template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  ApplicationDomain:
    Type: String
    Description: "Domain used for the battleshiper endpoints."
  ApplicationDomainCertificateArn:
    Type: String
    Description: "ARN of the ACM certificate for the ApplicationDomain."
  ApplicationDomainWildcardCertificateArn:
    Type: String
    Description: "ARN of the wildcard ACM certificate for '*.ApplicationDomain'."
  GithubOAuthClientCredentialArn:
    Type: String
    Description: "ARN of the Secret containing Github Application App ID, App Secret Key, Client ID & Client Secret ('app_id', 'app_secret', 'client_id' & 'client_secret')."
  GithubAdministratorUsername:
    Type: String
    Description: "Github username of the user which will be given administrator access rights upon registration."

Globals:
  Function:
    Timeout: 5
    MemorySize: 128


Resources:

  # Using ugly separator comments because cloudformation is dogwater:
  # ============================================
  # =========== Router =========================
  # ============================================

  BattleshiperRouterApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      Name: "battleshiper-router-api"

  BattleshiperRouterLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/battleshiper-router-logs
      LogGroupClass: STANDARD
      RetentionInDays: 14

  BattleshiperRouterLogReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-router-log-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:StartQuery"
              - "logs:GetQueryResults"
            Resource: !GetAtt BattleshiperRouterLogGroup.Arn
      Roles:
        - !Ref BattleshiperApiAdminFuncRole

  BattleshiperRouterLogWritePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-router-log-write-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
            Resource: !GetAtt BattleshiperRouterLogGroup.Arn
      Roles:
        - !Ref BattleshiperRouterFuncRole


  BattleshiperRouterFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperRouterFunc:
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: go1.x
    Properties:
      CodeUri: router
      Handler: router
      Runtime: provided.al2023
      Role: !GetAtt BattleshiperRouterFuncRole.Arn
      Architectures:
        - x86_64
      Events:
        Auth:
          Type: HttpApi
          Properties:
            Path: /{proxy+}
            Method: ANY
            ApiId: !Ref BattleshiperRouterApi
      Environment:
        Variables:
          STATIC_BUCKET_NAME: !Ref BattleshiperProjectStaticBucket
          SERVER_NAME_PREFIX: "battleshiper-project-server-"
          ERROR_PAGE: !Sub "https://${ApplicationDomain}/error"
      LoggingConfig:
        LogGroup: !Ref BattleshiperRouterLogGroup 


  # ============================================
  # =========== Database =======================
  # ============================================

  BattleshiperUserTable:
    Type: AWS::DynamoDB::Table
    # Change this to Retain if you want to keep the user data after deleting the stack.
    DeletionPolicy: Delete
    Properties:
      TableName: battleshiper-users
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: "id"
          AttributeType: "S"
        - AttributeName: "installation_id"
          AttributeType: "N"
      GlobalSecondaryIndexes:
        - IndexName: gsi_installation_id
          KeySchema:
            - AttributeName: "installation_id"
              KeyType: "HASH"
          Projection:
            ProjectionType: ALL
          OnDemandThroughput:
            MaxReadRequestUnits: 100
            MaxWriteRequestUnits: 100
      KeySchema:
        - AttributeName: "id"
          KeyType: "HASH"
      OnDemandThroughput:
        MaxReadRequestUnits: 100
        MaxWriteRequestUnits: 100

  BattleshiperUserTableReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-users-table-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - dynamodb:GetItem
              - dynamodb:BatchGetItem
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:DescribeTable
            Resource: 
              - !GetAtt BattleshiperUserTable.Arn
              - !Sub "${BattleshiperUserTable.Arn}/*"
      Roles:
        - !Ref BattleshiperApiAuthFuncRole
        - !Ref BattleshiperApiUserFuncRole
        - !Ref BattleshiperApiAdminFuncRole
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiPipelineFuncRole
        - !Ref BattleshiperPipelineInitFuncRole
        - !Ref BattleshiperPipelineDeployFuncRole

  BattleshiperUserTableWritePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-users-table-write-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - dynamodb:PutItem
              - dynamodb:UpdateItem
              - dynamodb:DeleteItem
              - dynamodb:BatchWriteItem
            Resource: 
              - !GetAtt BattleshiperUserTable.Arn
              - !Sub "${BattleshiperUserTable.Arn}/*"
      Roles:
        - !Ref BattleshiperApiAuthFuncRole
        - !Ref BattleshiperApiUserFuncRole
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiPipelineFuncRole
        - !Ref BattleshiperApiAdminFuncRole
        - !Ref BattleshiperPipelineDeployFuncRole


  BattleshiperProjectTable:
    Type: AWS::DynamoDB::Table
    # Change this to Retain if you want to keep the user data after deleting the stack.
    DeletionPolicy: Delete
    Properties:
      TableName: battleshiper-projects
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: "project_name"
          AttributeType: "S"
        - AttributeName: "owner_id"
          AttributeType: "S"
      GlobalSecondaryIndexes:
        - IndexName: gsi_owner_id
          KeySchema:
            - AttributeName: "owner_id"
              KeyType: "HASH"
          Projection:
            ProjectionType: ALL
          OnDemandThroughput:
            MaxReadRequestUnits: 100
            MaxWriteRequestUnits: 100
      KeySchema:
        - AttributeName: "project_name"
          KeyType: "HASH"
      OnDemandThroughput:
        MaxReadRequestUnits: 100
        MaxWriteRequestUnits: 100

  BattleshiperProjectTableReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-projects-table-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - dynamodb:GetItem
              - dynamodb:BatchGetItem
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:DescribeTable
            Resource: 
              - !GetAtt BattleshiperProjectTable.Arn
              - !Sub "${BattleshiperProjectTable.Arn}/*"
      Roles:
        - !Ref BattleshiperApiAdminFuncRole
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiPipelineFuncRole
        - !Ref BattleshiperPipelineInitFuncRole
        - !Ref BattleshiperPipelineDeployFuncRole
        - !Ref BattleshiperPipelineDeleteFuncRole

  BattleshiperProjectTableWritePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-projects-table-write-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - dynamodb:PutItem
              - dynamodb:UpdateItem
              - dynamodb:DeleteItem
              - dynamodb:BatchWriteItem
            Resource: 
              - !GetAtt BattleshiperProjectTable.Arn
              - !Sub "${BattleshiperProjectTable.Arn}/*"
      Roles:
        - !Ref BattleshiperApiAdminFuncRole
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiPipelineFuncRole
        - !Ref BattleshiperPipelineInitFuncRole
        - !Ref BattleshiperPipelineDeployFuncRole
        - !Ref BattleshiperPipelineDeleteFuncRole


  BattleshiperSubscriptionTable:
    Type: AWS::DynamoDB::Table
    # Change this to Retain if you want to keep the user data after deleting the stack.
    DeletionPolicy: Delete
    Properties:
      TableName: battleshiper-subscriptions
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: "id"
          AttributeType: "S"
      KeySchema:
        - AttributeName: "id"
          KeyType: "HASH"
      OnDemandThroughput:
        MaxReadRequestUnits: 100
        MaxWriteRequestUnits: 100

  BattleshiperSubscriptionTableReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-subscriptions-table-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - dynamodb:GetItem
              - dynamodb:BatchGetItem
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:DescribeTable
            Resource: 
              - !GetAtt BattleshiperSubscriptionTable.Arn
              - !Sub "${BattleshiperSubscriptionTable.Arn}/*"
      Roles:
        - !Ref BattleshiperApiAuthFuncRole
        - !Ref BattleshiperApiUserFuncRole
        - !Ref BattleshiperApiAdminFuncRole
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiPipelineFuncRole
        - !Ref BattleshiperPipelineInitFuncRole
        - !Ref BattleshiperPipelineDeployFuncRole

  BattleshiperSubscriptionTableWritePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-subscriptions-table-write-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - dynamodb:PutItem
              - dynamodb:UpdateItem
              - dynamodb:DeleteItem
              - dynamodb:BatchWriteItem
            Resource: 
              - !GetAtt BattleshiperSubscriptionTable.Arn
              - !Sub "${BattleshiperSubscriptionTable.Arn}/*"
      Roles:
        - !Ref BattleshiperApiAdminFuncRole

  # ============================================
  # =========== API ============================
  # ============================================

  BattleshiperApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      Name: "battleshiper-api"

  BattleshiperApiLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/battleshiper-api-logs
      LogGroupClass: STANDARD
      RetentionInDays: 14

  BattleshiperApiLogReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-api-log-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:StartQuery"
              - "logs:GetQueryResults"
            Resource: !GetAtt BattleshiperApiLogGroup.Arn
      Roles:
        - !Ref BattleshiperApiAdminFuncRole

  BattleshiperApiLogWritePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-api-log-write-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
            Resource: !GetAtt BattleshiperApiLogGroup.Arn
      Roles:
        - !Ref BattleshiperApiAuthFuncRole
        - !Ref BattleshiperApiUserFuncRole
        - !Ref BattleshiperApiAdminFuncRole
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiPipelineFuncRole
        - !Ref BattleshiperApiWebFuncRole
        - !Ref BattleshiperApiWebBootstrapFuncRole
        - !Ref BattleshiperApiWebCleanupFuncRole


  BattleshiperApiJwtCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: "battleshiper-api-jwt-credentials"
      Description: "Battleshiper jwt secret used to sign and verify user tokens."
      GenerateSecretString:
        SecretStringTemplate: '{}'
        GenerateStringKey: "secret"
        PasswordLength: 40
        ExcludeCharacters: '"@/\\'

  BattleshiperApiJwtCredentialReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-api-jwt-credentials-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "secretsmanager:GetSecretValue"
            Resource: !Ref BattleshiperApiJwtCredentials
      Roles:
        - !Ref BattleshiperApiAuthFuncRole
        - !Ref BattleshiperApiUserFuncRole
        - !Ref BattleshiperApiAdminFuncRole
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiPipelineFuncRole

  BattleshiperApiGhClientCredentialReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-api-gh-client-credentials-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "secretsmanager:GetSecretValue"
            Resource: !Ref GithubOAuthClientCredentialArn
      Roles:
        - !Ref BattleshiperApiAuthFuncRole
        - !Ref BattleshiperApiUserFuncRole
        - !Ref BattleshiperApiAdminFuncRole
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiPipelineFuncRole


  BattleshiperApiAuthFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperApiAuthFunc:
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: go1.x
    Properties:
      CodeUri: api/auth
      Handler: auth
      Runtime: provided.al2023
      Architectures:
        - x86_64
      Role: !GetAtt BattleshiperApiAuthFuncRole.Arn
      Events:
        Auth:
          Type: HttpApi
          Properties:
            Path: /api/auth/{proxy+}
            Method: ANY
            ApiId: !Ref BattleshiperApi
      Environment:
        Variables:
          BOOTSTRAP_TIMEOUT: "1500ms"
          JWT_CREDENTIAL_ARN: !Ref BattleshiperApiJwtCredentials
          USER_TOKEN_TTL: 172800 # 2 days
          GITHUB_CLIENT_CREDENTIAL_ARN: !Ref GithubOAuthClientCredentialArn
          REDIRECT_URI: !Sub "https://${ApplicationDomain}/api/auth/callback"
          FRONTEND_REDIRECT_URI: !Sub "https://${ApplicationDomain}/profile"
          USERTABLE: !Ref BattleshiperUserTable
          SUBSCRIPTIONTABLE: !Ref BattleshiperSubscriptionTable
      LoggingConfig:
        LogGroup: !Ref BattleshiperApiLogGroup 


  BattleshiperApiUserFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperApiUserFunc:
    Type: AWS::Serverless::Function
    # Function must depend on policies attached to the role
    # as described in docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html 
    Metadata:
      BuildMethod: go1.x
    Properties:
      CodeUri: api/user
      Handler: user
      Runtime: provided.al2023
      Architectures:
        - x86_64
      Role: !GetAtt BattleshiperApiUserFuncRole.Arn
      Events:
        User:
          Type: HttpApi
          Properties:
            Path: /api/user/{proxy+}
            Method: ANY
            ApiId: !Ref BattleshiperApi
      Environment:
        Variables:
          BOOTSTRAP_TIMEOUT: "1500ms"
          JWT_CREDENTIAL_ARN: !Ref BattleshiperApiJwtCredentials
          USERTABLE: !Ref BattleshiperUserTable
          SUBSCRIPTIONTABLE: !Ref BattleshiperSubscriptionTable
          ADMIN_GITHUB_USERNAME: !Ref GithubAdministratorUsername
      LoggingConfig:
        LogGroup: !Ref BattleshiperApiLogGroup 


  BattleshiperApiAdminFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperApiAdminFunc:
    Type: AWS::Serverless::Function
    # Function must depend on policies attached to the role
    # as described in docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html 
    Metadata:
      BuildMethod: go1.x
    Properties:
      CodeUri: api/admin
      Handler: admin
      Runtime: provided.al2023
      Architectures:
        - x86_64
      Role: !GetAtt BattleshiperApiAdminFuncRole.Arn
      Events:
        Admin:
          Type: HttpApi
          Properties:
            Path: /api/admin/{proxy+}
            Method: ANY
            ApiId: !Ref BattleshiperApi
      Environment:
        Variables:
          BOOTSTRAP_TIMEOUT: "1500ms"
          USERTABLE: !Ref BattleshiperUserTable
          PROJECTTABLE: !Ref BattleshiperProjectTable
          SUBSCRIPTIONTABLE: !Ref BattleshiperSubscriptionTable
          JWT_CREDENTIAL_ARN: !Ref BattleshiperApiJwtCredentials
          TICKET_CREDENTIAL_ARN: !Ref BattleshiperPipelineTicketCredentials
          API_LOG_GROUP: !Ref BattleshiperApiLogGroup
          PIPELINE_LOG_GROUP: !Ref BattleshiperPipelineLogGroup
          ROUTER_LOG_GROUP: !Ref BattleshiperRouterLogGroup
          DELETE_EVENTBUS_NAME: !Ref BattleshiperPipelineEventBus
          DELETE_EVENT_SOURCE: "ch.megakuul.battleshiper"
          DELETE_EVENT_ACTION: "battleshiper.delete"
          DELETE_EVENT_TICKET_TTL: 800
      LoggingConfig:
        LogGroup: !Ref BattleshiperApiLogGroup 


  BattleshiperApiResourceFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperApiResourceFunc:
    Type: AWS::Serverless::Function
    # Function must depend on policies attached to the role
    # as described in docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html 
    Metadata:
      BuildMethod: go1.x
    Properties:
      CodeUri: api/resource
      Handler: main.go
      Runtime: provided.al2023
      Architectures:
        - x86_64
      Role: !GetAtt BattleshiperApiResourceFuncRole.Arn
      Events:
        Resource:
          Type: HttpApi
          Properties:
            Path: /api/resource/{proxy+}
            Method: ANY
            ApiId: !Ref BattleshiperApi
      Environment:
        Variables:
          BOOTSTRAP_TIMEOUT: "1500ms"
          USERTABLE: !Ref BattleshiperUserTable
          PROJECTTABLE: !Ref BattleshiperProjectTable
          SUBSCRIPTIONTABLE: !Ref BattleshiperSubscriptionTable
          JWT_CREDENTIAL_ARN: !Ref BattleshiperApiJwtCredentials
          GITHUB_CLIENT_CREDENTIAL_ARN: !Ref GithubOAuthClientCredentialArn
          TICKET_CREDENTIAL_ARN: !Ref BattleshiperPipelineTicketCredentials
          INIT_EVENTBUS_NAME: !Ref BattleshiperPipelineEventBus
          INIT_EVENT_SOURCE: "ch.megakuul.battleshiper"
          INIT_EVENT_ACTION: "battleshiper.init"
          INIT_EVENT_TICKET_TTL: 800
          BUILD_EVENTBUS_NAME: !Ref BattleshiperPipelineEventBus
          BUILD_EVENT_SOURCE: "ch.megakuul.battleshiper"
          BUILD_EVENT_ACTION: "battleshiper.build"
          # deployment ticket is used as parameter of the aws.batch event
          # https://docs.aws.amazon.com/batch/latest/userguide/batch_cwe_events.html
          DEPLOY_EVENT_SOURCE: "aws.batch"
          DEPLOY_EVENT_ACTION: "Batch Job State Change"
          DEPLOY_EVENT_TICKET_TTL: 1400
          DELETE_EVENTBUS_NAME: !Ref BattleshiperPipelineEventBus
          DELETE_EVENT_SOURCE: "ch.megakuul.battleshiper"
          DELETE_EVENT_ACTION: "battleshiper.delete"
          DELETE_EVENT_TICKET_TTL: 800
          CLOUDFRONT_CACHE_ARN: !GetAtt BattleshiperProjectCDNRouteStore.Arn
      LoggingConfig:
        LogGroup: !Ref BattleshiperApiLogGroup 


  BattleshiperApiPipelineFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperApiPipelineFunc:
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: go1.x
    Properties:
      CodeUri: api/pipeline
      Handler: pipeline
      Runtime: provided.al2023
      Architectures:
        - x86_64
      Role: !GetAtt BattleshiperApiPipelineFuncRole.Arn
      Events:
        Pipeline:
          Type: HttpApi
          Properties:
            Path: /api/pipeline/{proxy+}
            Method: ANY
            ApiId: !Ref BattleshiperApi
      Environment:
        Variables:
          BOOTSTRAP_TIMEOUT: "1500ms"
          USERTABLE: !Ref BattleshiperUserTable
          PROJECTTABLE: !Ref BattleshiperProjectTable
          SUBSCRIPTIONTABLE: !Ref BattleshiperSubscriptionTable
          GITHUB_CLIENT_CREDENTIAL_ARN: !Ref GithubOAuthClientCredentialArn
          TICKET_CREDENTIAL_ARN: !Ref BattleshiperPipelineTicketCredentials
          BUILD_EVENTBUS_NAME: !Ref BattleshiperPipelineEventBus
          BUILD_EVENT_SOURCE: "ch.megakuul.battleshiper"
          BUILD_EVENT_ACTION: "battleshiper.build"
          # deployment ticket is used as parameter of the aws.batch event
          # https://docs.aws.amazon.com/batch/latest/userguide/batch_cwe_events.html
          DEPLOY_EVENT_SOURCE: "aws.batch"
          DEPLOY_EVENT_ACTION: "Batch Job State Change"
          DEPLOY_EVENT_TICKET_TTL: 1000
      LoggingConfig:
        LogGroup: !Ref BattleshiperApiLogGroup 


  BattleshiperApiWebFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperApiWebFunc:
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: makefile
    Properties:
      CodeUri: web
      Handler: index.handler
      Runtime: nodejs20.x
      Architectures:
        - x86_64
      AutoPublishAlias: live
      # I'm using traffic shifting here in a rather unusual way, I'm essentially using the pre traffic hook
      # to upload Sveltekit assets to s3 (while still keeping the old assets for a smooth update).
      # After the traffic shift completes, I use the post traffic hook to remove the old s3 assets.
      # Even if this is not the primary purpose of those hooks, I see this as an excellent use case,
      # as it allows me to smoothly rollout updates to the Sveltekit dashboard without any interruptions.
      DeploymentPreference:
        Enabled: True
        Type: AllAtOnce
        Hooks:
          PreTraffic: !Ref BattleshiperApiWebBootstrapFunc
          PostTraffic: !Ref BattleshiperApiWebCleanupFunc
      Role: !GetAtt BattleshiperApiWebFuncRole.Arn
      Events:
        Pipeline:
          Type: HttpApi
          Properties:
            Path: /{proxy+}
            Method: ANY
            ApiId: !Ref BattleshiperApi
      LoggingConfig:
        LogGroup: !Ref BattleshiperApiLogGroup 


  BattleshiperApiWebBootstrapFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "battleshiper-api-web-bootstrap-codedeploy-exec-access"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "codedeploy:PutLifecycleEventHookExecutionStatus"
                Resource: 
                  - !Sub 'arn:${AWS::Partition}:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentgroup:${ServerlessDeploymentApplication}/*'
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperApiWebBootstrapFunc:
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: go1.x
    Properties:
      # FunctionName must be prefixed with "CodeDeployHook_" like poorly documented here:
      # https://github.com/aws/serverless-application-model/issues/250
      FunctionName: "CodeDeployHook_ApiWebBootstrapFunc"
      Timeout: 30
      CodeUri: web/hooks/bootstrap
      Handler: bootstrap
      Runtime: provided.al2023
      Architectures:
        - x86_64
      Role: !GetAtt BattleshiperApiWebBootstrapFuncRole.Arn
      DeploymentPreference:
        Enabled: False
      Environment:
        Variables:
          BOOTSTRAP_TIMEOUT: "1500ms"
          STATIC_BUCKET_NAME: !Ref BattleshiperStaticBucket
      LoggingConfig:
        LogGroup: !Ref BattleshiperApiLogGroup 


  BattleshiperApiWebCleanupFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "battleshiper-api-web-cleanup-codedeploy-exec-access"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "codedeploy:PutLifecycleEventHookExecutionStatus"
                Resource: 
                  - !Sub 'arn:${AWS::Partition}:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentgroup:${ServerlessDeploymentApplication}/*'
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperApiWebCleanupFunc:
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: go1.x
    Properties:
      # FunctionName must be prefixed with "CodeDeployHook_" like poorly documented here:
      # https://github.com/aws/serverless-application-model/issues/250
      FunctionName: "CodeDeployHook_ApiWebCleanupFunc"
      Timeout: 30
      CodeUri: web/hooks/cleanup
      Handler: cleanup
      Runtime: provided.al2023
      Architectures:
        - x86_64
      Role: !GetAtt BattleshiperApiWebCleanupFuncRole.Arn
      DeploymentPreference:
        Enabled: False
      Environment:
        Variables:
          BOOTSTRAP_TIMEOUT: "1500ms"
          STATIC_BUCKET_NAME: !Ref BattleshiperStaticBucket
      LoggingConfig:
        LogGroup: !Ref BattleshiperApiLogGroup 

  # ============================================
  # =========== S3 Static Bucket ===============
  # ============================================

  BattleshiperStaticBucket:
    Type: AWS::S3::Bucket
    # Change this to Retain if you want to keep the user data after deleting the stack.
    DeletionPolicy: Delete
    Properties:
      Tags:
        - Key: "Name"
          Value: "battleshiper-static-bucket"

  BattleshiperStaticBucketBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref BattleshiperStaticBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "s3:GetObject"
            Effect: Allow
            Resource:
              - !Sub "${BattleshiperStaticBucket.Arn}/*"
            Principal:
              Service: cloudfront.amazonaws.com

  BattleshiperStaticBucketFullPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-static-bucket-full-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "s3:HeadObject"
              - "s3:GetObject"
              - "s3:GetObjectTagging"
              - "s3:PutObject"
              - "s3:PutObjectTagging"
              - "s3:DeleteObject"
            Effect: Allow
            Resource:
              - !Sub "${BattleshiperStaticBucket.Arn}/*"
          - Action:
              - "s3:ListBucket"
            Effect: Allow
            Resource:
              - !Sub "${BattleshiperStaticBucket.Arn}"
      Roles: 
        - !Ref BattleshiperApiWebBootstrapFuncRole
        - !Ref BattleshiperApiWebCleanupFuncRole

  # ============================================
  # =========== CDN ============================
  # ============================================

  BattleshiperCDNWebCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: "battleshiper-web-cache-policy"
        DefaultTTL: 86400 # 1 day
        MinTTL: 1 # 1 second
        MaxTTL: 31536000 # 1 year
        ParametersInCacheKeyAndForwardedToOrigin:
          CookiesConfig:
            CookieBehavior: "none"
          EnableAcceptEncodingBrotli: true
          EnableAcceptEncodingGzip: true
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: none

  BattleshiperCDNServerCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: "battleshiper-server-cache-policy"
        DefaultTTL: 0
        MinTTL: 0
        MaxTTL: 0
        ParametersInCacheKeyAndForwardedToOrigin:
          CookiesConfig:
            CookieBehavior: "none"
          EnableAcceptEncodingBrotli: false
          EnableAcceptEncodingGzip: false
          HeadersConfig:
            HeaderBehavior: "none"
          QueryStringsConfig:
            QueryStringBehavior: "none"

  BattleshiperCDNServerOriginRequestPolicy:
    Type: AWS::CloudFront::OriginRequestPolicy
    Properties:
      OriginRequestPolicyConfig:
        Name: "battleshiper-server-origin-policy"
        CookiesConfig:
          CookieBehavior: all
        HeadersConfig:
          HeaderBehavior: allExcept
          Headers:
            - host # exclude host implicitly tells cloudfront to replace it with the api gateway origin host (api gateway expects this)
        QueryStringsConfig:
          QueryStringBehavior: all

  BattleshiperCDNOriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:        
        Name: "battleshiper-cdn-origin-access"
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  BattleshiperCDN:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        PriceClass: "PriceClass_100"
        ViewerCertificate:
          AcmCertificateArn: !Ref ApplicationDomainCertificateArn
          SslSupportMethod: "sni-only"
          MinimumProtocolVersion: "TLSv1.2_2021"
        Origins:
          - Id: "battleshiper-static-bucket"
            # RegionalDomainName is used to increase deployment speed (https://stackoverflow.com/questions/38735306/aws-cloudfront-redirecting-to-s3-bucket)
            DomainName: !GetAtt BattleshiperStaticBucket.RegionalDomainName 
            OriginAccessControlId: !GetAtt BattleshiperCDNOriginAccessControl.Id
            S3OriginConfig: {}
          - Id: "battleshiper-api"
            DomainName: !Sub "${BattleshiperApi}.execute-api.${AWS::Region}.amazonaws.com"
            CustomOriginConfig:
              OriginProtocolPolicy: "https-only"
        DefaultCacheBehavior:
          TargetOriginId: "battleshiper-api"
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
            - PUT
            - PATCH
            - POST
            - DELETE
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: !Ref BattleshiperCDNServerCachePolicy
          OriginRequestPolicyId: !Ref BattleshiperCDNServerOriginRequestPolicy
        DefaultRootObject: index.html
        CacheBehaviors:
          - PathPattern: "/"
            TargetOriginId: "battleshiper-static-bucket"
            AllowedMethods:
              - GET
              - HEAD
            CachedMethods:
              - GET
              - HEAD
            Compress: true
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: !Ref BattleshiperCDNWebCachePolicy
          - PathPattern: "/_app/*"
            TargetOriginId: "battleshiper-static-bucket"
            AllowedMethods:
              - GET
              - HEAD
            CachedMethods:
              - GET
              - HEAD
            Compress: true
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: !Ref BattleshiperCDNWebCachePolicy
          - PathPattern: "/*.*"
            TargetOriginId: "battleshiper-static-bucket"
            AllowedMethods:
              - GET
              - HEAD
            CachedMethods:
              - GET
              - HEAD
            Compress: true
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: !Ref BattleshiperCDNWebCachePolicy
        Aliases:
          - !Sub "${ApplicationDomain}"
      Tags:
        - Key: "Name"
          Value: "battleshiper-cdn"


  # ============================================
  # =========== Pipeline Build Network =========
  # ============================================

  BattleshiperBuildVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.120.0.0/16"
      EnableDnsSupport: true
      EnableDnsHostnames: true

  BattleshiperBuildVPCInternetGateway:
    Type: AWS::EC2::InternetGateway

  BattleshiperBuildVPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref BattleshiperBuildVPCInternetGateway
      VpcId: !Ref BattleshiperBuildVPC


  BattleshiperBuildSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref BattleshiperBuildVPC

  BattleshiperBuildSubnetInternetRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref BattleshiperBuildSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref BattleshiperBuildVPCInternetGateway

  BattleshiperBuildSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref BattleshiperBuildVPC
      CidrBlock: "10.120.110.0/24"
      AvailabilityZone: !Select [0, !GetAZs ""]

  BattleshiperBuildSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref BattleshiperBuildSubnet1
      RouteTableId: !Ref BattleshiperBuildSubnetRouteTable

  BattleshiperBuildSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref BattleshiperBuildVPC
      CidrBlock: "10.120.120.0/24"
      AvailabilityZone: !Select [1, !GetAZs ""]

  BattleshiperBuildSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref BattleshiperBuildSubnet2
      RouteTableId: !Ref BattleshiperBuildSubnetRouteTable

  BattleshiperBuildSubnet3:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref BattleshiperBuildVPC
      CidrBlock: "10.120.130.0/24"
      AvailabilityZone: !Select [2, !GetAZs ""]

  BattleshiperBuildSubnet3RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref BattleshiperBuildSubnet3
      RouteTableId: !Ref BattleshiperBuildSubnetRouteTable


  BattleshiperBuildEgressGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "battleshiper-build-egress"
      GroupDescription: "Allows HTTPS egress traffic"
      VpcId: !Ref BattleshiperBuildVPC
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0

  # ============================================
  # ======= Pipeline Ticket Credentials ========
  # ============================================

  BattleshiperPipelineTicketCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: "battleshiper-pipeline-ticket-credentials"
      Description: "Battleshiper pipeline ticket secret used to sign and verify pipeline tickets."
      GenerateSecretString:
        SecretStringTemplate: '{}'
        GenerateStringKey: "secret"
        PasswordLength: 40
        ExcludeCharacters: '"@/\\'

  BattleshiperPipelineTicketCredentialReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-ticket-credentials-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "secretsmanager:GetSecretValue"
            Resource: !Ref BattleshiperPipelineTicketCredentials
      Roles:
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiAdminFuncRole
        - !Ref BattleshiperApiPipelineFuncRole
        - !Ref BattleshiperPipelineInitFuncRole
        - !Ref BattleshiperPipelineDeployFuncRole
        - !Ref BattleshiperPipelineDeleteFuncRole


  # ============================================
  # =========== Pipeline Policies ==============
  # ============================================

  BattleshiperPipelineCloudformationServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              "sts:AssumeRole"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/IAMFullAccess
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/AWSLambda_FullAccess
        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
        - arn:aws:iam::aws:policy/AWSBatchFullAccess
        - arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess
        - arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator


  BattleshiperPipelineProjectEventLogReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-project-event-log-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:StartQuery"
              - "logs:GetQueryResults"
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/battleshiper/project/event/*"
      Roles:
        - !Ref BattleshiperApiResourceFuncRole

  BattleshiperPipelineProjectEventLogExecPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-project-event-log-exec-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
            Resource: 
              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/battleshiper/project/event/*"
              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/battleshiper/project/event/*:log-stream:*"

      Roles:
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiPipelineFuncRole

  BattleshiperPipelineProjectBuildLogReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-project-build-log-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:StartQuery"
              - "logs:GetQueryResults"
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/battleshiper/project/build/*"
      Roles:
        - !Ref BattleshiperApiResourceFuncRole

  BattleshiperPipelineProjectDeployLogReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-project-deploy-log-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:StartQuery"
              - "logs:GetQueryResults"
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/battleshiper/project/deploy/*"
      Roles:
        - !Ref BattleshiperApiResourceFuncRole

  BattleshiperPipelineProjectDeployLogExecPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-project-deploy-log-exec-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
            Resource: 
              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/battleshiper/project/deploy/*"
              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/battleshiper/project/deploy/*:log-stream:*"
      Roles:
        - !Ref BattleshiperPipelineDeployFuncRole


  # ============================================
  # =========== Pipeline S3 Storage ============
  # ============================================

  BattleshiperPipelineBuildAssetBucket:
    Type: AWS::S3::Bucket
    # Change this to Retain if you want to keep the user data after deleting the stack.
    DeletionPolicy: Delete
    Properties:
      Tags:
        - Key: "Name"
          Value: "battleshiper-pipeline-build-asset-bucket"
      LifecycleConfiguration:
        Rules:
          - Id: "delete-assets"
            Status: "Enabled"
            ExpirationInDays: 1
            Prefix: ""
  
  BattleshiperPipelineBuildAssetBucketFullPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-build-asset-bucket-full-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "s3:HeadObject"
              - "s3:GetObject"
              - "s3:PutObject"
              - "s3:DeleteObject"
            Effect: Allow
            Resource:
              - !Sub "${BattleshiperPipelineBuildAssetBucket.Arn}/*"
          - Action:
              - "s3:ListBucket"
            Effect: Allow
            Resource:
              - !Sub "${BattleshiperPipelineBuildAssetBucket.Arn}"
      Roles:
        - !Ref BattleshiperPipelineDeployFuncRole
        - !Ref BattleshiperPipelineDeleteFuncRole


  # ============================================
  # =========== Pipeline EventBus ==============
  # ============================================

  BattleshiperPipelineEventBus:
    Type: AWS::Events::EventBus
    Properties:
      Name: "battleshiper-pipeline-eventbus"

  BattleshiperPipelineEventBusExecPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-eventbus-exec-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "events:PutEvents"
            Resource: !GetAtt BattleshiperPipelineEventBus.Arn
      Roles:
        - !Ref BattleshiperApiPipelineFuncRole
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperApiAdminFuncRole


  # ============================================
  # =========== Pipeline Batch Environment =====
  # ============================================

  BattleshiperPipelineBuildComputeEnvironment:
    Type: AWS::Batch::ComputeEnvironment
    Properties:
      ComputeEnvironmentName: "battleshiper-pipeline-build-computer-environment"
      State: ENABLED
      Type: MANAGED
      ComputeResources:
        Type: FARGATE_SPOT
        MaxvCpus: 20
        Subnets:
          - !Ref BattleshiperBuildSubnet1
          - !Ref BattleshiperBuildSubnet2
          - !Ref BattleshiperBuildSubnet3
        SecurityGroupIds:
          - !Ref BattleshiperBuildEgressGroup
      UpdatePolicy:
        JobExecutionTimeoutMinutes: 3

  BattleshiperPipelineBuildQueue:
    Type: AWS::Batch::JobQueue
    DependsOn: BattleshiperPipelineBuildComputeEnvironment
    Properties:
      JobQueueName: "battleshiper-pipeline-build-queue"
      State: ENABLED
      Priority: 1
      JobStateTimeLimitActions:
        - Action: CANCEL
          State: RUNNABLE
          MaxTimeSeconds: 600 # the timeout is also set on each job definition (BUILD_JOB_TIMEOUT)
          # it's not specified in the cloudformation docs, but this parameter must exactly match
          # one of the predefined reasons here: https://docs.aws.amazon.com/batch/latest/userguide/troubleshooting.html#job_stuck_in_runnable
          Reason: "CAPACITY:INSUFFICIENT_INSTANCE_CAPACITY"
      ComputeEnvironmentOrder:
        - Order: 1
          ComputeEnvironment: !Ref BattleshiperPipelineBuildComputeEnvironment


