#-----------------------------------------------------------------------------------------------------------------------
#   Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
#  with the License. A copy of the License is located at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
#  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
#  and limitations under the License.
#-----------------------------------------------------------------------------------------------------------------------
---
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Description: API Gateway Lambda Authorizer to verify JWT tokens.

Parameters:
  Environment:
    Description: Name of environment.  Used to name the created resources.
    Type: String
    MinLength: 1

  OpenSslLambdaLayerArn:
    Description: OpenSSL lambda layer ARN
    Type: String
    MinLength: 1
  JwtIssuer:
    Description: JWT Issuer
    Type: String
    MinLength: 1

Resources:
  CustAuthLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub 'cdf-jwt-auth-${Environment}'
      CodeUri: ../bundle.zip
      Handler: packages/services/auth-jwt/dist/index.handler
      Layers:
        - !Ref OpenSslLambdaLayerArn
      MemorySize: 512
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime: nodejs16.x
      Timeout: 30
      Environment:
        Variables:
          TOKEN_ISSUER: !Ref JwtIssuer
          APP_CONFIG_DIR: 'packages/services/auth-jwt/src/config'
      Tracing: Active

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
      Path: '/'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSLambdaExecute
        - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess

  ApiGwAuthInvokeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - apigateway.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: apiGwLambdaInvoke
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: lambda:invokeFunction
                Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*'

Outputs:
  CustomAuthLambdaArn:
    Description: Custom Auth Lambda Arn
    Value: !Sub '${CustAuthLambdaFunction.Arn}'
    Export:
      Name: !Sub '${AWS::StackName}-CustAuthLambdaArn'
  StackName:
    Description: Custom Auth Stack Name
    Value: !Sub '${AWS::StackName}'