AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  ecs_compliance_as_code_opa
  
  Template for ecs_compliance_as_code_opa

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 5

Resources:
  ECSApprovedContainerRegistyFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: ecs-opa/
      Handler: ecs-opa
      Runtime: go1.x
      Environment:
        Variables:
          SNS_TOPIC_ARN: !Ref DevSecOpsTeamNotificationTopic
          SSM_PARAMETER: !Ref opapolicy
      Tracing: Active # https://docs.aws.amazon.com/lambda/latest/dg/lambda-x-ray.html
      Policies:
      - AWSXrayWriteOnlyAccess
      - AWSLambdaBasicExecutionRole
      - SNSPublishMessagePolicy:
          TopicName: 
            !Ref DevSecOpsTeamNotificationTopic
      - SSMParameterReadPolicy:
          ParameterName:
            !Ref opapolicy
      - Statement:
        - Sid: ECSTaskPolicy
          Effect: Allow
          Action:
          - ecs:StopTask
          Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task/*' 
      - Statement:
        - Sid: ECSServiceRWPolicy
          Effect: Allow
          Action:
          - ecs:UpdateService
          Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/*'
      - Statement:
        - Sid: ECSServiceListPolicy
          Effect: Allow
          Action:
          - ecs:ListServices
          Resource: '*'
      - Statement:
        - Sid: ECSTaskDefinitionPolicy
          Effect: Allow
          Action:
          - ecs:DeregisterTaskDefinition
          Resource: '*'
      - Statement:
        - Sid: KMSPolicy
          Effect: Allow
          Action:
          - kms:GenerateDataKey
          - kms:Decrypt
          Resource: !GetAtt DevSecOpsTeamNotificationTopicKey6AB29FA6.Arn
      Events:
        Trigger:
          Type: CloudWatchEvent 
          Properties:
            Pattern:
              source:
                - aws.ecs
              detail-type:
                - "ECS Task State Change"
              detail:
                desiredStatus:
                  - "prefix": "RUN"
  DevSecOpsTeamNotificationTopic:
    Type: AWS::SNS::Topic
    Properties:
      KmsMasterKeyId: !GetAtt DevSecOpsTeamNotificationTopicKey6AB29FA6.Arn
  DevSecOpsTeamNotificationTopicKey6AB29FA6:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Statement:
          - Action: kms:*
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' 
            Resource: '*'
      EnableKeyRotation: true
  opapolicy:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Value: !Sub "package ecstaskstatuswatcher\n\ndefault allow = false\n\nallow =true {\n    not any_non_approved_container_registry\n}\n\nany_non_approved_container_registry {\n    some i\n    input.containers[i]\n    not startswith(input.containers[i].image, \"${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com\") \n}"
      Description: OPA Policy
      Name: opa-policy
      Tier: Advanced