  # ============================================
  # =========== Pipeline API ===================
  # ============================================

  BattleshiperPipelineLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/battleshiper-pipeline-logs
      LogGroupClass: STANDARD
      RetentionInDays: 14

  BattleshiperPipelineLogReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-log-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:StartQuery"
              - "logs:GetQueryResults"
            Resource: !GetAtt BattleshiperPipelineLogGroup.Arn
      Roles:
        - !Ref BattleshiperApiAdminFuncRole

  BattleshiperPipelineLogWritePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-log-write-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
            Resource: !GetAtt BattleshiperPipelineLogGroup.Arn
      Roles:
        - !Ref BattleshiperPipelineInitFuncRole
        - !Ref BattleshiperPipelineDeployFuncRole
        - !Ref BattleshiperPipelineDeleteFuncRole


  BattleshiperPipelineInitFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "battleshiper-pipeline-init-cloudformation-access"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "cloudformation:DescribeStacks"
                  - "cloudformation:CreateStack"
                Resource: "*"
              - Effect: Allow
                Action:
                  - "iam:PassRole"
                Resource: !GetAtt BattleshiperPipelineCloudformationServiceRole.Arn
      # further policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperPipelineInitFunc:
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: go1.x
    Properties:
      CodeUri: pipeline/init
      Handler: init
      Runtime: provided.al2023
      Timeout: 600
      Architectures:
        - x86_64
      Role: !GetAtt BattleshiperPipelineInitFuncRole.Arn
      Events:
        BuildEvent:
          Type: EventBridgeRule
          Properties:
            RuleName: "battleshiper-pipeline-init-rule"
            EventBusName: !Ref BattleshiperPipelineEventBus
            Pattern:
              source:
                - "ch.megakuul.battleshiper"
              detail-type:
                - "battleshiper.init"
      Environment:
        Variables:
          BOOTSTRAP_TIMEOUT: "1500ms"
          USERTABLE: !Ref BattleshiperUserTable
          PROJECTTABLE: !Ref BattleshiperProjectTable
          SUBSCRIPTIONTABLE: !Ref BattleshiperSubscriptionTable
          TICKET_CREDENTIAL_ARN: !Ref BattleshiperPipelineTicketCredentials
          DEPLOYMENT_SERVICE_ROLE_ARN: !GetAtt BattleshiperPipelineCloudformationServiceRole.Arn
          DEPLOYMENT_TIMEOUT: "400s"
          STATIC_BUCKET_NAME: !Ref BattleshiperProjectStaticBucket
          BUILD_ASSET_BUCKET_NAME: !Ref BattleshiperPipelineBuildAssetBucket
          EVENT_LOG_GROUP_PREFIX: "/battleshiper/project/event"
          BUILD_LOG_GROUP_PREFIX: "/battleshiper/project/build"
          DEPLOY_LOG_GROUP_PREFIX: "/battleshiper/project/deploy"
          SERVER_LOG_GROUP_PREFIX: "/battleshiper/project/server"
          LOG_GROUP_RETENTION_DAYS: 14
          BUILD_EVENTBUS_NAME: !Ref BattleshiperPipelineEventBus
          BUILD_EVENT_SOURCE: "ch.megakuul.battleshiper"
          BUILD_EVENT_ACTION: "battleshiper.build"
          BUILD_QUEUE_ARN: !Ref BattleshiperPipelineBuildQueue
          BUILD_JOB_TIMEOUT: "600s"
          # VCPU and MEMORY values must be a supported fargate combination
          # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-batch-jobdefinition-resourcerequirement.html
          BUILD_JOB_VCPUS: "0.5"
          BUILD_JOB_MEMORY: "1024"
      LoggingConfig:
        LogGroup: !Ref BattleshiperPipelineLogGroup 


  BattleshiperPipelineDeployFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "battleshiper-pipeline-deploy-cloudformation-access"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "cloudformation:DescribeStacks"
                  - "cloudformation:GetTemplate"
                  - "cloudformation:ValidateTemplate"
                  - "cloudformation:CreateChangeSet"
                  - "cloudformation:DescribeChangeSet"
                  - "cloudformation:ExecuteChangeSet"
                  - "cloudformation:DeleteChangeSet"
                Resource: "*"
              - Effect: Allow
                Action:
                  - "iam:PassRole"
                Resource: !GetAtt BattleshiperPipelineCloudformationServiceRole.Arn
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperPipelineDeployFunc:
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: go1.x
    Properties:
      CodeUri: pipeline/deploy
      Handler: deploy
      Runtime: provided.al2023
      Timeout: 600
      Architectures:
        - x86_64
      Role: !GetAtt BattleshiperPipelineDeployFuncRole.Arn
      Events:
        DeployEvent:
          Type: EventBridgeRule
          Properties:
            RuleName: "battleshiper-pipeline-deploy-rule"
            # DeployFunc rule is by design located on the default eventbus
            # this is because aws.batch sends events ONLY to the default bus.
            Pattern:
              # Pattern accepts incomming batch events from the build queue
              # this behavior is specified here: https://docs.aws.amazon.com/batch/latest/userguide/batch_cwe_events.html
              source:
                - "aws.batch"
              detail:
                jobQueue: 
                  - !Ref BattleshiperPipelineBuildQueue
                status:
                  - "SUCCEEDED"
                  - "FAILED"
      Environment:
        Variables:
          BOOTSTRAP_TIMEOUT: "1500ms"
          USERTABLE: !Ref BattleshiperUserTable
          PROJECTTABLE: !Ref BattleshiperProjectTable
          SUBSCRIPTIONTABLE: !Ref BattleshiperSubscriptionTable
          TICKET_CREDENTIAL_ARN: !Ref BattleshiperPipelineTicketCredentials
          CHANGESET_TIMEOUT: "100s"
          DEPLOYMENT_TIMEOUT: "400s"
          CLOUDFRONT_CACHE_ARN: !GetAtt BattleshiperProjectCDNRouteStore.Arn
          CLOUDFRONT_DISTRIBUTION_ID: !Ref BattleshiperProjectCDN
          SERVER_NAME_PREFIX: "battleshiper-project-server-"
          SERVER_RUNTIME: "nodejs20.x" # https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtimes-supported
          SERVER_MEMORY: 128
          SERVER_TIMEOUT: 3 # ideally this should be lower then the timeout of the core router function
      LoggingConfig:
        LogGroup: !Ref BattleshiperPipelineLogGroup 


  BattleshiperPipelineDeleteFuncRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "battleshiper-pipeline-delete-cloudformation-access"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "cloudformation:DescribeStacks"
                  - "cloudformation:DeleteStack"
                Resource: "*"
              - Effect: Allow
                Action:
                  - "iam:PassRole"
                Resource: !GetAtt BattleshiperPipelineCloudformationServiceRole.Arn
      # Policies are defined as separate policy objects and attached to the IAM role.

