AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: > WorkMail CAP Exchange Parameters: WorkMailOrganizationID: Type: String AllowedPattern: "^m-[0-9a-f]{32}$" Description: "You can find your organization id using workmail/list-organizations AWS CLI" ExchangeSecretsID: Type: String Default: "production/ExchangeSecrets" Description: "Exchange secrets (see https://github.com/aws-samples/amazon-workmail-lambda-templates/blob/master/workmail-cap-exchange/README.md for more details)" EventLoggingEnabled: Type: String Default: "True" AllowedValues: ["True", "False"] Description: "Whether event logging is enabled. When set to False events and exception messages are never logged." Resources: WorkMailCapExchangeFunction: Type: AWS::Serverless::Function Properties: CodeUri: src/ Handler: app.lambda_handler Runtime: python3.9 Timeout: 20 Role: !GetAtt WorkMailCapExchangeFunctionRole.Arn Layers: - !Sub arn:aws:lambda:${AWS::Region}:489970191081:layer:WorkMailLambdaLayer:9 Environment: Variables: EXCHANGE_SECRETS_ID: Ref: ExchangeSecretsID EVENT_LOGGING_ENABLED: Ref: EventLoggingEnabled WorkMailCapExchangeFunctionPermission: Type: AWS::Lambda::Permission Properties: FunctionName: !GetAtt WorkMailCapExchangeFunction.Arn Action: lambda:InvokeFunction Principal: !Sub availability.workmail.${AWS::Region}.amazonaws.com SourceArn: Fn::Sub: - "arn:aws:workmail:${AWS::Region}:${AWS::AccountId}:organization/${OrganizationId}" - { OrganizationId: !Ref WorkMailOrganizationID } WorkMailCapExchangeFunctionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - "lambda.amazonaws.com" Version: "2012-10-17" Path: "/" Policies: - PolicyName: "AllowSecretsManagerGetValue" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - "secretsmanager:GetSecretValue" Resource: Fn::Sub: - "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretName}*" - { SecretName: !Ref ExchangeSecretsID } ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" Outputs: WorkMailCapExchangeFunctionName: Value: !Ref WorkMailCapExchangeFunction