AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  PoseidonExecutors

  Execute untrusted code in AWS functions.

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 15

Resources:
  PoseidonExecWebSocket:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: PoseidonExecWebSocket
      ProtocolType: WEBSOCKET
      RouteSelectionExpression: "$request.body.action"

  Deployment:
    Type: AWS::ApiGatewayV2::Deployment
    DependsOn:
      - java11ExecRoute
    Properties:
      ApiId: !Ref PoseidonExecWebSocket

  Stage:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      StageName: production
      Description: Production Stage
      DeploymentId: !Ref Deployment
      ApiId: !Ref PoseidonExecWebSocket

  java11ExecRoute: # More info about Routes: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-route.html
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref PoseidonExecWebSocket
      RouteKey: java11Exec
      AuthorizationType: NONE
      OperationName: java11ExecRoute
      Target: !Join
        - '/'
        - - 'integrations'
          - !Ref java11ExecInteg

  java11ExecInteg: # More info about Integrations: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref PoseidonExecWebSocket
      Description: Java 11 Exec Integration
      IntegrationType: AWS_PROXY
      IntegrationUri:
        Fn::Sub:
          arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${java11ExecFunction.Arn}/invocations

  java11ExecFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: java11Exec/
      Handler: poseidon.App::handleRequest
      Runtime: java11
      Architectures:
        - arm64
      MemorySize: 2048
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - 'execute-api:*'
              Resource: "*"
            - Effect: Allow
              Action:
                - 'logs:CreateLogGroup'
              Resource:
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*'
            - Effect: Allow
              Action:
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              Resource:
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${PoseidonExecWebSocket}:*'

  java11ExecPermission:
    Type: AWS::Lambda::Permission
    DependsOn:
      - PoseidonExecWebSocket
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref java11ExecFunction
      Principal: apigateway.amazonaws.com

Outputs:
  WebSocketURI:
    Description: "The WSS Protocol URI to connect to"
    Value: !Join [ '', [ 'wss://', !Ref PoseidonExecWebSocket, '.execute-api.',!Ref 'AWS::Region','.amazonaws.com/',!Ref 'Stage' ] ]

  java11ExecFunctionArn:
    Description: "Java 11 Execution Lambda Function ARN"
    Value: !GetAtt java11ExecFunction.Arn

  java11ExecFunctionIamRole:
    Description: "Implicit IAM Role created for the Java 11 Execution function"
    Value: !GetAtt java11ExecFunctionRole.Arn