Parameters:
  App:
    Type: String
    Description: Your application's name.
  Env:
    Type: String
    Description: The environment name your service, job, or workflow is being deployed to.
  Name:
    Type: String
    Description: The name of the service, job, or workflow being deployed.
Resources:
  todotable:
    Metadata:
      'aws:copilot:description': 'An Amazon DynamoDB table for todotable'
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub ${App}-${Env}-${Name}-todotable
      AttributeDefinitions:
        - AttributeName: TodoId
          AttributeType: "N"
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: TodoId
          KeyType: HASH

  todotableAccessPolicy:
    Metadata:
      'aws:copilot:description': 'An IAM ManagedPolicy for your service to access the todotable db'
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: !Sub
        - Grants CRUD access to the Dynamo DB table ${Table}
        - { Table: !Ref todotable }
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DDBActions
            Effect: Allow
            Action:
              - dynamodb:BatchGet*
              - dynamodb:DescribeStream
              - dynamodb:DescribeTable
              - dynamodb:Get*
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:BatchWrite*
              - dynamodb:Create*
              - dynamodb:Delete*
              - dynamodb:Update*
              - dynamodb:PutItem
            Resource: !Sub ${ todotable.Arn}
          - Sid: DDBLSIActions
            Action:
              - dynamodb:Query
              - dynamodb:Scan
            Effect: Allow
            Resource: !Sub ${ todotable.Arn}/index/*

Outputs:
  todotableName:
    Description: "The name of this DynamoDB."
    Value: !Ref todotable
  todotableAccessPolicy:
    Description: "The IAM::ManagedPolicy to attach to the task role."
    Value: !Ref todotableAccessPolicy