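# SAM template: an HTTP API (AWS::Serverless::HttpApi) protected by a Lambda
# request authorizer, one proxy handler function and the authorizer function.
# Date-like and number-like scalars are quoted so that YAML 1.1 parsers do not
# retype them before CloudFormation sees them.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Parameters:
  # DynamoDB table names; the defaults point at production tables.
  UserTable:
    Type: String
    Default: betaeducacao-prod-users_d2o3r5gmm4it7j
  OrderTable:
    Type: String
    Default: betaeducacao-prod-orders
  EnrollmentTable:
    Type: String
    Default: betaeducacao-prod-enrollments
  # NOTE(review): NewEnrollmentTable is not referenced anywhere in this
  # template as shown - confirm whether it is still needed.
  NewEnrollmentTable:
    Type: String
    Default: saladeaula_enrollments
  CourseTable:
    Type: String
    Default: saladeaula_courses

Globals:
  # Everything under Globals.Function applies to every function below, so
  # AuthFunction receives the same environment (including both API keys) as
  # HttpApiFunction.
  Function:
    CodeUri: app/
    Runtime: python3.13
    Tracing: Active
    Architectures:
      - x86_64
    Layers:
      - !Sub arn:aws:lambda:sa-east-1:336641857101:layer:layercake:86
    Environment:
      Variables:
        TZ: America/Sao_Paulo
        # NOTE(review): the defaults target prod tables, yet logging runs at
        # DEBUG with LOG_EVENT enabled. Powertools' LOG_EVENT logs the full
        # incoming event; for HTTP API events that includes request headers
        # such as Authorization, which then sit in HttpLog for 90 days.
        # Confirm this is intended for production. The sample rate only has
        # an effect when LOG_LEVEL is above DEBUG.
        LOG_LEVEL: DEBUG
        # Environment variable values are strings; quoted to keep the exact
        # text instead of relying on number/boolean coercion.
        POWERTOOLS_LOGGER_SAMPLE_RATE: "0.1"
        POWERTOOLS_LOGGER_LOG_EVENT: "true"
        DYNAMODB_PARTITION_KEY: id
        USER_TABLE: !Ref UserTable
        ORDER_TABLE: !Ref OrderTable
        ENROLLMENT_TABLE: !Ref EnrollmentTable
        COURSE_TABLE: !Ref CourseTable
        KONVIVA_API_URL: https://lms.saladeaula.digital
        # NOTE(review): {{resolve:ssm:...}} is resolved at deploy time from a
        # plaintext SSM parameter and the value is stored in the function
        # configuration, where anyone allowed to read that configuration can
        # see it. Consider reading these two keys at runtime from an
        # encrypted parameter or secret instead.
        KONVIVA_SECRET_KEY: "{{resolve:ssm:/betaeducacao/konviva/secret_key/str}}"
        MEILISEARCH_HOST: https://meili.saladeaula.digital
        MEILISEARCH_API_KEY: "{{resolve:ssm:/saladeaula/meili_api_key}}"

Resources:
  # Log group shared by both functions (see LoggingConfig below).
  HttpLog:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90

  HttpApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      CorsConfiguration:
        # NOTE(review): any origin may call the API from a browser.
        # Credentials are off, but the Authorization header is allowed, so a
        # bearer token works from any site. Restrict to the known front-end
        # origins if that list is fixed.
        AllowOrigins: ["*"]
        AllowMethods: [GET, POST, PUT, DELETE, PATCH, OPTIONS]
        AllowHeaders: [Content-Type, X-Requested-With, Authorization, X-Tenant]
        AllowCredentials: false
        MaxAge: 600
      Auth:
        # Every route uses this authorizer unless it sets Authorizer: NONE.
        DefaultAuthorizer: LambdaRequestAuthorizer
        Authorizers:
          LambdaRequestAuthorizer:
            FunctionArn: !GetAtt AuthFunction.Arn
            AuthorizerPayloadFormatVersion: "2.0"
            EnableFunctionDefaultPermissions: true
            EnableSimpleResponses: true
            Identity:
              Headers: [Authorization]
              # Authorizer results are cached for 300 seconds, keyed on the
              # identity source above; a token revoked in that window may
              # keep working until the cache entry expires.
              ReauthorizeEvery: 300

  HttpApiFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: app.lambda_handler
      LoggingConfig:
        LogGroup: !Ref HttpLog
      Policies:
        # Full create/read/update/delete on four tables.
        - DynamoDBCrudPolicy:
            TableName: !Ref UserTable
        - DynamoDBCrudPolicy:
            TableName: !Ref CourseTable
        - DynamoDBCrudPolicy:
            TableName: !Ref OrderTable
        - DynamoDBCrudPolicy:
            TableName: !Ref EnrollmentTable
        # NOTE(review): the resource matches every Cognito user pool in the
        # account and region, and AdminSetUserPassword can set any user's
        # password in any of them. Scope Resource to the ARN of the one pool
        # this API serves.
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - cognito-idp:AdminGetUser
                - cognito-idp:AdminSetUserPassword
              Resource: !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*
      Events:
        # CORS preflight requests carry no Authorization header, so OPTIONS
        # bypasses the authorizer.
        Preflight:
          Type: HttpApi
          Properties:
            Path: /{proxy+}
            Method: OPTIONS
            ApiId: !Ref HttpApi
            Auth:
              Authorizer: NONE
        # Catch-all route; protected by the default authorizer.
        AnyRequest:
          Type: HttpApi
          Properties:
            Path: /{proxy+}
            Method: ANY
            ApiId: !Ref HttpApi
        # NOTE(review): unauthenticated route that takes a username in the
        # path. The handler is not shown here - check that its responses do
        # not reveal whether an account exists and that the route is
        # throttled.
        Lookup:
          Type: HttpApi
          Properties:
            Path: /lookup/{username}
            Method: GET
            ApiId: !Ref HttpApi
            Auth:
              Authorizer: NONE

  AuthFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: auth.lambda_handler
      LoggingConfig:
        LogGroup: !Ref HttpLog
      Policies:
        # NOTE(review): the authorizer gets full CRUD on UserTable. If it
        # only reads users, DynamoDBReadPolicy would be enough - confirm
        # against auth.lambda_handler.
        - DynamoDBCrudPolicy:
            TableName: !Ref UserTable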