# Teams Meeting Fetcher - Complete Workflow

This notebook guides you through the complete setup and testing workflow for the Teams Meeting Fetcher system.

## üìã Workflow Overview

**Sequence of Operations:**

1. **Verify Setup** - Check environment and permissions
2. **Create Webhook Subscription** - Subscribe to calendar events
3. **Add User to Group** - Add test user to monitored group
4. **Create Test Meeting** - Create meeting with transcript enabled
5. **Test Webhook** - Verify webhook delivery
6. **Poll for Transcript** - Wait for and download transcript

---

## Prerequisites

- ‚úÖ Azure infrastructure deployed (run `terraform apply` in `iac/azure/`)
- ‚úÖ Admin consent granted for Graph API permissions
- ‚úÖ `.env.local.azure` configured with all values
- ‚úÖ Python dependencies installed: `pip install msal requests python-dotenv`

---

## Step 1: Verify Setup ‚úÖ

First, verify that your environment is correctly configured and you have the necessary permissions.

In [None]:
# Run verification script
%run scripts/graph/01-verify-setup.py

## Step 2: Create Webhook Subscription üîî

Subscribe to calendar event changes for your test user.

In [None]:
# Use the subscription script to create a webhook
# This will prompt you for user email and options
import sys
sys.path.append('scripts/graph')

from auth_helper import get_graph_headers, get_config
import requests
from datetime import datetime, timedelta

# Configuration
TEST_USER_EMAIL = "testuser@yourdomain.com"  # Replace with your test user email

def create_subscription_for_user(user_email):
    config = get_config()
    webhook_url = config['webhook_url']
    
    headers = get_graph_headers()
    url = "https://graph.microsoft.com/v1.0/subscriptions"
    
    expiration = datetime.utcnow() + timedelta(hours=24)
    
    payload = {
        "changeType": "created,updated",
        "notificationUrl": webhook_url,
        "resource": f"users/{user_email}/events",
        "expirationDateTime": expiration.strftime("%Y-%m-%dT%H:%M:%S.0000000Z"),
        "clientState": config.get('webhook_secret', 'test-state')[:255]
    }
    
    response = requests.post(url, headers=headers, json=payload, timeout=30)
    
    if response.status_code == 201:
        subscription = response.json()
        print("‚úÖ Subscription created!")
        print(f"   ID: {subscription['id']}")
        print(f"   Expires: {subscription['expirationDateTime']}")
        return subscription
    else:
        print(f"‚ùå Failed: {response.status_code}")
        print(response.text)
        return None

# Create subscription
subscription = create_subscription_for_user(TEST_USER_EMAIL)
if subscription:
    SUBSCRIPTION_ID = subscription['id']
    print(f"\nüíæ Save this subscription ID: {SUBSCRIPTION_ID}")

## Step 3: Add Test User to Monitored Group üë•

Ensure your test user is in the target Entra group so their meetings are tracked.

In [None]:
# Add user to target group
from auth_helper import get_config
import requests

def add_user_to_group(user_email):
    config = get_config()
    group_id = config['group_id']
    headers = get_graph_headers()
    
    # Get user ID
    user_url = f"https://graph.microsoft.com/v1.0/users/{user_email}"
    user_response = requests.get(user_url, headers=headers, timeout=10)
    
    if user_response.status_code == 200:
        user_id = user_response.json()['id']
        
        # Add to group
        group_url = f"https://graph.microsoft.com/v1.0/groups/{group_id}/members/$ref"
        payload = {"@odata.id": f"https://graph.microsoft.com/v1.0/users/{user_id}"}
        
        response = requests.post(group_url, headers=headers, json=payload, timeout=10)
        
        if response.status_code == 204:
            print(f"‚úÖ User {user_email} added to group")
            return True
        elif 'already exist' in response.text:
            print(f"‚úÖ User already in group")
            return True
        else:
            print(f"‚ùå Error: {response.status_code}")
            return False
    else:
        print(f"‚ùå User not found: {user_email}")
        return False

add_user_to_group(TEST_USER_EMAIL)

## Step 4: Create Test Meeting with Transcript Enabled üìÖ

Create a Teams meeting with automatic transcription enabled.

