template.yml

# https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-authoring.html
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference.html
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: >
  Mailing list system providing address validation and unsubscribe URIs.
Parameters:
  ApiDomainName:
    Type: String
  ApiMappingKey:
    Type: String
  EmailDomainName:
    Type: String
  EmailSiteTitle:
    Type: String
  SenderName:
    Type: String
  SenderUserName:
    Type: String
  UnsubscribeUserName:
    Type: String
  UnsubscribeFormPath:
    Type: String
  ReceiptRuleSetName:
    Type: String
  SubscribersTableName:
    Type: String
  MaxBulkSendCapacity:
    Type: Number
    MinValue: "0"
    MaxValue: "1"
    Default:  "0.8"
    Description: Portion of quota to use for bulk sending, in range [0.0,1.0]
  InvalidRequestPath:
    Type: String
  AlreadySubscribedPath:
    Type: String
  VerifyLinkSentPath:
    Type: String
  SubscribedPath:
    Type: String
  NotSubscribedPath:
    Type: String
  UnsubscribedPath:
    Type: String

Resources:
  Function:
    # https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html
    Type: AWS::Serverless::Function
    # https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-build.html#examples-makefile-identifier
    # https://docs.aws.amazon.com/lambda/latest/dg/golang-package.html
    # https://github.com/aws-samples/sessions-with-aws-sam/tree/master/go-al2
    Metadata:
      BuildMethod: makefile
    DependsOn: FunctionLogs
    Properties:
      Handler: bootstrap
      # https://aws.amazon.com/blogs/compute/migrating-aws-lambda-functions-from-the-go1-x-runtime-to-the-custom-runtime-on-amazon-linux-2/
      Runtime: provided.al2
      Architectures:
      - "arm64"
      Description: Coordinates between the API Gateway, DynamoDB, SES, and SNS
      Timeout: 300
      FunctionName: !Sub "${AWS::StackName}-function"
      # https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-template-list.html
      Policies:
        - AWSLambdaBasicExecutionRole
        - Statement:
            Sid: DynamoDbPolicy
            Effect: Allow
            Action:
              - "dynamoDb:GetItem"
              - "dynamoDb:PutItem"
              - "dynamoDb:DeleteItem"
              - "dynamoDb:Scan"
            Resource:
              - !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${SubscribersTableName}"
              - !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${SubscribersTableName}/index/*"
        - Statement:
            Sid: SESSendEmailPolicy
            Effect: Allow
            Action:
              - "ses:SendRawEmail"
              - "ses:SendBounce"
            Resource:
              - !Sub "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${EmailDomainName}"
              - !Sub "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:configuration-set/${AWS::StackName}"
        - Statement:
            Sid: SESGeneralPolicy
            Effect: Allow
            Action:
              - "ses:GetAccount"
              - "ses:GetSuppressedDestination"
              - "ses:PutSuppressedDestination"
              - "ses:DeleteSuppressedDestination"
            Resource: "*"

      Tracing: Active
      Environment:
        Variables:
          API_DOMAIN_NAME: !Ref ApiDomainName
          API_MAPPING_KEY: !Ref ApiMappingKey
          EMAIL_DOMAIN_NAME: !Ref EmailDomainName
          EMAIL_SITE_TITLE: !Ref EmailSiteTitle
          SENDER_NAME: !Ref SenderName
          SENDER_USER_NAME: !Ref SenderUserName
          UNSUBSCRIBE_USER_NAME: !Ref UnsubscribeUserName
          UNSUBSCRIBE_FORM_PATH: !Ref UnsubscribeFormPath
          SUBSCRIBERS_TABLE_NAME: !Ref SubscribersTableName
          CONFIGURATION_SET: !Ref SendingConfigurationSet
          MAX_BULK_SEND_CAPACITY: !Ref MaxBulkSendCapacity
          INVALID_REQUEST_PATH: !Ref InvalidRequestPath
          ALREADY_SUBSCRIBED_PATH: !Ref AlreadySubscribedPath
          VERIFY_LINK_SENT_PATH: !Ref VerifyLinkSentPath
          SUBSCRIBED_PATH: !Ref SubscribedPath
          NOT_SUBSCRIBED_PATH: !Ref NotSubscribedPath
          UNSUBSCRIBED_PATH: !Ref UnsubscribedPath
      Events:
        Subscribe:
          Type: Api
          Properties:
            RestApiId: !Ref Api
            Path: /subscribe
            Method: POST
        Verify:
          Type: Api
          Properties:
            RestApiId: !Ref Api
            Path: /verify/{email}/{uid}
            Method: GET
        UnsubscribeGet:
          Type: Api
          Properties:
            RestApiId: !Ref Api
            Path: /unsubscribe/{email}/{uid}
            Method: GET
        UnsubscribePost:
          Type: Api
          Properties:
            RestApiId: !Ref Api
            Path: /unsubscribe/{email}/{uid}
            Method: POST
        DeliveryNotification:
          Type: SNS
          Properties:
            Topic: !Ref DeliveryNotificationsTopic

  ApiMapping:
    Type: AWS::ApiGatewayV2::ApiMapping
    Properties:
      ApiId: !Ref Api
      DomainName: !Ref ApiDomainName
      ApiMappingKey: !Ref ApiMappingKey
      # https://github.com/aws/serverless-application-model/issues/192#issuecomment-520893111
      Stage: !Ref Api.Stage

