# Notebook #1
## This is an example notebook is creating the UDF to send table change events within Snowflake to AWS EventBridge
### UDF is 'vectorized' for scalability and performance & AWS Credentials Auto-Refresh
Written by Steven.Maser@snowflake.com

In [None]:
from snowflake.snowpark.context import get_active_session
session = get_active_session()

#Variables for object creation (define to your needs)
DB= 'EVENT_MONITORING'
SCHEMA = 'PUBLIC'
SUB_SCHEMA = 'PROCESSING'
AWS_REGION = 'us-west-2'
AWS_CLIENT = 'events'
AWS_EVENTBUS_NAME='default' # used 'default' for Demonstrations
AWS_ROLE_ARN='arn:aws:iam::xxxxxxxxxx:role/my-external-access-iam' # provided by your AWS acount
EXT_UDF_NAME = 'notifyEventBridge' # Name of UDF this notebook creates

In [None]:
--1. Create Network Rule, listing allowed AWS Services
CREATE OR REPLACE NETWORK RULE {{DB}}.{{SCHEMA}}.aws_event_network_rule
  MODE = EGRESS
  TYPE = HOST_PORT
  VALUE_LIST = ('events.{{AWS_REGION}}.amazonaws.com');


In [None]:
--2.  Create Security Integration (defined in AWS and the Role to Assume with EventBridge permissions)
CREATE SECURITY INTEGRATION if not exists aws_event_security_integration
 TYPE = API_AUTHENTICATION
 AUTH_TYPE = AWS_IAM
 ENABLED = TRUE
 AWS_ROLE_ARN = '{{AWS_ROLE_ARN}}'; -- Use ARN of role you will assume

In [None]:
--3.  Get (USER_ARN and External_ID to add a trust in AWS Policy )
describe integration aws_event_security_integration;

--4. Add value of API_AWS_EXTERNAL_ID to your AWS Role's Trust Policy
      ---https://docs.snowflake.com/en/sql-reference/external-functions-creating-aws-common-api-integration-proxy-link#set-up-the-trust-relationship-s-between-snowflake-and-the-new-iam-role

### Step 4:  Use value API_AWS_EXTERNAL_ID value above to set your Trust Policy in AWS for security

Warning: will change values if you re-create your security integration

In [None]:
--5.  Create an AWS Secret and grant usage
CREATE OR REPLACE SECRET {{DB}}.{{SCHEMA}}.aws_event_token
  TYPE = CLOUD_PROVIDER_TOKEN
  API_AUTHENTICATION = aws_event_security_integration;
GRANT READ ON SECRET {{DB}}.{{SCHEMA}}.aws_event_token TO ROLE {{session.get_current_role()}};

In [None]:
--6.  Create External Access Integration connecting steps 1-4 and grant access
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION aws_event_integration
  ALLOWED_NETWORK_RULES = ({{DB}}.{{SCHEMA}}.aws_event_network_rule)
  ALLOWED_AUTHENTICATION_SECRETS = ({{DB}}.{{SCHEMA}}.aws_event_token)
  ENABLED = true;
GRANT USAGE ON INTEGRATION aws_event_integration TO ROLE {{session.get_current_role()}};

In [None]:
--7. Create UDF that batches 10 records at a time to send to AWS EventBridge (its current limit)
        --- Note:  total event size must be less than 256KB
        -- Note:  This has Refreshable Credentials for potentially long-running jobs
        --another example:  https://medium.com/snowflake/making-batch-api-calls-in-snowflake-with-vectorized-udfs-b9a15c7c0704

CREATE OR REPLACE FUNCTION {{DB}}.{{SCHEMA}}.{{EXT_UDF_NAME}}(event string)
RETURNS STRING
LANGUAGE PYTHON
RUNTIME_VERSION = 3.11
HANDLER = 'put'
PACKAGES=('snowflake-snowpark-python','boto3','botocore')
EXTERNAL_ACCESS_INTEGRATIONS = (aws_event_integration)
SECRETS = ('aws_event_token' = aws_event_token)
AS
$$
import pandas
import _snowflake
from _snowflake import vectorized

import boto3
from botocore.credentials import RefreshableCredentials
from botocore.session import get_session
from datetime import datetime, timedelta, timezone
import _snowflake

class Boto3Client:
    """A class to manage AWS client connections with refreshable credentials in Snowflake."""
    
    def __init__(self, region: str = None):
        self.region = region
        self._token_name = None
        self._session = None
        self.session_ttl = 300 # Refresh session every 5 minutes
        
    def _get_client(self, service: str, token_name: str) -> boto3.client:
        """
        Get a boto3 client for the specified service.
        
        Args:
            service (str): AWS service name
            token_name (str): Snowflake token name
            
        Returns:
            boto3.client: Configured boto3 client
        """
        
        if not self._session:
            self._token_name = token_name
            self._session = self.__create_refreshable_session()
        return self._session.client(service, region_name=self.region)
    
    def __create_refreshable_session(self) -> boto3.Session:
        session = get_session()
        session._credentials = RefreshableCredentials.create_from_metadata(
            metadata=self.__get_credentials(),
            refresh_using=self.__get_credentials,
            method='sts-assume-role'
        )
        return boto3.Session(botocore_session=session)
    
    def __get_credentials(self) -> dict:
        if not self._token_name:
            raise ValueError("Token name not set")
        cpo = _snowflake.get_cloud_provider_token(self._token_name)
        return {
            'access_key': cpo.access_key_id,
            'secret_key': cpo.secret_access_key,
            'token': cpo.token,
            'expiry_time': (datetime.now(timezone.utc) + timedelta(seconds=self.session_ttl)).isoformat().replace("+00:00", "Z")
        }

@vectorized(input=pandas.DataFrame, max_batch_size=10)
def put(event):
    # Create a client
    client = Boto3Client(region='{{AWS_REGION}}')._get_client('{{AWS_CLIENT}}', 'aws_event_token')
    payload = event[0].apply(lambda x: {
        'Source': 'Snowflake|db.schema.table',
        'DetailType': 'Table Change Event',
        'Detail': x,
        'EventBusName': '{{AWS_EVENTBUS_NAME}}'
    }).tolist() 

    response = client.put_events(Entries=payload) 
    data = []
    for record in response['Entries']:
        data.append(record['EventId'])
    return pandas.Series(data)
$$;

In [None]:
--8. Test Creating Payload
select OBJECT_CONSTRUCT('Account',current_account(),'Region',current_region(),'Database','$db_name','Schema','$schema','Table','$table','Record',OBJECT_CONSTRUCT(*))::STRING as Event from TEST_TABLE;

In [None]:
--9.  Test Sending Events to AWS EventBridge and return AWS EventIds
SELECT {{DB}}.{{SCHEMA}}.{{EXT_UDF_NAME}}(
    OBJECT_CONSTRUCT('Account',current_account(), 'Region',current_region(), 'Database','$db_name', 'Schema','$schema', 'Table','$table', 'Record',OBJECT_CONSTRUCT(*))::STRING
) as EventId FROM TEST_TABLE;
