# EFS Backup Solution
#
# template for efs-backup-solution
# **DO NOT DELETE**
#
# author: aws-solutions-builder@

AWSTemplateFormatVersion: '2010-09-09'

Description: (SO0031) - EFS-to-EFS Backup Solution template. Version %%VERSION%%

Parameters:
  # Source EFS on which restore will be performed
  SrcEFS:
    Description: Source EFS Id
    Type: String
    AllowedPattern: .+
    ConstraintDescription: cannot be blank

  # Interval tag for your backups; daily, weekly, monthly
  IntervalTag:
    Description: Interval label to identify backups
    Type: String
    Default: daily
    AllowedValues:
      - daily
      - weekly
      - monthly

  # Number of backups you want to retain
  Retain:
    Description: Backups you want to retain
    Type: Number
    Default: 7

  # Folder identifier where backup will be stored
  FolderLabel:
    Description: Folder for your backups
    Type: String
    Default: efs-backup

  # Backup window for which backup will run
  BackupWindow:
    Description: Backup window duration in minutes
    Type: Number
    Default: 180
    ConstraintDescription: must specify backup window in minutes
    AllowedValues:
    - 60
    - 90
    - 120
    - 150
    - 180
    - 240
    - 300
    - 360
    - 480
    - 600
    - 720
    - 840
    - 960
    - 1080
    - 1200
    - 1320

  # Schedule for the backup, cron(0 2 * * ? *)
  BackupSchedule:
    Description: "Schedule for running backup. Note: Backup operations should not overlap--especially if scheduling more frequent than daily, take into consideration how long a backup usually takes on the given dataset."
    Type: String
    Default: cron(0 2 * * ? *)
    AllowedPattern: .+
    ConstraintDescription: cannot be blank

  # Source EFS Prefix which you want to backup
  BackupPrefix:
    Description: Source prefix for backup
    Type: String
    Default: '/'
    AllowedPattern: .+
    ConstraintDescription: cannot be blank

  # Performance mode for backup EFS
  EFSMode:
    Description: Performance mode for backup EFS
    Type: String
    Default: generalPurpose
    AllowedValues:
      - generalPurpose
      - maxIO

  # If customer wants notification for successful backups
  SuccessNotification:
    Description: Do you want to be notified for successful backups? *for failure, you will always be notified
    Type: String
    AllowedValues:
      - "Yes"
      - "No"
    Default: "Yes"

  # VPCId for the EFS
  VpcId:
    Description: VPC where the source EFS has mount targets
    Type: AWS::EC2::VPC::Id
    AllowedPattern: .+
    ConstraintDescription: cannot be blank

  # List of SubnetIDs for EC2, must be same AZ as of EFS Mount Targets (Choose 2)
  Subnets:
    Description: List of SubnetIDs for EC2, must be same AZ as of EFS Mount Targets (Choose 2).  Must specify subnets in different AZs.
    Type: List<AWS::EC2::Subnet::Id>
    AllowedPattern: .+
    ConstraintDescription: cannot be blank

  # Email for notifications
  Email:
    Description: Email for backup notifications
    Type: String
    AllowedPattern: .+
    ConstraintDescription: cannot be blank

  # CW Dashboard
  Dashboard:
    Description: Do you want dashoard for your metrics?
    Type: String
    AllowedValues:
      - "Yes"
      - "No"
    Default: "Yes"

  # EFS Encryption
  EFSEncryption:
    Description: Do you want backup EFS to be encrypted?
    Type: String
    AllowedValues:
      - "Yes"
      - "No"
    Default: "Yes"

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Backup Configuration
        Parameters:
          - SrcEFS
          - IntervalTag
          - Retain
          - FolderLabel
          - BackupWindow
          - BackupSchedule
          - BackupPrefix
          - EFSMode
          - EFSEncryption
      - Label:
          default: EC2 Configuration
        Parameters:
          - VpcId
          - Subnets
      - Label:
          default: Notification & Dashboard
        Parameters:
          - SuccessNotification
          - Email
          - Dashboard
    ParameterLabels:
      IntervalTag:
        default: Interval Label
      Subnets:
        default: Subnet IDs
      SrcEFS:
        default: Source EFS
      FolderLabel:
        default: Folder Label
      BackupWindow:
        default: Backup Window
      BackupSchedule:
        default: Backup Schedule
      BackupPrefix:
        default: Backup Prefix
      EFSMode:
        default: EFS Mode
      SuccessNotification:
        default: Success Notification
      VpcId:
        default: VPC ID
      EFSEncryption:
        default: EFS Encryption

