src/template.yml

# Copyright Amazon.com Inc. or its affiliates.
# SPDX-License-Identifier: Apache-2.0

AWSTemplateFormatVersion: "2010-09-09"
Transform: "AWS::Serverless-2016-10-31"
Description: ADF CloudFormation Initial Base Stack for the Management Account in the us-east-1 region.

Metadata:
  AWS::ServerlessRepo::Application:
    Name: aws-deployment-framework
    Description: >-
      The AWS Deployment Framework (ADF) is an extensive and flexible framework to manage and
      deploy resources across multiple AWS accounts and regions based on AWS Organizations.
    Author: AWS ADF Builders Team
    SpdxLicenseId: Apache-2.0
    LicenseUrl: ../LICENSE.txt
    ReadmeUrl: ../docs/installation-guide.md
    Labels:
      ["adf", "aws-deployment-framework", "multi-account", "cicd", "devops"]
    HomePageUrl: https://github.com/awslabs/aws-deployment-framework
    SemanticVersion: 4.0.0
    SourceCodeUrl: https://github.com/awslabs/aws-deployment-framework

Mappings:
  Metadata:
    ADF:
      Version: 4.0.0

Parameters:
  CrossAccountAccessRoleName:
    Type: String
    Default: OrganizationAccountAccessRole
    AllowedPattern: "[a-zA-Z0-9_+=,.@\\-]+"

  MainNotificationEndpoint:
    Type: String
    Default: ""
    Description: >-
      Example -> jane@example.com. (Only required when installing ADF for the
      first time.)

  DeploymentAccountName:
    Type: String
    Default: ""
    AllowedPattern: "[\\s\\S]*"
    MinLength: 0
    MaxLength: 50
    Description: >-
      The name of the new or existing deployment account. (Only required when
      installing ADF for the first time.)

  DeploymentAccountEmailAddress:
    Type: String
    Default: ""
    Description: >-
      The email address for the new or existing deployment account. (Only required when
      installing ADF for the first time.)

  DeploymentAccountAlias:
    Type: String
    Default: ""
    AllowedPattern: "([a-z0-9](([a-z0-9]|-(?!-))*[a-z0-9])?)?"
    MinLength: 0
    MaxLength: 63
    Description: >-
      Example -> companyname-deployment (Must be globally unique. Only required when
      installing ADF for the first time.)

  DeploymentAccountId:
    Type: String
    AllowedPattern: "(\\d{12})?"
    Default: ""
    Description: >-
      Example -> 123456789012  (Only supported when installing ADF for the first time
      and you have an existing AWS Account that you wish to use as the deployment
      account. Leave blank otherwise.)

  DeploymentAccountMainRegion:
    Type: String
    AllowedPattern: "(us(-gov)?|ap|ca|eu|sa)-(central|(north|south)?(east|west)?)-\\d"
    MinLength: 6
    Description: "Example -> us-east-1, us-gov-west-1, eu-west-1"

  DeploymentAccountTargetRegions:
    Type: CommaDelimitedList
    Default: ""
    Description: >-
      (Optional) Example -> us-east-1, us-west-1, eu-west-3. (Only supported when
      installing ADF for the first time. If you would like to update this later,
      please look at the adfconfig.yml file in the aws-deployment-framework-bootstrap
      repository.)

  ProtectedOUs:
    Type: CommaDelimitedList
    Default: ""
    Description: >-
      (Optional) Example -> ou-123,ou-234 (Only supported when installing ADF for
      the first time. If you would like to update this later, please look at the
      adfconfig.yml file in the aws-deployment-framework-bootstrap repository.)

  LogLevel:
    Description: >-
      At what Log Level the ADF should operate, default is INFO.
      Valid options are: DEBUG, INFO, WARN, ERROR, and CRITICAL.
    Type: String
    Default: "INFO"
    AllowedValues:
      - DEBUG
      - INFO
      - WARN
      - ERROR
      - CRITICAL

  AllowBootstrappingOfManagementAccount:
    Description: >-
      Would ADF need to bootstrap the Management Account of your AWS
      Organization too? If so, set this to "Yes".

      Only set this to "Yes" if a pipeline will deploy to the management
      account. Or if you need some of the bootstrap resources in the
      management account too.

      Please be careful: if you plan to set this to "Yes", make sure
      that the management account is in a dedicated organization unit
      that has bare minimum IAM permissions to deploy. Only grant access
      to resource types that are required using least-privilege!

      If you set/leave this at "No", make sure the management organization is
      in the root of your AWS Organization structure. Or in a dedicated
      organization unit and add the organization unit id to the protected
      organization unit list via the (ProtectedOUs) parameter.

      If not, leave at the default of "No".
      Valid options are: Yes, No
    Type: String
    Default: "No"
    AllowedValues:
      - "Yes"
      - "No"

  GrantOrgWidePrivilegedBootstrapAccessUntil:
    Description: >-
      When set at a date in the future, ADF will use the privileged
      cross-account access role to bootstrap the accounts. This is useful
      in situations where you are reworking the IAM permissions of the
      ADF bootstrap stacks (global-iam.yml). In some cases, setting this
      in the future might be required to upgrade ADF to newer versions of
      ADF too. If an ADF upgrade requires this, it will be clearly described
      in the CHANGELOG.md file and the release notes.

      Leave at the configured default to disable privileged bootstrap
      access for all accounts. When the date is in the past, only the AWS
      Accounts that are accessible to ADF but are not bootstrapped yet will
      be allowed access via the privileged cross-account access role.

      Date time format according to ISO 8601
      https://www.w3.org/TR/NOTE-datetime
    Type: String
    Default: "1900-12-31T23:59:59Z"
    AllowedPattern: "\\d{4}-[0-1]\\d-[0-3]\\dT[0-2]\\d:[0-5]\\d:[0-5]\\d([+-][0-2]\\d:[0-5]\\d|Z)"

Globals:
  Function:
    Architectures:
      - arm64
    CodeUri: lambda_codebase
    Runtime: python3.12
    Timeout: 300

Conditions:
  CreateCrossAccountAccessRole: !Equals
    - !Ref AllowBootstrappingOfManagementAccount
    - "Yes"

Resources:
  BootstrapTemplatesBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref "BootstrapTemplatesBucket"
      PolicyDocument:
        Statement:
          - Sid: "AllowBootstrapDeployments"
            Action:
              - s3:GetObject
            Effect: Allow
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucket}/adf-bootstrap/*
            Principal:
              AWS: "*"
            Condition:
              StringEquals:
                "aws:PrincipalOrgID":
                  - !GetAtt Organization.OrganizationId
              ArnLike:
                "aws:PrincipalArn":
                  - !Sub "arn:${AWS::Partition}:iam::*:role/${CrossAccountAccessRoleName}"
                  - !Sub "arn:${AWS::Partition}:iam::*:role/adf/bootstrap/adf-bootstrap-update-deployment-role"
          - Sid: "DenyInsecureConnections"
            Action:
              - "s3:*"
            Effect: Deny
            Condition:
              Bool:
                aws:SecureTransport: "false"
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucket}
              - !Sub arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucket}/*
            Principal:
              AWS: "*"
          - Sid: "DenyInsecureTLS"
            Action:
              - "s3:*"
            Effect: Deny
            Condition:
              NumericLessThan:
                "s3:TlsVersion": "1.2"
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucket}
              - !Sub arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucket}/*
            Principal:
              AWS: "*"

  BootstrapArtifactStorageBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      AccessControl: BucketOwnerFullControl
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  BootstrapTemplatesBucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      AccessControl: BucketOwnerFullControl
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  ### Account processing begin
  AccountFileProcessingLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-management/"
      RoleName: "adf-account-management-account-file-processing"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref LambdaLayerPolicy
        - !Ref AccountAccessRolePolicy
        - !Ref AccountProcessingLambdaBasePolicy

  AccountFileProcessingLambdaPolicy:
    # Added as an IAM Managed Policy to break the circular dependency chain
    # This should not be added as a DependsOn on the lambda, by the time objects
    # are written in the bucket this policy is in effect already.
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "Policy to process accounts as configured in the bucket"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "organizations:DescribeOrganizationalUnit"
              - "organizations:ListParents"
              - "organizations:ListAccounts"
              - "organizations:DescribeOrganization"
              - "organizations:DescribeAccount"
            Resource: "*"
          - Effect: "Allow"
            Action: "s3:ListBucket"
            Resource: !GetAtt ADFAccountBucket.Arn
          - Effect: "Allow"
            Action: "s3:GetObject"
            Resource: !Sub "${ADFAccountBucket.Arn}/*"
          - Effect: "Allow"
            Action: "states:StartExecution"
            Resource: !Ref AccountManagementStateMachine
      Roles:
        - !Ref AccountFileProcessingLambdaRole

  AccountAccessRolePolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "Additional policy that allows a lambda to assume the cross account access role"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "sts:AssumeRole"
            Resource:
              - !GetAtt CrossAccountJumpRoleArn.Value

  AccountProcessingLambdaBasePolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "Base policy for all ADF account processing lambdas"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:CreateLogGroup"
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
              - "xray:PutTelemetryRecords"
              - "xray:PutTraceSegments"
            Resource: "*"

  AccountManagementStateMachineExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-management/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - states.amazonaws.com
            Action: "sts:AssumeRole"
            Condition:
              ArnEquals:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:adf-account-management"
      Policies:
        - PolicyName: "adf-state-machine-role-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "xray:PutTelemetryRecords"
                  - "xray:PutTraceSegments"
                Resource: "*"
              - Effect: Allow
                Action:
                  - "lambda:InvokeFunction"
                Resource:
                  - !GetAtt AccountAliasConfigFunction.Arn
                  - !GetAtt CreateAccountFunction.Arn
                  - !GetAtt RegisterAccountForSupportFunction.Arn
                  - !GetAtt AccountTagConfigFunction.Arn
                  - !GetAtt AccountOUConfigFunction.Arn
                  - !GetAtt GetAccountRegionsFunction.Arn
                  - !GetAtt DeleteDefaultVPCFunction.Arn
                  - !GetAtt AccountRegionConfigFunction.Arn
                  - !GetAtt JumpRoleApplication.Outputs.ManagerFunctionArn

  AccountFileProcessingFunction:
    Type: "AWS::Serverless::Function"
    Properties:
      Handler: process_account_files.lambda_handler
      Description: >-
        ADF - Account Management - Account File Event Processing.

        Responsible to kick-off the account management state machine.
        Triggers when new account configurations were added in the
        adf-accounts folder of the aws-deployment-framework-bootstrap
        repository.
      CodeUri: lambda_codebase/account_processing
      Tracing: Active
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Environment:
        Variables:
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
          ACCOUNT_MANAGEMENT_STATEMACHINE_ARN: !Ref AccountManagementStateMachine
          ADF_PRIVILEGED_CROSS_ACCOUNT_ROLE_NAME: !Ref CrossAccountAccessRoleName
      FunctionName: adf-account-management-file-event-processor
      Role: !GetAtt AccountFileProcessingLambdaRole.Arn
      Events:
        S3YmlSuffixEvent:
          Type: S3
          Properties:
            Bucket:
              Ref: ADFAccountBucket
            Events: s3:ObjectCreated:*
            Filter:
              S3Key:
                Rules:
                  - Name: suffix
                    Value: yml
        S3YamlSuffixEvent:
          Type: S3
          Properties:
            Bucket:
              Ref: ADFAccountBucket
            Events: s3:ObjectCreated:*
            Filter:
              S3Key:
                Rules:
                  - Name: suffix
                    Value: yaml
    Metadata:
      BuildMethod: python3.12

  AccountAliasConfigLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-management/"
      RoleName: "adf-account-management-config-account-alias"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref LambdaLayerPolicy
        - !Ref AccountAccessRolePolicy
        - !Ref AccountProcessingLambdaBasePolicy

  AccountAliasConfigFunction:
    Type: "AWS::Serverless::Function"
    Properties:
      Handler: configure_account_alias.lambda_handler
      Description: ADF - Account Management - Account Alias Configuration
      CodeUri: lambda_codebase/account_processing
      Tracing: Active
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Environment:
        Variables:
          AWS_PARTITION: !Ref AWS::Partition
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
          ADF_PRIVILEGED_CROSS_ACCOUNT_ROLE_NAME: !Ref CrossAccountAccessRoleName
      FunctionName: adf-account-management-config-alias
      Role: !GetAtt AccountAliasConfigLambdaRole.Arn
    Metadata:
      BuildMethod: python3.12

  AccountTagConfigFunctionRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-management/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref LambdaLayerPolicy
        - !Ref AccountProcessingLambdaBasePolicy
      Policies:
        - PolicyName: "adf-lambda-tag-resource-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "organizations:TagResource"
                  - "organizations:UntagResource"
                Resource:
                  - !Sub "arn:${AWS::Partition}:organizations::${AWS::AccountId}:account/${Organization.OrganizationId}/*"

  AccountTagConfigFunction:
    Type: "AWS::Serverless::Function"
    Properties:
      Handler: configure_account_tags.lambda_handler
      Description: ADF - Account Management - Account Tag Configuration
      CodeUri: lambda_codebase/account_processing
      Tracing: Active
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Environment:
        Variables:
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
      FunctionName: adf-account-management-config-tags
      Role: !GetAtt AccountTagConfigFunctionRole.Arn
    Metadata:
      BuildMethod: python3.12

  AccountRegionConfigFunctionRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-management/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref LambdaLayerPolicy
        - !Ref AccountProcessingLambdaBasePolicy
      Policies:
        - PolicyName: "adf-lambda-account-region-resource-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "account:ListRegions"
                  - "account:EnableRegion"
                  - "sts:GetCallerIdentity"
                Resource: "*"
              - Effect: Allow
                Action: ssm:GetParameter
                Resource:
                  - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/adf/target_regions"

  AccountRegionConfigFunction:
    Type: "AWS::Serverless::Function"
    Properties:
      Handler: configure_account_regions.lambda_handler
      Description: ADF - Account Management - Account Region Configuration
      CodeUri: lambda_codebase/account_processing
      Tracing: Active
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Environment:
        Variables:
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
      FunctionName: adf-account-management-config-region
      Role: !GetAtt AccountRegionConfigFunctionRole.Arn
    Metadata:
      BuildMethod: python3.12

  AccountOUConfigFunction:
    Type: "AWS::Serverless::Function"
    Properties:
      Handler: configure_account_ou.lambda_handler
      Description: ADF - Account Management - Account OU Configuration
      CodeUri: lambda_codebase/account_processing
      Tracing: Active
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Environment:
        Variables:
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
      FunctionName: adf-account-management-config-ou
      Role: !GetAtt AccountOUConfigFunctionRole.Arn
    Metadata:
      BuildMethod: python3.12

  AccountOUConfigFunctionRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-management/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref LambdaLayerPolicy
        - !Ref AccountProcessingLambdaBasePolicy
      Policies:
        - PolicyName: "adf-lambda-policy-move-ou"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "organizations:ListRoots"
                  - "organizations:ListParents"
                  - "organizations:MoveAccount"
                  - "organizations:ListOrganizationalUnitsForParent"
                  - "organizations:ListChildren"
                  - "organizations:ListAccounts*"
                Resource: "*"

  GetAccountRegionsFunction:
    Type: "AWS::Serverless::Function"
    Properties:
      Handler: get_account_regions.lambda_handler
      Description: ADF - Account Management - Get Default Regions
      CodeUri: lambda_codebase/account_processing
      Tracing: Active
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Environment:
        Variables:
          AWS_PARTITION: !Ref AWS::Partition
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
          ADF_PRIVILEGED_CROSS_ACCOUNT_ROLE_NAME: !Ref CrossAccountAccessRoleName
      FunctionName: adf-account-management-get-regions
      Role: !GetAtt GetAccountRegionsLambdaRole.Arn
    Metadata:
      BuildMethod: python3.12

  GetAccountRegionsLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-management/"
      RoleName: "adf-account-management-get-account-regions"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref LambdaLayerPolicy
        - !Ref AccountAccessRolePolicy
        - !Ref AccountProcessingLambdaBasePolicy

  DeleteDefaultVPCFunction:
    Type: "AWS::Serverless::Function"
    Properties:
      Handler: delete_default_vpc.lambda_handler
      Description: ADF - Account Management - Delete the Default VPCs
      CodeUri: lambda_codebase/account_processing
      Tracing: Active
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Environment:
        Variables:
          AWS_PARTITION: !Ref AWS::Partition
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
          ADF_PRIVILEGED_CROSS_ACCOUNT_ROLE_NAME: !Ref CrossAccountAccessRoleName
      FunctionName: adf-account-management-delete-default-vpc
      Role: !GetAtt DeleteDefaultVPCLambdaRole.Arn
    Metadata:
      BuildMethod: python3.12

  DeleteDefaultVPCLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-management/"
      RoleName: "adf-account-management-delete-default-vpc"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref LambdaLayerPolicy
        - !Ref AccountAccessRolePolicy
        - !Ref AccountProcessingLambdaBasePolicy

  CreateAccountFunction:
    Type: "AWS::Serverless::Function"
    Properties:
      Handler: create_account.lambda_handler
      Description: ADF - Account Management - Create Account
      CodeUri: lambda_codebase/account_processing
      Tracing: Active
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Environment:
        Variables:
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
          ADF_PRIVILEGED_CROSS_ACCOUNT_ROLE_NAME: !Ref CrossAccountAccessRoleName
      FunctionName: adf-account-management-create-account
      Role: !GetAtt CreateAccountFunctionRole.Arn
    Metadata:
      BuildMethod: python3.12

  CreateAccountFunctionRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-management/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref LambdaLayerPolicy
        - !Ref AccountProcessingLambdaBasePolicy
      Policies:
        - PolicyName: "adf-lambda-create-account-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "organizations:CreateAccount"
                  - "organizations:DescribeCreateAccountStatus"
                Resource: "*"

  RegisterAccountForSupportFunction:
    Type: "AWS::Serverless::Function"
    Properties:
      Handler: register_account_for_support.lambda_handler
      Description: ADF - Account Management - Register support level
      CodeUri: lambda_codebase/account_processing
      Tracing: Active
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Environment:
        Variables:
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
      FunctionName: adf-account-management-register-support-level
      Role: !GetAtt RegisterAccountForSupportFunctionRole.Arn
    Metadata:
      BuildMethod: python3.12

  RegisterAccountForSupportFunctionRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-management/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref LambdaLayerPolicy
        - !Ref AccountProcessingLambdaBasePolicy
      Policies:
        - PolicyName: "adf-lambda-support-access-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "support:DescribeSeverityLevels"
                  - "support:CreateCase"
                Resource: "*"

  ADFAccountBucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      AccessControl: BucketOwnerFullControl
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  AccountManagementStateMachine:
    Type: "AWS::StepFunctions::StateMachine"
    Properties:
      StateMachineName: "adf-account-management"
      RoleArn: !GetAtt AccountManagementStateMachineExecutionRole.Arn
      TracingConfiguration:
        Enabled: true
      DefinitionString: !Sub |-
        {
          "Comment": "Create account?",
          "StartAt": "CreateAccountChoice",
          "States": {
            "CreateAccountChoice": {
              "Type": "Choice",
              "Choices": [
                {
                  "Variable": "$.needs_created",
                  "BooleanEquals": true,
                  "Comment": "Create Account",
                  "Next": "CreateAccount"
                }
              ],
              "Default": "ConfigureAccountRegions"
            },
            "ConfigureAccountAlias": {
              "Type": "Task",
              "Resource": "${AccountAliasConfigFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": ["States.TaskFailed"],
                  "IntervalSeconds": 3,
                  "BackoffRate": 1.5,
                  "MaxAttempts": 10
                }, {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Next": "ConfigureAccountTags"
            },
            "CreateAccount": {
              "Type": "Task",
              "Resource": "${CreateAccountFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": ["States.TaskFailed"],
                  "IntervalSeconds": 3,
                  "BackoffRate": 1.5,
                  "MaxAttempts": 10
                }, {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Next": "WaitFor10Seconds"
            },
            "WaitFor10Seconds": {
              "Type": "Wait",
              "Seconds": 10,
              "Next": "ConfigureAccountSupport"
            },
            "ConfigureAccountSupport": {
              "Type": "Task",
              "Resource": "${RegisterAccountForSupportFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": ["States.TaskFailed"],
                  "IntervalSeconds": 3,
                  "BackoffRate": 1.5,
                  "MaxAttempts": 10
                }, {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Next": "EnableBootstrappingJumpRole"
            },
            "EnableBootstrappingJumpRole": {
              "Type": "Task",
              "Resource": "${JumpRoleApplication.Outputs.ManagerFunctionArn}",
              "TimeoutSeconds": 300,
              "Retry": [
                {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Next": "WaitForRoleUpdateToApply"
            },
            "WaitForRoleUpdateToApply": {
              "Type": "Wait",
              "Seconds": 60,
              "Next": "ConfigureAccountRegions"
            },
            "ConfigureAccountRegions": {
              "Type": "Task",
              "Resource": "${AccountRegionConfigFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": [
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "MaxAttempts": 6,
                  "BackoffRate": 2
                }
              ],
              "Next": "AreRegionsConfigured"
            },
            "AreRegionsConfigured": {
              "Type": "Choice",
              "Choices": [
                {
                  "Variable": "$.all_regions_enabled",
                  "BooleanEquals": true,
                  "Next": "ConfigureAccountAlias"
                }
              ],
              "Default": "Wait 15 seconds"
            },
            "Wait 15 seconds": {
              "Type": "Wait",
              "Seconds": 15,
              "Next": "ConfigureAccountRegions"
            },
            "ConfigureAccountTags": {
              "Type": "Task",
              "Resource": "${AccountTagConfigFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": ["States.TaskFailed"],
                  "IntervalSeconds": 3,
                  "BackoffRate": 1.5,
                  "MaxAttempts": 10
                }, {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Next": "ConfigureAccountOU"
            },
            "ConfigureAccountOU": {
              "Type": "Task",
              "Resource": "${AccountOUConfigFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": ["States.TaskFailed"],
                  "IntervalSeconds": 3,
                  "BackoffRate": 1.5,
                  "MaxAttempts": 10
                }, {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Next": "DeleteDefaultVPCChoice"
            },
            "DeleteDefaultVPCChoice": {
              "Type": "Choice",
              "Choices": [
                {
                  "Variable": "$.delete_default_vpc",
                  "BooleanEquals": true,
                  "Next": "GetAccountDefaultRegionsFunction"
                }
              ],
              "Default": "Success"
            },
            "GetAccountDefaultRegionsFunction": {
              "Type": "Task",
              "Resource": "${GetAccountRegionsFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": ["States.TaskFailed"],
                  "IntervalSeconds": 3,
                  "BackoffRate": 1.5,
                  "MaxAttempts": 10
                }, {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Next": "DeleteDefaultVPCMap"
            },
            "DeleteDefaultVPCMap": {
              "Type": "Map",
              "Next": "Success",
              "Iterator": {
                "StartAt": "DeleteDefaultVPC",
                  "States": {
                    "DeleteDefaultVPC": {
                      "Type": "Task",
                      "Resource": "${DeleteDefaultVPCFunction.Arn}",
                      "OutputPath": "$.Payload",
                      "Parameters": {
                        "Payload.$": "$"
                      },
                      "Retry": [
                        {
                          "ErrorEquals": [
                            "Lambda.Unknown",
                            "Lambda.ServiceException",
                            "Lambda.AWSLambdaException",
                            "Lambda.SdkClientException",
                            "Lambda.TooManyRequestsException"
                          ],
                          "IntervalSeconds": 2,
                          "MaxAttempts": 6,
                          "BackoffRate": 2
                        }
                      ],
                      "End": true
                    }
                  }
                },
                "ItemsPath": "$.default_regions",
                "MaxConcurrency": 20,
                "Parameters": {
                  "region.$": "$$.Map.Item.Value",
                  "account_id.$": "$.account_id"
                },
                "ResultPath": null
              },
              "Success": {
                "Type": "Succeed"
              }
            }
          }
  ### Account processing end

  ADFSharedPythonLambdaLayerVersion:
    Type: "AWS::Serverless::LayerVersion"
    Properties:
      ContentUri: "./lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python"
      CompatibleArchitectures:
        - arm64
      CompatibleRuntimes:
        - python3.12
      Description: "Shared Lambda Layer between management and deployment account"
      LayerName: adf_shared_layer
    Metadata:
      BuildMethod: python3.12
      BuildArchitecture: arm64

  LambdaLayerPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "Policy to allow Lambda functions to use the ADF Shared Python layer"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action: "lambda:GetLayerVersion"
            Resource: !Ref ADFSharedPythonLambdaLayerVersion

  CommonLambdaPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "Policy to allow Lambda functions to common Lambda resources"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "logs:CreateLogGroup"
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
              - "xray:PutTelemetryRecords"
              - "xray:PutTraceSegments"
            Resource: "*"

