changes to ekko report

Report Generator/lambda-python3.12/template.yaml

@@ -19,12 +19,22 @@ Resources:
         Variables:
           username: henry.pump.automation@gmail.com
           password: Henry Pump @ 2022
+          TBREPORTBUCKET_BUCKET_NAME: !Ref TBReportBucket
+          TBREPORTBUCKET_BUCKET_ARN: !GetAtt TBReportBucket.Arn
       Architectures:
         - arm64
       CodeUri: tbreport
       Runtime: python3.12
       Handler: tbreport.lambda_handler
-      Policies: AmazonSESFullAccess
+      Policies:
+        - AmazonSESFullAccess
+        - Statement:
+            - Effect: Allow
+              Action:
+                - s3:PutObject
+              Resource:
+                - !Sub arn:${AWS::Partition}:s3:::${TBReportBucket}
+                - !Sub arn:${AWS::Partition}:s3:::${TBReportBucket}/*
       Layers:
         - !Ref TBReportLayer
   TBReportLayer:
@@ -65,4 +75,33 @@ Resources:
             Statement:
               - Effect: Allow
                 Action: lambda:InvokeFunction
-                Resource: !GetAtt TBReport.Arn
+                Resource: !GetAtt TBReport.Arn
+  TBReportBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub thingsboard-email-reports
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: aws:kms
+              KMSMasterKeyID: alias/aws/s3
+      PublicAccessBlockConfiguration:
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+  TBReportBucketBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref TBReportBucket
+      PolicyDocument:
+        Id: RequireEncryptionInTransit
+        Version: '2012-10-17'
+        Statement:
+          - Principal: '*'
+            Action: '*'
+            Effect: Deny
+            Resource:
+              - !GetAtt TBReportBucket.Arn
+              - !Sub ${TBReportBucket.Arn}/*
+            Condition:
+              Bool:
+                aws:SecureTransport: 'false'