AWSTemplateFormatVersion: "2010-09-09"

Description: "Amazon VPC Lattice - AWS Lambda Application"

Resources:
# ---------- IAM ROLE (LAMBDA FUNCTION) ----------
  LambdaFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

# ---------- CLOUDWATCH LOG GROUPS ----------
  FunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/lambda/${LambdaFunction}
      RetentionInDays: 7

# ---------- LAMBDA FUNCTION ----------
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: "Obtaining the AWS Region where the Lambda is located."
      Runtime: python3.9
      Timeout: 10
      Role: !GetAtt LambdaFunctionRole.Arn
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSecurityGroup
        SubnetIds:
          - !Ref LambdaSubnet1
          - !Ref LambdaSubnet2
      Handler: index.lambda_handler
      Code: 
        ZipFile: |-
          import json
          import logging
          import random
          import string
          import os
          import boto3

          log = logging.getLogger("handler")
          log.setLevel(logging.INFO)

          def lambda_handler(event, context):
              try:
                  # We obtain the AWS Region where the Lambda function is located
                  region = os.environ.get('AWS_REGION')
                  # We log the event received
                  log.info("Received event: %s", json.dumps(event))

                  # Return value
                  response = region
                  return {
                    "statusCode": 200,
                    "statusDescription": "200 OK",
                    "body": response
                  }

              except Exception as e:
                  log.exception("whoops")
                  log.info(e)

                  # Return exception error
                  return {
                    "statusCode": 500,
                    "statusDescription": "500 Internal Server Error",
                    "body": "Server error - check lambda logs\n"
                  }

# ---------- VPC RESOURCES ----------
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.3.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags: 
        - 
          Key: Name
          Value: lambda-vpc
  
  IPv6CIDR:
    Type: AWS::EC2::VPCCidrBlock
    Properties:
      AmazonProvidedIpv6CidrBlock: true
      VpcId: !Ref VPC

  LambdaSubnet1:
    DependsOn:
      - IPv6CIDR
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Sub ${AWS::Region}a
      CidrBlock: 10.3.0.0/24
      Ipv6CidrBlock:
        Fn::Sub:
          - "${VpcPart}${SubnetPart}"
          - SubnetPart: '01::/64'
            VpcPart: !Select [ 0, !Split [ '00::/56', !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ]]]
      Tags:
        - Key: Name
          Value: lambda-subnet-1

  LambdaSubnet2:
    DependsOn:
      - IPv6CIDR
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Sub ${AWS::Region}b
      CidrBlock: 10.3.1.0/24
      Ipv6CidrBlock:
        Fn::Sub:
          - "${VpcPart}${SubnetPart}"
          - SubnetPart: '02::/64'
            VpcPart: !Select [ 0, !Split [ '00::/56', !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ]]]
      Tags:
        - Key: Name
          Value: lambda-subnet-2
   
# ---------- ROUTE TABLES ----------
  LambdaRouteTable1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags: 
        -
          Key: Name
          Value: lambda-rt-1

  LambdaRouteTableAssociation1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref LambdaRouteTable1
      SubnetId: !Ref LambdaSubnet1

  LambdaRouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags: 
        -
          Key: Name
          Value: lambda-rt-2

  LambdaRouteTableAssociation2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref LambdaRouteTable2
      SubnetId: !Ref LambdaSubnet2
  
# ---------- SECURITY GROUPS ----------  
  LatticeSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: lambda-vpc-lattice-sg
      GroupDescription: VPC Lattice Security Group
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - Description: Allowing HTTP
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref LambdaSecurityGroup
        - Description: Allowing HTTPS
          IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref LambdaSecurityGroup

  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: lambda-vpc-sg
      GroupDescription: Lambda in VPC Security Group
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - Description: Allowing all traffic
          IpProtocol: "-1"
          CidrIp: 0.0.0.0/0
  
Outputs:
  LambdaArn:
    Description: "Lambda function ARN"
    Value: !GetAtt LambdaFunction.Arn