Parameters: stage: Type: String Description: Stage officeIpRange: Type: String Description: officeIpRange salesForceIpRanges: Type: CommaDelimitedList Description: salesForceIpRanges Resources: sfMoveSubscriptionsFnRole6D1AF23F: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Version: "2012-10-17" Tags: - Key: App Value: sf-move-subscriptions-api - Key: Stage Value: Ref: stage - Key: Stack Value: membership sfMoveSubscriptionsFnRoleDefaultPolicyBD9AFEB9: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - sqs:GetQueueUrl - sqs:SendMessage Effect: Allow Resource: Fn::Join: - "" - - "arn:aws:sqs:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - ":supporter-product-data-" - Ref: stage - Action: ssm:GetParametersByPath Effect: Allow Resource: Fn::Join: - "" - - "arn:aws:ssm:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - :parameter/ - Ref: stage - /membership/sf-move-subscriptions-api - Action: kms:Decrypt Effect: Allow Resource: Fn::Join: - "" - - "arn:aws:kms:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - :alias/aws/ssm - Action: logs:CreateLogGroup Effect: Allow Resource: Fn::Join: - "" - - "arn:aws:logs:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - :* - Action: - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: Fn::Join: - "" - - "arn:aws:logs:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - :log-group:/aws/lambda/sf-move-subscriptions-api- - Ref: stage - :* Version: "2012-10-17" PolicyName: sfMoveSubscriptionsFnRoleDefaultPolicyBD9AFEB9 Roles: - Ref: sfMoveSubscriptionsFnRole6D1AF23F sfMoveSubscriptionsLambdaFFEA4DBB: Type: AWS::Lambda::Function Properties: Code: S3Bucket: support-service-lambdas-dist S3Key: Fn::Join: - "" - - membership/ - Ref: stage - /sf-move-subscriptions-api/sf-move-subscriptions-api.jar Handler: com.gu.sf.move.subscriptions.api.Handler::handle Role: Fn::GetAtt: - sfMoveSubscriptionsFnRole6D1AF23F - Arn Runtime: java21 Environment: Variables: App: sf-move-subscriptions-api Stage: Ref: stage Stack: membership FunctionName: Fn::Join: - "" - - sf-move-subscriptions-api- - Ref: stage MemorySize: 1536 Tags: - Key: App Value: sf-move-subscriptions-api - Key: Stage Value: Ref: stage - Key: Stack Value: membership Timeout: 300 Architectures: - arm64 DependsOn: - sfMoveSubscriptionsFnRoleDefaultPolicyBD9AFEB9 - sfMoveSubscriptionsFnRole6D1AF23F sfmovesubscriptionsapi1E2B2153: Type: AWS::ApiGateway::RestApi Properties: ApiKeySourceType: HEADER Description: Fn::Join: - "" - - "API for for moving subscriptions in Salesforce in " - Ref: stage - " env" Name: Fn::Join: - "" - - sf-move-subscriptions-api- - Ref: stage Policy: Statement: - Action: execute-api:Invoke Effect: Allow Principal: "*" Resource: execute-api:/*/*/* - Action: execute-api:Invoke Condition: NotIpAddress: aws:SourceIp: Fn::Split: - "," - Fn::Join: - "" - - Fn::Join: - "," - Ref: salesForceIpRanges - "," - Ref: officeIpRange Effect: Deny Principal: "*" Resource: execute-api:/*/*/* Version: "2012-10-17" Tags: - Key: App Value: sf-move-subscriptions-api - Key: Stage Value: Ref: stage - Key: Stack Value: membership sfmovesubscriptionsapiDeployment823989FDa9cd173c0ce8c01baea2dede41b4f2f8: Type: AWS::ApiGateway::Deployment Properties: RestApiId: Ref: sfmovesubscriptionsapi1E2B2153 Description: Automatically created by the RestApi construct DependsOn: - sfmovesubscriptionsapiproxyANY8BB1BC8E - sfmovesubscriptionsapiproxy4CE36BC9 - sfmovesubscriptionsapiANYC6788DCE sfmovesubscriptionsapiDeploymentStageobjectObject0B1836AE: Type: AWS::ApiGateway::Stage Properties: RestApiId: Ref: sfmovesubscriptionsapi1E2B2153 DeploymentId: Ref: sfmovesubscriptionsapiDeployment823989FDa9cd173c0ce8c01baea2dede41b4f2f8 StageName: Ref: stage Tags: - Key: App Value: sf-move-subscriptions-api - Key: Stage Value: Ref: stage - Key: Stack Value: membership sfmovesubscriptionsapiCloudWatchRoleEB8406DC: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: apigateway.