  ### Account-Bootstrapping Jump Role begin
  JumpRoleApplication:
    Type: AWS::Serverless::Application
    DeletionPolicy: Delete
    UpdateReplacePolicy: Retain
    Properties:
      Location: account_bootstrapping_jump_role.yml
      Parameters:
        OrganizationId: !GetAtt Organization.OrganizationId
        ADFVersion: !FindInMap ["Metadata", "ADF", "Version"]
        LambdaLayer: !Ref ADFSharedPythonLambdaLayerVersion
        CrossAccountAccessRoleName: !Ref CrossAccountAccessRoleName
        DeploymentAccountId: !GetAtt DeploymentAccount.AccountId
        LogLevel: !Ref LogLevel
        GrantOrgWidePrivilegedBootstrapAccessUntil: !Ref GrantOrgWidePrivilegedBootstrapAccessUntil
  ### Account-Bootstrapping Jump Role end

  BootstrapStackWaiterLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-bootstrapping/"
      RoleName: "adf-account-bootstrapping-bootstrap-stack-waiter"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref CommonLambdaPolicy
      Policies:
        - PolicyName: "stack-waiter-policies"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "sts:AssumeRole"
                Resource:
                  - !GetAtt CrossAccountJumpRoleArn.Value
                Condition:
                  StringEquals:
                    aws:PrincipalOrgID: !GetAtt Organization.OrganizationId

  BootstrapStackWaiterFunction:
    Type: "AWS::Serverless::Function"
    DependsOn:
      - BootstrapTemplatesBucketPolicy
    Properties:
      Handler: wait_until_complete.lambda_handler
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Description: ADF - Account Bootstrapping - Wait for Stack
      Environment:
        Variables:
          S3_BUCKET_NAME: !Ref BootstrapTemplatesBucket
          TERMINATION_PROTECTION: false
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
      FunctionName: adf-account-bootstrapping-wait-for-bootstrap-stack
      Role: !GetAtt BootstrapStackWaiterLambdaRole.Arn
    Metadata:
      BuildMethod: python3.12

  DetermineEventLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-bootstrapping/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref CommonLambdaPolicy
      Policies:
        - PolicyName: "determine-event-policies"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ssm:GetParameter"
                  - "ssm:GetParameters"
                Resource:
                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/config"
                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/cross_account_access_role"
                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/deployment_account_id"
                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/deployment_account_region"
                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/extensions/terraform/enabled"
                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/target_regions"
              - Effect: "Allow"
                Action:
                  - "organizations:DescribeOrganizationalUnit"
                  - "organizations:DescribeOrganization"
                  - "organizations:ListParents"
                Resource: "*"

  DetermineEventFunction:
    Type: "AWS::Serverless::Function"
    DependsOn:
      - BootstrapTemplatesBucketPolicy
    Properties:
      Handler: determine_event.lambda_handler
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Description: ADF - Account Bootstrapping - Determine Event Type
      Environment:
        Variables:
          S3_BUCKET_NAME: !Ref BootstrapTemplatesBucket
          TERMINATION_PROTECTION: false
          SHARED_MODULES_BUCKET: !GetAtt SharedModulesBucketName.Value
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
      FunctionName: adf-account-bootstrapping-determine-event
      Role: !GetAtt DetermineEventLambdaRole.Arn
    Metadata:
      BuildMethod: python3.12

  CrossAccountDeployBootstrapLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-bootstrapping/"
      RoleName: "adf-account-bootstrapping-cross-account-deploy-bootstrap"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref CommonLambdaPolicy
      Policies:
        - PolicyName: "cross-account-exec-policies"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "sts:AssumeRole"
                Resource:
                  - !GetAtt CrossAccountJumpRoleArn.Value
              - Effect: Allow
                Action:
                  - "ssm:GetParameter"
                  - "ssm:PutParameter"
                Resource:
                  - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/adf/deployment_account_id"
                  - !Sub "arn:${AWS::Partition}:ssm:${DeploymentAccountMainRegion}:${AWS::AccountId}:parameter/adf/deployment_account_id"
              - Effect: "Allow"
                Action: "s3:ListBucket"
                Resource: !GetAtt BootstrapTemplatesBucket.Arn
              - Effect: "Allow"
                Action: "s3:GetObject"
                Resource: !Sub "${BootstrapTemplatesBucket.Arn}/*"

  CrossAccountDeployBootstrapFunction:
    Type: "AWS::Serverless::Function"
    DependsOn:
      - BootstrapTemplatesBucketPolicy
    Properties:
      Handler: account_bootstrap.lambda_handler
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Description: >-
        ADF - Account Bootstrapping - Cross-Account Deploy Bootstrap Stacks
      Environment:
        Variables:
          S3_BUCKET_NAME: !Ref BootstrapTemplatesBucket
          TERMINATION_PROTECTION: false
          SHARED_MODULES_BUCKET: !GetAtt SharedModulesBucketName.Value
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ORGANIZATION_ID: !GetAtt Organization.OrganizationId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
      FunctionName: adf-account-bootstrapping-cross-account-deploy-bootstrap
      Role: !GetAtt CrossAccountDeployBootstrapLambdaRole.Arn
      Timeout: 900
    Metadata:
      BuildMethod: python3.12

  MovedToRootCleanupIfRequiredLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-bootstrapping/"
      RoleName: "adf-account-bootstrapping-moved-to-root-cleanup-if-required"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref CommonLambdaPolicy
      Policies:
        - PolicyName: "moved-to-root-policies"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ssm:GetParameter"
                  - "ssm:GetParameters"
                Resource:
                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/moves/to_root/action"
                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/cross_account_access_role"
                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/target_regions"
              - Effect: "Allow"
                Action:
                  - "sts:AssumeRole"
                Resource:
                  - !GetAtt CrossAccountJumpRoleArn.Value

  MovedToRootCleanupIfRequiredFunction:
    Type: "AWS::Serverless::Function"
    DependsOn:
      - BootstrapTemplatesBucketPolicy
    Properties:
      Handler: moved_to_root.lambda_handler
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Description: >-
        ADF - Account Bootstrapping - Moved to Root Cleanup Bootstrap Stacks
        if required.
      Environment:
        Variables:
          S3_BUCKET_NAME: !Ref BootstrapTemplatesBucket
          TERMINATION_PROTECTION: false
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
      FunctionName: adf-account-bootstrapping-moved-to-root-cleanup-if-required
      Role: !GetAtt MovedToRootCleanupIfRequiredLambdaRole.Arn
      Timeout: 900
    Metadata:
      BuildMethod: python3.12

  UpdateDeploymentResourcePoliciesLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-bootstrapping/"
      RoleName: "adf-account-bootstrapping-update-deployment-resource-policies"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref CommonLambdaPolicy
      Policies:
        - PolicyName: "update-resource-policies"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "sts:AssumeRole"
                Resource:
                  - !GetAtt CrossAccountJumpRoleArn.Value

  UpdateDeploymentResourcePoliciesFunction:
    Type: "AWS::Serverless::Function"
    DependsOn:
      - BootstrapTemplatesBucketPolicy
    Properties:
      Handler: generic_account_config.lambda_handler
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Description: ADF - Account Bootstrapping - Configure Deployment Target
      Environment:
        Variables:
          S3_BUCKET_NAME: !Ref BootstrapTemplatesBucket
          TERMINATION_PROTECTION: false
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
      FunctionName: adf-account-bootstrapping-config-policies-deployment-target
      Role: !GetAtt UpdateDeploymentResourcePoliciesLambdaRole.Arn
    Metadata:
      BuildMethod: python3.12

  AccountOUMoveEventsRule:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "adf-account-bootstrapping-account-ou-move"
      Description: >-
        Triggers Account Bootstrapping state machine on Account OU move
      EventPattern:
        source:
          - aws.organizations
        detail:
          eventSource:
            - organizations.amazonaws.com
          eventName:
            - MoveAccount
      Targets:
        - Arn: !Ref AccountBootstrappingStateMachine
          RoleArn: !GetAtt AccountBootstrapStartExecutionRole.Arn
          Id: CreateStackLinkedAccountV1

  BootstrapCodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      Path: "/adf/bootstrap-pipeline/"
      RoleName: adf-bootstrap-pipeline-codebuild
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "codebuild.amazonaws.com"
            Action:
              - "sts:AssumeRole"
            Condition:
              ArnEquals:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/adf-bootstrap-pipeline-build"
      ManagedPolicyArns:
        - !Ref "CodeBuildPolicy"
      Policies:
        - PolicyName: bootstrap-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "support:CreateCase"
                  - "support:DescribeSeverityLevels"
                Resource: "*"

  CodeBuildPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "Policy to allow CodeBuild to perform actions"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "sts:AssumeRole"
            Resource:
              - !GetAtt CrossAccountJumpRoleArn.Value
          - Effect: "Allow"
            Action:
              - "logs:CreateLogGroup"
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
              - "organizations:AttachPolicy"
              - "organizations:CreatePolicy"
              - "organizations:DeletePolicy"
              - "organizations:DescribeAccount"
              - "organizations:DescribeOrganization"
              - "organizations:DescribeOrganizationalUnit"
              - "organizations:DescribePolicy"
              - "organizations:DetachPolicy"
              - "organizations:EnablePolicyType"
              - "organizations:ListAccounts"
              - "organizations:ListAccountsForParent"
              - "organizations:ListChildren"
              - "organizations:ListOrganizationalUnitsForParent"
              - "organizations:ListParents"
              - "organizations:ListPolicies"
              - "organizations:ListPoliciesForTarget"
              - "organizations:ListRoots"
              - "organizations:UpdatePolicy"
              - "sts:GetCallerIdentity"
            Resource: "*"
          - Effect: Allow
            Action:
              - "ssm:GetParameter"
              - "ssm:GetParameters"
              - "ssm:PutParameter"
            Resource:
              - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/*"
          - Effect: "Allow"
            Action:
              - "states:ListExecutions"
            Resource:
              - !Ref AccountManagementStateMachine
              - !Ref AccountBootstrappingStateMachine
          - Effect: "Allow"
            Action:
              - "s3:DeleteObject"
              - "s3:GetBucketPolicy"
              - "s3:GetObject"
              - "s3:ListBucket"
              - "s3:PutObject"
            Resource:
              - !GetAtt "ADFAccountBucket.Arn"
              - !Sub "${ADFAccountBucket.Arn}/*"
              - !GetAtt "BootstrapTemplatesBucket.Arn"
              - !Sub "${BootstrapTemplatesBucket.Arn}/*"
              - !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket.BucketName}"
              - !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket.BucketName}/*"
          - Effect: "Allow"
            Action:
              - "s3:GetBucketPolicy"
              - "s3:GetObject"
              - "s3:ListBucket"
            Resource:
              - !GetAtt "BootstrapArtifactStorageBucket.Arn"
              - !Sub "${BootstrapArtifactStorageBucket.Arn}/*"

  OrganizationsReadonlyRole:
    Type: AWS::IAM::Role
    DependsOn: CleanupLegacyStacks
    Properties:
      Path: /adf/organizations/
      RoleName: "adf-organizations-readonly"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccount.AccountId}:root"
            Condition:
              StringEquals:
                "aws:PrincipalOrgID":
                  - !GetAtt Organization.OrganizationId
              ArnEquals:
                "aws:PrincipalArn":
                  - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccount.AccountId}:role/adf-codebuild-role"
                  - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccount.AccountId}:role/adf/pipeline-management/adf-pipeline-management-generate-inputs"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "adf-organizations-readonly-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - organizations:ListAccounts
                  - organizations:ListAccountsForParent
                  - organizations:DescribeAccount
                  - organizations:ListOrganizationalUnitsForParent
                  - organizations:ListRoots
                  - organizations:ListChildren
                  - tag:GetResources
                Resource: "*"

  CodeCommitRepository:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: "aws-deployment-framework-bootstrap"
      RepositoryDescription: !Sub >-
        CodeCommit Repo for AWS Deployment Framework base in ${AWS::AccountId}

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    DependsOn:
      - BootstrapTemplatesBucketPolicy
    Properties:
      TimeoutInMinutes: 60
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: "BUILD_GENERAL1_LARGE"
        PrivilegedMode: false
        Image: "aws/codebuild/standard:7.0"
        EnvironmentVariables:
          - Name: ADF_VERSION
            Value: !FindInMap ["Metadata", "ADF", "Version"]
          - Name: TERMINATION_PROTECTION
            Value: "false"
          - Name: PYTHONPATH
            Value: "./adf-build/shared/python"
          - Name: S3_BUCKET
            Value: !Ref BootstrapTemplatesBucket
          - Name: ACCOUNT_BUCKET
            Value: !Ref ADFAccountBucket
          - Name: MANAGEMENT_ACCOUNT_ID
            Value: !Ref AWS::AccountId
          - Name: SHARED_MODULES_BUCKET
            Value: !GetAtt SharedModulesBucketName.Value
          - Name: ORGANIZATION_ID
            Value: !GetAtt Organization.OrganizationId
          - Name: ADF_LOG_LEVEL
            Value: !Ref LogLevel
          - Name: ACCOUNT_MANAGEMENT_STATE_MACHINE_ARN
            Value: !Ref AccountManagementStateMachine
          - Name: MAIN_DEPLOYMENT_REGION
            Value: !Ref DeploymentAccountMainRegion
          - Name: ACCOUNT_BOOTSTRAPPING_STATE_MACHINE_ARN
            Value: !Ref AccountBootstrappingStateMachine
        Type: LINUX_CONTAINER
      Name: "adf-bootstrap-pipeline-build"
      ServiceRole: !GetAtt BootstrapCodeBuildRole.Arn
      Source:
        BuildSpec: |
          version: 0.2
          phases:
            install:
              runtime-versions:
                python: 3.12
            pre_build:
              commands:
                - pip install yq --root-user-action ignore --quiet
                - ADF_PERFORM_TESTS=`cat adfconfig.yml | yq -r '.config."bootstrap-pipeline"."run-tests" // "enabled"'`
                - >-
                  pip install
                  -r adf-build/requirements.txt
                  -r adf-build/shared/requirements.txt
                  -r adf-build/shared/helpers/requirements.txt
                  --root-user-action ignore
                  --quiet
                - |
                  if [ "$ADF_PERFORM_TESTS" = "enabled" ] ; then
                    echo "Performing tests"
                    pip install \
                    -r requirements-dev.txt \
                    -r adf-build/requirements-dev.txt \
                    -r adf-build/shared/requirements-dev.txt \
                    -r adf-build/shared/helpers/requirements-dev.txt \
                    --quiet \
                    --root-user-action ignore
                    tox
                  else
                    echo "Skipping tests"
                  fi
                - >-
                  docker run --privileged --rm
                  public.ecr.aws/eks-distro-build-tooling/binfmt-misc:qemu-v7.0.0
                  --install arm64
            build:
              commands:
                - >-
                  sam build
                  --use-container
                  --template adf-bootstrap/deployment/global.yml
                - >-
                  sam package
                  --output-template-file adf-bootstrap/deployment/global.yml
                  --region $MAIN_DEPLOYMENT_REGION
                  --s3-prefix adf-bootstrap/deployment
                  --s3-bucket $SHARED_MODULES_BUCKET
                - python adf-build/store_config.py
                # Shared Modules to be used with AWS CodeBuild:
                - >-
                  aws s3 sync
                  ./adf-build/shared
                  s3://$SHARED_MODULES_BUCKET/adf-build
                  --only-show-errors
                # Base templates:
                - >-
                  aws s3 sync . s3://$S3_BUCKET --only-show-errors --delete
                # Upload account files to the ACCOUNT_BUCKET
                - >-
                  python adf-build/shared/helpers/sync_to_s3.py
                  --extension .yml
                  --extension .yaml
                  --metadata adf_version=${ADF_VERSION}
                  --upload-with-metadata execution_id=${CODEPIPELINE_EXECUTION_ID}
                  --recursive adf-accounts
                  s3://$ACCOUNT_BUCKET
                # Sleep for 10 seconds so the state machine is able to kick start the processing
                # of these newly uploaded files if any.
                - sleep 10
                # Updates config, updates (or creates) base stacks:
                - python adf-build/main.py
        Type: CODEPIPELINE
      Tags:
        - Key: "Name"
          Value: "adf-bootstrap-pipeline-build"

  CodePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ArtifactStore:
        Type: S3
        Location: !Ref BootstrapArtifactStorageBucket
      RoleArn: !GetAtt BootstrapCodePipelineRole.Arn
      Name: "aws-deployment-framework-bootstrap-pipeline"
      Stages:
        - Name: CodeCommit
          Actions:
            - Name: Source
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: "1"
                Provider: CodeCommit
              OutputArtifacts:
                - Name: "TemplateSource"
              Configuration:
                BranchName: !GetAtt DetermineDefaultBranchName.DefaultBranchName
                RepositoryName: !GetAtt CodeCommitRepository.Name
                PollForSourceChanges: false
              RunOrder: 1
        - Name: EnableBootstrappingViaJumpRole
          Actions:
            - Name: EnableBootstrappingViaJumpRole
              ActionTypeId:
                Category: Invoke
                Owner: AWS
                Provider: Lambda
                Version: "1"
              RunOrder: 1
              Configuration:
                FunctionName: !GetAtt JumpRoleApplication.Outputs.ManagerFunctionName
              InputArtifacts: []
              OutputArtifacts: []
        - Name: UploadAndUpdateBaseStacks
          Actions:
            - Name: UploadAndUpdateBaseStacks
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: "1"
                Provider: CodeBuild
              OutputArtifacts:
                - Name: "aws-deployment-framework-bootstrap-build"
              InputArtifacts:
                - Name: "TemplateSource"
              Configuration:
                ProjectName: !Ref CodeBuildProject
                EnvironmentVariables: >-
                  [
                    {
                      "name": "CODEPIPELINE_EXECUTION_ID",
                      "value": "#{codepipeline.PipelineExecutionId}",
                      "type": "PLAINTEXT"
                    }
                  ]
              RunOrder: 1
        - Name: RestrictBootstrappingViaJumpRole
          Actions:
            - Name: RestrictBootstrappingViaJumpRole
              ActionTypeId:
                Category: Invoke
                Owner: AWS
                Provider: Lambda
                Version: "1"
              RunOrder: 1
              Configuration:
                FunctionName: !GetAtt JumpRoleApplication.Outputs.ManagerFunctionName
              InputArtifacts: []
              OutputArtifacts: []

  BootstrapCodePipelineRole:
    Type: AWS::IAM::Role
    Properties:
      Path: "/adf/bootstrap-pipeline/"
      RoleName: "adf-bootstrap-codepipeline"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action:
              - sts:AssumeRole
            Condition:
              StringEqualsIfExists:
                "aws:SourceAccount": !Ref AWS::AccountId
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:aws-deployment-framework-bootstrap-pipeline"
      Policies:
        - PolicyName: bootstrap-codepipeline-policies
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "s3:GetObject"
                  - "s3:ListBucket"
                  - "s3:PutObject"
                Resource:
                  - !GetAtt "BootstrapArtifactStorageBucket.Arn"
                  - !Sub "${BootstrapArtifactStorageBucket.Arn}/*"
              - Effect: Allow
                Sid: "CodeBuild"
                Action:
                  - "codebuild:BatchGetBuilds"
                  - "codebuild:StartBuild"
                Resource:
                  - !GetAtt CodeBuildProject.Arn
              - Effect: Allow
                Sid: "CodeCommit"
                Action:
                  - "codecommit:GetBranch"
                  - "codecommit:GetCommit"
                  - "codecommit:UploadArchive"
                  - "codecommit:GetUploadArchiveStatus"
                  - "codecommit:CancelUploadArchive"
                Resource:
                  - !GetAtt CodeCommitRepository.Arn
              - Effect: Allow
                Sid: "Lambda"
                Action:
                  - "lambda:InvokeFunction"
                Resource:
                  - !GetAtt JumpRoleApplication.Outputs.ManagerFunctionArn

  AccountBootstrapStateMachineExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-bootstrapping/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - states.amazonaws.com
            Action: "sts:AssumeRole"
            Condition:
              ArnEquals:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:adf-account-bootstrapping"
      Policies:
        - PolicyName: "adf-state-machine-role-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "lambda:InvokeFunction"
                Resource:
                  - !GetAtt DetermineEventFunction.Arn
                  - !GetAtt CrossAccountDeployBootstrapFunction.Arn
                  - !GetAtt MovedToRootCleanupIfRequiredFunction.Arn
                  - !GetAtt BootstrapStackWaiterFunction.Arn
                  - !GetAtt UpdateDeploymentResourcePoliciesFunction.Arn
                  - !GetAtt JumpRoleApplication.Outputs.ManagerFunctionArn

  AccountBootstrapStartExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/account-bootstrapping/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - events.amazonaws.com
            Action: "sts:AssumeRole"
            Condition:
              ArnEquals:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/adf-account-bootstrapping-account-ou-move"
      Policies:
        - PolicyName: "adf-start-state-machine"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "states:StartExecution"
                Resource:
                  - !Ref AccountBootstrappingStateMachine

  AccountBootstrappingStateMachine:
    Type: "AWS::StepFunctions::StateMachine"
    Properties:
      StateMachineName: "adf-account-bootstrapping"
      RoleArn: !GetAtt AccountBootstrapStateMachineExecutionRole.Arn
      TracingConfiguration:
        Enabled: true
      DefinitionString: !Sub |-
        {
          "Comment": "ADF Account Bootstrapping Process",
          "StartAt": "DetermineEvent",
          "States": {
            "DetermineEvent": {
              "Type": "Task",
              "Resource": "${DetermineEventFunction.Arn}",
              "Next": "EnableBootstrappingJumpRole",
              "TimeoutSeconds": 300,
              "Retry": [
                {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ]
            },
            "EnableBootstrappingJumpRole": {
              "Type": "Task",
              "Resource": "${JumpRoleApplication.Outputs.ManagerFunctionArn}",
              "Next": "WaitForRoleUpdateToApply",
              "TimeoutSeconds": 300,
              "Retry": [
                {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ]
            },
            "WaitForRoleUpdateToApply": {
              "Type": "Wait",
              "Seconds": 60,
              "Next": "MovedToRootOrProtected?"
            },
            "MovedToRootOrProtected?": {
              "Type": "Choice",
              "Choices": [
                {
                  "Variable": "$.moved_to_protected",
                  "NumericEquals": 1,
                  "Next": "ExecuteDeploymentAccountStateMachine"
                },
                {
                  "Variable": "$.moved_to_root",
                  "NumericEquals": 1,
                  "Next": "MovedToRootCleanupIfRequired"
                }
              ],
              "Default": "CreateOrUpdateBaseStack"
            },
            "CreateOrUpdateBaseStack": {
              "Type": "Task",
              "Resource": "${CrossAccountDeployBootstrapFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": [
                    "InvalidTemplateError",
                    "GenericAccountConfigureError"
                  ],
                  "IntervalSeconds": 1,
                  "BackoffRate": 1.1,
                  "MaxAttempts": 45
                }, {
                  "ErrorEquals": [
                    "AccountCreationNotFinishedError"
                  ],
                  "IntervalSeconds": 10,
                  "BackoffRate": 1.1,
                  "MaxAttempts": 45
                }, {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException",
                    "States.Timeout"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Catch": [
                {
                  "ErrorEquals": ["States.ALL"],
                  "Next": "ExecuteDeploymentAccountStateMachine",
                  "ResultPath": "$.error"
                }
              ],
              "Next": "WaitUntilBootstrapComplete",
              "TimeoutSeconds": 900
            },
            "MovedToRootCleanupIfRequired": {
              "Type": "Task",
              "Resource": "${MovedToRootCleanupIfRequiredFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": [
                    "RetryError"
                  ],
                  "IntervalSeconds": 10,
                  "BackoffRate": 1.0,
                  "MaxAttempts": 20
                }, {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Catch": [
                {
                  "ErrorEquals": ["States.ALL"],
                  "Next": "ExecuteDeploymentAccountStateMachine",
                  "ResultPath": "$.error"
                }
              ],
              "Next": "ExecuteDeploymentAccountStateMachine",
              "TimeoutSeconds": 900
            },
            "WaitUntilBootstrapComplete": {
              "Type": "Task",
              "Resource": "${BootstrapStackWaiterFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": ["RetryError"],
                  "IntervalSeconds": 10,
                  "BackoffRate": 1.0,
                  "MaxAttempts": 500
                }, {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Catch": [
                {
                  "ErrorEquals": ["States.ALL"],
                  "Next": "ExecuteDeploymentAccountStateMachine",
                  "ResultPath": "$.error"
                }
              ],
              "Next": "DeploymentAccount?",
              "TimeoutSeconds": 900
            },
            "DeploymentAccount?": {
              "Type": "Choice",
              "Choices": [
                {
                  "Variable": "$.is_deployment_account",
                  "NumericEquals": 1,
                  "Next": "Success"
                }
              ],
              "Default": "ExecuteDeploymentAccountStateMachine"
            },
            "ExecuteDeploymentAccountStateMachine": {
              "Type": "Task",
              "Resource": "${UpdateDeploymentResourcePoliciesFunction.Arn}",
              "Retry": [
                {
                  "ErrorEquals": [
                    "Lambda.Unknown",
                    "Lambda.ServiceException",
                    "Lambda.AWSLambdaException",
                    "Lambda.SdkClientException",
                    "Lambda.TooManyRequestsException"
                  ],
                  "IntervalSeconds": 2,
                  "BackoffRate": 2,
                  "MaxAttempts": 6
                }
              ],
              "Next": "Success",
              "TimeoutSeconds": 900
            },
            "Success": {
              "Type": "Succeed"
            }
          }
        }

