# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: '2010-09-09'
Description: |
  Package CloudFormation template into the provided S3 bucket

Parameters:
  S3BucketName:
    Description: Name of the existing S3 bucket where the CloudFormation templates will be packaged
    Type: String

Outputs:
  SMProjectSCPortfolioS3Uri:
    Description: S3 URI for SageMaker projects as Service Catalog portfolio deployment stack
    Value: !Sub 'https://s3.${AWS::Region}.amazonaws.com/${S3BucketName}/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml'

  SMProjectSCPortfolioDeployLink:
    Description: Link to open CloudFormation deployment of Service Catalog portfolio with SageMaker projects
    Value: !Sub 'https://console.aws.amazon.com/cloudformation/home?region=${AWS::Region}#/stacks/new?templateURL=https://s3.${AWS::Region}.amazonaws.com/${S3BucketName}/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml'

  StartBuildCLICommand:
    Description: CLI to start CodeBuild build
    Value: !Sub 'aws codebuild start-build --project-name ${CfnTemplatePackageProject}'

Resources:

  StartBuildLambdaExecutionRole:  
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: InlinePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CodeBuildPermission
                Effect: Allow
                Action:
                  - codebuild:StartBuild
                Resource: !GetAtt CfnTemplatePackageProject.Arn     
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'

  StartBuildLambda:
    Type: AWS::Lambda::Function
    Properties:
      ReservedConcurrentExecutions: 1
      Code:
        ZipFile: |
          # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
          # SPDX-License-Identifier: MIT-0
          import json
          import boto3
          import cfnresponse

          cb = boto3.client("codebuild")

          def lambda_handler(event, context):
              try:
                  response_status = cfnresponse.SUCCESS

                  if 'RequestType' in event and event['RequestType'] == 'Create':
                      cb.start_build(projectName=event['ResourceProperties']['ProjectName'])
                      
                  cfnresponse.send(event, context, response_status, {}, '')

              except Exception as e:
                  print(str(e))
                  cfnresponse.send(event, context, cfnresponse.FAILED, {}, physicalResourceId=event.get('PhysicalResourceId'), reason=str(e))

      Description: Start CodeBuild project
      Handler: index.lambda_handler
      MemorySize: 128
      Role: !GetAtt StartBuildLambdaExecutionRole.Arn 
      Runtime: python3.8
      Timeout: 120

  StartBuild:
    Type: Custom::StartBuild
    Properties:
      ServiceToken: !GetAtt StartBuildLambda.Arn
      ProjectName: !Ref CfnTemplatePackageProject

  CodeBuildServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: '/service-role/'
      Policies:
        - PolicyName: CodeBuildServiceRoleInLinePolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              -
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'
                Effect: 'Allow'
              -
                Action:
                  - 's3:*Object'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketAcl'
                  - 's3:GetBucketLocation'
                  - 's3:ListBucket'
                  - 's3:PutObjectTagging'
                  - 's3:CreateBucket'
                Resource: 
                  - !Sub 'arn:aws:s3:::${S3BucketName}'
                  - !Sub 'arn:aws:s3:::${S3BucketName}/*'
                Effect: 'Allow'
              -
                Action:
                  - 'codebuild:CreateReportGroup'
                  - 'codebuild:CreateReport'
                  - 'codebuild:UpdateReport'
                  - 'codebuild:BatchPutTestCases'
                  - 'codebuild:BatchPutCodeCoverages'
                Resource: !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*'
                Effect: 'Allow'

  CfnTemplatePackageProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Description: !Sub 'Packaging CFN templates into ${S3BucketName}'
      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
      Artifacts: 
        Type: NO_ARTIFACTS
      Environment:
        Type: 'LINUX_CONTAINER'
        ComputeType: 'BUILD_GENERAL1_SMALL'
        Image: 'aws/codebuild/amazonlinux2-x86_64-standard:3.0'
        EnvironmentVariables:
          - Name: 'S3_BUCKET_NAME'
            Value: !Ref S3BucketName
          - Name: 'DEPLOYMENT_REGION'
            Value: !Ref AWS::Region
      Source:
        Type: S3
        Location: !Sub '${S3BucketName}/amazon-sagemaker-reusable-components/amazon-sagemaker-reusable-components.zip'
        BuildSpec: buildspec-package-cfn.yml
      LogsConfig:
        CloudWatchLogs:
          Status: 'ENABLED'
      TimeoutInMinutes: 5