Mappings:
  Map:
    encryption: {"Yes": "true", "No": "false"}
    send-data: {"SendAnonymousData": "Yes"}
    c5.xlarge: {"Arch":"HVM64"}
    us-east-1: {"InstanceSize":"c5.xlarge"}
    us-east-2: {"InstanceSize":"c5.xlarge"}
    us-west-1: {"InstanceSize":"c5.xlarge"}
    us-west-2: {"InstanceSize":"c5.xlarge"}
    ca-central-1: {"InstanceSize":"c5.xlarge"}
    eu-west-1: {"InstanceSize":"c5.xlarge"}
    eu-central-1: {"InstanceSize":"c5.xlarge"}
    eu-west-2: {"InstanceSize":"c5.xlarge"}
    ap-southeast-1: {"InstanceSize":"c5.xlarge"}
    ap-southeast-2: {"InstanceSize":"c5.xlarge"}
    ap-northeast-1: {"InstanceSize":"c5.xlarge"}
    ap-northeast-2: {"InstanceSize":"c5.xlarge"}
    ap-south-1: {"InstanceSize":"c5.xlarge"}
    sa-east-1: {"InstanceSize":"c5.xlarge"}
  SourceCode:
    General:
      S3Bucket: "%%BUCKET_NAME%%"
      KeyPrefix: "%%SOLUTION_NAME%%/%%VERSION%%"

Conditions:
  DashboardOpt: !Equals [ !Ref Dashboard, "Yes" ]

Resources:
  #
  # EFS resources
  # [EFSSecurityGroup, EFSIngressRule, DstEFS, MountTarget0, MountTarget1]
  #
  EFSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F1000
            reason: "allowing all egress traffic"
    Properties:
      VpcId: !Sub ${VpcId}
      GroupDescription: !Sub SG for EFS backup solution ${AWS::StackName}

  EFSIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W36
            reason: "adding description causes replace during CFN update, causing a stack creation error"
          - id: W42
            reason: Allowing ICMP within the same security group only
    Properties:
      FromPort: -1
      GroupId: !Sub ${EFSSecurityGroup}
      IpProtocol: -1
      SourceSecurityGroupId: !Sub ${EFSSecurityGroup}
      ToPort: -1

  DstEFS:
    Type: AWS::EFS::FileSystem
    DeletionPolicy: Retain
    Properties:
      FileSystemTags:
        - Key: Name
          Value: !Sub efs-backup-${AWS::StackName}
      PerformanceMode: !Sub ${EFSMode}
      Encrypted: !FindInMap [Map, encryption, !Ref EFSEncryption]

  MountTarget0:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Sub ${DstEFS}
      SubnetId: !Select [ 0, !Ref Subnets ]
      SecurityGroups:
        - !Sub ${EFSSecurityGroup}

  MountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Sub ${DstEFS}
      SubnetId: !Select [ 1, !Ref Subnets ]
      SecurityGroups:
        - !Sub ${EFSSecurityGroup}

  #
  # EC2 resources
  # [BackupInstanceLaunchConfig, EFSAutoScalingGroup, LifecycleHook]
  #
  BackupInstanceLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !GetAtt AMIInfo.Id
      SecurityGroups:
        - !Sub ${EFSSecurityGroup}
      InstanceType: !FindInMap [Map, !Ref "AWS::Region", "InstanceSize"]
      IamInstanceProfile: !Sub ${InstanceProfile}
      UserData:
        # download and run efs-backup script
        # 12/28/2018 - EFS-21432 - adding retries for downloads
          Fn::Base64: !Sub
            - |
              #!/bin/bash
              # sudo yum install amazon-ssm-agent -y
              sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
              sudo start amazon-ssm-agent

