AWSTemplateFormatVersion: "2010-09-09"
Description: "Content Localization on AWS %%VERSION%% - Opensearch Consumer stack"

Parameters:
  NodeType:
    Description: "The node type to be provisioned for the Opensearch cluster"
    Type: String
    Default: "t3.small.search"
    AllowedValues:
      - "t3.small.search"
      - "m4.large.search"
      - "m4.xlarge.search"
      - "c4.large.search"
      - "c4.xlarge.search"
      - "r4.large.search"
      - "r4.xlarge.search"
    ConstraintDescription: "must be a valid Opensearch node type."
  NodeCount:
    Description: "The number of nodes in the Opensearch cluster."
    Type: Number
    Default: 2
  MieDataplaneBucket:
    Type: String
    Description: "Name of the dataplane bucket"
  AnalyticsStreamArn:
    Description: "Arn of the Media Insights on AWS kinesis data stream"
    Type: String
  MieKMSArn:
    Description: ARN of the Media Insights KMS Key
    Type: String

Mappings:
  SourceCode:
    General:
      RegionalS3Bucket: '%%REGIONAL_BUCKET_NAME%%'
      KeyPrefix: "content-localization-on-aws/%%VERSION%%"

Resources:
  # Opensearch cluster

  # TODO: Best Practice - Resource found with an explicit name, this disallows updates that require replacement of this resource

  OpensearchServiceDomain:
    Type: "AWS::OpenSearchService::Domain"
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W90
            reason: "This resource does not need to access any other resource provisioned within a VPC."
    Properties:
      EBSOptions:
        EBSEnabled: true
        Iops: 0
        VolumeSize: 10
        VolumeType: gp2
      EncryptionAtRestOptions:
        Enabled: true
      NodeToNodeEncryptionOptions:
        Enabled: true
      ClusterConfig:
        DedicatedMasterEnabled: false
        InstanceCount:
          !Ref NodeCount
        ZoneAwarenessEnabled: false
        InstanceType:
          !Ref NodeType
      EngineVersion: Elasticsearch_7.10
      SnapshotOptions:
        AutomatedSnapshotStartHour: 0

  # open search consumer lambda

  OpensearchConsumerLambda:
    Type: "AWS::Lambda::Function"
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "This resource does not need to access any other resource provisioned within a VPC."
          - id: W92
            reason: "This function does not performance optimization, so the default concurrency limits suffice."
    Properties:
      Handler: "lambda_handler.lambda_handler"
      Role: !GetAtt StreamConsumerRole.Arn
      Code:
        S3Bucket: !Join ["-", [!FindInMap ["SourceCode", "General", "RegionalS3Bucket"], Ref: "AWS::Region"]]
        S3Key:
          !Join [
              "/",
            [
              !FindInMap ["SourceCode", "General", "KeyPrefix"],
              "esconsumer.zip",
            ],
          ]
      Runtime: "python3.7"
      Timeout: 900
      MemorySize: 2048
      Environment:
        Variables:
          EsEndpoint: !GetAtt OpensearchServiceDomain.DomainEndpoint
          DataplaneBucket: !Ref MieDataplaneBucket
          botoConfig: '{"user_agent_extra": "AwsSolution/SO0164/%%VERSION%%"}'

  # stream event mapping for lambda

  StreamingFunctionEventMapping:
    Type: "AWS::Lambda::EventSourceMapping"
    Properties:
      Enabled: true
      EventSourceArn: !Ref AnalyticsStreamArn
      FunctionName: !GetAtt OpensearchConsumerLambda.Arn
      StartingPosition: "LATEST"

  # IAM

  # TODO: Need to clean up this policy with regards to opensearch access
  StreamConsumerRole:
    Type: "AWS::IAM::Role"
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "Lambda requires ability to write to cloudwatch *, as configured in the default AWS lambda execution role."
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-ElasticKinesisAccessPolicy"
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - "kinesis:DescribeStream"
                  - "kinesis:GetShardIterator"
                  - "kinesis:GetRecords"
                Resource: !Ref AnalyticsStreamArn
              - Effect: Allow
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: !Join ["",["arn:aws:logs:", Ref: "AWS::Region", ":", Ref: "AWS::AccountId", ":log-group:*"]]
              - Effect: Allow
                Action:
                  - "es:ESHttpPost"
                  - "es:ESHttpPut"
                  - "es:ESHttpDelete"
                  - "es:ESHttpGet"
                Resource: !Join ["", [!GetAtt OpensearchServiceDomain.Arn, "/*"]]
              - Effect: Allow
                Action:
                  - "es:DescribeOpensearchDomain"
                  - "es:GetCompatibleOpensearchVersions"
                  - "es:DescribeOpensearchDomains"
                Resource: !GetAtt OpensearchServiceDomain.Arn
              - Effect: Allow
                Action:
                  - "s3:GetObject"
                  - "s3:PutObject"
                Resource: !Sub "arn:aws:s3:::${MieDataplaneBucket}/*"
              - Effect: Allow
                Action:
                  - "kms:GenerateDataKey*"
                  - "kms:DescribeKey"
                  - "kms:Encrypt"
                  - "kms:Decrypt"
                  - "kms:ReEncrypt*"
                Resource: !Ref MieKMSArn
Outputs:
  DomainEndpoint:
    Value: !GetAtt OpensearchServiceDomain.DomainEndpoint
  DomainArn:
    Value: !GetAtt OpensearchServiceDomain.Arn