AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create the Media Lambda for the Automatic Ads Solution
Parameters:
  EnvironmentSuffix:
    Type: String
    Default: dev
  SolutionName:
    Type: String
    Default: automads-solution
  DynamoDBMetadataTable:
    Type: 'String'
  DynamoDBMetadataTableArn:
    Type: 'String'

Resources:
  AdProfilesBucket:
    DependsOn: BucketPermission
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${EnvironmentSuffix}-${SolutionName}-ads-bucket"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
      NotificationConfiguration:
        LambdaConfigurations:
          -
            Event: 's3:ObjectCreated:*'
            Function: !GetAtt Function.Arn
            Filter:
              S3Key:
                Rules:
                  - Name: Suffix
                    Value: '.vmap.xml'
      Tags:
        -
          Key: 'Stack'
          Value: !Sub ${AWS::StackName}
        -
          Key: 'Environment'
          Value: !Ref EnvironmentSuffix

  AdProfilesBucketPolicy: 
    Type: AWS::S3::BucketPolicy
    Properties: 
      Bucket: 
        Ref: "AdProfilesBucket"
      PolicyDocument: 
        Statement: 
          - 
            Action: 
              - "s3:*"
            Effect: "Deny"
            Resource: 
              Fn::Join: 
                - ""
                - 
                  - "arn:aws:s3:::"
                  - 
                    Ref: "AdProfilesBucket"
                  - "/*"
            Principal: "*"
            Condition: 
              Bool: 
                aws:SecureTransport: "false"

  BucketPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: 'lambda:InvokeFunction'
      FunctionName: !GetAtt Function.Arn
      Principal: s3.amazonaws.com
      SourceAccount: !Ref "AWS::AccountId"
      SourceArn: !Sub arn:aws:s3:::${EnvironmentSuffix}-${SolutionName}-ads-bucket
  MediaLambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: access-mediatailor
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: 
                  - 'mediatailor:PutPlaybackConfiguration'
                  - 'mediatailor:TagResource'
                Resource: 'arn:aws:mediatailor:*:*:playbackConfiguration/*'
        - PolicyName: access-metadata-table
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: 
                  - 'dynamodb:GetItem'
                  - 'dynamodb:UpdateItem'
                Resource: !Ref DynamoDBMetadataTableArn
  Function:
    Type: AWS::Lambda::Function
    Properties:
      Code: '../functions/media-lambda/dist/media-lambda.zip'
      Description: 'Lambda Function that triggers MediaTailor job'
      Environment:
        Variables:
          METADATA_TABLE: !Ref DynamoDBMetadataTable
      FunctionName: !Sub ${EnvironmentSuffix}-${SolutionName}-media-lambda
      Handler: media-lambda.lambda_handler
      MemorySize: 512
      Role: !GetAtt MediaLambdaExecutionRole.Arn
      Runtime: python3.6
      Tags:
        -
          Key: 'Stack'
          Value: !Sub ${AWS::StackName}
      Timeout: 30

Outputs:
  MediaLambdaExecutionRoleArn:
    Value: !GetAtt MediaLambdaExecutionRole.Arn
  AdProfilesBucket:
    Value: !Ref AdProfilesBucket
    Description: Bucket for Ads Profiles (VMAPs) storage