AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: An Amazon SNS trigger that sends CloudWatch alarm notifications to Slack.

Parameters:
  AccountID:
    Type: String
    Description: "Account ID"
  
  ClusterRegion:
    Type: String
    Description: "Cluster Region"    

  KMSKeyID:
    Type: String
    Description: "KMS Key ID"

  FunctionName:
    Type: String
    Description: "Lambda Function Name"
  
  EncryptedURL:
    Type: String
    Description: "Encrypted URL"

  SlackChannel:
    Type: String
    Description: "Slack Channel"

Resources:
  # Define the SNS topic
  CloudwatchToSlackTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: lambda
          Endpoint: !GetAtt CloudwatchToSlackFn.Arn    

  # Provide permission for SNS to invoke the Lambda function
  CloudwatchToSlackPermission:
    Type: 'AWS::Lambda::Permission'
    Properties:
      Action: 'lambda:InvokeFunction'
      FunctionName: !Ref CloudwatchToSlackFn
      Principal: sns.amazonaws.com
      SourceArn: !Ref CloudwatchToSlackTopic
   
  # Define lambda function
  CloudwatchToSlackFn:
    Type: 'AWS::Serverless::Function'
    Properties:
      FunctionName: !Ref FunctionName
      Handler: lambda_function.lambda_handler
      Runtime: python3.7
      Description: >-
        An Amazon SNS trigger that sends CloudWatch alarm notifications to Slack.
      CodeUri: cloudwatch-to-slack-function.zip
      Policies:
      - Statement:
        - Sid: KMSKeyDecryptPolicy
          Effect: Allow
          Action:
          - kms:Decrypt
          Resource: 
            !Join
              - ''
              - - 'arn:aws:kms:'
                - !Ref ClusterRegion
                - ':'
                - !Ref AccountID
                - ':key/'
                - !Ref KMSKeyID
          Condition:
            StringEquals:
              "kms:EncryptionContext:LambdaFunctionName": !Ref FunctionName
      MemorySize: 128
      Timeout: 3
      Environment:
        Variables:
          kmsEncryptedHookUrl: !Ref EncryptedURL
          slackChannel: !Ref SlackChannel
      KmsKeyArn:
        !Join
          - ''
          - - 'arn:aws:kms:'
            - !Ref ClusterRegion
            - ':'
            - !Ref AccountID
            - ':key/'
            - !Ref KMSKeyID
      Tags:
        'lambda-console:blueprint': cloudwatch-alarm-to-slack-python
      RuntimeManagementConfig:
        UpdateRuntimeOn: Auto

Outputs:
  CloudwatchToSlackFnName:
    Description: Cloudwatch to Slack Lmabda function name
    Value: !Ref CloudwatchToSlackFn

  CloudwatchToSlackFnArn:
    Description: Cloudwatch to Slack Lmabda function ARN
    Value: !GetAtt CloudwatchToSlackFn.Arn
  
  CloudwatchToSlackTopicName:
    Description: Cloudwatch to Slack SNS Topic name
    Value: !GetAtt CloudwatchToSlackTopic.TopicName

  CloudwatchToSlackTopicArn:
    Description: Cloudwatch to Slack SNS Topic ARN
    Value: !Ref CloudwatchToSlackTopic