In [None]:
# Create Teams meeting with transcript enabled
from datetime import datetime, timedelta

def create_meeting_with_transcript(user_email):
    headers = get_graph_headers()
    url = f"https://graph.microsoft.com/v1.0/users/{user_email}/events"
    
    start_time = datetime.utcnow() + timedelta(hours=1)
    end_time = start_time + timedelta(minutes=60)
    
    payload = {
        "subject": "Test Teams Meeting - Transcript Enabled",
        "body": {
            "contentType": "HTML",
            "content": "<b>Test meeting with transcription enabled</b><br>Join and record to test workflow."
        },
        "start": {
            "dateTime": start_time.strftime("%Y-%m-%dT%H:%M:%S"),
            "timeZone": "UTC"
        },
        "end": {
            "dateTime": end_time.strftime("%Y-%m-%dT%H:%M:%S"),
            "timeZone": "UTC"
        },
        "isOnlineMeeting": True,
        "onlineMeetingProvider": "teamsForBusiness"
    }
    
    response = requests.post(url, headers=headers, json=payload, timeout=30)
    
    if response.status_code == 201:
        event = response.json()
        print("‚úÖ Meeting created!")
        print(f"   Event ID: {event['id']}")
        print(f"   Start: {start_time.strftime('%Y-%m-%d %H:%M UTC')}")
        
        if 'onlineMeeting' in event:
            meeting = event['onlineMeeting']
            print(f"   Join URL: {meeting.get('joinUrl', 'N/A')}")
            
            # Try to enable transcript
            if meeting.get('id'):
                enable_transcript_url = f"https://graph.microsoft.com/v1.0/communications/onlineMeetings/{meeting['id']}"
                transcript_payload = {
                    "recordAutomatically": True,
                    "allowTranscription": True
                }
                
                transcript_response = requests.patch(enable_transcript_url, headers=headers, json=transcript_payload, timeout=10)
                
                if transcript_response.status_code == 200:
                    print("   ‚úÖ Transcript enabled!")
                else:
                    print(f"   ‚ö†Ô∏è  Could not enable transcript (may require additional permissions)")
        
        return event
    else:
        print(f"‚ùå Failed: {response.status_code}")
        print(response.text)
        return None

# Create the meeting
meeting_event = create_meeting_with_transcript(TEST_USER_EMAIL)
if meeting_event:
    MEETING_ID = meeting_event['id']
    ONLINE_MEETING_ID = meeting_event.get('onlineMeeting', {}).get('id')
    print(f"\nüíæ Save these IDs:")
    print(f"   Event ID: {MEETING_ID}")
    print(f"   Online Meeting ID: {ONLINE_MEETING_ID}")

## Step 5: Test Webhook Delivery üîå

Verify that webhooks are being received and processed correctly.

In [None]:
# Test webhook with a mock payload
def test_webhook():
    config = get_config()
    webhook_url = config['webhook_url']
    webhook_secret = config.get('webhook_secret')
    
    test_payload = {
        "value": [{
            "subscriptionId": SUBSCRIPTION_ID if 'SUBSCRIPTION_ID' in globals() else "test-id",
            "changeType": "created",
            "resource": f"users/{TEST_USER_EMAIL}/events/{MEETING_ID if 'MEETING_ID' in globals() else 'test-123'}",
            "resourceData": {
                "@odata.type": "#Microsoft.Graph.event",
                "id": MEETING_ID if 'MEETING_ID' in globals() else "test-123"
            },
            "clientState": webhook_secret
        }]
    }
    
    headers = {'Content-Type': 'application/json'}
    if webhook_secret:
        headers['Authorization'] = f'Bearer {webhook_secret}'
    
    response = requests.post(webhook_url, json=test_payload, headers=headers, timeout=10)
    
    print(f"Webhook Response: {response.status_code}")
    print(f"Body: {response.text[:200]}")
    
    return response.status_code == 200

# Test the webhook
test_webhook()

## Step 6: Poll for Transcript (After Meeting) üìù

‚ö†Ô∏è **Important**: This step should be run AFTER you:
1. Join the meeting
2. Start recording in Teams
3. Speak to generate some transcript content
4. Stop recording and end the meeting

Transcripts typically become available 5-10 minutes after the meeting ends.