  BattleshiperPipelineDeleteFunc:
    Type: AWS::Serverless::Function
    Metadata:
      BuildMethod: go1.x
    Properties:
      CodeUri: pipeline/delete
      Handler: delete
      Runtime: provided.al2023
      Architectures:
        - x86_64
      Timeout: 600
      Role: !GetAtt BattleshiperPipelineDeleteFuncRole.Arn
      Events:
        DeleteEvent:
          Type: EventBridgeRule
          Properties:
            RuleName: "battleshiper-pipeline-delete-rule"
            EventBusName: !Ref BattleshiperPipelineEventBus
            Pattern:
              source:
                - "ch.megakuul.battleshiper"
              detail-type:
                - "battleshiper.delete"
      Environment:
        Variables:
          BOOTSTRAP_TIMEOUT: "1500ms"
          PROJECTTABLE: !Ref BattleshiperProjectTable
          TICKET_CREDENTIAL_ARN: !Ref BattleshiperPipelineTicketCredentials
          DELETION_TIMEOUT: "400s"
          STATIC_BUCKET_NAME: !Ref BattleshiperProjectStaticBucket
          CLOUDFRONT_CACHE_ARN: !GetAtt BattleshiperProjectCDNRouteStore.Arn
      LoggingConfig:
        LogGroup: !Ref BattleshiperPipelineLogGroup 
          


  # ============================================
  # =========== Project Policies ===============
  # ============================================

  BattleshiperProjectServerExecPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-project-server-exec-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "lambda:InvokeFunction"
            Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:battleshiper-project-server-*"
      Roles:
        - !Ref BattleshiperRouterFuncRole

  BattleshiperProjectServerLogReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-pipeline-project-server-log-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "logs:StartQuery"
              - "logs:GetQueryResults"
            Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/battleshiper/project/server/*"
      Roles:
        - !Ref BattleshiperApiResourceFuncRole


  # ============================================
  # =========== Project S3 Storage =============
  # ============================================

  BattleshiperProjectStaticBucket:
    Type: AWS::S3::Bucket
    # Change this to Retain if you want to keep the user data after deleting the stack.
    DeletionPolicy: Delete
    Properties:
      Tags:
        - Key: "Name"
          Value: "battleshiper-project-static-bucket"

  BattleshiperProjectStaticBucketBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref BattleshiperProjectStaticBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "s3:GetObject"
            Effect: Allow
            Resource:
              - !Sub "${BattleshiperProjectStaticBucket.Arn}/*"
            Principal:
              Service: cloudfront.amazonaws.com

  BattleshiperProjectStaticBucketReadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-project-static-bucket-read-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "s3:HeadObject"
              - "s3:GetObject"
            Effect: Allow
            Resource:
              - !Sub "${BattleshiperProjectStaticBucket.Arn}/*"
          - Action:
              - "s3:ListBucket"
            Effect: Allow
            Resource:
              - !Sub "${BattleshiperProjectStaticBucket.Arn}"
      Roles:
        - !Ref BattleshiperRouterFuncRole

  BattleshiperProjectStaticBucketFullPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-project-static-bucket-full-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "s3:HeadObject"
              - "s3:GetObject"
              - "s3:PutObject"
              - "s3:DeleteObject"
            Effect: Allow
            Resource:
              - !Sub "${BattleshiperProjectStaticBucket.Arn}/*"
          - Action:
              - "s3:ListBucket"
            Effect: Allow
            Resource:
              - !Sub "${BattleshiperProjectStaticBucket.Arn}"
      Roles: 
        - !Ref BattleshiperPipelineDeployFuncRole
        - !Ref BattleshiperPipelineDeleteFuncRole


  # ============================================
  # =========== Project CDN Router =============
  # ============================================

  BattleshiperProjectCDNRouteStore:
    Type: AWS::CloudFront::KeyValueStore
    Properties:
      Name: "battleshiper-cdn-route-store"
      Comment: "Store used to lookup the path based on the requested host or prerendered pages."

  BattleshiperProjectCDNRouteStoreWritePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-cdn-route-store-write-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "cloudfront-keyvaluestore:DescribeKeyValueStore"
              - "cloudfront-keyvaluestore:UpdateKeys"
              - "cloudfront-keyvaluestore:PutKey"
            Resource: !GetAtt BattleshiperProjectCDNRouteStore.Arn
      Roles:
        - !Ref BattleshiperApiResourceFuncRole
        - !Ref BattleshiperPipelineDeployFuncRole
        - !Ref BattleshiperPipelineDeleteFuncRole

  BattleshiperProjectCDNCacheRouteFunc:
    Type: AWS::CloudFront::Function
    Properties:
      Name: "battleshiper-cdn-cache-route-func"
      AutoPublish: true
      FunctionConfig:
        Comment: "Function to route cdn cache requests to the project path based on the requested host."
        Runtime: cloudfront-js-2.0
        KeyValueStoreAssociations:
          - KeyValueStoreARN: !GetAtt BattleshiperProjectCDNRouteStore.Arn
      FunctionCode: !Sub |
        import cf from "cloudfront";

        const kvsHandle = cf.kvs("${BattleshiperProjectCDNRouteStore.Id}");

        const domainSuffix = ".${ApplicationDomain}";

        async function handler(event) {
          let request = event.request;

          try {
            const authorityHeader = request.headers[":authority"];
            const hostHeader = request.headers["host"];
            
            // extract host (prefer :authority if present)
            const host = authorityHeader ? authorityHeader.value : hostHeader.value;
            if (!host) {
              throw new Error("no host specified");
            }

            // remove the application domain from the host
            if (!host.endsWith(domainSuffix)) {
              throw new Error("unexpected host");
            }
            const alias = host.slice(0, -domainSuffix.length);

            const pathSegments = request.uri.split('/');
            
            const project = await kvsHandle.get(alias, { format: "string" });
            pathSegments.splice(1, 0, project); // set the project as first segment in the uri
            
            request.uri = pathSegments.join('/');

            return request;
          } catch (err) {
            // exceptions are redirected to the battleshiper error page
            const queryString = "type=EdgeRouter Error&message=" + err.message;
            return {
              statusCode: 302,
              statusDescription: "Found",
              headers: {
                "location": {
                  "value": "https://${ApplicationDomain}/error?" + queryString
                }
              }
            };
          }
        }

  BattleshiperProjectCDNServerRouteFunc:
    Type: AWS::CloudFront::Function
    Properties:
      Name: "battleshiper-cdn-server-route-func"
      AutoPublish: true
      FunctionConfig:
        Comment: "Function to tag cdn requests with the project based on the requested host and to add .html extension on prerendered pages."
        Runtime: cloudfront-js-2.0
        KeyValueStoreAssociations:
          - KeyValueStoreARN: !GetAtt BattleshiperProjectCDNRouteStore.Arn
      FunctionCode: !Sub |
        import cf from "cloudfront";

        const kvsHandle = cf.kvs("${BattleshiperProjectCDNRouteStore.Id}");

        const domainSuffix = ".${ApplicationDomain}";

        async function handler(event) {
          let request = event.request;

          try {
            const authorityHeader = request.headers[":authority"];
            const hostHeader = request.headers["host"];
            
