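---
# SAM template for the fraud-detection validation pipeline: records arrive on a
# Kinesis stream, a container-image Lambda validates each one, and the result
# lands in one of two KMS-encrypted S3 buckets (validData / InvalidData). Both
# buckets block public access and reject any request made without TLS.
Transform: AWS::Serverless-2016-10-31

Parameters:
  ECRRepositoryUri:
    Type: String
    # The repository was previously hard-coded in ImageUri; the default keeps
    # that value so existing deployments are unchanged, while other accounts or
    # regions can supply their own repository.
    Default: '294331937131.dkr.ecr.ca-central-1.amazonaws.com/fraud-detection/validation-lambda'
    Description: ECR repository URI (without tag) that holds the validation Lambda image
  ECRRepositoryTag:
    Type: String
    # Was documented as "ECR repository URI", but it is only ever used as the
    # image tag appended to ECRRepositoryUri.
    Description: Image tag of the validation Lambda image in ECRRepositoryUri

Resources:
  TransactionIngestion:
    Type: AWS::Kinesis::Stream
    Properties:
      # Server-side encryption at rest with the AWS-managed Kinesis key.
      StreamEncryption:
        EncryptionType: KMS
        KeyId: alias/aws/kinesis
      StreamModeDetails:
        StreamMode: ON_DEMAND

  validData:
    Type: AWS::S3::Bucket
    Properties:
      # Name kept as-is: changing BucketName replaces the bucket.
      BucketName: !Sub ${AWS::StackName}-validdata-${AWS::AccountId}
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: alias/aws/s3
      # All four public-access-block settings enabled. The original set only
      # IgnorePublicAcls and RestrictPublicBuckets, which still allows public
      # ACLs and public bucket policies to be written.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  validDataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref validData
      # Deny every principal and action when the request is not made over TLS.
      PolicyDocument:
        Id: RequireEncryptionInTransit
        Version: '2012-10-17'
        Statement:
          - Principal: '*'
            Action: '*'
            Effect: Deny
            Resource:
              - !GetAtt validData.Arn
              - !Sub ${validData.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'

  validateData:
    Type: AWS::Serverless::Function
    Properties:
      Description: !Sub
        - Stack ${AWS::StackName} Function ${ResourceName}
        - ResourceName: validateData
      PackageType: Image
      ImageUri: !Sub ${ECRRepositoryUri}:${ECRRepositoryTag}
      MemorySize: 3008
      Timeout: 30
      Tracing: Active
      Events:
        TransactionIngestion:
          Type: Kinesis
          Properties:
            Stream: !GetAtt TransactionIngestion.Arn
            StartingPosition: TRIM_HORIZON
            BatchSize: 1
            # NOTE(review): no MaximumRetryAttempts, BisectBatchOnFunctionError
            # or DestinationConfig (OnFailure) is set, so a record that keeps
            # failing is retried until it expires and blocks its shard — confirm
            # this is the intended behaviour.
      Environment:
        Variables:
          VALIDDATA_BUCKET_NAME: !Ref validData
          VALIDDATA_BUCKET_ARN: !GetAtt validData.Arn
          INVALIDDATA_BUCKET_NAME: !Ref InvalidData
          INVALIDDATA_BUCKET_ARN: !GetAtt InvalidData.Arn
      Policies:
        # The two original statements were identical apart from Resource; they
        # are merged into one statement with the same actions over both buckets.
        # NOTE(review): this grant is much broader than a validator that only
        # writes results needs (Delete*, *LegalHold, *Retention, RestoreObject,
        # multipart listing) — confirm against the handler and trim it to the
        # actions it actually issues.
        - Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
                - s3:GetObjectAcl
                - s3:GetObjectLegalHold
                - s3:GetObjectRetention
                - s3:GetObjectTorrent
                - s3:GetObjectVersion
                - s3:GetObjectVersionAcl
                - s3:GetObjectVersionForReplication
                - s3:GetObjectVersionTorrent
                - s3:ListBucket
                - s3:ListBucketMultipartUploads
                - s3:ListBucketVersions
                - s3:ListMultipartUploadParts
                - s3:AbortMultipartUpload
                - s3:DeleteObject
                - s3:DeleteObjectVersion
                - s3:PutObject
                - s3:PutObjectLegalHold
                - s3:PutObjectRetention
                - s3:RestoreObject
              Resource:
                - !Sub arn:${AWS::Partition}:s3:::${validData}
                - !Sub arn:${AWS::Partition}:s3:::${validData}/*
                - !Sub arn:${AWS::Partition}:s3:::${InvalidData}
                - !Sub arn:${AWS::Partition}:s3:::${InvalidData}/*

  validateDataLogGroup:
    Type: AWS::Logs::LogGroup
    # Retained on stack deletion so the function's history survives a teardown.
    DeletionPolicy: Retain
    Properties:
      LogGroupName: !Sub /aws/lambda/${validateData}
      # NOTE(review): no RetentionInDays, so log events (which may contain
      # transaction payloads) are kept indefinitely — confirm against the data
      # retention policy.

  InvalidData:
    Type: AWS::S3::Bucket
    Properties:
      # Name kept as-is (including the shortened "invalidda"): changing
      # BucketName replaces the bucket.
      BucketName: !Sub ${AWS::StackName}-invalidda-${AWS::AccountId}
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: alias/aws/s3
      # All four public-access-block settings enabled (see validData).
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  InvalidDataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref InvalidData
      # Deny every principal and action when the request is not made over TLS.
      PolicyDocument:
        Id: RequireEncryptionInTransit
        Version: '2012-10-17'
        Statement:
          - Principal: '*'
            Action: '*'
            Effect: Deny
            Resource:
              - !GetAtt InvalidData.Arn
              - !Sub ${InvalidData.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'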