In [None]:
# Poll for transcription
import time

def poll_for_transcript(user_email, meeting_id, max_attempts=10, delay_seconds=30):
    headers = get_graph_headers()
    url = f"https://graph.microsoft.com/v1.0/users/{user_email}/onlineMeetings/{meeting_id}/transcripts"
    
    for attempt in range(1, max_attempts + 1):
        print(f"[{datetime.now().strftime('%H:%M:%S')}] Attempt {attempt}/{max_attempts}...")
        
        response = requests.get(url, headers=headers, timeout=10)
        
        if response.status_code == 200:
            transcripts = response.json().get('value', [])
            
            if transcripts:
                print(f"\n‚úÖ Found {len(transcripts)} transcript(s)!")
                
                for idx, transcript in enumerate(transcripts, 1):
                    print(f"\nTranscript {idx}:")
                    print(f"  ID: {transcript['id']}")
                    print(f"  Created: {transcript.get('createdDateTime', 'N/A')}")
                    
                    # Download transcript content
                    content_url = f"https://graph.microsoft.com/v1.0/users/{user_email}/onlineMeetings/{meeting_id}/transcripts/{transcript['id']}/content"
                    content_response = requests.get(content_url, headers=headers, timeout=30)
                    
                    if content_response.status_code == 200:
                        filename = f"transcript_{meeting_id}_{idx}.vtt"
                        with open(filename, 'w', encoding='utf-8') as f:
                            f.write(content_response.text)
                        print(f"  ‚úÖ Saved to: {filename}")
                        
                        # Display first few lines
                        lines = content_response.text.split('\n')[:10]
                        print(f"\n  Preview:")
                        for line in lines:
                            print(f"    {line}")
                
                return transcripts
        
        if attempt < max_attempts:
            print(f"  No transcript yet, waiting {delay_seconds}s...\n")
            time.sleep(delay_seconds)
    
    print("\n‚ö†Ô∏è No transcript found after maximum attempts")
    return None

# Poll for transcript (only run after meeting is recorded)
if 'ONLINE_MEETING_ID' in globals() and ONLINE_MEETING_ID:
    print("Starting transcript polling...")
    print("Make sure you've already:")
    print("- Joined the meeting")
    print("- Started recording")
    print("- Spoke to generate transcript")
    print("- Ended the recording\n")
    
    # Uncomment the line below when ready to poll
    # transcripts = poll_for_transcript(TEST_USER_EMAIL, ONLINE_MEETING_ID, max_attempts=10, delay_seconds=30)
    print("‚ö†Ô∏è Uncomment the poll_for_transcript call above when ready to poll")
else:
    print("‚ùå Meeting not created yet. Run Step 4 first.")

---

## üìä Workflow Summary

### Execution Sequence

1. ‚úÖ **Verify Setup** (`01-verify-setup.py`)
   - Check environment variables
   - Verify Graph API permissions
   - Confirm group exists
   - Test webhook endpoint reachability

2. üîî **Create Webhook Subscription** (`02-create-webhook-subscription.py`)
   - Subscribe to user calendar events
   - Store subscription ID for renewal

3. üë• **Add User to Group** (`05-manage-group.py`)
   - Add test user to monitored Entra group
   - Verify membership

4. üìÖ **Create Test Meeting** (`03-create-test-meeting.py`)
   - Create Teams meeting with transcript enabled
   - Save meeting IDs

5. üîå **Test Webhook** (`06-test-webhook.py`)
   - Send mock notification
   - Verify webhook processing

6. üìù **Poll for Transcript** (`04-poll-transcription.py`)
   - Wait for transcript after meeting
   - Download transcript content

---

### Script Files Reference

All scripts are located in `scripts/graph/`:

- `auth_helper.py` - Shared authentication logic
- `01-verify-setup.py` - Environment verification
- `02-create-webhook-subscription.py` - Subscription management
- `03-create-test-meeting.py` - Meeting creation
- `04-poll-transcription.py` - Transcript polling
- `05-manage-group.py` - Group management
- `06-test-webhook.py` - Webhook testing

---

### Next Steps

After completing this workflow:

1. **Set up monitoring** - Monitor webhook delivery in CloudWatch (AWS) or App Insights (Azure)
2. **Test real meetings** - Schedule actual meetings and verify workflow
3. **Implement backend service** - Create Azure service to process webhooks
4. **Build UI dashboard** - Display meetings and transcripts
5. **Set up subscription renewal** - Automate 29-day subscription renewal

