AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: "WorkMail Blog Poster Lambda SAM" Parameters: BlogDomain: Type: String Description: "The domain of the blog to which the Lambda function will post articles, e.g. 'myblog.home.blog'." SecretId: Type: String Description: "The ID of the SecretsManager secret in which the WordPress API token was saved." Resources: WorkMailBlogPosterFunction: Type: AWS::Serverless::Function Properties: CodeUri: src/ Handler: app.post_handler Runtime: python3.7 Timeout: 10 Role: Fn::GetAtt: WorkMailBlogPosterFunctionRole.Arn Layers: - !Sub arn:aws:lambda:${AWS::Region}:489970191081:layer:WorkMailLambdaLayer:2 Environment: Variables: BLOG_DOMAIN: Ref: BlogDomain SECRET_ID: Ref: SecretId WorkMailBlogPosterFunctionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - "lambda.amazonaws.com" Version: "2012-10-17" Path: "/" ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - "arn:aws:iam::aws:policy/AmazonWorkMailMessageFlowReadOnlyAccess" Policies: - PolicyName: "allow-secret-manager-get" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "secretsmanager:GetSecretValue" Resource: Fn::Sub: - "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretName}*" - { SecretName: !Ref SecretId } WorkMailPermissionToInvokeLambda: Type: AWS::Lambda::Permission DependsOn: WorkMailBlogPosterFunction Properties: Action: lambda:InvokeFunction FunctionName: !Ref WorkMailBlogPosterFunction Principal: !Sub 'workmail.${AWS::Region}.amazonaws.com' SourceArn: !Sub 'arn:aws:workmail:${AWS::Region}:${AWS::AccountId}:organization/*' Outputs: BlogPosterArn: Value: !GetAtt WorkMailBlogPosterFunction.Arn