AWSTemplateFormatVersion: '2010-09-09'
Description: Governor is Stronghold's GitHub Bot for engineering standards.

Parameters:
  # NOTE(review): CloudFormation does not apply Fn::Sub to parameter Defaults, so
  # ${AWS::AccountId} / ${AWS::Region} below are never expanded; the literal string
  # is what Lambda would receive. EcrImageUri must be passed explicitly at deploy
  # time (or the default reworked so the URI is built with !Sub in the resource).
  # Supply chain: a tag is mutable unless the ECR repository enforces tag
  # immutability; pinning by digest (<repo>@sha256:<digest>) makes the deploy
  # reproducible.
  EcrImageUri:
    Type: String
    Description: ECR image URI for the Lambda function
    Default: ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/stronghold/governor:0.0.4-arm64

  # Exposed to the function as CONFIG_URL; the default points at an example
  # organisation and is expected to be overridden.
  ConfigUrl:
    Type: String
    Description: GitHub URL to the bot configuration file
    Default: https://github.com/example/.stronghold/config.yaml

  # Secret *name*, not ARN. The execution role's secretsmanager statement is
  # derived from this value, so it must match the stored secret exactly.
  SecretName:
    Type: String
    Description: AWS Secrets Manager secret name containing GitHub App credentials
    Default: governor-github

  # Quoted on purpose: Lambda environment variables are strings, and an unquoted
  # false would be parsed as a YAML boolean rather than the literal text.
  DebugMode:
    Type: String
    Description: Enable debug logging
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'

Resources:
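  # Execution role for the Governor Lambda. Three inline policies, each scoped to
  # what the function visibly needs: log delivery, reading one secret, sending mail.
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name: the stack needs CAPABILITY_NAMED_IAM, and since IAM role names
      # are account-global only one copy of this stack can exist per account.
      RoleName: governor-execution-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: governor-logs-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                # Log-group name must track FunctionName (governor) in GovernorFunction.
                Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/governor:*
        - PolicyName: governor-secrets-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                # Secrets Manager appends "-" plus six random characters to the
                # secret name in its ARN, so a suffix wildcard is unavoidable.
                # "-??????" matches exactly that suffix; the previous
                # "${SecretName}*" also granted read access to every secret whose
                # name merely starts with SecretName (e.g. governor-github-prod).
                Resource: !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretName}-??????
        - PolicyName: governor-ses-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ses:SendEmail
                  - ses:SendRawEmail
                # No sender identity is parameterised in this template, so the
                # grant is account-wide. Once the sending domain is known, scope it
                # to that identity ARN (arn:aws:ses:<region>:<account>:identity/<domain>)
                # so a compromised function cannot send as any verified identity.
                Resource: '*'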

  # The bot itself: a container-image Lambda invoked through the function URL below.
  GovernorFunction:
    Type: AWS::Lambda::Function
    Properties:
      # Fixed name; LambdaExecutionRole's log statement hard-codes
      # /aws/lambda/governor, so renaming this silently breaks log delivery.
      FunctionName: governor
      Role: !GetAtt LambdaExecutionRole.Arn
      PackageType: Image
      Code:
        # Taken verbatim from the parameter; no digest pinning is enforced here.
        ImageUri: !Ref EcrImageUri
      # Must match the image build target (the default tag is suffixed -arm64).
      Architectures:
        - arm64
      # Seconds. NOTE(review): GitHub's webhook delivery timeout (10 s) is far
      # shorter than this, so long-running checks should not block the HTTP
      # response — confirm the handler acknowledges before doing the work.
      Timeout: 300
      MemorySize: 256
      Environment:
        Variables:
          CONFIG_URL: !Ref ConfigUrl
          SECRET_NAME: !Ref SecretName
          # Arrives as the string 'true' / 'false' (see DebugMode AllowedValues),
          # not a boolean; the handler must compare text.
          DEBUG_MODE: !Ref DebugMode

  # Public HTTPS endpoint that GitHub delivers webhooks to (exported as WebhookUrl).
  GovernorFunctionUrl:
    Type: AWS::Lambda::Url
    Properties:
      # Unauthenticated by necessity: GitHub cannot SigV4-sign webhook requests.
      # Request authenticity therefore has to be enforced inside the handler by
      # verifying the X-Hub-Signature-256 header against the app's webhook secret
      # (presumably held in the SecretName secret — confirm). Everything reachable
      # at this URL is internet-exposed.
      AuthType: NONE
      TargetFunctionArn: !GetAtt GovernorFunction.Arn

  # Resource-based policy that lets anonymous callers invoke the function URL.
  # Required alongside AuthType NONE on GovernorFunctionUrl; without it the URL
  # answers 403. Keep the two AuthType values in sync.
  GovernorFunctionUrlPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref GovernorFunction
      Action: lambda:InvokeFunctionUrl
      Principal: '*'
      FunctionUrlAuthType: NONE

Outputs:
  # Paste into the GitHub App's "Webhook URL" field. The URL is tied to the
  # GovernorFunctionUrl resource; replacing that resource changes it and the App
  # settings must be updated again.
  WebhookUrl:
    Description: URL to configure in GitHub App webhook settings
    Value: !GetAtt GovernorFunctionUrl.FunctionUrl

  LambdaFunctionArn:
    Description: ARN of the Lambda function
    Value: !GetAtt GovernorFunction.Arn

  LambdaRoleArn:
    Description: ARN of the Lambda execution role
    Value: !GetAtt LambdaExecutionRole.Arn
