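Resources:

  # VPC that hosts everything in this template. The nested NAT stack receives
  # this VPC's id and creates the subnets / security group the function uses.
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      # RFC 1918 private range; subnets are not defined here but in the NAT stack.
      CidrBlock: "10.0.0.0/16"
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-VPC"

  # For each function:
  # - Give it the AWSLambdaVPCAccessExecutionRole policy (AWS-managed: lets the
  #   function manage the ENIs it needs inside the VPC and write CloudWatch Logs).
  # - Give it the security group created by the NAT stack. The egress rules are
  #   defined in template-nat.yaml, so review outbound access there.
  # - Put it in the private subnets created by the NAT stack, so the function
  #   has no public address; internet access is presumably outbound-only
  #   through the NAT stack.
  SampleFunction:
    Type: AWS::Serverless::Function
    Properties:
      Description: A function inside the VPC with internet access
      CodeUri: ./src/SampleFunctions/
      # Placeholder .NET handler (Assembly::Type::Method) — replace per function.
      Handler: AssemblyName::Namespace.Namespace.Class::Method
      Policies: AWSLambdaVPCAccessExecutionRole
      VpcConfig:
        SecurityGroupIds:
          - !GetAtt NatStack.Outputs.LambdaSecurityGroup
        SubnetIds:
          - !GetAtt NatStack.Outputs.PrivateSubnet1
          - !GetAtt NatStack.Outputs.PrivateSubnet2
          - !GetAtt NatStack.Outputs.PrivateSubnet3

  # Deploy the NAT stack as a nested stack. Its outputs (the private subnets
  # and the Lambda security group) are consumed by SampleFunction above.
  NatStack:
    Type: AWS::Serverless::Application
    Properties:
      Location: template-nat.yaml
      Parameters:
        VpcId: !Ref VPC
        Tag: !Sub "${AWS::StackName}"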