Description: "SIEM on Amazon OpenSearch Service v2.10.3: log exporter - Active Directory"
Parameters:
  KdfAdName:
    Type: String
    Default: siem-ad-event-to-s3
    Description: Define new Kinesis Data Firehose Name to deliver AD event
  KdfBufferSize:
    Type: Number
    Default: 1
    Description: Enter a buffer size between 1 - 128 (MiB)
    MaxValue: 128
    MinValue: 1
  KdfBufferInterval:
    Type: Number
    Default: 60
    Description: Enter a buffer interval between 60 - 900 (seconds.)
    MaxValue: 900
    MinValue: 60
  CwlAdName:
    Type: String
    Default: /aws/directoryservice/d-XXXXXXXXXXXXXXXXX
    Description: Specify CloudWatch Logs group name
Resources:
  KDFForAdEventLog:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamName:
        Ref: KdfAdName
      S3DestinationConfiguration:
        BucketARN:
          Fn::Join:
            - ""
            - - "arn:aws:s3:::"
              - Fn::ImportValue: sime-log-bucket-name-v2
        BufferingHints:
          IntervalInSeconds:
            Ref: KdfBufferInterval
          SizeInMBs:
            Ref: KdfBufferSize
        CompressionFormat: UNCOMPRESSED
        Prefix:
          Fn::Join:
            - ""
            - - AWSLogs/
              - Ref: AWS::AccountId
              - /DirectoryService/MicrosoftAD/
        RoleARN:
          Fn::Join:
            - ""
            - - "arn:aws:iam::"
              - Ref: AWS::AccountId
              - :role/service-role/
              - Fn::ImportValue: siem-kdf-to-s3-role-name-v2
  KinesisSubscription:
    Type: AWS::Logs::SubscriptionFilter
    Properties:
      DestinationArn:
        Fn::GetAtt:
          - KDFForAdEventLog
          - Arn
      FilterPattern: ""
      LogGroupName:
        Ref: CwlAdName
      RoleArn:
        Fn::Join:
          - ""
          - - "arn:aws:iam::"
            - Ref: AWS::AccountId
            - :role/
            - Fn::ImportValue: siem-cwl-to-kdf-role-name-v2