourceLambdaVPCRole:
    Type: AWS::IAM::Role
    Properties:
      Description: 'CDF Core application configuration override'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      Path: '/'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSLambdaExecute
        - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
        - arn:aws:iam::aws:policy/AWSIoTFullAccess
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
        - !Ref CustomResourceLambdaVPCPolicies

  CustomResourceLambdaVPCPolicies:
    Type: 'AWS::IAM::ManagedPolicy'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W13
            reason: 'EC2 full access on resources is to manage unnamed resources'
    Properties:
      Description: 'CDF Core application configuration override'
      Path: '/'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: 'iot'
            Action:
              - 'iot:*'
            Effect: Allow
            Resource: '*'
          - Sid: 'sts'
            Action:
              - 'sts:*'
            Effect: Allow
            Resource: '*'
          - Sid: 'eventbridge'
            Action:
              - 'events:PutEvents'
            Effect: Allow
            Resource: '*'
          - Sid: 'iampassrole'
            Action:
              - 'iam:PassRole'
            Effect: Allow
            Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/cdf-*'
          - Effect: Allow
            Action:
              - 's3:ListBucket'
              - 's3:GetObject'
            Resource:
              - !Sub 'arn:aws:s3:::${ArtifactsBucket}'
          - Action:
              - 'ec2:DescribeVpcEndpoints'
            Effect: Allow
            Resource: '*'
          - Sid: 'lambda'
            Action:
              - 'lambda:AddPermission'
              - 'lambda:CreateEventSourceMapping'
              - 'lambda:DeleteEventSourceMapping'
              - 'lambda:ListEventSourceMappings'
            Effect: Allow
            Resource: '*'
          - Action:
              - 'lambda:Invoke*'
            Effect: Allow
            Resource:
              - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cdf-*'

  CustomResourceVpcLambdaArnSsmParameter:
    Type: 'AWS::SSM::Parameter'
    Properties:
      Description: Custom Resource VPC Lambda ARN
      Name: !Sub '/cdf/deployment-helper-vpc/${Environment}/CustomResourceVpcLambdaArn'
      Type: String
      Value: !GetAtt CustomResourceVPCLambda.Arn

  NotAvailableSsmParameter:
    Type: 'AWS::SSM::Parameter'
    Properties:
      Description: Store Emptry string in SSM parameter to be used for optional parameter
      Name: !Sub '/cdf/deployment-helper-vpc/${Environment}/NotAvailable'
      Type: String
      Value: 'N/A'

Outputs:
  CustomResourceVpcLambdaArn:
    Value: !GetAtt CustomResourceVPCLambda.Arn
    Export:
      Name: !Sub 'cdf-deployment-helper-vpc-${Environment}-customResourceVpcLambdaArn'