---
# SNS "AlertHub" topic with two optional fan-out targets:
#   - an email subscription, created only when AlertEmail is non-empty
#   - a container-image Lambda that forwards to Slack, created only when
#     AlertSlackWebHook is non-empty
AWSTemplateFormatVersion: "2010-09-09"
Description: "SNS Topic and tools to fan out alerts to email and or Slack"

Conditions:
  # True when the AlertEmail parameter is anything other than "".
  IsSetEmail:
    Fn::Not:
      - Fn::Equals:
          - Ref: AlertEmail
          - ""
  # True when the AlertSlackWebHook parameter is anything other than "".
  # Every Slack-side resource below (role, function, permission,
  # subscription) is gated on this condition.
  IsSetSlack:
    Fn::Not:
      - Fn::Equals:
          - Ref: AlertSlackWebHook
          - ""

Resources:
  # Only TopicName is set: no KmsMasterKeyId (server-side encryption is not
  # enabled by this template) and no AWS::SNS::TopicPolicy, so the default
  # topic policy decides who may publish.
  # The fixed name means one such topic per account and region.
  AlertHubTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: AlertHub

  # Email
  # Alert content leaves AWS by email; the address has to confirm the
  # subscription before SNS delivers to it.
  EmailAlertsSubscription:
    Type: AWS::SNS::Subscription
    Condition: IsSetEmail
    Properties:
      Endpoint:
        Ref: AlertEmail
      Protocol: email
      TopicArn:
        Ref: AlertHubTopic

  # Slack
  SlackAlertsSubscription:
    Type: AWS::SNS::Subscription
    Condition: IsSetSlack
    Properties:
      Endpoint:
        Fn::GetAtt:
          - SNSAlertHubFunction
          - Arn
      Protocol: lambda
      TopicArn:
        Ref: AlertHubTopic

  # Execution role for the Slack forwarder. Only the Lambda service may
  # assume it, and the inline policies are the complete permission set.
  IamRole:
    Type: AWS::IAM::Role
    Condition: IsSetSlack
    Properties:
      Policies:
        - PolicyName: ResolveAccountAlias
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - iam:ListAccountAliases
                # iam:ListAccountAliases has no resource-level scoping,
                # so "*" is the only usable Resource for this action.
                Resource:
                  - "*"
        - PolicyName: LogtoCloudwatchGroup
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Both statements are pinned to /aws/lambda/SNSAlertHub, which
              # has to stay in step with FunctionName on SNSAlertHubFunction.
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource:
                  - Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/SNSAlertHub:log-stream:*"
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                Resource:
                  - Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/SNSAlertHub:*"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com

  # Lets SNS invoke the function. SourceArn limits that grant to the
  # AlertHub topic, so other topics cannot trigger the forwarder.
  SNSAlertHubAllowed2Lambda:
    Type: AWS::Lambda::Permission
    Condition: IsSetSlack
    Properties:
      Action: lambda:InvokeFunction
      Principal: sns.amazonaws.com
      FunctionName:
        Ref: SNSAlertHubFunction
      SourceArn:
        Ref: AlertHubTopic

  SNSAlertHubFunction:
    Type: AWS::Lambda::Function
    Condition: IsSetSlack
    Properties:
      PackageType: Image
      Code:
        # The image is pulled from ECR in the deploying account and region.
        # The ImageTag parameter holds "repository:tag"; an ECR tag can be
        # repointed unless the repository enforces tag immutability, so a
        # digest reference ("repository@sha256:<digest>") pins what is
        # deployed more tightly.
        ImageUri:
          Fn::Sub: "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ImageTag}"
      Description: "Lambda function to forward alerts from SNS to Slack"
      FunctionName: SNSAlertHub
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - IamRole
          - Arn
      Timeout: 10
      Environment:
        Variables:
          # NoEcho on the parameter masks it in CloudFormation only; as a
          # resource property the value is still stored in the function's
          # environment configuration and is readable by any principal
          # allowed to read that configuration.
          # NOTE(review): the parameter description says the webhook is
          # KMS-encrypted, but IamRole grants no kms:Decrypt - confirm how
          # (or whether) the function decrypts it.
          WEBHOOK_URL:
            Ref: AlertSlackWebHook
          # DEBUG: "1"

Metadata:
  # NOTE(review): nesting below is rebuilt from a flattened source, and the
  # Hash looks tool-generated - confirm both against the generator before
  # editing this file by hand.
  Template:
    Name: sns-alert-hub
    Hash: 98fcf521f053f7412a90ce360ab62807
    AwsCfnLib: v0.2.1
    CloudBender:
      Version: 0.9.9

Parameters:
  ImageTag:
    Type: String
    Description: "(Optional) Overwrite default ImageTag"
    Default: "sns-alert-hub:v0.5.8"
  AlertEmail:
    Type: String
    Description: "(Optional) Email address to receive alerts via SMTP"
    Default: ""
  AlertSlackWebHook:
    Type: String
    Description: "(Optional) Encrypted (KMS Default key) Slack webhook to post alerts; deploys Slack Lambda function"
    Default: ""
    NoEcho: true

Outputs:
  AlertHubTopic:
    Value:
      Ref: AlertHubTopic
    Description: ARN of the SNS AlertHub Topic