AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation template for Non-Supported ECR API Calls.
Metadata: 
  AWS::CloudFormation::Interface:
    ParameterGroups:
      -
        Label:
          default: "Solution Configuration"
        Parameters:
          - Objective
      -
        Label:
          default: "Amazon SNS Topic Configuration"
        Parameters:
          - SNSName
          - SNSProtocol
          - SNSEndpoint
      -
        Label:
          default: "Amazon EventBridge Configuration"
        Parameters:
          - EventRuleName
          - APICallName
    ParameterLabels:
      SNSName:
        default: "Amazon SNS Topic Name:"
      SNSProtocol:
        default: "Amazon SNS Protocol:"
      SNSEndpoint:
        default: "Amazon SNS Endpoint (as per SNS Protocol):"
      EventRuleName:
        default: "Amazon Eventbridge Rule Name:"
      APICallName:
        default: "Amazon ECR CloudTrail Event Name/API Call ',' seperated:"
      Objective:
        default: "Solution Objective :"
Parameters:
  SNSName:
    Type: String
    MinLength: 1
    MaxLength: 256
    AllowedPattern: ^[a-zA-Z0-9\-_]*$

  SNSProtocol:
    Type: String
    Default: email
    AllowedValues:
      - http
      - https
      - email
      - email-json
      - sms
      - sqs
      - application
      - lambda
  SNSEndpoint:
    Type: String
  EventRuleName:
    Type: String
    MinLength: 1
    MaxLength: 64
    AllowedPattern: ^[\.\-_A-Za-z0-9]+
  APICallName:
    Type: CommaDelimitedList
    Default: CreateRepository,DeleteRepository,PutImage,ReplicateImage
  Objective:
    Type: String
    Default: SUCCESS
    AllowedValues:
     - SUCCESS
     - FAILURE
Conditions:
  StackObjective:
   !Equals [!Ref Objective,"FAILURE"]
Resources:
  EventRule0:
    Type: AWS::Events::Rule
    Properties:
      EventBusName: default
      EventPattern:
        source:
          - aws.ecr
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - ecr.amazonaws.com
          eventName: !Ref APICallName
          errorCode:
            Fn::If:
              - StackObjective
              - [ exists: true ]
              - [ exists: false ]
      Name: !Ref EventRuleName
      State: ENABLED
      Targets:
        - Id: !Sub "Id-${AWS::StackName}-${AWS::Region}-${AWS::AccountId}"
          Arn: !Ref MySNSTopic
          InputTransformer:
            InputPathsMap:
              Error_Code:
                Fn::If:
                  - StackObjective
                  - $.detail.errorCode
                  - !Ref AWS::NoValue
              Error_Message:
                Fn::If:
                  - StackObjective
                  - $.detail.errorCode
                  - !Ref AWS::NoValue
              Event_Name: $.detail.eventName
              Region: $.region
              Time: $.time
              RepoARN: $.detail.resources[0].ARN
            InputTemplate:
              Fn::If:
                - StackObjective
                - >-
                  "Good Day User, This is to notify that '<Event_Name>' is failed in '<Region>' with '<Error_Code>' with message: '<Error_Message>'.This activity happened on '<Time>'"
                - >- 
                  "Good Day User, This is to notify that '<Event_Name>' is successful for '<RepoARN>' in '<Region>'. This activity happened on '<Time>'"
              
  MySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: !Ref SNSProtocol
          Endpoint: !Ref SNSEndpoint
      TopicName: !Ref SNSName
      KmsMasterKeyId: !Ref KMSKey
  KMSKey:
    Type: AWS::KMS::Key
    Properties: 
      Description: "AWS KMS key to encypt Amazon SNS topic"
      EnableKeyRotation: true
      KeyPolicy:
        Version: 2012-10-17
        Id: Iam-access
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action:
            - "kms:CreateKey"
            - "kms:CreateGrant"
            - "kms:DescribeKey"
            - "kms:EnableKey"
            - "kms:EnableKeyRotation"
            - "kms:ListGrants"
            - "kms:ListKeyPolicies"
            - "kms:ListKeys"
            - "kms:ListResourceTags"
            - "kms:ListRetirableGrants"
            - "kms:UpdateKeyDescription"
            - "kms:PutKeyPolicy"
            - "kms:RevokeGrant"
            - "kms:DisableKey"
            - "kms:GetKeyPolicy"
            - "kms:GetKeyRotationStatus"
            - "kms:GetParametersForImport"
            - "kms:TagResource"
            - "kms:UntagResource"
            - "kms:ScheduleKeyDeletion"
            - "kms:CancelKeyDeletion"
            Resource: '*'
          - Sid: Allow event bridge
            Effect: Allow
            Principal:
              Service: "events.amazonaws.com"
            Action:
             - kms:GenerateDataKey
             - kms:Decrypt
            Resource: "*"
  MySNSTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument :
        Id: !Ref SNSName
        Statement:
          - 
            Action:
             - "sns:GetTopicAttributes"
             - "sns:SetTopicAttributes"
             - "sns:AddPermission"
             - "sns:RemovePermission"
             - "sns:DeleteTopic"
             - "sns:Subscribe"
             - "sns:ListSubscriptionsByTopic"
             - "sns:Publish"
            Effect: Allow
            Principal:
              Service: "events.amazonaws.com"
            Resource: !Ref MySNSTopic
      Topics: 
        - !Ref MySNSTopic