# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Template to setup api gateway and apis as part of bootstrap
Parameters:
  RegisterTenantLambdaExecutionRoleArn:
    Type: String
  TenantManagementLambdaExecutionRoleArn:
    Type: String
  RegisterTenantFunctionArn:
    Type: String
  ProvisionTenantFunctionArn:
    Type: String
  GetTenantsFunctionArn:
    Type: String
  CreateTenantFunctionArn:
    Type: String
  CreateTenantAdminUserFunctionArn:
    Type: String
  AuthorizerFunctionArn:
    Type: String
  AdminApiGatewayApi:
    Type: String
Resources:
  #provide api gateway permissions to call lambda functions
  RegisterTenantLambdaApiGatewayExecutionPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref RegisterTenantFunctionArn
      Principal: apigateway.amazonaws.com
      SourceArn: !Join ["", ["arn:aws:execute-api:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":", !Ref AdminApiGatewayApi, "/*/*/*" ]]
  CreateTenantAdminUserLambdaApiGatewayExecutionPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref CreateTenantAdminUserFunctionArn
      Principal: apigateway.amazonaws.com
      SourceArn: !Join ["", ["arn:aws:execute-api:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":", !Ref AdminApiGatewayApi, "/*/*/*" ]]
  ProvisionTenantLambdaApiGatewayExecutionPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref ProvisionTenantFunctionArn
      Principal: apigateway.amazonaws.com
      SourceArn: !Join ["", ["arn:aws:execute-api:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":", !Ref AdminApiGatewayApi, "/*/*/*" ]]
  AuthorizerLambdaApiGatewayExecutionPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref AuthorizerFunctionArn
      Principal: apigateway.amazonaws.com
      SourceArn: !Join ["", ["arn:aws:execute-api:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":", !Ref AdminApiGatewayApi, "/*/*" ]]
  CreateTenantLambdaApiGatewayExecutionPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref CreateTenantFunctionArn
      Principal: apigateway.amazonaws.com
      SourceArn: !Join ["", ["arn:aws:execute-api:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":", !Ref AdminApiGatewayApi, "/*/*/*" ]]
  GetTenantsLambdaApiGatewayExecutionPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref GetTenantsFunctionArn
      Principal: apigateway.amazonaws.com
      SourceArn: !Join ["", ["arn:aws:execute-api:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":", !Ref AdminApiGatewayApi, "/*/*/*" ]]