  DetermineDefaultBranchName:
    Type: Custom::DetermineDefaultBranchName
    Properties:
      ServiceToken: !GetAtt DetermineDefaultBranchNameHandler.Arn
      Version: !FindInMap ["Metadata", "ADF", "Version"]
      RepositoryArn: !GetAtt CodeCommitRepository.Arn

  DetermineDefaultBranchNameHandler:
    Type: AWS::Serverless::Function
    Properties:
      Handler: handler.lambda_handler
      CodeUri: lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/determine_default_branch
      Description: !Sub >-
        ADF - Installer - Determine the default branch of the
        ${CodeCommitRepository.Name} repository.
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - codecommit:GetRepository
              Resource: !GetAtt CodeCommitRepository.Arn
      FunctionName: ADFBootstrapDetermineDefaultBranchName
    Metadata:
      BuildMethod: python3.12

  InitialCommit:
    Type: Custom::InitialCommit
    Properties:
      ServiceToken: !GetAtt InitialCommitHandler.Arn
      Version: !FindInMap ["Metadata", "ADF", "Version"]
      RepositoryArn: !GetAtt CodeCommitRepository.Arn
      DirectoryName: bootstrap_repository
      ExistingAccountId: !GetAtt DeploymentAccount.AccountId
      DeploymentAccountRegion: !Ref DeploymentAccountMainRegion
      DeploymentAccountFullName: !Ref DeploymentAccountName
      DeploymentAccountEmailAddress: !Ref DeploymentAccountEmailAddress
      DeploymentAccountAlias: !Ref DeploymentAccountAlias
      CrossAccountAccessRole: !Ref CrossAccountAccessRoleName
      TargetRegions: !Ref DeploymentAccountTargetRegions
      ProtectedOUs: !Ref ProtectedOUs
      NotificationEndpoint: !Ref MainNotificationEndpoint
      DefaultBranchName: !GetAtt DetermineDefaultBranchName.DefaultBranchName

  InitialCommitHandler:
    Type: AWS::Serverless::Function
    Properties:
      Handler: handler.lambda_handler
      CodeUri: lambda_codebase/initial_commit
      Description: !Sub >-
        ADF - Installer - Initial Commit Bootstrap.

        Creates the initial commit or update PR on the default branch of the
        ${CodeCommitRepository.Name} repository. As required to install/update
        ADF.
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - codecommit:CreateBranch
                - codecommit:CreateCommit
                - codecommit:CreatePullRequest
                - codecommit:DeleteBranch
                - codecommit:GetBranch
                - codecommit:GetDifferences
              Resource: !GetAtt CodeCommitRepository.Arn
      FunctionName: BootstrapCreateInitialCommitFunction
    Metadata:
      BuildMethod: python3.12

  SharedModulesBucket:
    Type: Custom::CrossRegionBucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      ServiceToken: !GetAtt CrossRegionBucketHandler.Arn
      Region: !Ref DeploymentAccountMainRegion
      BucketNamePrefix: !Sub "adf-shared-modules-${DeploymentAccountMainRegion}"
      Version: !FindInMap ["Metadata", "ADF", "Version"]
      PolicyDocument:
        Statement:
          - Action:
              - s3:GetObject
            Effect: Allow
            Resource:
              - "{bucket_arn}/adf-bootstrap/*"
              - "{bucket_arn}/adf-build/*"
            Principal:
              AWS:
                - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccount.AccountId}:root"
          - Action:
              - s3:ListBucket
            Effect: Allow
            Resource:
              - "{bucket_arn}"
            Principal:
              AWS:
                - !Sub "arn:${AWS::Partition}:iam::${DeploymentAccount.AccountId}:root"
            Condition:
              StringLike:
                "s3:prefix":
                  - "adf-bootstrap/*"
                  - "adf-build/*"
          - Action:
              - s3:GetObject
            Effect: Allow
            Resource:
              - "{bucket_arn}/adf-bootstrap/*"
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Condition:
              StringEquals:
                "aws:SourceOrgID":
                  - !GetAtt Organization.OrganizationId
          - Sid: "DenyInsecureConnections"
            Action:
              - "s3:*"
            Effect: Deny
            Condition:
              Bool:
                aws:SecureTransport: "false"
            Principal:
              AWS: "*"
          - Sid: "DenyInsecureTLS"
            Action:
              - "s3:*"
            Effect: Deny
            Condition:
              NumericLessThan:
                "s3:TlsVersion": "1.2"
            Principal:
              AWS: "*"

  CleanupLegacyStacks:
    Type: Custom::CleanupLegacyStacks
    Properties:
      ServiceToken: !GetAtt CleanupLegacyStacksHandler.Arn
      Version: !FindInMap ["Metadata", "ADF", "Version"]
      DeploymentAccountRegion: !Ref DeploymentAccountMainRegion

  CleanupLegacyStacksHandler:
    Type: AWS::Serverless::Function
    Properties:
      Handler: handler.lambda_handler
      CodeUri: lambda_codebase/cleanup_legacy_stacks
      Description: >-
        ADF - Installer - Cleanup Legacy Stacks.

        Checks if legacy specific legacy bootstrap stacks exists.
        If they do, they are cleaned up automatically.
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Environment:
        Variables:
          MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
          DEPLOYMENT_REGION: !Ref DeploymentAccountMainRegion
          ADF_VERSION: !FindInMap ["Metadata", "ADF", "Version"]
          ADF_LOG_LEVEL: !Ref LogLevel
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - cloudformation:DescribeStacks
                - cloudformation:DeleteStack
              Resource:
                - !Sub "arn:${AWS::Partition}:cloudformation:${DeploymentAccountMainRegion}:${AWS::AccountId}:stack/adf-global-base-adf-build"
                - !Sub "arn:${AWS::Partition}:cloudformation:${DeploymentAccountMainRegion}:${AWS::AccountId}:stack/adf-global-base-adf-build/*"
            - Effect: Allow
              Action:
                - iam:DeleteRole
                - iam:DeleteRolePolicy
                - iam:UntagRole
              Resource:
                - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}"
                - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}-readonly"
            - Effect: "Allow"
              Action: "lambda:GetLayerVersion"
              Resource: !Ref ADFSharedPythonLambdaLayerVersion
      FunctionName: CleanupLegacyStacksFunction
    Metadata:
      BuildMethod: python3.12

  OrganizationsRole:
    # Only required if you intend to bootstrap the management account.
    Type: AWS::IAM::Role
    Condition: CreateCrossAccountAccessRole
    DependsOn:
      - CleanupLegacyStacks
      - JumpRoleApplication
    Properties:
      Path: /
      RoleName: !Ref CrossAccountAccessRoleName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !GetAtt CrossAccountJumpRoleArn.Value
            Action:
              - "sts:AssumeRole"

  OrganizationsPolicy:
    # Only required if you intend to bootstrap the management account.
    Type: AWS::IAM::Policy
    Condition: CreateCrossAccountAccessRole
    Properties:
      PolicyName: "adf-management-account-bootstrap-policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - cloudformation:CancelUpdateStack
              - cloudformation:ContinueUpdateRollback
              - cloudformation:CreateChangeSet
              - cloudformation:CreateStack
              - cloudformation:CreateUploadBucket
              - cloudformation:DeleteChangeSet
              - cloudformation:DeleteStack
              - cloudformation:DescribeChangeSet
              - cloudformation:DescribeStacks
              - cloudformation:ExecuteChangeSet
              - cloudformation:ListStacks
              - cloudformation:SetStackPolicy
              - cloudformation:SignalResource
              - cloudformation:UpdateStack
              - cloudformation:UpdateTerminationProtection
            Resource:
              - !Sub "arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stack/*"
          - Effect: Allow
            Action:
              - cloudformation:ValidateTemplate
              - ec2:DeleteInternetGateway
              - ec2:DeleteNetworkInterface
              - ec2:DeleteRouteTable
              - ec2:DeleteSubnet
              - ec2:DeleteVpc
              - ec2:DescribeInternetGateways
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribeRegions
              - ec2:DescribeRouteTables
              - ec2:DescribeSubnets
              - ec2:DescribeVpcs
              - iam:CreateAccountAlias
              - iam:DeleteAccountAlias
              - iam:ListAccountAliases
            Resource:
              - "*"
          - Effect: Allow
            Action:
              - ssm:PutParameter
              - ssm:GetParameters
              - ssm:GetParameter
            Resource:
              - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/adf/*"
          - Effect: Allow
            Action:
              - iam:CreateRole
              - iam:DeleteRole
              - iam:TagRole
              - iam:UntagRole
            Resource:
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-automation-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-deployment-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codecommit-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-readonly-automation-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-terraform-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/bootstrap/adf-bootstrap-test-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/bootstrap/adf-bootstrap-update-deployment-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/bootstrap/adf-update-cross-account-access"
          - Effect: Allow
            Action:
              - iam:DeleteRolePolicy
              - iam:GetRole
              - iam:GetRolePolicy
              - iam:PutRolePolicy
              - iam:UpdateAssumeRolePolicy
            Resource:
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-automation-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-bootstrap-test-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-bootstrap-update-deployment-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-deployment-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-cloudformation-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-codecommit-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-readonly-automation-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-terraform-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-update-cross-account-access"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/bootstrap/adf-bootstrap-test-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/bootstrap/adf-bootstrap-update-deployment-role"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/bootstrap/adf-update-cross-account-access"
          - Effect: "Allow"
            Action:
              - iam:DeleteRole
              - iam:DeleteRolePolicy
              - iam:UntagRole
            Resource:
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf-update-cross-account-access-role"
      Roles:
        - !Ref OrganizationsRole

