AWSTemplateFormatVersion:  2010-09-09

Description: 'This template creates an S3 Bucket and Kinesis Firehose Delivery Stream that uses SES Config Set to ingest events on S3'

Resources:    
  s3BucketSESEvents:
    Type: AWS::S3::Bucket
    Properties:
      LoggingConfiguration: 
        DestinationBucketName:
          !Join
            - ''
            - - 'aws-s3-ses-analytics-'
              - !Ref AWS::AccountId
        LogFilePrefix: access-logs      
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: 
        !Join
          - ''
          - - 'aws-s3-ses-analytics-'
            - !Ref AWS::AccountId

  S3SESEventsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref s3BucketSESEvents
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - 
            Action:
              - s3:GetObject
              - s3:ListBucket
              - s3:PutObject
            Effect: Allow
            Resource:
              - !Sub arn:aws:s3:::${s3BucketSESEvents}
              - !Sub arn:aws:s3:::${s3BucketSESEvents}/*
            Principal:
              AWS: !GetAtt ConfigSetPermissionPutFirehose.Arn
  
  firehoseSESRole:
    Type: AWS::IAM::Role
    Properties:
        AssumeRolePolicyDocument:
            Version: 2012-10-17
            Statement:
            -
                Effect: Allow
                Principal:
                    Service: firehose.amazonaws.com
                Action: 'sts:AssumeRole'
                Condition:
                    StringEquals:
                     'sts:ExternalId': !Ref 'AWS::AccountId'
        Policies:
          -
            PolicyName: !Join
                - ''
                - - 'aws-ses-analytics-kinesis-policy-'
                  - !Ref AWS::StackName
            PolicyDocument:
                Version: 2012-10-17
                Statement:
                - 
                    Effect: Allow
                    Action:
                        - 's3:AbortMultipartUpload'
                        - 's3:GetBucketLocation'
                        - 's3:GetObject'
                        - 's3:ListBucket'
                        - 's3:ListBucketMultipartUploads'
                        - 's3:PutObject'
                        - 'lambda:InvokeFunction' 
                        - 'lambda:GetFunctionConfiguration'  
                    Resource:
                    - !Join 
                        - ''
                        - - 'arn:aws:s3:::'
                          - !Ref s3BucketSESEvents
                    - !Join 
                        - ''
                        - - 'arn:aws:s3:::'
                          - !Ref s3BucketSESEvents
                          - '*'
  firehoseDeliveryStream: 
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamEncryptionConfigurationInput:
        KeyType: AWS_OWNED_CMK 
      DeliveryStreamName: 
        !Join
          - ''
          - - 'aws-ses-analytics-kinesis-'
            - !Ref AWS::AccountId
      ExtendedS3DestinationConfiguration:
        BucketARN: !Join 
          - ''
          - - 'arn:aws:s3:::'
            - !Ref s3BucketSESEvents
        CompressionFormat: UNCOMPRESSED
        Prefix: raw/
        RoleARN: !GetAtt firehoseSESRole.Arn

  ConfigSetPermissionPutFirehose:
    Type: AWS::IAM::Role
    Properties: 
        AssumeRolePolicyDocument: 
          Version: "2012-10-17"
          Statement: 
          - 
            Effect: "Allow"
            Principal: 
                Service: ses.amazonaws.com
            Action: sts:AssumeRole
        Path: '/service-role/'
        Policies: 
          - 
            PolicyName: !Join
                - ''
                - - 'AWS-ses-config-set-destination-'
                  - !Ref AWS::StackName
            PolicyDocument:
                Version: '2012-10-17'
                Statement:
                    - 
                      Effect: Allow
                      Action:
                          - firehose:PutRecord
                          - firehose:PutRecordBatch
                      Resource: 
                        - !Join 
                          - ''
                          - - 'arn:aws:firehose:'
                            - !Ref AWS::Region
                            - ':'
                            - !Ref AWS::AccountId
                            - ':deliverystream/'
                            - !Join
                              - ''
                              - - 'aws-ses-analytics-kinesis-'
                                - !Ref AWS::AccountId

Outputs:
  KinesisFireHoseDeliveryStream:
    Description: 'Kinesis Delivery Stream'
    Value: !GetAtt firehoseDeliveryStream.Arn
  ConfigSetPermissionPutFirehose:
    Description: 'IAM Service Role for Configuration Set Destination S3 Put'
    Value: !GetAtt ConfigSetPermissionPutFirehose.Arn