-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathserverless.yml
173 lines (167 loc) · 4.11 KB
/
serverless.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
service: git-lfs-s3
plugins:
- serverless-esbuild
- serverless-iam-roles-per-function
provider:
architecture: arm64
name: aws
runtime: nodejs20.x
package:
individually: true
custom:
esbuild:
bundle: true
minify: true
sourcemap: true
functions:
batch:
handler: src/batch/batch.handler
iamRoleStatements:
- Action:
- s3:ListBucket
Effect: "Allow"
Resource:
Fn::GetAtt:
- StorageBucket
- Arn
- Action:
- s3:GetObject
- s3:PutObject
Effect: "Allow"
Resource:
Fn::Join:
- ""
- - Fn::GetAtt:
- StorageBucket
- Arn
- "/*"
environment:
BUCKET_NAME:
Ref: StorageBucket
events:
- http:
path: objects/batch
method: post
integration: lambda-proxy
authorizer: &authorizer
name: authorizer
resultTtlInSeconds: 0
identitySource: method.request.header.Authorization
type: request
locks:
handler: src/locks/locks.handler
iamRoleStatements:
- Action:
- dynamodb:DeleteItem
- dynamodb:GetItem
- dynamodb:PutItem
- dynamodb:Query
- dynamodb:Scan
Effect: "Allow"
Resource:
Fn::GetAtt:
- LockTable
- Arn
- Action:
- dynamodb:Query
Effect: "Allow"
Resource:
Fn::Join:
- ""
- - Fn::GetAtt:
- LockTable
- Arn
- /index/*
environment:
TABLE_NAME:
Ref: LockTable
ID_INDEX_NAME: &idindexname IdIndex
events:
- http:
path: locks/{proxy+}
method: post
integration: lambda-proxy
authorizer: *authorizer
- http:
path: locks
method: get # list locks
integration: lambda-proxy
authorizer: *authorizer
- http:
path: locks
method: post # create lock
integration: lambda-proxy
authorizer: *authorizer
authorizer:
handler: src/authorizer/authorizer.handler
environment:
USER_POOL_ID:
Ref: UserPool
USER_POOL_CLIENT_ID:
Ref: UserPoolClient
iamRoleStatements:
- Action:
- cognito-idp:AdminInitiateAuth
Effect: "Allow"
Resource:
Fn::GetAtt:
- UserPool
- Arn
resources:
Outputs:
UserPoolId:
Description: Id of the Cognito User Pool
Value:
Ref: UserPool
Resources:
GatewayResponse:
Type: AWS::ApiGateway::GatewayResponse
Properties:
ResponseParameters:
gatewayresponse.header.WWW-Authenticate: "'Basic'"
ResponseType: UNAUTHORIZED
RestApiId:
Ref: ApiGatewayRestApi
StatusCode: '401'
StorageBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
LockTable:
Type: AWS::DynamoDB::Table
DeletionPolicy: Retain
Properties:
AttributeDefinitions:
- AttributeName: path
AttributeType: S
- AttributeName: id
AttributeType: S
BillingMode: PAY_PER_REQUEST
GlobalSecondaryIndexes:
- IndexName: *idindexname
KeySchema:
- AttributeName: id
KeyType: HASH
Projection:
ProjectionType: ALL
KeySchema:
- AttributeName: path
KeyType: HASH
UserPool:
Type: AWS::Cognito::UserPool
Properties:
AdminCreateUserConfig:
AllowAdminCreateUserOnly: true
UserPoolName: "${self:service}-${opt:stage}"
UserPoolTags:
STAGE: "${opt:stage}"
UserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
ClientName: "${self:service}-${opt:stage}"
ExplicitAuthFlows:
- ADMIN_NO_SRP_AUTH
GenerateSecret: false
SupportedIdentityProviders:
- COGNITO
UserPoolId:
Ref: UserPool