---

### Troubleshooting

**No webhooks received?**
- Check webhook URL is publicly accessible
- Verify subscription is active (`02-create-webhook-subscription.py` list)
- Check CloudWatch logs (AWS) or Application Insights (Azure)

**No transcript available?**
- Ensure meeting was recorded (manual step in Teams)
- Wait 5-10 minutes after meeting ends
- Verify `allowTranscription` was set on meeting
- Check user has Teams license with transcription enabled

**Permission errors?**
- Grant admin consent in Azure Portal
- Verify service principal has required permissions
- Check RBAC assignments in Azure

---

## üéâ Success!

You now have a complete workflow for:
- Creating Teams meetings with transcription
- Receiving webhook notifications
- Downloading meeting transcripts

Proceed to implement the backend service to automate this workflow!

---

## üîê Lambda Authorizer Deployment & Testing

### Overview

The Lambda REQUEST authorizer secures the webhook API by validating Microsoft Graph callback requests. It validates:
- **GET requests**: `validationToken` parameter (subscription setup)
- **POST requests**: `clientState` in notification body (webhook delivery)

### Prerequisites

- AWS CLI configured with appropriate profile
- Terraform >= 1.0.0
- OpenSSL or PowerShell (for generating secrets)

### Task 1: Deploy Authorizer to AWS

Generate a strong `client_state` secret that will be shared between the authorizer and Microsoft Graph subscriptions.

In [None]:
# Generate a strong random secret for client_state (Windows PowerShell)
$bytes = New-Object Byte[] 32
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$clientState = [Convert]::ToBase64String($bytes)
Write-Host "Generated client_state (save this securely):"
Write-Host $clientState

# Alternative: Using OpenSSL (if available)
# openssl rand -base64 32

Create `iac/aws/terraform.tfvars` file with the generated secret (copy from terraform.tfvars.example):

In [None]:
# Navigate to AWS IAC directory
cd ../../iac/aws

# Initialize Terraform (downloads authorizer module)
terraform init

# Preview changes
terraform plan

# Deploy authorizer and update API Gateway
terraform apply

# Note the API Gateway URL and authorizer function name from outputs

### Task 2: Test Authorizer Functionality

Verify the authorizer validates requests correctly. Replace `<API_GATEWAY_URL>` with your actual endpoint.

In [None]:
# Set your API Gateway URL and client_state
$apiUrl = "<API_GATEWAY_URL>"  # e.g., https://abc123.execute-api.us-east-1.amazonaws.com/prod/webhook
$clientState = "<YOUR_CLIENT_STATE>"  # Same value from terraform.tfvars

# Test 1: GET request with validationToken (should succeed with 200)
Write-Host "`nTest 1: Subscription validation (GET with validationToken)"
$response = Invoke-WebRequest -Uri "$apiUrl?validationToken=test123" -Method GET -UseBasicParsing
Write-Host "Status: $($response.StatusCode) - Expected: 200"
Write-Host "Body: $($response.Content)"

# Test 2: POST request with valid clientState (should succeed with 202)
Write-Host "`nTest 2: Webhook notification with valid clientState"
$validBody = @{
    value = @(
        @{
            clientState = $clientState
            subscriptionId = "test-sub-123"
            resource = "users/test@example.com/events/AAA123"
        }
    )
} | ConvertTo-Json -Depth 10

$response = Invoke-WebRequest -Uri $apiUrl -Method POST -Body $validBody -ContentType "application/json" -UseBasicParsing
Write-Host "Status: $($response.StatusCode) - Expected: 202"

# Test 3: POST request with invalid clientState (should fail with 403)
Write-Host "`nTest 3: Webhook notification with invalid clientState"
$invalidBody = @{
    value = @(
        @{
            clientState = "WRONG_SECRET"
            subscriptionId = "test-sub-123"
            resource = "users/test@example.com/events/AAA123"
        }
    )
} | ConvertTo-Json -Depth 10

try {
    $response = Invoke-WebRequest -Uri $apiUrl -Method POST -Body $invalidBody -ContentType "application/json" -UseBasicParsing
    Write-Host "Status: $($response.StatusCode) - UNEXPECTED: Should have been denied!"
} catch {
    Write-Host "Status: 403 (Denied) - Expected: Request correctly denied"
}

Monitor CloudWatch logs to verify authorization decisions:

In [None]:
# Monitor authorizer logs in real-time
$authorizerLogGroup = "/aws/lambda/tmf-authorizer-dev"  # Update based on your environment
aws logs tail $authorizerLogGroup --follow --profile tmf-dev

# Look for log messages like:
# - "Authorization: Allow - validationToken present"
# - "Authorization: Allow - clientState valid"
# - "Authorization: Deny - Invalid clientState"

### Task 3: Update Microsoft Graph Subscriptions

Update existing subscriptions or create new ones with the `clientState` matching your Terraform configuration.