              # SIM:V4488716 - 08/03/2018 - Support custom DHCP option
              # https://github.com/awslabs/efs-backup/issues/1
              cat <<EOT | sudo tee /etc/resolv.conf
              search amazonaws.com
              nameserver 169.254.169.253
              EOT

              curl --connect-timeout 5 --speed-time 5 --retry 10  --retry-delay 5 https://s3.${AWS::Region}.amazonaws.com/${S3Bucket}-${AWS::Region}/${KeyPrefix}/efs-ec2-backup.sh -o /home/ec2-user/efs-ec2-backup.sh
              curl --connect-timeout 5 --speed-time 5 --retry 10  --retry-delay 5 https://s3.${AWS::Region}.amazonaws.com/${S3Bucket}-${AWS::Region}/${KeyPrefix}/efs-backup-fpsync.sh -o /home/ec2-user/efs-backup-fpsync.sh

              chmod a+x /home/ec2-user/efs-ec2-backup.sh
              chmod a+x /home/ec2-user/efs-backup-fpsync.sh

              /home/ec2-user/efs-ec2-backup.sh ${SrcEFS} ${DstEFS} ${IntervalTag} ${Retain} ${FolderLabel} ${BackupPrefix}
            - S3Bucket: !FindInMap ["SourceCode", "General", "S3Bucket"]
              KeyPrefix: !FindInMap ["SourceCode", "General", "KeyPrefix"]

  EFSAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref Subnets
      LaunchConfigurationName: !Sub ${BackupInstanceLaunchConfig}
      MinSize: 0
      DesiredCapacity: 0
      MaxSize: 1
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-instance
          PropagateAtLaunch : true

  LifecycleHook:
    Type: AWS::AutoScaling::LifecycleHook
    Properties:
      AutoScalingGroupName: !Sub ${EFSAutoScalingGroup}
      LifecycleTransition: autoscaling:EC2_INSTANCE_TERMINATING
      HeartbeatTimeout: 3600

  #
  # Serverless resources
  # [Orchestrator, EFSDynamoDB, EFSLogBucket]
  #
  Orchestrator:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub ${AWS::StackName}
      Description: EFS Backup - Lambda function to create EFS backups
      Environment:
        Variables:
          instance_type: !FindInMap [Map, !Ref "AWS::Region", "InstanceSize"]
          autoscaling_group_name: !Sub ${EFSAutoScalingGroup}
          source_efs: !Sub ${SrcEFS}
          destination_efs: !Sub ${DstEFS}
          backup_prefix: !Sub ${BackupPrefix}
          folder_label: !Sub ${FolderLabel}
          table_name: !Sub ${EFSDynamoDB}
          backup_window_period: !Sub ${BackupWindow}
          backup_retention_copies: !Sub ${Retain}
          interval_tag: !Sub ${IntervalTag}
          s3_bucket: !Sub ${EFSLogBucket}
          topic_arn: !Sub ${SNSTopic}
          uuid: !Sub ${CreateUniqueID.UUID}
          send_anonymous_data: !FindInMap [Map, send-data, SendAnonymousData]
          notification_on_success: !Sub ${SuccessNotification}
          cw_dashboard: !Sub ${Dashboard}
          efs_mode: !Sub ${EFSMode}
      Handler: orchestrator.lambda_handler
      Role: !Sub ${OrchestratorRole.Arn}
      Code:
        S3Bucket: !Join ["-", [!FindInMap ["SourceCode", "General", "S3Bucket"], !Ref "AWS::Region"]]
        S3Key: !Join ["/", [!FindInMap ["SourceCode", "General", "KeyPrefix"], "efs_to_efs_backup.zip"]]
      Runtime: python3.8
      Timeout: 300

  EFSDynamoDB:
    Type: AWS::DynamoDB::Table
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: "leaving table name as is to prevent replacement during stack update"
    Properties:
        SSESpecification:
          SSEEnabled: true
        AttributeDefinitions:
          - AttributeName: BackupId
            AttributeType: S
        KeySchema:
          - AttributeName: BackupId
            KeyType: HASH
        # 12/28/2018 - EFS-21432 - DynamoDB on-demand capacity
        BillingMode: PAY_PER_REQUEST
        TimeToLiveSpecification:
          AttributeName: ExpireItem
          Enabled: true
        TableName: !Sub ${AWS::StackName}