  Api:
    # https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html
    Type: AWS::Serverless::Api
    DependsOn: ApiAccessLogs
    Properties:
      # Block automatic creation of the "Stage" stage per:
      # https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-openapiversion
      OpenApiVersion: "3.0.1"
      StageName: !Ref AWS::StackName
      AccessLogSetting:
        # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigatewayv2-stage-accesslogsettings.html
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging.html
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging-variables.html
        DestinationArn: !GetAtt ApiAccessLogs.Arn
        Format: '"$context.identity.sourceIp - - [$context.requestTime] "$context.httpMethod $context.path $context.protocol" $context.status $context.responseLength $context.requestId"'
      MethodSettings:
        # https://stackoverflow.com/a/70423772
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html
        - HttpMethod: "*"
          ResourcePath: "/*"
          ThrottlingRateLimit: 10
          ThrottlingBurstLimit: 100

  FunctionLogs:
    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html#cfn-logs-loggroup-retentionindays
    # https://awslabs.github.io/serverless-rules/rules/lambda/log_retention/
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${AWS::StackName}-function"
      RetentionInDays: 14

  ApiAccessLogs:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "${AWS::StackName}-api"
      RetentionInDays: 14

  WebAcl:
    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: !Sub "${AWS::StackName}-api-acl"
      Description: "Protect the /subscribe form from spam bots"
      DefaultAction:
        Allow: {}
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: !Sub "${AWS::StackName}-api-acl"
        SampledRequestsEnabled: true
      TokenDomains:
        - !Ref EmailDomainName
      Rules:
        - Name: "subscribe"
          Priority: 0
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: !Sub "${AWS::StackName}-api-acl-subscribe"
            SampledRequestsEnabled: true
          Statement:
            ByteMatchStatement:
              FieldToMatch:
                UriPath: {}
              SearchString: !Sub "/${ApiMappingKey}/subscribe"
              PositionalConstraint: STARTS_WITH
              TextTransformations:
                - Priority: 0
                  Type: URL_DECODE
                - Priority: 1
                  Type: NORMALIZE_PATH
          Action:
            Captcha: {}
          CaptchaConfig:
            ImmunityTimeProperty:
              ImmunityTime: 60

  WebAclAssociation:
    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      # https://docs.aws.amazon.com/apigateway/latest/developerguide/arn-format-reference.html
      ResourceArn: !Sub "arn:${AWS::Partition}:apigateway:${AWS::Region}:${AWS::AccountId}:/restapis/${Api}/stages/${AWS::StackName}"
      WebACLArn: !GetAtt WebAcl.Arn

  ReceiptRuleSetPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: "lambda:InvokeFunction"
      FunctionName: !GetAtt Function.Arn
      Principal: "ses.amazonaws.com"
      SourceArn: !Sub "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:receipt-rule-set/${ReceiptRuleSetName}:receipt-rule/${UnsubscribeUserName}"

  UnsubscribeReceiptRule:
    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-receiptrule.html
    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-receiptruleset.html
    Type: AWS::SES::ReceiptRule
    Properties:
      RuleSetName: !Ref ReceiptRuleSetName
      Rule:
        Name: !Ref UnsubscribeUserName
        Enabled: true
        TlsPolicy: Require
        ScanEnabled: true
        Recipients:
          - !Sub "${UnsubscribeUserName}@${EmailDomainName}"
        Actions:
          - LambdaAction:
              FunctionArn: !GetAtt Function.Arn
    DependsOn: ReceiptRuleSetPermission

  DeliveryNotificationsTopic:
    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref AWS::StackName

  DeliveryNotificationsTopicPolicy:
    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref DeliveryNotificationsTopic
      PolicyDocument:
          # Note that this is for an event destination for event publishing:
          # - https://docs.aws.amazon.com/ses/latest/dg/event-publishing-add-event-destination-sns.html
          #
          # as opposed to notifications for a verified identity:
          # - https://docs.aws.amazon.com/ses/latest/dg/configure-sns-notifications.html
          #
          # It's subtle. It's possible to have one topic for multiple
          # deployments using the verified identity notifications. For this
          # application, however, we set up different topics and destinations
          # for each deployment. This keeps each deployment's notifications
          # encapsulated from one another.
          Version: "2012-10-17"
          Id: !Sub "${AWS::StackName}-notification-policy"
          Statement:
            - Effect: Allow
              Principal:
                Service: ses.amazonaws.com
              Action: "sns:Publish"
              Resource: !Ref DeliveryNotificationsTopic
              Condition:
                ArnEquals:
                  "AWS:SourceArn": !Sub "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:configuration-set/${SendingConfigurationSet}"

  SendingConfigurationSet:
    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-configurationset.html
    Type: AWS::SES::ConfigurationSet
    Properties:
      Name: !Ref AWS::StackName
      DeliveryOptions:
        TlsPolicy: REQUIRE
      SendingOptions:
        SendingEnabled: true
      SuppressionOptions:
        SuppressedReasons:
          - COMPLAINT
          - BOUNCE

  SendingConfigurationSetDestination:
    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-configurationseteventdestination.html
    Type: AWS::SES::ConfigurationSetEventDestination
    Properties:
      ConfigurationSetName: !Ref SendingConfigurationSet
      EventDestination:
        Name: !Sub "${AWS::StackName}-delivery-notifications"
        Enabled: true
        MatchingEventTypes:
          - send
          - delivery
          - reject
          - bounce
          - complaint
        SnsDestination:
          TopicARN: !Ref DeliveryNotificationsTopic

Outputs:
  # https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
  ApiRootUrl:
    Description: "Root URL for the EListMan API Gateway endpoint"
    Value: !Sub "https://${ApiDomainName}/${ApiMappingKey}"
  EListManFunctionArn:
    Description: "EListMan Lambda function ARN"
    Value: !GetAtt Function.Arn
  IamRole:
    Description: "Implicit IAM Role created for EListMan function"
    Value: !GetAtt FunctionRole.Arn
  SenderEmailAddress:
    Description: "Sender address for EListMan verification emails"
    Value: !Sub "${SenderName} <${SenderUserName}@${EmailDomainName}>"