AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: "WorkMail Save And Update Email" Parameters: Disclaimer: Type: String Default: '' Description: "[Optional] Text that you'd like to prepend to the email body." Footer: Type: String Default: '' Description: "[Optional] Text that you'd like to append to the email body. Use {key} to template the S3 object key for the saved message." SubjectTag: Type: String Default: '' Description: "[Optional] Text that you'd like to prepend to the email subject. Use {key} to template the S3 object key for the saved message." SavedBucketExpiration: Type: Number Default: '1' Description: "[Optional] Number of days to keep the saved messages in the S3 bucket. Defaults to 1." UpdateInternalMessages: Type: String Default: 'False' AllowedValues: - 'True' - 'False' Description: "[Optional] Determines if internal messages should be updated." UpdateExternalMessages: Type: String Default: 'True' AllowedValues: - 'True' - 'False' Description: "[Optional] Determines if external messages should be updated." Resources: WorkMailSaveAndUpdateEmailFunction: Type: AWS::Serverless::Function DependsOn: - WorkMailUpdatedMsgBucket - WorkMailSavedMsgBucket Properties: CodeUri: src/ Handler: app.update_handler Runtime: python3.7 Timeout: 10 Role: Fn::GetAtt: WorkMailSaveAndUpdateEmailFunctionRole.Arn Layers: - !Sub arn:aws:lambda:${AWS::Region}:489970191081:layer:WorkMailLambdaLayer:2 Environment: Variables: DISCLAIMER: Ref: Disclaimer FOOTER: Ref: Footer UPDATED_EMAIL_BUCKET: Ref: WorkMailUpdatedMsgBucket SAVED_EMAIL_BUCKET: Ref: WorkMailSavedMsgBucket SUBJECT_TAG: Ref: SubjectTag UPDATE_INTERNAL_MESSAGES: Ref: UpdateInternalMessages UPDATE_EXTERNAL_MESSAGES: Ref: UpdateExternalMessages WorkMailSaveAndUpdateEmailFunctionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - "lambda.amazonaws.com" Version: "2012-10-17" Path: "/" ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - "arn:aws:iam::aws:policy/AmazonWorkMailMessageFlowFullAccess" Policies: - PolicyName: "allow-s3-write" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "s3:PutObject" Resource: - Fn::Sub: "${WorkMailUpdatedMsgBucket.Arn}/*" - Fn::Sub: "${WorkMailSavedMsgBucket.Arn}/*" WorkMailPermissionToInvokeLambda: Type: AWS::Lambda::Permission DependsOn: WorkMailSaveAndUpdateEmailFunction Properties: Action: lambda:InvokeFunction FunctionName: !Ref WorkMailSaveAndUpdateEmailFunction Principal: !Sub 'workmail.${AWS::Region}.amazonaws.com' SourceArn: !Sub 'arn:aws:workmail:${AWS::Region}:${AWS::AccountId}:organization/*' WorkMailUpdatedMsgBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls : true BlockPublicPolicy : true IgnorePublicAcls : true RestrictPublicBuckets : true VersioningConfiguration: Status: Enabled LifecycleConfiguration: Rules: - Status: Enabled ExpirationInDays: 1 # Delete after 1 day - Status: Enabled NoncurrentVersionExpirationInDays : 1 # Delete non current versions after 1 day WorkMailSavedMsgBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls : true BlockPublicPolicy : true IgnorePublicAcls : true RestrictPublicBuckets : true VersioningConfiguration: Status: Enabled LifecycleConfiguration: Rules: - Status: Enabled ExpirationInDays: Ref: SavedBucketExpiration - Status: Enabled NoncurrentVersionExpirationInDays: Ref: SavedBucketExpiration WorkMailUpdatedMsgBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: Ref: WorkMailUpdatedMsgBucket PolicyDocument: Statement: - Action: - "s3:GetObject" - "s3:GetObjectVersion" Effect: Allow Resource: - Fn::Sub: "${WorkMailUpdatedMsgBucket.Arn}/*" Condition: Bool: aws:SecureTransport: true ArnLike: aws:SourceArn: !Sub 'arn:aws:workmailmessageflow:${AWS::Region}:${AWS::AccountId}:message/*' Principal: Service: !Sub 'workmail.${AWS::Region}.amazonaws.com' Outputs: UpdateEmailArn: Value: !GetAtt WorkMailSaveAndUpdateEmailFunction.Arn