AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: |
  lambda-python3.12
  Sample SAM Template for lambda-python3.12

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 3

Resources:
  TBReport:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      MemorySize: 512
      Timeout: 300
      Environment:
        Variables:
          username: henry.pump.automation@gmail.com
          password: Henry Pump @ 2022
          TBREPORTBUCKET_BUCKET_NAME: !Ref TBReportBucket
          TBREPORTBUCKET_BUCKET_ARN: !GetAtt TBReportBucket.Arn
      Architectures:
        - arm64
      CodeUri: tbreport
      Runtime: python3.12
      Handler: tbreport.lambda_handler
      Policies:
        - AmazonSESFullAccess
        - Statement:
            - Effect: Allow
              Action:
                - s3:PutObject
              Resource:
                - !Sub arn:${AWS::Partition}:s3:::${TBReportBucket}
                - !Sub arn:${AWS::Partition}:s3:::${TBReportBucket}/*
      Layers:
        - !Ref TBReportLayer
  TBReportLayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      ContentUri: tbreportlayer/
      CompatibleRuntimes:
        - python3.9
        - python3.10
        - python3.11
        - python3.12
    Metadata:
      BuildMethod: python3.9
  Schedule:
    Type: AWS::Scheduler::Schedule
    Properties:
      ScheduleExpression: cron(0 5 * * ? *)
      FlexibleTimeWindow:
        Mode: 'OFF'
      ScheduleExpressionTimezone: America/Chicago
      Target:
        Arn: !GetAtt TBReport.Arn
        RoleArn: !GetAtt ScheduleToTBReportRole.Arn
  ScheduleToTBReportRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: !Sub scheduler.${AWS::URLSuffix}
          Action: sts:AssumeRole
      Policies:
        - PolicyName: StartExecutionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: !GetAtt TBReport.Arn
  TBReportBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub thingsboard-email-reports
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: alias/aws/s3
      PublicAccessBlockConfiguration:
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  TBReportBucketBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TBReportBucket
      PolicyDocument:
        Id: RequireEncryptionInTransit
        Version: '2012-10-17'
        Statement:
          - Principal: '*'
            Action: '*'
            Effect: Deny
            Resource:
              - !GetAtt TBReportBucket.Arn
              - !Sub ${TBReportBucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'
Outputs:
  
  TBReportBucketExport:
    Value: !Ref TBReportBucket
    Export:
      Name: TBReportBucket