  EFSLogBucket:
    Type: AWS::S3::Bucket
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W35
            reason: "for this bucket, access logging does not currently add significant value"
          - id: W51
            reason: The bucket is restricted from publis, so bucket policy is not needed.
    Properties:
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
    DeletionPolicy: Retain

  #
  # Cloudwatch events/rule resources
  # [EFSBackupStartEvent, BackupStartEventLambdaPermission, ASGEvent, ASGEventLambdaPermission]
  #
  EFSBackupStartEvent:
    Type: AWS::Events::Rule
    Properties:
      Description: Schedule to run EFS backup
      ScheduleExpression: !Sub ${BackupSchedule}
      State: ENABLED
      Targets:
        - Arn: !Sub ${Orchestrator.Arn}
          Id: OrchestratorEvent1
          Input: "{\"mode\" : \"backup\" , \"action\": \"start\"}"

  BackupStartEventLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Sub ${Orchestrator}
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !Sub ${EFSBackupStartEvent.Arn}

  ASGEvent:
    Type: AWS::Events::Rule
    Properties:
      Description: Rule to catch ASG Events
      EventPattern:
        source:
          - aws.autoscaling
        detail-type:
          - EC2 Instance-terminate Lifecycle Action
          - EC2 Instance Terminate Successful
        detail:
          AutoScalingGroupName:
            - !Sub ${EFSAutoScalingGroup}
      State: ENABLED
      Targets:
        - Arn: !Sub ${Orchestrator.Arn}
          Id: OrchestratorEvent1

  ASGEventLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Sub ${Orchestrator}
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !Sub ${ASGEvent.Arn}


  #
  # Dashboard and Notification resources
  # [CWDashboard, SNSTopic]
  #
  CWDashboard:
    Type: AWS::CloudWatch::Dashboard
    Condition: DashboardOpt
    Properties:
      DashboardName: !Sub ${AWS::StackName}-${AWS::Region}
      DashboardBody: !Sub '{"widgets":[{"type":"metric","x":0,"y":0,"width":18,"height":3,"properties":{"view":"singleValue","stacked":true,"metrics":[["AWS/EFS","BurstCreditBalance","FileSystemId","${SrcEFS}",{"stat":"Minimum"}],[".","PermittedThroughput",".","."],[".","TotalIOBytes",".",".",{"period":60,"stat":"Sum"}]],"region":"${AWS::Region}","title":"BurstCreditBalance, PermittedThroughput, TotalIOBytes - Source","period":300}},{"type":"metric","x":0,"y":3,"width":18,"height":3,"properties":{"view":"singleValue","stacked":false,"region":"${AWS::Region}","metrics":[["AWS/EFS","BurstCreditBalance","FileSystemId","${DstEFS}",{"period":60,"stat":"Average"}],[".","PermittedThroughput",".",".",{"period":60,"stat":"Average"}],[".","TotalIOBytes",".",".",{"period":60,"stat":"Sum"}]],"title":"BurstCreditBalance, PermittedThroughput, TotalIOBytes - Backup","period":300}},{"type":"text","x":18,"y":0,"width":6,"height":12,"properties":{"markdown":"\n# EFS Backup Solution \n \n Visit Solution:[LandingPage](http://aws.amazon.com/answers/infrastructure-management/efs-backup). \n A link to this dashboard: [${AWS::StackName}](#dashboards:name=${AWS::StackName}). \n"}},{"type":"metric","x":0,"y":6,"width":9,"height":6,"properties":{"view":"timeSeries","stacked":false,"metrics":[["AWS/Lambda","Errors","FunctionName","${Orchestrator}",{"stat":"Sum"}],[".","Invocations",".",".",{"stat":"Sum"}]],"region":"${AWS::Region}","period":300,"title":"Orchestrator"}},{"type":"metric","x":9,"y":6,"width":9,"height":6,"properties":{"view":"timeSeries","stacked":false,"metrics":[["AWS/DynamoDB","SuccessfulRequestLatency","TableName","${EFSDynamoDB}","Operation","UpdateItem",{"stat":"Sum"}],["...","PutItem",{"stat":"Sum"}]],"region":"${AWS::Region}","title":"Backup Table"}}]}'

