---
AWSTemplateFormatVersion: "2010-09-09"

Description:
  Creates the IAM role needed to complete the VOD MediaConvert workshop.
  The role's S3 permissions should be restricted to the input/output
  bucket(s); anything broader is acceptable only in a throwaway lab account.

  Creates a bucket to store inputs and outputs for MediaConvert, and a role to
  pass to MediaConvert so it can access that bucket and the other account
  resources it needs to process jobs from the console and API. For the lab,
  the bucket is website-enabled and publicly readable so that output videos
  can be played as web resources.

# Disabled: this stack creates the bucket itself (see the MediaBucket resource).
# If re-enabled, rename the parameter — a parameter and a resource cannot both
# use the logical ID "MediaBucket".
#Parameters:
  #MediaBucket:
  #  Type: String
  #  Description:
  #    The name of the bucket you want to use for MediaConvert
  #    inputs and outputs, e.g. 'vod-yourname'.

Resources:
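  MediaConvertRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-MediaConvertRole"
      # Trust policy: only the MediaConvert service may assume this role, and
      # only when acting for this account. The aws:SourceAccount condition
      # closes the cross-service confused-deputy hole, where a MediaConvert job
      # in another account names this role's ARN and the service assumes it
      # here. (aws:SourceArn could tighten this further — confirm the
      # MediaConvert ARN form for this region before adding it.)
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                # mediaconvert.amazonaws.com is the documented service
                # principal; the regional names were carried over from the
                # original sample (the duplicated us-east-1 entry was dropped).
                - mediaconvert.amazonaws.com
                - mediaconvert.ap-northeast-1.amazonaws.com
                - mediaconvert.ap-southeast-1.amazonaws.com
                - mediaconvert.ap-southeast-2.amazonaws.com
                - mediaconvert.eu-central-1.amazonaws.com
                - mediaconvert.eu-west-1.amazonaws.com
                - mediaconvert.us-east-1.amazonaws.com
                - mediaconvert.us-west-1.amazonaws.com
                - mediaconvert.us-west-2.amazonaws.com
            Action:
              - sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-MediaConvertPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # S3 access is scoped to the bucket this stack creates: the
              # bucket ARN covers bucket-level actions (List*, GetBucketLocation),
              # the object ARN covers Get/Put. Stage workshop inputs in that
              # bucket; if jobs must read from another bucket, add its ARNs here
              # rather than reopening Resource "*". The action list can be
              # narrowed further once the lab's exact needs are confirmed.
              - Effect: Allow
                Action:
                  - s3:*
                Resource:
                  - !GetAtt MediaBucket.Arn
                  - !Sub "${MediaBucket.Arn}/*"
              # Carried over from the original sample. It is not clear from the
              # template which of these wildcards the service role actually
              # exercises — review against the lab before reusing this role.
              - Effect: Allow
                Action:
                  - autoscaling:Describe*
                  - cloudwatch:*
                  - logs:*
                  - sns:*
                Resource:
                  - "*"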

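  MediaBucket:
    Type: AWS::S3::Bucket
    # Kept on stack delete so lab outputs are not destroyed with the stack;
    # the 7-day lifecycle rule below stops the retained bucket from growing.
    DeletionPolicy: Retain
    Properties:
      # Encrypt objects at rest with S3-managed keys. SSE-S3 needs no extra
      # permissions on the MediaConvert role (SSE-KMS would).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Public read is granted deliberately, via MediaBucketPolicy, so the lab
      # can play outputs from the website endpoint. Block Public Access is
      # therefore set explicitly: ACL-based public access stays blocked, while
      # a public bucket policy is permitted. With S3's current default (all
      # four settings on) the public policy would otherwise be rejected.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: false
        RestrictPublicBuckets: false
      WebsiteConfiguration:
        IndexDocument: index.html
      # Read-only cross-origin access so browsers on other origins can fetch
      # the rendered video; no write methods are exposed.
      CorsConfiguration:
        CorsRules:
          - Id: myCORSRuleId1
            AllowedOrigins: ['*']
            AllowedMethods: [GET]
            AllowedHeaders: ['*']
            ExposedHeaders: [Date]
            MaxAge: 3600
      # Lab content is short-lived: expire every object after a week.
      LifecycleConfiguration:
        Rules:
          - Id: ExpireRule
            Status: Enabled
            ExpirationInDays: 7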

  MediaBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MediaBucket
      # Anonymous read of objects (not of the bucket listing) so outputs can
      # be played from the S3 website endpoint. No aws:SecureTransport deny is
      # added here because the website endpoint is served over plain HTTP.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: s3:GetObject
            Resource: !Sub "arn:aws:s3:::${MediaBucket}/*"

Outputs:
  # Bucket name for staging inputs and collecting outputs.
  MediaBucket:
    Description: Name of the S3 bucket used for MediaConvert inputs and outputs
    Value:
      Ref: MediaBucket
  # The role passed to MediaConvert, by name and by ARN.
  MediaConvertRole:
    Description: Name of the IAM role passed to MediaConvert
    Value:
      Ref: MediaConvertRole
  MediaConvertRoleArn:
    Description: ARN of the IAM role passed to MediaConvert
    Value:
      Fn::GetAtt: [MediaConvertRole, Arn]