AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Creates a Lambda function that audits for dangling DNS records in the AWS Organization and writes output to an S3 bucket
Parameters:
  DestinationBucketName:
    Type: String
Resources:
  DestinationBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName:
        Ref: DestinationBucketName
      AccessControl: Private
      LoggingConfiguration:
        DestinationBucketName:
          Ref: LoggingBucket
        LogFilePrefix: access-logs
      BucketEncryption:
        ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: TRUE
        IgnorePublicAcls: TRUE
        BlockPublicPolicy: TRUE
        RestrictPublicBuckets: TRUE
      VersioningConfiguration:
        Status: Enabled
    Metadata:
      SamResourceId: DestinationBucket
  LoggingBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName:
        Fn::Sub: ${DestinationBucketName}-logging
      AccessControl: LogDeliveryWrite
      BucketEncryption:
        ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: TRUE
        IgnorePublicAcls: TRUE
        BlockPublicPolicy: TRUE
        RestrictPublicBuckets: TRUE
      VersioningConfiguration:
        Status: Enabled
    Metadata:
      SamResourceId: LoggingBucket
  LoggingBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: LoggingBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Action:
          - s3:GetObject
          - s3:PutObject
          Effect: Allow
          Resource:
            Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: LoggingBucket
              - /*
          Principal:
            AWS:
              Fn::Sub: arn:aws:iam::${AWS::AccountId}:root
    Metadata:
      SamResourceId: LoggingBucketPolicy
  DestinationBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: DestinationBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Action:
          - s3:GetObject
          - s3:PutObject
          Effect: Allow
          Resource:
            Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: DestinationBucket
              - /*
          Principal:
            AWS:
              Fn::Sub: arn:aws:iam::${AWS::AccountId}:root
    Metadata:
      SamResourceId: DestinationBucketPolicy
  DanglingDNSAuditFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: s3://aws-sam-cli-managed-default-samclisourcebucket-18md3jms38zsh/sam-app/a89429587d59de4f6a84ea7b60f3ea04
      Handler: app.lambda_handler
      Runtime: python3.9
      MemorySize: 128
      Timeout: 300
      Role:
        Fn::Sub: arn:aws:iam::${AWS::AccountId}:role/aws-controltower-AuditReadOnlyRole
      Architectures:
      - arm64
      Environment:
        Variables:
          DestinationBucketName:
            Ref: DestinationBucketName
    Metadata:
      SamResourceId: DanglingDNSAuditFunction