real handler, sign_pdfs CodeUri, env vars, S3 IAM, fail-loud config

2026-05-18 06:31:29 -03:00
parent 5bfabae7a5
commit 84fef80339
4 changed files with 146 additions and 52 deletions
--- a/template.yaml
+++ b/template.yaml
@@ -2,6 +2,17 @@ AWSTemplateFormatVersion: '2010-09-09'
 Transform: AWS::Serverless-2016-10-31
 Description: eth-demo — Lambda + Step Functions demo

+Parameters:
+  Prefix:
+    Type: String
+    Default: 2026/04/
+    Description: >-
+      S3 key prefix the function scans for PDFs. Matches the seed script's
+      default. Override with --parameter-overrides Prefix=other/ to target a
+      different prefix without changing the template. Trailing slash required.
+    AllowedPattern: ".+/"
+    ConstraintDescription: "must end with '/' (e.g. 2026/04/)"
+
 Globals:
  Function:
    Runtime: python3.13
@@ -34,11 +45,30 @@ Resources:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: eth-demo-sign-pdfs
-      CodeUri: functions/stub/
+      CodeUri: functions/sign_pdfs/
      Handler: handler.handler
      LoggingConfig:
        LogFormat: JSON
        LogGroup: !Ref SignPdfsLogGroup
+      Environment:
+        Variables:
+          BUCKET_NAME: !Ref ReportsBucket
+          PREFIX: !Ref Prefix
+          URL_EXPIRY_SECONDS: "900"
+      Policies:
+        - Statement:
+            - Sid: ListReportsBucket
+              Effect: Allow
+              Action: s3:ListBucket
+              Resource: !GetAtt ReportsBucket.Arn
+            - Sid: ReadReports
+              Effect: Allow
+              Action: s3:GetObject
+              Resource: !Sub "${ReportsBucket.Arn}/*"
+            - Sid: WriteManifests
+              Effect: Allow
+              Action: s3:PutObject
+              Resource: !Sub "${ReportsBucket.Arn}/manifests/*"

 Outputs:
  ReportsBucketName: