AWSTemplateFormatVersion: 2010-09-09
Description: A Cloudformation template to create Kendra resources. (qs-1qu380l4b)

Parameters: 
  QSS3KeyPrefix:
    Type: String
    Description: The S3 key name prefix used for your copy of Quick Start assets
    Default: quickstart-quantiphi-lex-kendra-backend/
    AllowedPattern: ^[0-9a-zA-Z-/]*$
  
  KendraS3BucketName:
    AllowedPattern: ^[a-z0-9][a-z0-9-.]*$
    Description: The name of the S3 bucket which has the Kendra docs for syncing
    Type: String

  KendraIndexName:
    Description: The name of the Kendra Index
    Type: String
    Default: Lex-Kendra-Bot-Index

  KendraIndexEdition:
    Description: Kendra Index Edition (DEVELOPER_EDITION or ENTERPRISE_EDITION)
    Type: String
    AllowedValues: 
      - DEVELOPER_EDITION
      - ENTERPRISE_EDITION
    Default: DEVELOPER_EDITION

  KendraDataSourceName:
    Description: The name of sata source for the Kendra Index
    Type: String
    Default: lex-kendra-bot-data-source

  KendraFAQName:
    Description: The name of FAQs for the Kendra Index
    Type: String
    Default: lex-kendra-bot-faqs

  KendraFAQFileKey:
    AllowedPattern: ^.*.csv$
    Description: The file where FAQs are stored for the Kendra Index
    Type: String

  ArtifactsS3BucketName:
    AllowedPattern: ^[a-z0-9][a-z0-9-.]*$
    Description: The name of S3 Bucket in which Lambda code is present
    Type: String

Resources: 
  KendraIndexIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - lambda.amazonaws.com
            - kendra.amazonaws.com
            - s3.amazonaws.com
          Action:
          - sts:AssumeRole

  KendraIndexIAMPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Join
        - ''
        - - !Ref 'KendraIndexIAMRole'
          - _policy
      Roles:
      - Ref: KendraIndexIAMRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action:
          - "logs:CreateLogGroup"
          - "logs:CreateLogStream"
          - "logs:PutLogEvents"
          Resource:
           !Sub "arn:${AWS::Partition}:logs:*:*:*"
        - Effect: Allow
          Action:
          - "s3:GetObject"
          - "s3:ListBucket"
          - "s3:HeadBucket"
          Resource:
          - !Sub "arn:${AWS::Partition}:s3:::${ArtifactsS3BucketName}"
          - !Sub "arn:${AWS::Partition}:s3:::${ArtifactsS3BucketName}/*"
          - !Sub "arn:${AWS::Partition}:s3:::${KendraS3BucketName}"
          - !Sub "arn:${AWS::Partition}:s3:::${KendraS3BucketName}/*"
        - Effect: Allow
          Action:
          - "kendra:CreateIndex"
          Resource:
          - "*"
        - Effect: Allow
          Action:
          - "kendra:DeleteIndex"
          - "kendra:CreateDataSource"
          - "kendra:DescribeIndex"
          - "kendra:StartDataSourceSyncJob"
          - "kendra:CreateFaq"
          - "kendra:TagResource"
          - "kendra:UntagResource"
          Resource:
          - !Sub "arn:${AWS::Partition}:kendra:${AWS::Region}:${AWS::AccountId}:index/*"
          - !Sub "arn:${AWS::Partition}:kendra:${AWS::Region}:${AWS::AccountId}:index/*/data-source/*"
          - !Sub "arn:${AWS::Partition}:kendra:${AWS::Region}:${AWS::AccountId}:index/*/faq/*"
        - Effect: Allow
          Action:
          - "iam:GetRole"
          - "iam:PassRole"
          Resource:
          - !GetAtt KendraIndexIAMRole.Arn
        - Effect: Allow
          Action:
          - "lambda:InvokeFunction"
          - "lambda:AddPermission"
          - "lambda:RemovePermission"
          Resource:
          - !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*"
        - Effect: Allow
          Action:
          - "events:PutRule"
          - "events:DeleteRule"
          - "events:PutTargets"
          - "events:RemoveTargets"
          Resource:
          - !Sub "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*"

  KendraOperationsFunction:
    DependsOn:
    - KendraIndexIAMPolicy
    Type: AWS::Lambda::Function
    Properties:
      Layers: [!Ref CrHelperLayer]
      Runtime: python3.6          
      Timeout: 900
      Role: !GetAtt KendraIndexIAMRole.Arn
      MemorySize: 256
      Handler: kendra_custom_resource.lambda_handler
      Code:
        S3Bucket: !Ref ArtifactsS3BucketName
        S3Key: !Sub "${QSS3KeyPrefix}functions/packages/kendra_custom_resource/kendra_custom_resource.zip"
      Description: Lambda backed Custom Resource for Kendra Index Operations

  CrHelperLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      CompatibleRuntimes:
        - python3.6
        - python3.7
      Content:
        S3Bucket: !Ref ArtifactsS3BucketName
        S3Key: !Sub "${QSS3KeyPrefix}functions/packages/lambda_layers/lambda_layers.zip"
  
  KendraCustomResource: 
    Type: Custom::KendraCustomResource
    Properties:
      ServiceToken: !GetAtt KendraOperationsFunction.Arn
      IndexRoleArn: !GetAtt KendraIndexIAMRole.Arn
      IndexName: !Ref KendraIndexName
      Edition: !Ref KendraIndexEdition
      DataSourceName: !Ref KendraDataSourceName
      KendraS3Bucket: !Ref KendraS3BucketName
      DataSourceRoleArn: !GetAtt KendraIndexIAMRole.Arn
      FAQName: !Ref KendraFAQName
      FAQRoleArn: !GetAtt KendraIndexIAMRole.Arn
      FAQFileKey: !Ref KendraFAQFileKey

Outputs:
  
  LambdaFunctionARN:
    Description: ARN of Lambda Function used for Kendra Index Custom Resource Operations
    Value: !GetAtt KendraOperationsFunction.Arn

  KendraIndexID:
    Description: Index ID for the Kendra Index
    Value: !GetAtt KendraCustomResource.KendraIndexId
    Export:
      Name: "KendraIndexID"