  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      KmsMasterKeyId: "alias/aws/sns"
      Subscription:
      - Protocol: email
        Endpoint: !Sub ${Email}


  #
  # IAM resources
  # [OrchestratorRole, EC2Role, EC2RolePolicies, InstanceProfile]
  #
  OrchestratorRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "resource level permission not allowed"
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      Path: /
      Policies:
      - PolicyName: !Sub Orchestrator-Policy-${AWS::StackName}-${AWS::Region}
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*
          - Effect: Allow
            Action:
            - autoscaling:UpdateAutoScalingGroup
            Resource:
            - !Sub arn:aws:autoscaling:${AWS::Region}:${AWS::AccountId}:autoScalingGroup:*:autoScalingGroupName/${EFSAutoScalingGroup}
          - Effect: Allow
            Action:
            - cloudwatch:GetMetricStatistics # resource level permission not allowed
            Resource: '*'
          - Effect: Allow
            Action:
            - elasticfilesystem:DescribeFileSystems
            Resource:
            - !Sub arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/*
          - Effect: Allow
            Action:
            - events:DeleteRule
            - events:ListTargetsByRule
            - events:PutRule
            - events:PutTargets
            - events:RemoveTargets
            Resource: !Sub arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*
          - Effect: Allow
            Action:
            - dynamodb:GetItem
            - dynamodb:PutItem
            Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${EFSDynamoDB}
          - Effect: Allow
            Action:
            - sns:Publish
            Resource: !Sub arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${SNSTopic.TopicName}
          - Effect: Allow
            Action:
            - lambda:AddPermission
            - lambda:GetFunction
            - lambda:RemovePermission
            Resource: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:* # cannot mention Orchestrator lambda, as that will cause cyclic dependency
          - Effect: Allow
            Action:
            - ssm:SendCommand
            Resource:
            - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*
            - !Sub arn:aws:ssm:*:*:document/AWS-RunShellScript
            - !Sub arn:aws:s3:::${EFSLogBucket}/*


  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"

  EC2RolePolicies:
    Type: AWS::IAM::Policy
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W12
            reason: "resource level permission not allowed"
    Properties:
      PolicyName: !Sub ${AWS::StackName}-${AWS::Region}
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action:
          - autoscaling:CompleteLifecycleAction
          - autoscaling:SetDesiredCapacity
          Resource:
          - !Sub arn:aws:autoscaling:${AWS::Region}:${AWS::AccountId}:autoScalingGroup:*:autoScalingGroupName/${EFSAutoScalingGroup}
          - !Sub arn:aws:autoscaling:${AWS::Region}:${AWS::AccountId}:autoScalingGroup:*:autoScalingGroupName/${BackupInstanceLaunchConfig}
        - Effect: Allow
          Action:
          - dynamodb:UpdateItem
          Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${EFSDynamoDB}
        - Effect: Allow
          Action:
          - cloudwatch:GetMetricStatistics # resource level permission not allowed
          Resource: '*'
        - Effect: Allow
          Action:
          - s3:PutObject
          Resource: !Sub arn:aws:s3:::${EFSLogBucket}/*
        - Effect: Allow
          Action:
          - ec2:DescribeTags
          Resource: '*'
        # From the managed policy: AmazonSSMManagedInstanceCore
        - Effect: Allow
          Action:
            - ssm:DescribeAssociation
            - ssm:GetDeployablePatchSnapshotForInstance
            - ssm:GetDocument
            - ssm:DescribeDocument
            - ssm:GetManifest
            - ssm:GetParameter
            - ssm:GetParameters
            - ssm:ListAssociations
            - ssm:ListInstanceAssociations
            - ssm:PutInventory
            - ssm:PutComplianceItems
            - ssm:PutConfigurePackageResult
            - ssm:UpdateAssociationStatus
            - ssm:UpdateInstanceAssociationStatus
            - ssm:UpdateInstanceInformation
            - ssmmessages:CreateControlChannel
            - ssmmessages:CreateDataChannel
            - ssmmessages:OpenControlChannel
            - ssmmessages:OpenDataChannel
            - ec2messages:AcknowledgeMessage
            - ec2messages:DeleteMessage
            - ec2messages:FailMessage
            - ec2messages:GetEndpoint
            - ec2messages:GetMessages
            - ec2messages:SendReply
          Resource: "*"
      Roles:
      - !Sub ${EC2Role}

