AWSTemplateFormatVersion: "2010-09-09"
Parameters:
    GitLfsUsername:
        Type: String
        Description: Username for authenticating against Git LFS endpoint
    GitLfsPassword:
        Type: String
        Description: Password for authenticating against Git LFS endpoint
Outputs:
    LfsEndpoint:
        Description: The Git LFS endpoint to use
        Value: !Sub 'https://${RestApi}.execute-api.${AWS::Region}.amazonaws.com/lfs'
Resources:
    StorageBucket:
        Type: AWS::S3::Bucket
        DeletionPolicy: Retain
    RestApi:
        Type: AWS::ApiGateway::RestApi
        Properties:
            Body:
                swagger: '2.0'
                info:
                    description: 'Describes a proxy to a Lambda function to sign S3 requests.'
                    title: 'Git LFS REST API'
                version: '1.0.0'
                paths:
                    /{proxy+}:
                        x-amazon-apigateway-any-method:
                            produces:
                                - application/json
                            parameters:
                                - name: proxy
                                  in: path
                                  required: true
                                  type: string
                            responses: {}
                            x-amazon-apigateway-integration:
                                responses:
                                    default:
                                        statusCode: 200
                                uri: !Sub 'arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${SigningLambda}/invocations'
                                passthroughBehavior: when_no_match
                                httpMethod: POST
                                contentHandling: CONVERT_TO_TEXT
                                type: aws_proxy
            Description: Git LFS endpoint
            FailOnWarnings: true
            Name: !Ref AWS::StackName
    RestDeployment:
        Type: AWS::ApiGateway::Deployment
        Properties:
            RestApiId: !Ref RestApi
            StageName: lfs
    SigningLambda:
        Type: AWS::Lambda::Function
        Properties:
            Code:
                S3Bucket: !Sub 'ae-infrastructure-${AWS::Region}'
                S3Key: git-lfs/6.1.0/Estranged.Lfs.Hosting.Lambda.zip
            Description: Generates S3 signed URLs for Git LFS
            FunctionName: !Ref AWS::StackName
            Handler: Estranged.Lfs.Hosting.Lambda::Estranged.Lfs.Hosting.Lambda.LambdaEntryPoint::FunctionHandlerAsync
            MemorySize: 512
            Role: !GetAtt SigningLambdaRole.Arn
            Runtime: dotnet10
            Timeout: 30
            Environment:
                Variables:
                    LFS_BUCKET: !Ref StorageBucket
                    LFS_USERNAME: !Ref GitLfsUsername
                    LFS_PASSWORD: !Ref GitLfsPassword
    SigningLambdaGatewayPermission:
        Type: AWS::Lambda::Permission
        Properties: 
            Action: lambda:InvokeFunction
            FunctionName: !GetAtt SigningLambda.Arn
            Principal: apigateway.amazonaws.com
            SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${RestApi}/*
    SigningLambdaRole:
        Type: AWS::IAM::Role
        Properties:
            AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                - 
                    Effect: Allow
                    Principal:
                        Service:
                            - lambda.amazonaws.com
                    Action:
                        - sts:AssumeRole
            ManagedPolicyArns:
                - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
                - arn:aws:iam::aws:policy/AmazonS3FullAccess