In [None]:
import os
import sys
sys.path.append('../../scripts/graph')

from auth_helper import get_graph_token
import requests

# Get the same client_state from your Terraform deployment
CLIENT_STATE = os.getenv('CLIENT_STATE', 'YOUR_CLIENT_STATE_HERE')  # Set this to match terraform.tfvars
WEBHOOK_URL = os.getenv('WEBHOOK_URL', 'https://YOUR_API_GATEWAY_URL/webhook')

# Get access token
token = get_graph_token()

# Create new subscription with clientState
subscription_payload = {
    "changeType": "created,updated",
    "notificationUrl": WEBHOOK_URL,
    "resource": f"users/{os.getenv('USER_EMAIL')}/events",
    "expirationDateTime": "2026-02-19T11:00:00.0000000Z",  # 7 days from now
    "clientState": CLIENT_STATE  # Must match authorizer configuration
}

response = requests.post(
    'https://graph.microsoft.com/v1.0/subscriptions',
    headers={'Authorization': f'Bearer {token}', 'Content-Type': 'application/json'},
    json=subscription_payload
)

if response.status_code == 201:
    subscription = response.json()
    print(f"‚úÖ Subscription created successfully!")
    print(f"   Subscription ID: {subscription['id']}")
    print(f"   Expires: {subscription['expirationDateTime']}")
    print(f"   Client State: Configured ‚úì")
    
    # Save subscription ID for renewal
    with open('subscription_id.txt', 'w') as f:
        f.write(subscription['id'])
else:
    print(f"‚ùå Failed to create subscription: {response.status_code}")
    print(f"   Error: {response.text}")

### Task 4: Setup Monitoring and Alerting

Create CloudWatch alarms to monitor authorizer security events.

In [None]:
# Create CloudWatch alarm for high denied request rate
aws cloudwatch put-metric-alarm `
    --alarm-name "tmf-authorizer-high-deny-rate" `
    --alarm-description "Alert when authorizer denies >5 requests in 5 minutes" `
    --metric-name "Denied" `
    --namespace "AWS/Lambda/Authorizer" `
    --statistic Sum `
    --period 300 `
    --threshold 5 `
    --comparison-operator GreaterThanThreshold `
    --evaluation-periods 1 `
    --alarm-actions "arn:aws:sns:us-east-1:ACCOUNT_ID:tmf-notifications-dev" `
    --profile tmf-dev

# Create CloudWatch alarm for authorizer errors
aws cloudwatch put-metric-alarm `
    --alarm-name "tmf-authorizer-errors" `
    --alarm-description "Alert when authorizer has errors" `
    --metric-name Errors `
    --namespace AWS/Lambda `
    --dimensions Name=FunctionName,Value=tmf-authorizer-dev `
    --statistic Sum `
    --period 300 `
    --threshold 1 `
    --comparison-operator GreaterThanThreshold `
    --evaluation-periods 1 `
    --alarm-actions "arn:aws:sns:us-east-1:ACCOUNT_ID:tmf-notifications-dev" `
    --profile tmf-dev

Write-Host "`n‚úÖ CloudWatch alarms created successfully!"
Write-Host "   You'll receive email notifications for:"
Write-Host "   - High denied request rate (potential attack)"
Write-Host "   - Authorizer Lambda errors"

Query CloudWatch Logs Insights to analyze authorization patterns:

In [None]:
# CloudWatch Insights query for authorization statistics
$query = @"
fields @timestamp, @message
| filter @message like /Authorization:/
| stats count() by @message as decision
| sort count desc
"@

# Run the query (last 1 hour)
$startTime = [DateTimeOffset]::UtcNow.AddHours(-1).ToUnixTimeSeconds()
$endTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

