AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: S3-to-EventBridge Integration 3 - Multiple Buckets

Parameters:
  MultiBucketName:
    Type: String
    Default: patterns-s3-eventbridge-multi

  LoggingBucketName:
    Type: String
    Default: patterns-s3-eventbridge-ct-logs-3

Resources:
  # Bucket for CloudTrail Logs
  MultiBucket1:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${MultiBucketName}-1

  MultiBucket2:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${MultiBucketName}-2

  MultiBucket3:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${MultiBucketName}-3

  LoggingBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref LoggingBucketName

  # Bucket policy enables CloudTrail to write to the logging bucket
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LoggingBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt LoggingBucket.Arn
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub ${LoggingBucket.Arn}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control

  # The CloudTrail trail - uses the LoggingBucketName as the trail name
  myTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn: BucketPolicy
    Properties:
      TrailName: !Ref LoggingBucketName
      S3BucketName: !Ref LoggingBucket
      IsLogging: true
      IsMultiRegionTrail: false
      EventSelectors:
        - IncludeManagementEvents: false
          DataResources:
            - Type: AWS::S3::Object
              Values:
                - !Sub ${MultiBucket1.Arn}/
                - !Sub ${MultiBucket2.Arn}/
                - !Sub ${MultiBucket3.Arn}/
      IncludeGlobalServiceEvents: false

  ### This section configures the consuming Lambda function ###

  # Lambda function
  EventConsumerFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: eventConsumer/
      Handler: app.handler
      Runtime: nodejs14.x

  # EventBridge rule - invokes EventConsumerFunction 
  EventRule:
    Type: AWS::Events::Rule
    Properties:
      Description: EventRule
      State: ENABLED
      EventPattern:
        source:
          - aws.s3
        detail:
          eventName:
            - PutObject
          requestParameters:
            bucketName:
              - !Ref MultiBucket1
              - !Ref MultiBucket2
              - !Ref MultiBucket3
      Targets:
        - Arn: !GetAtt EventConsumerFunction.Arn
          Id: EventConsumerFunctionTarget

  PermissionForEventsToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref EventConsumerFunction
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt EventRule.Arn