AWSTemplateFormatVersion: "2010-09-09"
Description: CFn Artifacts Bucket
# Both parameters use the AWS::SSM::Parameter::Value<String> type, so "Default"
# is the *name* of an SSM parameter that must already exist in the target
# account/region; CloudFormation reads its value at deploy time.
Parameters:
  # ARN of the CircleCI-side IAM principal that is trusted to assume
  # CircleCIDeployRole (used as the AWS principal in that role's trust policy).
  CircleCISourceAWSUserArn:
    Type: AWS::SSM::Parameter::Value<String>
    Default: CircleCISourceAWSUserArn
  # Value compared against sts:ExternalId in CircleCIDeployRole's trust policy.
  # It is the second factor guarding role assumption, so the SSM parameter it
  # comes from should be treated as sensitive and not readable by untrusted
  # principals.
  CircleCIDeployRoleExternalId:
    Type: AWS::SSM::Parameter::Value<String>
    Default: CircleCIDeployRoleExternalId
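Resources:
  # Staging bucket for packaged CloudFormation artifacts. Objects expire after
  # 7 days. Public access is blocked and objects are encrypted at rest (SSE-S3,
  # no KMS permissions needed by writers) so that a misconfigured ACL or bucket
  # policy cannot expose packaged deployment code.
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "bookmarks-artifacts-${AWS::AccountId}-${AWS::Region}"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: 7
            Status: Enabled

  # Topic for chat notifications; its ARN is published to SSM below so other
  # stacks can subscribe/publish without a cross-stack export.
  ChatBotSnsTopic:
    Type: AWS::SNS::Topic

  ChatBotSnsTopicArnParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: BookmarksChatBotSnsTopicArn
      Type: String
      Value: !Ref ChatBotSnsTopic

  # Role assumed by the CircleCI principal to run deployments. The trust policy
  # requires the ExternalId held in SSM; that parameter therefore must not be
  # readable by untrusted principals (see UnauthenticatedRole below).
  CircleCIDeployRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        # Quoted so YAML 1.1 parsers do not turn the version into a timestamp.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref CircleCISourceAWSUserArn
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref CircleCIDeployRoleExternalId
      ManagedPolicyArns:
        # NOTE(review): grants every S3 action on every bucket in the account.
        # If CI only uploads packaged artifacts, replace with an inline policy
        # limited to ArtifactBucket (s3:PutObject / s3:GetObject /
        # s3:ListBucket). Confirm the pipeline's actual S3 usage before
        # narrowing.
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
      Policies:
        - PolicyName: CloudFormationPassRolePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): cloudformation:* on "*" lets CI act on any stack
              # in the account; scope to the stacks this pipeline owns once
              # their naming is settled.
              - Effect: Allow
                Action: cloudformation:*
                Resource: "*"
              # PassRole is restricted to the deploy role and to CloudFormation
              # as the receiving service. The previous Resource "*" let CI pass
              # any role in the account (including admin roles) to any service.
              - Effect: Allow
                Action: iam:PassRole
                Resource: !GetAtt CloudFormationDeployRole.Arn
                Condition:
                  StringEquals:
                    iam:PassedToService: cloudformation.amazonaws.com

  # Service role CloudFormation uses while deploying stacks on CI's behalf.
  # NOTE(review): AdministratorAccess is broader than needed for any one
  # stack; the resource set deployed through this role is not visible here,
  # so narrow it once that set is known.
  CloudFormationDeployRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess

  # Per-user articles keyed by userId (partition) and createdAt (sort).
  # Point-in-time recovery is enabled because UnauthenticatedRole can write
  # and delete items on this table, so accidental or malicious bulk deletion
  # must be recoverable.
  ArticlesTable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: userId
          AttributeType: S
        - AttributeName: createdAt
          AttributeType: N
      KeySchema:
        - AttributeName: userId
          KeyType: HASH
        - AttributeName: createdAt
          KeyType: RANGE
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      StreamSpecification:
        StreamViewType: NEW_IMAGE

  ArticlesTableNameParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: ArticlesTableName
      Type: String
      Value: !Ref ArticlesTable

  ArticlesTableStreamArnParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: ArticlesTableStreamArn
      Type: String
      Value: !GetAtt ArticlesTable.StreamArn

  # Identity pool that hands out credentials to anonymous (unauthenticated)
  # callers. Everything granted to UnauthenticatedRole is reachable by anyone
  # on the internet.
  FederatedUserPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: true

  UnauthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: cognito-identity.amazonaws.com
            Condition:
              # Only identities issued by this pool, and only its
              # unauthenticated identities, may assume the role.
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref FederatedUserPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: unauthenticated
      Policies:
        - PolicyName: Access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Previously ssm:GetParameter on "*", which also let anonymous
              # callers read CircleCIDeployRoleExternalId, the secret guarding
              # CircleCIDeployRole. Only the parameters this stack publishes
              # are readable now. Assumes the client reads no other parameters;
              # extend the list if it does — TODO confirm against client code.
              - Effect: Allow
                Action: ssm:GetParameter
                Resource:
                  - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${ArticlesTableNameParameter}"
                  - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${ArticlesTableStreamArnParameter}"
                  - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${ChatBotSnsTopicArnParameter}"
              # NOTE(review): the parameters above are plain String, so
              # kms:Decrypt is not needed to read them. Kept only because a
              # SecureString read elsewhere cannot be ruled out from this
              # template; remove if the client decrypts nothing.
              - Effect: Allow
                Action: kms:Decrypt
                Resource: "*"
              # NOTE(review): these actions cover the whole table, so an
              # anonymous caller can read, overwrite or delete any user's
              # items. If userId is the Cognito identity id, add a
              # ForAllValues:StringEquals condition on dynamodb:LeadingKeys
              # with "${cognito-identity.amazonaws.com:sub}" and drop Scan
              # (it cannot be key-scoped) — confirm against the client first.
              - Effect: Allow
                Action:
                  - dynamodb:BatchGetItem
                  - dynamodb:BatchWriteItem
                  - dynamodb:PutItem
                  - dynamodb:DeleteItem
                  - dynamodb:GetItem
                  - dynamodb:Query
                  - dynamodb:Scan
                  - dynamodb:UpdateItem
                Resource: !GetAtt ArticlesTable.Arn

  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref FederatedUserPool
      Roles:
        unauthenticated: !GetAtt UnauthenticatedRole.Arn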
# Stack outputs. None carries an Export, so they are visible only through
# DescribeStacks on this stack (not importable by other stacks). The same
# table/topic values are also published to SSM in the Resources section.
Outputs:
  ArtifactBucketName:
    Value: !Ref ArtifactBucket
  ChatBotSnsTopicArn:
    Value: !Ref ChatBotSnsTopic
  # Role ARN the CI pipeline assumes (with the ExternalId from SSM).
  CircleCIDeployRoleArn:
    Value: !GetAtt CircleCIDeployRole.Arn
  # Service role passed to CloudFormation for deployments.
  CloudFormationDeployRoleArn:
    Value: !GetAtt CloudFormationDeployRole.Arn
  ArticlesTableName:
    Value: !Ref ArticlesTable
  ArticlesTableStreamArn:
    Value: !GetAtt ArticlesTable.StreamArn
  # !Ref on an identity pool yields its ID, not an ARN, despite the output name.
  FederatedUserPoolArn:
    Value: !Ref FederatedUserPool