AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  endpoint:
    Type: String
    Description: The Secrets Manager endpoint to hit
  functionName:
    Type: String
    Description: The name of the lambda function
  vpcSubnetIds:
    Type: CommaDelimitedList
    Description: List of VPC subnet IDs
    Default: ''
  vpcSecurityGroupIds:
    Type: CommaDelimitedList
    Description: List of VPC security grouop IDs
    Default: ''
Conditions:
  AddVpcConfig:
    Fn::And:
    - Fn::Not:
      - Fn::Equals:
        - ''
        - Fn::Join:
          - ''
          - Ref: vpcSubnetIds
    - Fn::Not:
      - Fn::Equals:
        - ''
        - Fn::Join:
          - ''
          - Ref: vpcSecurityGroupIds
Resources:
  SecretsManagerMongoDBRotationSingleUser:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName:
        Ref: functionName
      Description: Conducts an AWS SecretsManager secret rotation for MongoDB using single user rotation scheme
      Handler: lambda_function.lambda_handler
      Runtime: python2.7
      CodeUri:
        Bucket: <%REPO_BUCKET%>
        Key: 8f1ec01b-17ab-4b22-ad16-7df753a52df4
      Timeout: 30
      Policies:
      - VPCAccessPolicy: {}
      - AWSSecretsManagerRotationPolicy:
          FunctionName:
            Ref: functionName
      Environment:
        Variables:
          SECRETS_MANAGER_ENDPOINT:
            Ref: endpoint
      VpcConfig:
        Fn::If:
        - AddVpcConfig
        - SubnetIds:
            Ref: vpcSubnetIds
          SecurityGroupIds:
            Ref: vpcSecurityGroupIds
        - Ref: AWS::NoValue
      Tags:
        SecretsManagerLambda: Rotation
Outputs:
  RotationLambdaARN:
    Description: The ARN of the rotation lambda
    Value:
      Fn::GetAtt:
      - SecretsManagerMongoDBRotationSingleUser
      - Arn