AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: eth-demo — Lambda + Step Functions demo

Parameters:
  Prefix:
    Type: String
    Default: 2026/04/
    Description: >-
      S3 key prefix the function scans for PDFs. Matches the seed script's
      default. Override with --parameter-overrides Prefix=other/ to target a
      different prefix without changing the template. Trailing slash required.
    AllowedPattern: ".+/"
    ConstraintDescription: "must end with '/' (e.g. 2026/04/)"

Globals:
  Function:
    Runtime: python3.13
    Timeout: 30
    MemorySize: 256
    Architectures: [arm64]
    LoggingConfig:
      LogFormat: JSON

Resources:

  ReportsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub eth-demo-reports-${AWS::AccountId}
      LifecycleConfiguration:
        Rules:
          - Id: expire-manifests
            Status: Enabled
            Prefix: manifests/
            ExpirationInDays: 1

  SignPdfsLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/eth-demo-sign-pdfs
      RetentionInDays: 7

  DedupTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub ${AWS::StackName}-sign-pdfs-dedup
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      TimeToLiveSpecification:
        AttributeName: ttl
        Enabled: true

  SignPdfsFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: eth-demo-sign-pdfs
      CodeUri: functions/sign_pdfs/
      Handler: handler.handler
      LoggingConfig:
        LogFormat: JSON
        LogGroup: !Ref SignPdfsLogGroup
      Environment:
        Variables:
          BUCKET_NAME: !Ref ReportsBucket
          PREFIX: !Ref Prefix
          URL_EXPIRY_SECONDS: "900"
          DEDUP_TABLE: !Ref DedupTable
      Policies:
        - Statement:
            - Sid: ListReportsBucket
              Effect: Allow
              Action: s3:ListBucket
              Resource: !GetAtt ReportsBucket.Arn
            - Sid: ReadReports
              Effect: Allow
              Action: s3:GetObject
              Resource: !Sub "${ReportsBucket.Arn}/*"
            - Sid: WriteManifests
              Effect: Allow
              Action: s3:PutObject
              Resource: !Sub "${ReportsBucket.Arn}/manifests/*"
            - Sid: DedupTableAccess
              Effect: Allow
              Action:
                - dynamodb:GetItem
                - dynamodb:PutItem
              Resource: !GetAtt DedupTable.Arn

Outputs:
  ReportsBucketName:
    Description: S3 bucket for seed PDFs and manifest output
    Value: !Ref ReportsBucket
  SignPdfsFunctionArn:
    Description: ARN of the main Lambda
    Value: !GetAtt SignPdfsFunction.Arn