            // extract host (prefer :authority if present)
            const host = authorityHeader ? authorityHeader.value : hostHeader.value;
            if (!host) {
              throw new Error("no host specified");
            }
            
            // remove the application domain from the host
            if (!host.endsWith(domainSuffix)) {
              throw new Error("unexpected host");
            }
            const alias = host.slice(0, -domainSuffix.length);
            
            const project = await kvsHandle.get(alias, { format: "string" });
            request.headers["battleshiper-project"] = { value: project };
            request.headers["x-forwarded-host"] = { value: host };

            const prerenderedPageKey = "/" + project + request.uri;
            const prerenderedPage = await kvsHandle.get(prerenderedPageKey.replace(/\/$/, ""), { format: "string" }).catch(() => null);
            if (prerenderedPage) {
              request.uri = prerenderedPage;
            }

            return request;
          } catch (err) {
            // exceptions are redirected to the battleshiper error page
            const queryString = "type=EdgeRouter Error&message=" + err.message;
            return {
              statusCode: 302,
              statusDescription: "Found",
              headers: {
                "location": {
                  "value": "https://${ApplicationDomain}/error?" + queryString
                }
              }
            };
          }
        }

  # ============================================
  # =========== Project CDN ====================
  # ============================================

  BattleshiperProjectCDNWebCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: "battleshiper-project-web-cache-policy"
        DefaultTTL: 86400 # 1 day
        MinTTL: 1 # 1 second
        MaxTTL: 31536000 # 1 year
        ParametersInCacheKeyAndForwardedToOrigin:
          CookiesConfig:
            CookieBehavior: "none"
          EnableAcceptEncodingBrotli: true
          EnableAcceptEncodingGzip: true
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: all

  BattleshiperProjectCDNServerCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: "battleshiper-project-server-cache-policy"
        DefaultTTL: 0
        MinTTL: 0
        MaxTTL: 0
        ParametersInCacheKeyAndForwardedToOrigin:
          CookiesConfig:
            CookieBehavior: "none"
          EnableAcceptEncodingBrotli: false
          EnableAcceptEncodingGzip: false
          HeadersConfig:
            HeaderBehavior: "none"
          QueryStringsConfig:
            QueryStringBehavior: "none"

  BattleshiperProjectCDNServerOriginRequestPolicy:
    Type: AWS::CloudFront::OriginRequestPolicy
    Properties:
      OriginRequestPolicyConfig:
        Name: "battleshiper-project-server-origin-policy"
        CookiesConfig:
          CookieBehavior: all
        HeadersConfig:
          HeaderBehavior: allExcept
          Headers:
            - host # exclude host implicitly tells cloudfront to replace it with the api gateway origin host (api gateway expects this)
        QueryStringsConfig:
          QueryStringBehavior: all

  BattleshiperProjectCDNOriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:        
        Name: "battleshiper-project-cdn-origin-access"
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  BattleshiperProjectCDN:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        PriceClass: "PriceClass_All"
        ViewerCertificate:
          AcmCertificateArn: !Ref ApplicationDomainWildcardCertificateArn
          SslSupportMethod: "sni-only"
          MinimumProtocolVersion: "TLSv1.2_2021"
        Origins:
          - Id: "battleshiper-project-static-bucket"
            # RegionalDomainName is used to increase deployment speed (https://stackoverflow.com/questions/38735306/aws-cloudfront-redirecting-to-s3-bucket)
            DomainName: !GetAtt BattleshiperProjectStaticBucket.RegionalDomainName
            OriginAccessControlId: !GetAtt BattleshiperProjectCDNOriginAccessControl.Id
            S3OriginConfig: {}
          - Id: "battleshiper-project-server"
            DomainName: !Sub "${BattleshiperRouterApi}.execute-api.${AWS::Region}.amazonaws.com"
            CustomOriginConfig:
              OriginProtocolPolicy: "https-only"
        DefaultCacheBehavior:
          TargetOriginId: "battleshiper-project-server"
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
            - PUT
            - PATCH
            - POST
            - DELETE
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: !Ref BattleshiperProjectCDNServerCachePolicy
          OriginRequestPolicyId: !Ref BattleshiperProjectCDNServerOriginRequestPolicy
          FunctionAssociations:
            - EventType: viewer-request
              FunctionARN: !GetAtt BattleshiperProjectCDNServerRouteFunc.FunctionMetadata.FunctionARN
        CacheBehaviors:
          - PathPattern: "*/__data.json"
            TargetOriginId: "battleshiper-project-server"
            AllowedMethods:
              - GET
              - HEAD
            CachedMethods:
              - GET
              - HEAD
            Compress: true
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: !Ref BattleshiperProjectCDNServerCachePolicy
            OriginRequestPolicyId: !Ref BattleshiperProjectCDNServerOriginRequestPolicy
            FunctionAssociations:
              - EventType: viewer-request
                FunctionARN: !GetAtt BattleshiperProjectCDNServerRouteFunc.FunctionMetadata.FunctionARN
          - PathPattern: "/_app/*"
            TargetOriginId: "battleshiper-project-static-bucket"
            AllowedMethods:
              - GET
              - HEAD
            CachedMethods:
              - GET
              - HEAD
            Compress: true
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: !Ref BattleshiperProjectCDNWebCachePolicy
            FunctionAssociations:
              - EventType: viewer-request
                FunctionARN: !GetAtt BattleshiperProjectCDNCacheRouteFunc.FunctionMetadata.FunctionARN
          - PathPattern: "/*.*"
            TargetOriginId: "battleshiper-project-static-bucket"
            AllowedMethods:
              - GET
              - HEAD
            CachedMethods:
              - GET
              - HEAD
            Compress: true
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: !Ref BattleshiperProjectCDNWebCachePolicy
            FunctionAssociations:
              - EventType: viewer-request
                FunctionARN: !GetAtt BattleshiperProjectCDNCacheRouteFunc.FunctionMetadata.FunctionARN

        Aliases:
          - !Sub "*.${ApplicationDomain}"
      Tags:
        - Key: "Name"
          Value: "battleshiper-project-cdn"

  BattleshiperProjectCDNInvalidationExecPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: "battleshiper-project-cdn-invalidation-exec-access"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "cloudfront:CreateInvalidation"
            Resource: !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${BattleshiperProjectCDN}'
      Roles:
        - !Ref BattleshiperPipelineDeployFuncRole


Outputs:
  BattleshiperCDNHost:
    Description: "Hostname of the battleshiper-cdn."
    Value: !GetAtt BattleshiperCDN.DomainName
  BattleshiperProjectCDNHost:
    Description: "Hostname of the battleshiper-project-cdn."
    Value: !GetAtt BattleshiperProjectCDN.DomainName