template.yml

AWSTemplateFormatVersion: "2010-09-09"
Transform: "AWS::Serverless-2016-10-31"

Description: >
  Code Scanning Alerts to Slack

Resources:
  AccessLogs:
    Type: "AWS::Logs::LogGroup"

  CodeScanningToSlack:
    Type: "AWS::Serverless::Function"
    Properties:
      CodeUri: functions/codeScanningToSlack
      Description: "A Lambda that connects GitHub Code Scanning Results to a Slack Channel"
      Environment:
        Variables:
          NODE_ENV: Production
          REGION: !Ref "AWS::Region"
      Events:
        GatewayEndpoint:
          Properties:
            ApiId: !Ref HttpApi
            Method: POST
            Path: /codescanning
          Type: HttpApi
      Handler: lib/main.handler
      Policies:
        - AmazonSSMReadOnlyAccess
      Runtime: nodejs20.x
      Timeout: 60
      Tracing: Active

  GitHubWebhookIPValidator:
    Type: "AWS::Serverless::Function"
    Properties:
      CodeUri: functions/githubWebhookIPValidator
      Description: "A Lambda Function that validates the IP comes from GitHub"
      Environment:
        Variables:
          NODE_ENV: Production
          REGION: !Ref "AWS::Region"
      Handler: lib/main.handler
      Policies:
        - AmazonSSMReadOnlyAccess
      Runtime: nodejs20.x
      Timeout: 60
      Tracing: Active

  HttpApi:
    Type: "AWS::Serverless::HttpApi"
    Properties:
      AccessLogSettings:
        DestinationArn: !GetAtt AccessLogs.Arn
        Format: >-
          { "requestId":"$context.requestId","ip": "$context.identity.sourceIp",
          "requestTime":"$context.requestTime","httpMethod":"$context.httpMethod",
          "routeKey":"$context.routeKey","status":"$context.status",
          "protocol":"$context.protocol","responseLength":"$context.responseLength",
          "error" : $context.authorizer.error }
      Auth:
        Authorizers:
          LambdaAuthorizer:
            AuthorizerPayloadFormatVersion: "2.0"
            EnableSimpleResponses: true
            FunctionArn: !GetAtt GitHubWebhookIPValidator.Arn
            FunctionInvokeRole: !GetAtt LambdaInvokeRole.Arn
            Identity:
              Headers:
                - X-Hub-Signature
        DefaultAuthorizer: LambdaAuthorizer
      RouteSettings:
        "POST /codescanning":
          ThrottlingBurstLimit: 10

  LambdaInvokeRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - apigateway.amazonaws.com
            Action:
              - "sts:AssumeRole"

  LambdaInvokePolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "LambdaInvokePolicy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action: "lambda:InvokeFunction"
            Resource: !GetAtt GitHubWebhookIPValidator.Arn
      Roles:
        - Ref: "LambdaInvokeRole"

Outputs:
  HttpApiUrl:
    Description: HTTP API URL
    Value:
      Fn::Sub: "https://${HttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}/"