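---
# Serverless Framework definition for the push-code service.
# Two Rust Lambdas share one execution role: `accept` takes an HTTP POST and
# enqueues a message on WorkQueue; `work` drains that queue (one message per
# invocation, inside the imported VPC), reads the git credential from
# Secrets Manager and writes the fetched sources into SourceStore.
service: push-code

provider:
  name: aws
  runtime: rust
  memorySize: 128
  stage: prod
  region: us-west-1
  iamRoleStatements:
    # NOTE(review): `sqs:*` is broader than the functions appear to need.
    # `accept` only has to send, and Serverless normally attaches the
    # receive/delete/getQueueAttributes permissions for the `sqs` event on
    # `work` by itself; confirm against the Rust code and narrow this to the
    # actions actually called.
    - Effect: "Allow"
      Action:
        - sqs:*
      Resource:
        - !GetAtt WorkQueue.Arn
    - Effect: "Allow"
      Action:
        - secretsmanager:GetSecretValue
      Resource:
        - !Ref GitCredential
    # Write-only access to objects in the bucket. Read access is granted to
    # consumers through the separate SourceStoreReadPolicy, so nothing that
    # reads sources also receives PutObject.
    - Effect: "Allow"
      Action:
        - s3:PutObject
      Resource:
        - !Join
          - ""
          - - !GetAtt SourceStore.Arn
            - "/*"
  environment:
    PUSHCODE_WORK_QUEUE: !Ref WorkQueue
    # The secret *name* (not its value); must stay identical to the `Name`
    # built for the GitCredential resource below.
    CJ_PUSHCODE_GIT_CREDENTIALS_ID: !Join
      - "/"
      - - !Ref AWS::StackName
        - GitCredential
    CJ_PUSHCODE_SOURCE_BUCKET: !Ref SourceStore
    RUST_BACKTRACE: "1"

package:
  individually: true

plugins:
  - serverless-rust

functions:
  accept:
    # handler value syntax is `{cargo-package-name}.{bin-name}`
    # or `{cargo-package-name}` for short when you are building a
    # default bin for a given package.
    handler: aws-push-code.accept
    events:
      - http:
          path: '/push-code'
          method: POST
          # NOTE(review): no authorizer is configured, so this endpoint is
          # reachable by anyone who knows the URL. Confirm that the handler
          # validates the request (e.g. a webhook signature) before it
          # enqueues work, or attach an authorizer here.
  work:
    handler: aws-push-code.work
    memorySize: 2048
    events:
      - sqs:
          arn: !GetAtt WorkQueue.Arn
          # One message per invocation, so a failing job cannot block or
          # re-drive unrelated messages in the same batch.
          batchSize: 1
    # onError: !Ref ErrorTopic
    vpc:
      securityGroupIds:
        - !ImportValue network-AttachedNetworkDefaultSecurityGroup
      subnetIds:
        - !ImportValue network-AttachedNetworkLeftSubnet
        - !ImportValue network-AttachedNetworkRightSubnet

resources:
  Resources:
    WorkQueue:
      Type: AWS::SQS::Queue
      Properties:
        RedrivePolicy:
          deadLetterTargetArn: !GetAtt DeadLetterQueue.Arn
          # After two failed receives the message is parked on
          # DeadLetterQueue instead of being retried forever.
          maxReceiveCount: 2
    SourceStore:
      Type: AWS::S3::Bucket
      Properties:
        # Versioning keeps earlier pushes retrievable (see GetObjectVersion in
        # SourceStoreReadPolicy).
        VersioningConfiguration:
          Status: Enabled
        # NOTE(review): nothing here grants public access, but an explicit
        # PublicAccessBlockConfiguration and BucketEncryption block would make
        # that guarantee visible in the template rather than implicit.
    SourceStoreReadPolicy:
      Type: AWS::IAM::ManagedPolicy
      Properties:
        # Annoying! Cannot use YAML here. Serverless is doing something that causes it to be invalid
        # Read-only policy exported for consumers of the bucket. The bucket ARN
        # itself is listed for ListBucket/GetBucketVersioning; the "/*" form
        # covers the objects.
        PolicyDocument: {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:ListBucket",
                "s3:GetBucketVersioning"
              ],
              "Resource": [
                {"Fn::Join": ["", [{"Fn::GetAtt": "SourceStore.Arn"}, "/*"]]},
                {"Fn::GetAtt": "SourceStore.Arn"}
              ]
            }
          ]
        }
    GitCredential:
      Type: AWS::SecretsManager::Secret
      Properties:
        # Same "<stack>/GitCredential" string that the functions receive in
        # CJ_PUSHCODE_GIT_CREDENTIALS_ID.
        Name: !Join
          - "/"
          - - !Ref AWS::StackName
            - GitCredential
        # NOTE(review): placeholder only — the real credential is committed
        # nowhere and is expected to be set out-of-band after the first deploy.
        # Leave this literal unchanged so a later stack update does not replace
        # the value that was set manually.
        SecretString: "REPLACEME"
    DeadLetterQueue:
      Type: AWS::SQS::Queue
  Outputs:
    SourceStore:
      Value: !Ref SourceStore
      Export:
        Name: !Join
          - ":"
          - - !Ref AWS::StackName
            - SourceStore
    SourceStoreReadPolicyArn:
      Value: !Ref SourceStoreReadPolicy
      Export:
        Name: !Join
          - ":"
          - - !Ref AWS::StackName
            - SourceStoreReadPolicyArn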