AWSTemplateFormatVersion: 2010-09-09
Description: Reusable cloudformation template to build lambda functions using codebuild

Parameters:

  LambdaFunctionsBuildSpec:
    Type: String
    Description: File path to the buildspec artifact
    Default: src/lambda/buildspec.yml

  SourceFolder:
    Type: String
    Description: folder name of lambda handler.py in src/lambda
    Default: lambda-function

  ParamCodeBucket:
    Type: AWS::SSM::Parameter::Value<String>
    Description: SSM Parameter to store code bucket name
    Default: /codecommit/bucket    

  ParamCodeCommitRepo:
    Type: AWS::SSM::Parameter::Value<String>
    Description: SSM Parameter to store repo name 
    Default: /codecommit/repo

Resources:

  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
        Version: "2012-10-17"
      RoleName: role-codebuild-lambda-layer

  CodeBuildPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*:*'
          - Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
            Effect: Allow
            Resource:
              !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*:*'
          - Action:
              - s3:PutObject
              - s3:PutObjectAcl
              - s3:Get*
              - s3:List*
            Effect: Allow
            Resource:
              - !Sub 'arn:aws:s3:::${ParamCodeBucket}'
              - !Sub 'arn:aws:s3:::${ParamCodeBucket}/*'
          - Action:
              - codecommit:Get*
              - codecommit:GitPull
            Effect: Allow
            Resource:
              - !Sub 'arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${ParamCodeCommitRepo}'
              - !Sub 'arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${ParamCodeCommitRepo}:*'
          - Action:
              - ssm:PutParameter
              - ssm:GetParameter
              - ssm:DeleteParameter
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: policy-codebuild-lambda-layer
      Roles:
        - !Ref CodeBuildRole

  CodeBuildLambdaFunctions:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: lambda-function-build
      BadgeEnabled: true
      Description: Build Lambda Functions
      ServiceRole: !GetAtt CodeBuildRole.Arn
      Artifacts:
        ArtifactIdentifier: 'id-function'
        Type: S3
        Location: !Ref ParamCodeBucket
        NamespaceType: BUILD_ID
        Packaging: ZIP
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:1.0
        EnvironmentVariables:
          - Name: SourceFolder
            Type: PLAINTEXT
            Value: !Ref SourceFolder
          - Name: CodeBucket
            Type: PLAINTEXT
            Value: !Ref ParamCodeBucket
      Source:
        Type: CODECOMMIT
        Location: !Sub 'https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${ParamCodeCommitRepo}'
        BuildSpec: !Ref LambdaFunctionsBuildSpec
      TimeoutInMinutes: 10