AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: Uses Kinesis Firehose to fanout SNS notifications to S3.


Parameters:
  DestinationBucketName:
    Type: String
    
Resources:
  
  ########## DESTINATION S3 BUCKET ###########
  DestinationBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref DestinationBucketName

  ########## KINESIS DATA FIREHOSE ###########
  DeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    DependsOn:
      - DeliveryStreamPolicy
    Properties:
      DeliveryStreamType: "DirectPut"
      ExtendedS3DestinationConfiguration:
        BucketARN: !GetAtt DestinationBucket.Arn
        BufferingHints:
          SizeInMBs: 1
          IntervalInSeconds: 60
        CloudWatchLoggingOptions:
          Enabled: true
          LogGroupName: "/aws/kinesisfirehose/ibcd"
          LogStreamName: "S3Delivery"
        CompressionFormat: "GZIP"
        EncryptionConfiguration:
          NoEncryptionConfig: "NoEncryption"
        Prefix: ""
        RoleARN: !GetAtt DeliveryStreamRole.Arn

  ########## SNS TOPIC ###########
  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: SourceSNSTopic
      FifoTopic: False

  SNSSubscription:
    Type: AWS::SNS::Subscription
    DependsOn: 
      - SNSTopic
      - SNSSubscriptionRole
      - DeliveryStream
    Properties: 
      Protocol: firehose
      Endpoint: !GetAtt DeliveryStream.Arn
      TopicArn: !Ref SNSTopic
      SubscriptionRoleArn: !GetAtt SNSSubscriptionRole.Arn

  ########## POLICIES ##########
  SNSFirehoseAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref SNSSubscriptionRole
      PolicyName: SNS_Firehose_access_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - firehose:DescribeDeliveryStream
              - firehose:ListDeliveryStreams
              - firehose:ListTagsForDeliveryStream
              - firehose:PutRecord
              - firehose:PutRecordBatch
            Resource:
              - !GetAtt DeliveryStream.Arn

  DeliveryStreamPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref DeliveryStreamRole
      PolicyName: firehose_delivery_policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - s3:AbortMultipartUpload
              - s3:GetBucketLocation
              - s3:GetObject
              - s3:ListBucket
              - s3:ListBucketMultipartUploads
              - s3:PutObject
            Resource:
              - !Sub 'arn:aws:s3:::${DestinationBucket}'
              - !Sub 'arn:aws:s3:::${DestinationBucket}/*'

  ########## ROLES ###########
  SNSSubscriptionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action: sts:AssumeRole

  DeliveryStreamRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: firehose.amazonaws.com
            Action: sts:AssumeRole