
@incdevco/framework

{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "event log stack", "Parameters": { "Stage": { "Description": "stage of the stack", "Type": "String" } }, "Conditions": { "IsDevelopment": {"Fn::Not": [{"Fn::Equals": [{"Ref": "Stage"}, "production"]}]}, "IsProduction": {"Fn::Equals": [{"Ref": "Stage"}, "production"]} }, "Mappings": {}, "Resources": { "Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "AccessControl": "Private" } }, "LogSubscriptionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": {"Fn::Join": ["", [ "logs.", {"Ref": "AWS::Region"}, ".amazonaws.com" ]]} }, "Action": "sts:AssumeRole" } ] }, "ManagedPolicyArns": [], "Path": "/", "Policies": [] } }, "LogSubscriptionPolicy": { "Type": "AWS::IAM::Policy", "DependsOn": [ "LogSubscriptionRole" ], "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect":"Allow", "Action":[ "firehose:*" ], "Resource":[ {"Fn::Join": ["", [ "arn:aws:firehose:", {"Ref": "AWS::Region"}, ":", {"Ref": "AWS::AccountId"}, ":*" ]]} ] }, { "Effect":"Allow", "Action":[ "iam:*" ], "Resource":[ {"Fn::GetAtt": ["LogSubscriptionRole", "Arn"]} ] } ] }, "PolicyName": "FirehosePermissions", "Roles": [ {"Ref": "LogSubscriptionRole"} ] } }, "Firehose": { "Type": "AWS::KinesisFirehose::DeliveryStream", "Properties": { "S3DestinationConfiguration": { "BucketARN": {"Fn::Join": ["", [ "arn:aws:s3:::", {"Ref": "Bucket"} ]]}, "BufferingHints": { "IntervalInSeconds": 300, "SizeInMBs": 5 }, "CompressionFormat": "GZIP", "EncryptionConfiguration": { "NoEncryptionConfig": "NoEncryption" }, "Prefix": "", "RoleARN": {"Fn::GetAtt": ["Role", "Arn"]} } } }, "Role": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "firehose.amazonaws.com" }, "Action": 
"sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": {"Ref": "AWS::AccountId"} } } } ] }, "Path": "/", "Policies": [ { "PolicyName": "event-log-role", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutObject" ], "Resource": [ {"Fn::Join": ["", [ "arn:aws:s3:::", {"Ref": "Bucket"} ]]}, {"Fn::Join": ["", [ "arn:aws:s3:::", {"Ref": "Bucket"}, "/*" ]]}, "arn:aws:s3:::%FIREHOSE_BUCKET_NAME%", "arn:aws:s3:::%FIREHOSE_BUCKET_NAME%/*" ] }, { "Sid": "", "Effect": "Allow", "Action": [ "lambda:InvokeFunction", "lambda:GetFunctionConfiguration" ], "Resource": {"Fn::Join": ["", [ "arn:aws:lambda:", {"Ref": "AWS::Region"}, ":", {"Ref": "AWS::AccountId"}, ":function:%FIREHOSE_DEFAULT_FUNCTION%:%FIREHOSE_DEFAULT_VERSION%" ]]} }, { "Sid": "", "Effect": "Allow", "Action": [ "logs:PutLogEvents" ], "Resource": [ {"Fn::Join": ["", [ "arn:aws:logs:", {"Ref": "AWS::Region"}, ":", {"Ref": "AWS::AccountId"}, ":log-group:/aws/kinesisfirehose/*" ]]} ] } ] } } ] } } }, "Outputs": { "EventLogArn": { "Value": {"Fn::Join": ["", [ "arn:aws:firehose:", {"Ref": "AWS::Region"}, ":", {"Ref": "AWS::AccountId"}, ":deliverystream/", {"Ref": "Firehose"} ]]} }, "EventLogSubscriptionRoleArn": { "Value": {"Fn::GetAtt": ["LogSubscriptionRole", "Arn"]} } } }