# CloudFormation template: bootstraps the SecurityV0 delegated-admin / security
# account for org-mode onboarding. It only records the onboarding inputs (SSM
# parameter + log group) and points at the canonical member-account role
# template; it creates no IAM resources itself.
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  SecurityV0 delegated-admin/security-account bootstrap for AWS org-mode onboarding.

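Parameters:
  SecurityV0PrincipalArn:
    Type: String
    Description: ARN of the SecurityV0 hub principal that will assume member roles.
    # Reject anything that is not an IAM/STS principal ARN so a typo does not get
    # written into the SSM bootstrap record and copied onward from there.
    AllowedPattern: '^arn:aws[a-z-]*:(iam|sts)::[0-9]{12}:.+$'
    ConstraintDescription: Must be an IAM or STS principal ARN (arn:<partition>:iam::<account-id>:...).
  ExternalId:
    Type: String
    # NoEcho only masks the value where CloudFormation displays *parameters*.
    # Anything that copies it into Outputs, Metadata or resource properties is
    # still readable by every principal with cloudformation:DescribeStacks.
    NoEcho: true
    Description: ExternalId used for member-account assume-role trust.
    # sts:ExternalId accepts 2..1224 characters from [\w+=,.@:/-]. Without these
    # constraints an empty or malformed value is accepted here and only fails
    # later, in the member-account StackSet.
    MinLength: 2
    MaxLength: 1224
    AllowedPattern: '^[\w+=,.@:/-]+$'
    ConstraintDescription: Must be 2-1224 characters from the set [A-Za-z0-9_+=,.@:/-].
  RoleName:
    Type: String
    Default: SecurityV0ReadOnly
    Description: >-
      Role name that StackSets will create in member accounts. Must match the canonical CFN at sv0-connectors/integrations/aws/cfn/securityv0-readonly-role.yaml (default SecurityV0ReadOnly) and the connector's _DEFAULT_SPOKE_ROLE_NAME.
    # IAM role-name rules (max 64 chars, [\w+=,.@-]). This also keeps the value
    # safe to splice verbatim into the JSON bootstrap record, which does no escaping.
    AllowedPattern: '^[\w+=,.@-]+$'
    MaxLength: 64
    ConstraintDescription: Must be a valid IAM role name (1-64 characters from [A-Za-z0-9_+=,.@-]).
  StackSetName:
    Type: String
    Default: SecurityV0-MemberReadOnlyRole
    Description: Suggested StackSet name for member-account deployment.
    # CloudFormation StackSet naming rules: letter first, then letters/digits/hyphens.
    AllowedPattern: '^[A-Za-z][A-Za-z0-9-]*$'
    MaxLength: 128
    ConstraintDescription: Must start with a letter and contain only letters, digits and hyphens (max 128).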

Resources:
  # Log group for bootstrap diagnostics. Nothing in this template writes to it;
  # presumably a process outside this stack logs under the same
  # /securityv0/bootstrap/<stack-name> path — confirm with the consumer.
  SecurityV0BootstrapLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName:
        Fn::Sub: '/securityv0/bootstrap/${AWS::StackName}'
      RetentionInDays: 30

  # Plain-text (Type: String) SSM parameter holding the onboarding inputs as a
  # JSON document. The ExternalId is not part of it — keep it that way: a String
  # parameter is readable by anyone with ssm:GetParameter on this path.
  SecurityV0BootstrapRecord:
    Type: AWS::SSM::Parameter
    Properties:
      Name:
        Fn::Sub: '/securityv0/bootstrap/${AWS::StackName}'
      Type: String
      # Parameter values are substituted verbatim with no JSON escaping, so this
      # assumes none of them contain a double quote or backslash — verify against
      # the parameter constraints.
      Value:
        Fn::Sub: |
          {
            "securityv0PrincipalArn": "${SecurityV0PrincipalArn}",
            "roleName": "${RoleName}",
            "stackSetName": "${StackSetName}",
            "accountId": "${AWS::AccountId}",
            "region": "${AWS::Region}"
          }
      Description: SecurityV0 AWS org-mode bootstrap metadata.

Outputs:
  SecurityAccountId:
    Description: Delegated-admin/security account ID.
    Value:
      Ref: AWS::AccountId

  SecurityV0PrincipalArn:
    Description: Principal ARN expected in member-account trust policies.
    Value:
      Ref: SecurityV0PrincipalArn

  # NOTE(review): this output re-exposes the NoEcho parameter. Stack outputs are
  # visible to every principal with cloudformation:DescribeStacks, so NoEcho
  # gives no protection here. The operator who supplied ExternalId already holds
  # it; drop this output once nothing reads it from the stack.
  ExternalId:
    Description: ExternalId to pass to the member-account StackSet.
    Value:
      Ref: ExternalId

  RoleName:
    Description: Member-account role name.
    Value:
      Ref: RoleName

  StackSetName:
    Description: Suggested StackSet name.
    Value:
      Ref: StackSetName

  # NOTE(review): this points at the mutable `main` branch, so the member-account
  # role template can change underneath already-deployed StackSets. Pin the URL
  # to a release tag or commit and record the expected checksum alongside it for
  # a reproducible onboarding path.
  MemberTemplateUrl:
    Description: >-
      Canonical raw GitHub URL for the member-account read-only role CloudFormation template (single source of truth in sv0-connectors).
    Value: 'https://raw.githubusercontent.com/SecurityV0/sv0-connectors/main/integrations/aws/cfn/securityv0-readonly-role.yaml'
