AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  This CloudFormation deploys
Parameters:
  FunctionName:
    Type: String
    Default: crossAccLambdaFunction
    Description: Lambda Function Name.

  FunctionRoleName:
    Type: String
    Default: crossAccLambdaFunctionRole
    Description: Lambda Function execution role's name.

  FirstAccountID:
    Type: String
    Description: Account Id where Step function is deployed
    AllowedPattern: ^\d{12}
  
  StepFunctionRoleName:
    Type: String
    Description: Enter the name of the Step Function role name which is deployed in first account

Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
            - Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      RoleName: !Ref FunctionRoleName


  LambdaFunction:
    Type: AWS::Lambda::Function
    DependsOn: LambdaRole
    Properties: 
      Code: 
        ZipFile:  |
          import json

          def lambda_handler(event, context):
              # TODO implement
              return {
                  'statusCode': 200,
                  'body': json.dumps('Hello from Lambda in account B!')
              }
      FunctionName: !Ref FunctionName
      Handler: index.lambda_handler
      MemorySize: 128
      Role: !GetAtt LambdaRole.Arn
      Runtime: python3.9
      Timeout: 5

  LambdaResourcePolicy:
    Type: AWS::Lambda::Permission
    Properties: 
      Action: lambda:InvokeFunction
      FunctionName: !Ref LambdaFunction
      Principal: !Sub
                  - "arn:aws:iam::${AccountId}:role/${RoleName}"
                  - AccountId: !Ref FirstAccountID
                    RoleName: !Ref StepFunctionRoleName