{
  "typeName" : "AWS::Redshift::EndpointAuthorization",
  "description" : "Describes an endpoint authorization for authorizing Redshift-managed VPC endpoint access to a cluster across AWS accounts.",
  "sourceUrl" : "https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-redshift",
  "definitions" : {
    "AwsAccount" : {
      "type" : "string",
      "pattern" : "^\\d{12}$"
    },
    "VpcId" : {
      "type" : "string",
      "pattern" : "^vpc-[A-Za-z0-9]{1,17}$"
    }
  },
  "properties" : {
    "Grantor" : {
      "description" : "The AWS account ID of the cluster owner.",
      "$ref" : "#/definitions/AwsAccount"
    },
    "Grantee" : {
      "description" : "The AWS account ID of the grantee of the cluster.",
      "$ref" : "#/definitions/AwsAccount"
    },
    "ClusterIdentifier" : {
      "description" : "The cluster identifier.",
      "type" : "string",
      "pattern" : "^(?=^[a-z][a-z0-9]*(-[a-z0-9]+)*$).{1,63}$"
    },
    "AuthorizeTime" : {
      "description" : "The time (UTC) when the authorization was created.",
      "type" : "string"
    },
    "ClusterStatus" : {
      "description" : "The status of the cluster.",
      "type" : "string"
    },
    "Status" : {
      "description" : "The status of the authorization action.",
      "type" : "string"
    },
    "AllowedAllVPCs" : {
      "description" : "Indicates whether all VPCs in the grantee account are allowed access to the cluster.",
      "type" : "boolean"
    },
    "AllowedVPCs" : {
      "description" : "The VPCs allowed access to the cluster.",
      "type" : "array",
      "insertionOrder" : false,
      "items" : {
        "$ref" : "#/definitions/VpcId"
      }
    },
    "EndpointCount" : {
      "description" : "The number of Redshift-managed VPC endpoints created for the authorization.",
      "type" : "integer"
    },
    "Account" : {
      "description" : "The target AWS account ID to grant or revoke access for.",
      "$ref" : "#/definitions/AwsAccount"
    },
    "VpcIds" : {
      "description" : "The virtual private cloud (VPC) identifiers to grant or revoke access to.",
      "type" : "array",
      "insertionOrder" : false,
      "items" : {
        "$ref" : "#/definitions/VpcId"
      }
    },
    "Force" : {
      "description" : " Indicates whether to force the revoke action. If true, the Redshift-managed VPC endpoints associated with the endpoint authorization are also deleted.",
      "type" : "boolean"
    }
  },
  "tagging" : {
    "taggable" : false
  },
  "additionalProperties" : false,
  "required" : [ "ClusterIdentifier", "Account" ],
  "primaryIdentifier" : [ "/properties/ClusterIdentifier", "/properties/Account" ],
  "createOnlyProperties" : [ "/properties/ClusterIdentifier", "/properties/Account" ],
  "readOnlyProperties" : [ "/properties/Grantor", "/properties/Grantee", "/properties/AuthorizeTime", "/properties/ClusterStatus", "/properties/Status", "/properties/AllowedAllVPCs", "/properties/AllowedVPCs", "/properties/EndpointCount" ],
  "writeOnlyProperties" : [ "/properties/Force" ],
  "handlers" : {
    "create" : {
      "permissions" : [ "redshift:AuthorizeEndpointAccess" ],
      "timeoutInMinutes" : 60
    },
    "read" : {
      "permissions" : [ "redshift:DescribeEndpointAuthorization" ]
    },
    "update" : {
      "permissions" : [ "redshift:AuthorizeEndpointAccess", "redshift:RevokeEndpointAccess" ],
      "timeoutInMinutes" : 60
    },
    "delete" : {
      "permissions" : [ "redshift:RevokeEndpointAccess", "redshift:DeleteEndpointAccess", "ec2:DeleteClientVpnEndpoint", "ec2:DescribeVpcAttribute", "ec2:DescribeSecurityGroups", "ec2:DescribeAddresses", "ec2:DescribeInternetGateways", "ec2:DescribeSubnets" ],
      "timeoutInMinutes" : 60
    },
    "list" : {
      "permissions" : [ "redshift:DescribeEndpointAuthorization" ]
    }
  }
}