  SharedModulesBucketName:
    Type: AWS::SSM::Parameter
    Properties:
      Description: DO NOT EDIT - Used by The AWS Deployment Framework
      Name: /adf/shared_modules_bucket
      Type: String
      Value: !GetAtt SharedModulesBucket.BucketName

  LogLevelSetting:
    Type: AWS::SSM::Parameter
    Properties:
      Description: DO NOT EDIT - Used by The AWS Deployment Framework
      Name: /adf/adf_log_level
      Type: String
      Value: !Ref LogLevel

  CrossAccountJumpRoleArn:
    Type: AWS::SSM::Parameter
    Properties:
      Description: DO NOT EDIT - Used by The AWS Deployment Framework
      Name: /adf/cross_account_jump_role
      Type: String
      Value: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/adf/account-bootstrapping/jump/adf-bootstrapping-cross-account-jump-role"

  CrossRegionBucketHandler:
    Type: AWS::Serverless::Function
    Properties:
      Handler: handler.lambda_handler
      CodeUri: lambda_codebase/cross_region_bucket
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
      Description: !Sub >-
        ADF - Installer - Create Shared Modules Bucket in
        ${DeploymentAccountMainRegion}.
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: s3:CreateBucket
              Resource: !Sub "arn:${AWS::Partition}:s3:::adf-shared-modules-*"
              Condition:
                StringLike:
                  "s3:LocationConstraint": !Ref DeploymentAccountMainRegion
            - Effect: Allow
              Action:
                - s3:DeleteBucket
                - s3:PutBucketEncryption
                - s3:PutBucketOwnershipControls
                - s3:PutBucketPolicy
                - s3:PutBucketPublicAccessBlock
                - s3:PutEncryptionConfiguration
              # This must match BucketNamePrefix of the SharedModulesBucket resource
              Resource: !Sub "arn:${AWS::Partition}:s3:::adf-shared-modules-*"
            - Effect: Allow
              Action: ssm:GetParameter
              Resource:
                # Hardcoded name (instead of ${SharedModulesBucketName}) to avoid a circular
                # dependency. Converting this to an inline policy can break the circle
                - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/adf/shared_modules_bucket"
                - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/adf/deployment_account_region"
            - Effect: "Allow"
              Action: "lambda:GetLayerVersion"
              Resource: !Ref ADFSharedPythonLambdaLayerVersion
      FunctionName: CrossRegionBucketHandler
    Metadata:
      BuildMethod: python3.12

  Organization:
    Type: Custom::Organization
    Properties:
      ServiceToken: !GetAtt OrganizationHandler.Arn

  OrganizationHandler:
    Type: AWS::Serverless::Function
    Properties:
      Handler: handler.lambda_handler
      CodeUri: lambda_codebase/organization
      Description: ADF - Installer - Enable AWS Organizations
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "organizations:CreateOrganization"
                - "organizations:DeleteOrganization"
                - "organizations:DescribeOrganization"
                - "organizations:ListRoots"
              Resource: "*"
            - Effect: Allow
              Action: "iam:CreateServiceLinkedRole"
              Resource: !Sub "arn:${AWS::Partition}:iam::*:role/aws-service-role/*"
      FunctionName: AwsOrganizationsHandler
    Metadata:
      BuildMethod: python3.12

  DeploymentOrganizationUnit:
    Type: Custom::OrganizationUnit
    Properties:
      ServiceToken: !GetAtt OrganizationUnitHandler.Arn
      ParentId: !GetAtt Organization.OrganizationRootId
      OrganizationUnitName: deployment

  OrganizationUnitHandler:
    Type: AWS::Serverless::Function
    Properties:
      Handler: handler.lambda_handler
      CodeUri: lambda_codebase/organization_unit
      Description: ADF - Installer - Manage Deployment Organization Unit
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "organizations:CreateOrganizationalUnit"
                - "organizations:DeleteOrganizationalUnit"
                - "organizations:ListOrganizationalUnitsForParent"
              Resource: "*"
      FunctionName: OrganizationUnitHandler
    Metadata:
      BuildMethod: python3.12

  DeploymentAccount:
    Type: Custom::Account
    DependsOn: Organization
    Properties:
      ServiceToken: !GetAtt AccountHandler.Arn
      AccountName: !Ref DeploymentAccountName
      AccountEmailAddress: !Ref DeploymentAccountEmailAddress
      CrossAccountAccessRoleName: !Ref CrossAccountAccessRoleName
      ExistingAccountId: !Ref DeploymentAccountId
      TriggerOnUpdateOfADF: !FindInMap ["Metadata", "ADF", "Version"]

  AccountHandlerFunctionRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/adf/installer/deployment-account-management/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref LambdaLayerPolicy
      Policies:
        - PolicyName: "adf-account-management-access"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "organizations:CreateAccount"
                  - "organizations:DescribeCreateAccountStatus"
                  - "organizations:ListAccountsForParent"
                  - "organizations:ListOrganizationalUnitsForParent"
                  - "organizations:ListRoots"
                Resource: "*"
              - Effect: Allow
                Action:
                  - "ssm:GetParameter"
                  - "ssm:PutParameter"
                Resource: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/adf/deployment_account_id"
              - Effect: Allow
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "*"

  AccountHandler:
    Type: AWS::Serverless::Function
    Properties:
      Handler: handler.lambda_handler
      CodeUri: lambda_codebase/account
      Description: ADF - Installer - Deployment Account Management
      Role: !GetAtt AccountHandlerFunctionRole.Arn
      FunctionName: AccountHandler
      Layers:
        - !Ref ADFSharedPythonLambdaLayerVersion
    Metadata:
      BuildMethod: python3.12

  PipelineCloudWatchEventRole:
    Type: AWS::IAM::Role
    Properties:
      Path: "/adf/bootstrap-pipeline/"
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              ArnEquals:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/adf-bootstrap-pipeline-watch-repo"
      Policies:
        - PolicyName: adf-bootstrap-execute-cwe
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: codepipeline:StartPipelineExecution
                Resource: !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipeline}"

  PipelineCloudWatchEventRule:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "adf-bootstrap-pipeline-watch-repo"
      EventPattern:
        source:
          - aws.codecommit
        detail-type:
          - "CodeCommit Repository State Change"
        resources:
          - !GetAtt CodeCommitRepository.Arn
        detail:
          event:
            - referenceCreated
            - referenceUpdated
          referenceType:
            - branch
          referenceName:
            - !GetAtt DetermineDefaultBranchName.DefaultBranchName
      Targets:
        - Arn: !Sub "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipeline}"
          RoleArn: !GetAtt PipelineCloudWatchEventRole.Arn
          Id: adf-codepipeline-trigger-bootstrap

Outputs:
  ADFVersionNumber:
    Value: !FindInMap ["Metadata", "ADF", "Version"]
    Export:
      Name: "ADFVersionNumber"

  CodeCommitHttpURL:
    Description: "The CodeCommit HTTP Url"
    Value: !GetAtt CodeCommitRepository.CloneUrlHttp
    Export:
      Name: "BaseTemplatesRepoHttpURL"

  CodeCommitSshURL:
    Description: "The CodeCommit SSH Url"
    Value: !GetAtt CodeCommitRepository.CloneUrlSsh
    Export:
      Name: "BaseTemplatesRepoSSHURL"