AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: MCP Tool Lambda for Bedrock AgentCore Gateway MCP testing

# Note: This template uses the bedrock-agentcore.amazonaws.com service principal
# instead of a hardcoded service account ID for better maintainability and security

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - prod
    Description: Environment name

Globals:
  Function:
    Timeout: 900  # 15 minutes
    MemorySize: 3008  # Maximum memory for performance

Resources:
  # Custom Lambda Execution Role with Bedrock AgentCore Trust and AWS Service Permissions
  MCPToolFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Allow Lambda service to assume this role
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
          # Allow Bedrock AgentCore service to assume this role
          - Effect: Allow
            Principal:
              Service: bedrock-agentcore.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      Policies:
        - PolicyName: BedrockInvokePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: '*'
        - PolicyName: CloudWatchLogsPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${Environment}-bedrock-agentcore-mcp-tool:*"
      Tags:
        - Key: Project
          Value: lambda-adaptor-bedrock-agentcore
        - Key: Component
          Value: mcp-tool-lambda
        - Key: Environment
          Value: !Ref Environment

  # MCP Tool Lambda Function
  MCPToolFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub "${Environment}-bedrock-agentcore-mcp-tool"
      PackageType: Image
      ImageUri: mcp-tool-lambda:latest
      Description: MCP Tool Lambda for Bedrock AgentCore Gateway MCP testing
      Role: !GetAtt MCPToolFunctionRole.Arn
      
      # Environment variables
      Environment:
        Variables:
          ENVIRONMENT: !Ref Environment
          LOG_LEVEL: INFO
      
      # Tracing
      Tracing: Active
      
      Tags:
        Project: lambda-adaptor-bedrock-agentcore
        Component: mcp-tool-lambda
        Environment: !Ref Environment
        ManagedBy: SAM

    Metadata:
      DockerTag: !Sub "${Environment}-bedrock-agentcore-mcp-tool"
      DockerContext: ./lambda
      Dockerfile: Dockerfile

  # CloudWatch Log Group
  MCPToolLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${Environment}-bedrock-agentcore-mcp-tool"
      RetentionInDays: 14

Outputs:
  MCPToolFunctionArn:
    Description: MCP Tool Lambda Function ARN
    Value: !GetAtt MCPToolFunction.Arn
    Export:
      Name: !Sub "${AWS::StackName}-MCPToolFunctionArn"

  MCPToolFunctionName:
    Description: MCP Tool Lambda Function Name
    Value: !Ref MCPToolFunction
    Export:
      Name: !Sub "${AWS::StackName}-MCPToolFunctionName"

  MCPToolFunctionRoleArn:
    Description: MCP Tool Lambda Function Role ARN
    Value: !GetAtt MCPToolFunctionRole.Arn
    Export:
      Name: !Sub "${AWS::StackName}-MCPToolFunctionRoleArn"