AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31

Parameters:
  BucketName:
    Type: String
    Default: saladeaula.digital
  UserTable:
    Type: String
    Default: betaeducacao-prod-users_d2o3r5gmm4it7j

Globals:
  Function:
    CodeUri: app/
    Runtime: python3.13
    Tracing: Active
    Architectures:
      - x86_64
    Layers:
      - !Sub arn:aws:lambda:sa-east-1:336641857101:layer:layercake:72
    Environment:
      Variables:
        TZ: America/Sao_Paulo
        LOG_LEVEL: DEBUG
        POWERTOOLS_LOGGER_SAMPLE_RATE: 0.1
        POWERTOOLS_LOGGER_LOG_EVENT: true
        USER_TABLE: !Ref UserTable

Resources:
  EventLog:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90

  EventCsvChunksFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: events.batch.csv_chunks.lambda_handler
      LoggingConfig:
        LogGroup: !Ref EventLog
      Policies:
        - S3CrudPolicy:
            BucketName: !Ref BucketName
      Events:
        DynamoDBEvent:
          Type: EventBridgeRule
          Properties:
            Pattern:
              resources: [betaeducacao-prod-users_d2o3r5gmm4it7j]
              detail:
                new_image:
                  sk:
                    - prefix: batch_jobs#

  EventEmailReceivingFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: events.email_receiving.lambda_handler
      LoggingConfig:
        LogGroup: !Ref EventLog
      Policies:
        - DynamoDBCrudPolicy:
          TableName: !Ref UserTable

  LambdaInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt EventEmailReceivingFunction.Arn
      Action: lambda:InvokeFunction
      Principal: ses.amazonaws.com
      SourceArn: !Sub arn:aws:ses:${AWS::Region}:${AWS::AccountId}:receipt-rule-set/*

  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref BucketName
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: ses.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub arn:aws:s3:::${BucketName}/*
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              StringLike:
                aws:SourceArn: !Sub arn:aws:ses:${AWS::Region}:${AWS::AccountId}:receipt-rule-set/*

  EmailReceiptRuleSet:
    Type: AWS::SES::ReceiptRuleSet
    Properties:
      RuleSetName: users.noreply.saladeaula.digital

  EmailReceiptRule:
    Type: AWS::SES::ReceiptRule
    DependsOn:
      - LambdaInvokePermission
      - BucketPolicy
    Properties:
      RuleSetName: !Ref EmailReceiptRuleSet
      Rule:
        Name: lambda
        Enabled: true
        Actions:
          - LambdaAction:
              FunctionArn: !GetAtt EventEmailReceivingFunction.Arn
              InvocationType: RequestResponse
          - S3Action:
              BucketName: !Ref BucketName
              ObjectKeyPrefix: "mailbox"
        ScanEnabled: true