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - :iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs Tags: - Key: App Value: sf-move-subscriptions-api - Key: Stage Value: Ref: stage - Key: Stack Value: membership sfmovesubscriptionsapiAccount21F56D5B: Type: AWS::ApiGateway::Account Properties: CloudWatchRoleArn: Fn::GetAtt: - sfmovesubscriptionsapiCloudWatchRoleEB8406DC - Arn DependsOn: - sfmovesubscriptionsapi1E2B2153 sfmovesubscriptionsapiANYApiPermissionsfmovesubscriptionsapi1DE2022EANYA9CD3D65: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: Fn::GetAtt: - sfMoveSubscriptionsLambdaFFEA4DBB - Arn Principal: apigateway.amazonaws.com SourceArn: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":execute-api:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - ":" - Ref: sfmovesubscriptionsapi1E2B2153 - / - Ref: sfmovesubscriptionsapiDeploymentStageobjectObject0B1836AE - /*/ sfmovesubscriptionsapiANYApiPermissionTestsfmovesubscriptionsapi1DE2022EANY3BB4E7B4: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: Fn::GetAtt: - sfMoveSubscriptionsLambdaFFEA4DBB - Arn Principal: apigateway.amazonaws.com SourceArn: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":execute-api:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - ":" - Ref: sfmovesubscriptionsapi1E2B2153 - /test-invoke-stage/*/ sfmovesubscriptionsapiANYC6788DCE: Type: AWS::ApiGateway::Method Properties: HttpMethod: ANY ResourceId: Fn::GetAtt: - sfmovesubscriptionsapi1E2B2153 - RootResourceId RestApiId: Ref: sfmovesubscriptionsapi1E2B2153 ApiKeyRequired: true AuthorizationType: NONE Integration: IntegrationHttpMethod: POST Type: AWS_PROXY Uri: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":apigateway:" - Ref: AWS::Region - :lambda:path/2015-03-31/functions/ - Fn::GetAtt: - sfMoveSubscriptionsLambdaFFEA4DBB - Arn - /invocations sfmovesubscriptionsapiproxy4CE36BC9: Type: AWS::ApiGateway::Resource Properties: ParentId: Fn::GetAtt: - sfmovesubscriptionsapi1E2B2153 - RootResourceId PathPart: "{proxy+}" RestApiId: Ref: sfmovesubscriptionsapi1E2B2153 sfmovesubscriptionsapiproxyANYApiPermissionsfmovesubscriptionsapi1DE2022EANYproxy4A941C79: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: Fn::GetAtt: - sfMoveSubscriptionsLambdaFFEA4DBB - Arn Principal: apigateway.amazonaws.com SourceArn: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":execute-api:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - ":" - Ref: sfmovesubscriptionsapi1E2B2153 - / - Ref: sfmovesubscriptionsapiDeploymentStageobjectObject0B1836AE - /*/{proxy+} sfmovesubscriptionsapiproxyANYApiPermissionTestsfmovesubscriptionsapi1DE2022EANYproxyBAF27DB4: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: Fn::GetAtt: - sfMoveSubscriptionsLambdaFFEA4DBB - Arn Principal: apigateway.amazonaws.com SourceArn: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":execute-api:" - Ref: AWS::Region - ":" - Ref: AWS::AccountId - ":" - Ref: sfmovesubscriptionsapi1E2B2153 - /test-invoke-stage/*/{proxy+} Metadata: aws:cdk:path: sf-move-subscriptions-api/sf-move-subscriptions-api/Default/{proxy+}/ANY/ApiPermission.Test.sfmovesubscriptionsapi1DE2022E.ANY..{proxy+} sfmovesubscriptionsapiproxyANY8BB1BC8E: Type: AWS::ApiGateway::Method Properties: HttpMethod: ANY ResourceId: Ref: sfmovesubscriptionsapiproxy4CE36BC9 RestApiId: Ref: sfmovesubscriptionsapi1E2B2153 ApiKeyRequired: true AuthorizationType: NONE Integration: IntegrationHttpMethod: POST Type: AWS_PROXY Uri: Fn::Join: - "" - - "arn:" - Ref: AWS::Partition - ":apigateway:" - Ref: AWS::Region - :lambda:path/2015-03-31/functions/ - Fn::GetAtt: - sfMoveSubscriptionsLambdaFFEA4DBB - Arn - /invocations sfMoveSubscriptionsApiKeyBDEEA81B: Type: AWS::ApiGateway::ApiKey Properties: Enabled: true Name: Fn::Join: - "" - - sf-move-subscriptions-api-key- - Ref: stage StageKeys: - RestApiId: Ref: sfmovesubscriptionsapi1E2B2153 StageName: Ref: sfmovesubscriptionsapiDeploymentStageobjectObject0B1836AE sfMoveSubscriptionsApiUsagePlan6EC96D73: Type: AWS::ApiGateway::UsagePlan Properties: ApiStages: - ApiId: Ref: sfmovesubscriptionsapi1E2B2153 Stage: Ref: sfmovesubscriptionsapiDeploymentStageobjectObject0B1836AE Throttle: {} UsagePlanName: Fn::Join: - "" - - sf-move-subscriptions-api-usage-plan- - Ref: stage sfMoveSubscriptionsApiUsagePlanUsagePlanKeyResource6EAD919B: Type: AWS::ApiGateway::UsagePlanKey Properties: KeyId: Ref: sfMoveSubscriptionsApiKeyBDEEA81B KeyType: API_KEY UsagePlanId: Ref: sfMoveSubscriptionsApiUsagePlan6EC96D73 Outputs: sfmovesubscriptionsapiEndpoint4288D4E9: Value: Fn::Join: - "" - - https:// - Ref: sfmovesubscriptionsapi1E2B2153 - .execute-api. - Ref: AWS::Region - "." - Ref: AWS::URLSuffix - / - Ref: sfmovesubscriptionsapiDeploymentStageobjectObject0B1836AE - /