AWSTemplateFormatVersion: 2010-09-09
Description: >-
  This template deploys the resources required to retain resource tags during AWS Backup restore jobs.
  It should be deployed to the AWS account and Region where you intend to restore resource.  
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Tag Replicator Configuration
        Parameters: 
            - pStackBinaryURL
            - pTagsToExcludeInCopy
    ParameterLabels:
      pStackBinaryURL:
        default: The URL for the StackBinary Zip File
      pTagsToExcludeInCopy:
        default: The Comma separated list of tags to exclude from copy operation        
Parameters:
  TagOnRestoreFunctionForAWSBackupLambdaRoleName:
    Description: The name of the role used by the TagOnRestoreFunctionForAWSBackup Lambda function
    Type: String
    Default: TagOnRestoreFunctionForAWSBackup
  pTagsToExcludeInCopy:
    Description: The Comma separated list of tags to exclude from copy operation
    Type: String    
    Default: 'aws:backup:source-resource'
  S3DeploymentBucketName:
    Description: Enter the Amazon S3 bucket name prefix that contains the AWS Lambda deployment package
    Type: String
  S3DeploymentPackage:
    Description: Enter the Amazon S3 key name for your AWS Lambda deployment package
    Type: String
  HomeAccountParameterStore:
    Description: Home Account Number for Backup and Recovery with AWS Backup solution
    Type: String


Resources:
  rAWSBackupEventBridgeRule:
    Type: AWS::Events::Rule
    Properties: 
      Description: EventBridge rule to match AWS Backup events to trigger tag replicator Lambda function.
      State: "ENABLED"
      EventPattern: 
        source:
          - 'aws.backup'
        detail-type:
          - 'Restore Job State Change'
        detail:
          status: 
              - 'COMPLETED'
      Targets: 
        - Arn: !GetAtt TagOnRestoreFunctionForAWSBackupLambda.Arn
          Id: "ProcessAWSBackupEventsUsingLambda" 

  rAWSBackupEventBridgeRuleInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref TagOnRestoreFunctionForAWSBackupLambda
      Principal: events.amazonaws.com
      SourceArn: !Sub ${rAWSBackupEventBridgeRule.Arn} 
          

  TagOnRestoreFunctionForAWSBackupLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: Function to manage AWS Backup events and trigger replicator code
      Handler: lambda_handler.handler
      Role: !Sub "arn:aws:iam::${AWS::AccountId}:role/${TagOnRestoreFunctionForAWSBackupLambdaRoleName}"
      Runtime: python3.7
      MemorySize: 1024
      Timeout: 600
      Code:
        S3Bucket: !Sub "${S3DeploymentBucketName}-${HomeAccountParameterStore}-${AWS::Region}"
        S3Key: !Sub "lambda/${S3DeploymentPackage}"
      Environment:
        Variables:
          TagOnRestoreStackId: !Ref AWS::StackId
          TagOnRestoreTagsToExclude: !Ref pTagsToExcludeInCopy




Outputs:
  oStackName:
    Value: !Ref AWS::StackName