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
      - !Sub ${EC2Role}


  #
  # Helper Resources
  # [SolutionHelperRole, AMIInfoFunction, AMIInfo, SolutionHelper, CreateUniqueID]
  #
  SolutionHelperRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "resource level permission not allowed"
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      Path: /
      Policies:
      - PolicyName: Helper_Permissions
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*
          - Effect: Allow
            Action:
            - ec2:DescribeImages
            Resource: "*"

  AMIInfoFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Join ["-", [!FindInMap ["SourceCode", "General", "S3Bucket"], !Ref "AWS::Region"]]
        S3Key: !Join ["/", [!FindInMap ["SourceCode", "General", "KeyPrefix"], "amilookup.zip"]]
      Handler: amilookup.handler
      Runtime: nodejs12.x
      Timeout: 120
      Description: EFS Backup - This function is CloudFormation custom lambda resource that
         looks up the latest AMI ID.
      Role: !Sub ${SolutionHelperRole.Arn}

  AMIInfo:
    Type: Custom::AMIInfo
    Properties:
      ServiceToken: !GetAtt AMIInfoFunction.Arn
      Region: !Ref "AWS::Region"
      Architecture: !FindInMap [Map, !FindInMap [Map, !Ref "AWS::Region", "InstanceSize"], "Arch"]

  SolutionHelper:
    Type: AWS::Lambda::Function
    Properties:
      Handler: solution-helper.lambda_handler
      Role: !Sub ${SolutionHelperRole.Arn}
      Description: EFS Backup - This function is a CloudFormation custom lambda resource that
        generates UUID for each deployment.
      Code:
        S3Bucket: !Join ["-", [!FindInMap ["SourceCode", "General", "S3Bucket"], !Ref "AWS::Region"]]
        S3Key: !Join ["/", [!FindInMap ["SourceCode", "General", "KeyPrefix"], "efs_to_efs_backup.zip"]]
      Runtime: python3.8
      Timeout: 300

  CreateUniqueID:
    Type: Custom::LoadLambda
    Properties:
      ServiceToken: !Sub ${SolutionHelper.Arn}
      Region: !Sub ${AWS::Region}

  SendAnonymousMetrics:
    Type: Custom::SendAnonymousMetrics
    Properties:
      ServiceToken: !Sub ${SolutionHelper.Arn}
      Region: !Sub ${AWS::Region}
      SolutionId: SO0031
      SolutionVersion: "%%VERSION%%"
      SolutionUuid: !GetAtt CreateUniqueID.UUID
      EventType: backup
      SendAnonymousMetrics: !FindInMap [Map, send-data, SendAnonymousData]

Outputs:
  UUID:
    Description: Anonymous UUID for each stack deployment
    Value: !Sub ${CreateUniqueID.UUID}

  SNSTopic:
    Description: Topic for your backup notifications
    Value: !Sub ${SNSTopic.TopicName}

  SourceEFS:
    Description: Source EFS provided by user
    Value: !Sub ${SrcEFS}

  BackupEFS:
    Description: Backup EFS created by template
    Value: !Sub ${DstEFS}

  DashboardView:
    Condition: DashboardOpt
    Description: CloudWatch Dashboard to view EFS metrics
    Value: !Sub ${CWDashboard}

  LogBucket:
    Description: S3 bucket for your backup logs
    Value: !Sub ${EFSLogBucket}

  AmiId:
    Description: Ami Id vended in template
    Value: !GetAtt AMIInfo.Id

  EFSSecurityGroup:
    Description: Backup EFS security group
    Value: !Ref EFSSecurityGroup