@bytekast
Created May 3, 2021 18:33
SAM template: API Gateway HTTP API (with Lambda token authorizer) => Kinesis Data Stream => Kinesis Data Firehose => S3

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  StageName:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - prod
  BucketName:
    Type: String
    Default: "!!!REPLACE ME!!!" # Globally unique bucket name (quoted so the placeholder parses as a string)
  StreamName:
    Type: String
    Default: "!!!REPLACE ME!!!" # Kinesis stream name, unique within the account and region
  AuthorizerArn:
    Type: String
    Default: "!!!REPLACE ME!!!" # ARN of the Lambda authorizer function

Resources:
  KinesisStream:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: !Ref StreamName
      ShardCount: 1
      RetentionPeriodHours: 168 # 7 days

  # Role API Gateway assumes for the Kinesis integration and for invoking the authorizer.
  ApiGatewayKinesisRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - apigateway.amazonaws.com
      Policies:
        - PolicyName: KinesisPutRecord
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  # The Kinesis-PutRecord integration only writes; API Gateway needs no
                  # read actions (GetRecords, GetShardIterator, ListShards, ...) on the stream.
                  - kinesis:PutRecord
                Resource:
                  - !GetAtt KinesisStream.Arn
        - PolicyName: InvokeLambda
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource:
                  - !Ref AuthorizerArn

  HttpApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      StageName: !Ref StageName
      DefinitionBody:
        openapi: "3.0.0"
        info:
          title: !Ref AWS::StackName
        paths:
          /ingest:
            post:
              responses:
                default:
                  description: Record accepted by Kinesis
              x-amazon-apigateway-integration:
                credentials: !GetAtt ApiGatewayKinesisRole.Arn
                type: aws_proxy
                integrationSubtype: Kinesis-PutRecord
                payloadFormatVersion: "1.0"
                connectionType: INTERNET
                requestParameters:
                  StreamName: !Ref KinesisStream
                  Data: $request.body
                  PartitionKey: $request.body.id # the request body must be JSON with an "id" field
      Auth:
        DefaultAuthorizer: TokenAuthorizer
        Authorizers:
          TokenAuthorizer:
            FunctionArn: !Ref AuthorizerArn
            FunctionInvokeRole: !GetAtt ApiGatewayKinesisRole.Arn
            AuthorizerPayloadFormatVersion: "1.0"
            Identity:
              Headers:
                - Authorization
              # The returned policy is cached for up to an hour, keyed by the Authorization
              # header value; a revoked or expired token stays accepted until the cache expires.
              ReauthorizeEvery: 3600

  DestinationBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      VersioningConfiguration:
        Status: Enabled
      # Ingested data should never be publicly reachable; block public ACLs/policies and encrypt at rest.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  KinesisFirehoseRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - firehose.amazonaws.com
            Action:
              - sts:AssumeRole
            # Confused-deputy guard: Firehose presents the owning account ID as ExternalId,
            # so a delivery stream in another account cannot assume this role.
            Condition:
              StringEquals:
                sts:ExternalId: !Ref AWS::AccountId
      Path: /
      Policies:
        - PolicyName: !Sub "${StreamName}-firehose-role-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetBucketLocation
                  - s3:GetObject
                  - s3:ListBucket
                  - s3:ListBucketMultipartUploads
                  - s3:PutObject
                Resource:
                  - !Sub "arn:aws:s3:::${BucketName}"
                  - !Sub "arn:aws:s3:::${BucketName}/*"
              - Effect: Allow
                Action:
                  # Read side of the source stream; Firehose needs nothing broader than this.
                  - kinesis:DescribeStream
                  - kinesis:GetShardIterator
                  - kinesis:GetRecords
                  - kinesis:ListShards
                Resource:
                  - !GetAtt KinesisStream.Arn
              - Effect: Allow
                Action:
                  # Required for CloudWatchLoggingOptions below; without it delivery errors are silently dropped.
                  - logs:PutLogEvents
                Resource:
                  - !GetAtt KinesisFirehoseLogGroup.Arn

  KinesisFirehoseLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/kinesisfirehose/${StreamName}"
      RetentionInDays: 7

  # Firehose writes delivery errors to this stream but does not create it.
  KinesisFirehoseLogStream:
    Type: AWS::Logs::LogStream
    Properties:
      LogGroupName: !Ref KinesisFirehoseLogGroup
      LogStreamName: S3Delivery

  KinesisFirehoseDeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamName: !Ref StreamName
      DeliveryStreamType: KinesisStreamAsSource
      KinesisStreamSourceConfiguration:
        KinesisStreamARN: !GetAtt KinesisStream.Arn
        RoleARN: !GetAtt KinesisFirehoseRole.Arn
      ExtendedS3DestinationConfiguration:
        BucketARN: !GetAtt DestinationBucket.Arn
        RoleARN: !GetAtt KinesisFirehoseRole.Arn
        Prefix: !Sub "${StreamName}/"
        BufferingHints:
          IntervalInSeconds: 60
          SizeInMBs: 1
        # Records are concatenated as-is into each object; producers must terminate
        # each body with a newline if line-delimited files are wanted downstream.
        CompressionFormat: UNCOMPRESSED
        ProcessingConfiguration:
          Enabled: false
        CloudWatchLoggingOptions:
          Enabled: true
          LogGroupName: !Ref KinesisFirehoseLogGroup
          LogStreamName: !Ref KinesisFirehoseLogStream

Outputs:
  LocationApi:
    Value: !Sub "https://${HttpApi}.execute-api.${AWS::Region}.amazonaws.com/${StageName}/ingest"
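The template only references the authorizer by ARN (AuthorizerArn), so what that Lambda has to accept and return is left to the reader. The following is an added example, not code from the gist or its author: a Python token authorizer matching the `AuthorizerPayloadFormatVersion: 1.0` and `Identity: Headers: [Authorization]` settings in the template. The HMAC shared secret, the token format, the subject names and the sample method ARN are all constructed for the example; a real deployment would load the secret from Secrets Manager or SSM, or verify a JWT against a JWKS instead.

```python
"""Lambda token authorizer for the HttpApi above (payload format 1.0).

Added example, not part of the gist. SECRET, the token format and all sample
values are assumptions made for the example.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example only.
SECRET = b"example-shared-secret-do-not-ship"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore padding; raises binascii.Error on malformed input.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, ttl_s: int = 3600, now: Optional[int] = None) -> str:
    """Issue '<payload>.<sig>' where payload is {"sub","exp"} and sig is HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "exp": now + ttl_s}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the subject if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SECRET, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare before trusting anything inside the payload.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None
        return claims["sub"]
    except (ValueError, KeyError, AttributeError, binascii.Error, UnicodeDecodeError):
        return None


def build_policy(principal_id: str, effect: str, method_arn: str,
                 context: Optional[dict] = None) -> dict:
    """Payload-format-1.0 authorizer response: an IAM policy scoped to the invoked route."""
    response = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }
    if context:
        # Exposed to the integration as $context.authorizer.<key>; values must be scalars.
        response["context"] = context
    return response


def authorize(event: dict, now: Optional[int] = None) -> dict:
    """Core logic, separated from the Lambda entry point so it can be exercised offline."""
    method_arn = event["methodArn"]
    # Format 1.0 events carry the identity-source header in "headers"; normalise the case
    # so the lookup works whether or not the gateway lower-cases header names.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    subject = verify_token(token, now) if scheme == "Bearer" and token else None
    if subject is None:
        # An explicit Deny makes API Gateway answer 403; the denial is cached like an Allow.
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(subject, "Allow", method_arn, context={"sub": subject})


def handler(event, context):
    """Lambda entry point (set Handler to <module>.handler)."""
    return authorize(event)
```

Two consequences of the template's settings are worth keeping in mind when writing the authorizer: with `ReauthorizeEvery: 3600` the response is cached per Authorization header value, so a token lifetime shorter than the cache TTL is not enforced until the cache expires (either shorten `ReauthorizeEvery` or keep token TTLs at least as long); and because the policy is scoped to the invoked `methodArn`, a cached Allow for `POST /ingest` will not authorise any other route added later under the same token, which is the safe default.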