Write-Host "To run this query in AWS Console:"
Write-Host "1. Go to CloudWatch > Logs > Insights"
Write-Host "2. Select log group: /aws/lambda/tmf-authorizer-dev"
Write-Host "3. Paste this query:"
Write-Host $query
Write-Host "`nOr run via CLI:"
Write-Host "aws logs start-query --log-group-name /aws/lambda/tmf-authorizer-dev --start-time $startTime --end-time $endTime --query-string '$query' --profile tmf-dev"

### Task 5: Security Operations & Maintenance

#### Client State Rotation Procedure

Rotate the `client_state` secret periodically (recommended: every 90 days).

**Steps:**
1. Generate new client_state secret (use code from Task 1)
2. Update `terraform.tfvars` with new value
3. Run `terraform apply` to update authorizer Lambda
4. Update Microsoft Graph subscriptions with new clientState (use code from Task 3)
5. Verify webhooks still work (use tests from Task 2)
6. Document rotation in security log

#### Troubleshooting Guide

**All webhooks being denied (403)?**
- Verify `client_state` matches between Terraform and Graph subscription
- Check authorizer CloudWatch logs for exact error message
- Ensure Lambda environment variable `CLIENT_STATE` is set correctly
- Test with validation token (GET request) to isolate issue

**High deny rate alert triggered?**
- Review CloudWatch logs for patterns (same IP, timing)
- Check if legitimate subscriptions have wrong clientState
- Investigate for potential security incident
- Consider blocking suspicious IPs at API Gateway level

**Authorizer errors?**
- Check Lambda execution role has CloudWatch Logs permissions
- Verify Lambda timeout is sufficient (default: 10 seconds)
- Review Lambda metrics for memory/CPU issues
- Check for malformed requests in logs

#### Cost Analysis

- **Lambda authorizer**: ~$0.20/million requests
- **CloudWatch Logs**: ~$0.50/GB ingested, ~$0.03/GB stored
- **API Gateway**: Included with existing API calls
- **Estimate**: <$1/month for typical workload (100 webhooks/day)

#### Security Best Practices

‚úÖ **DO:**
- Rotate client_state every 90 days
- Monitor CloudWatch logs for denied requests
- Set up alerts for high deny rates
- Use strong random values for client_state (32+ bytes)
- Keep client_state in secure parameter store (future enhancement)

‚ùå **DON'T:**
- Share client_state in plain text (email, Slack, etc.)
- Commit terraform.tfvars to git (already in .gitignore)
- Use the same client_state across environments
- Disable CloudWatch logging (needed for security audit)

#### Additional Resources

- Full documentation: `docs/aws-lambda-authorizer.md`
- Authorizer source code: `apps/aws-lambda-authorizer/authorizer.js`
- Terraform module: `iac/aws/modules/authorizer/`
- Microsoft Graph webhook docs: https://learn.microsoft.com/en-us/graph/webhooks

---

## üéØ Deployment Checklist

Track your progress through the authorizer deployment:

- [ ] **Task 1**: Generate client_state and deploy authorizer via Terraform
- [ ] **Task 2**: Test authorizer with GET/POST requests (valid and invalid)
- [ ] **Task 3**: Update Microsoft Graph subscriptions with clientState
- [ ] **Task 4**: Setup CloudWatch alarms and monitoring
- [ ] **Task 5**: Document security procedures and rotation schedule

### Success Criteria

‚úÖ Authorizer Lambda deployed and integrated with API Gateway  
‚úÖ GET requests with validationToken return 200 OK  
‚úÖ POST requests with valid clientState return 202 Accepted  
‚úÖ POST requests with invalid/missing clientState return 403 Forbidden  
‚úÖ CloudWatch logs show authorization decisions  
‚úÖ CloudWatch alarms configured for security events  
‚úÖ Microsoft Graph subscriptions updated with matching clientState  

---

## üîê Security Status: ENABLED

Your webhook API is now protected by Lambda REQUEST authorizer. Only webhooks with the correct `clientState` will be processed, preventing unauthorized access and potential security incidents.

**Next Steps:**
- Test end-to-end flow with real Microsoft Teams meetings
- Set up subscription renewal automation (every 29 days)
- Implement webhook processing logic in Lambda function
- Build monitoring dashboard for webhook delivery statistics