AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: > WorkMail Salesforce Lambda SAM Parameters: Username: Type: String Description: "Enter the username of your Salesforce account" Password: Type: String NoEcho: True Description: "Enter the password of your Salesforce account" SecurityToken: Type: String NoEcho: True Description: "Enter the security token of your Salesforce account" Resources: WorkMailSalesforceFunction: Type: AWS::Serverless::Function Properties: CodeUri: src/ Handler: app.salesforce_handler Runtime: python3.7 Timeout: 15 Role: !GetAtt WorkMailSalesforceFunctionRole.Arn Layers: - !Sub arn:aws:lambda:${AWS::Region}:489970191081:layer:WorkMailLambdaLayer:3 Environment: Variables: UPDATED_EMAIL_BUCKET: Ref: UpdatedEmailS3Bucket SF_SECRET_NAME: Ref: SFCredentials PermissionToCallLambdaAbove: Type: AWS::Lambda::Permission DependsOn: WorkMailSalesforceFunction Properties: Action: lambda:InvokeFunction FunctionName: !Ref WorkMailSalesforceFunction Principal: !Sub 'workmail.${AWS::Region}.amazonaws.com' SourceArn: !Sub 'arn:aws:workmail:${AWS::Region}:${AWS::AccountId}:organization/*' WorkMailSalesforceFunctionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - "lambda.amazonaws.com" Version: "2012-10-17" Path: "/" Policies: - PolicyName: "WorkMailMessageFlowAccessToS3Bucket" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - "s3:PutObject" Resource: !Sub "${UpdatedEmailS3Bucket.Arn}/*" Condition: Bool: aws:SecureTransport: true - PolicyName: "AllowSecretsManagerGetValue" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - "secretsmanager:GetSecretValue" Resource: !Ref SFCredentials ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - "arn:aws:iam::aws:policy/AmazonWorkMailMessageFlowFullAccess" # WorkMail configures a S3 bucket with all the required policy for reading updated messages. # By default all the object expire after 1 day. # To know more, see https://docs.aws.amazon.com/workmail/latest/adminguide/update-with-lambda.html UpdatedEmailS3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true VersioningConfiguration: Status: Enabled LifecycleConfiguration: Rules: - Status: Enabled ExpirationInDays: 1 # Delete after 1 day - Status: Enabled NoncurrentVersionExpirationInDays: 1 # Delete non current versions after 1 day UpdatedEmailS3BucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: Ref: UpdatedEmailS3Bucket PolicyDocument: Statement: - Effect: Allow Action: - "s3:GetObject" - "s3:GetObjectVersion" Resource: !Sub "${UpdatedEmailS3Bucket.Arn}/*" Condition: Bool: aws:SecureTransport: true ArnLike: aws:SourceArn: !Sub 'arn:aws:workmailmessageflow:${AWS::Region}:${AWS::AccountId}:message/*' Principal: Service: !Sub 'workmail.${AWS::Region}.amazonaws.com' # This policy enables WorkMail to read objects from your bucket SFCredentials: Type: 'AWS::SecretsManager::Secret' Properties: Description: Salesforce credentials in JSON format SecretString: !Sub '{"username":"${Username}","password":"${Password}", "token":"${SecurityToken}"}' Outputs: SalesforceArn: Value: !GetAtt WorkMailSalesforceFunction.Arn