-
Notifications
You must be signed in to change notification settings - Fork 0
/
serverless.yml
203 lines (185 loc) · 6.41 KB
/
serverless.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
service: ${self:custom.serviceName}
plugins:
- serverless-s3-sync
provider:
name: aws
runtime: nodejs12.x
stage: ${opt:stage, 'demo'}
region: ${env:region, 'eu-west-1'}
memorySize: 128
stackTags:
name: ${self:service}
iamRoleStatements:
- Effect: 'Allow'
Action:
- 's3:*'
Resource: "*"
- Effect: 'Allow'
Action:
- sts:AssumeRole
Resource: "*"
environment:
ROLE: { "Fn::GetAtt" : [ "IamRoleLambdaExecution", "Arn" ] }
#ORIGIN: https://${self:custom.frontBucket}.s3-${self:provider.region}.amazonaws.com
ORIGIN: "*"
resources:
Resources:
GatewayResponseDefault4XX:
Type: 'AWS::ApiGateway::GatewayResponse'
Properties:
ResponseParameters:
gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
ResponseType: DEFAULT_4XX
RestApiId:
Ref: 'ApiGatewayRestApi'
GatewayResponseDefault5XX:
Type: 'AWS::ApiGateway::GatewayResponse'
Properties:
ResponseParameters:
gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
ResponseType: DEFAULT_5XX
RestApiId:
Ref: 'ApiGatewayRestApi'
S3Data:
Type: AWS::S3::Bucket
Properties:
BucketName: ${self:custom.dataBucket}
CorsConfiguration:
CorsRules:
- AllowedMethods:
- GET
- POST
- HEAD
AllowedOrigins:
#- https://${self:custom.frontBucket}.s3-${self:provider.region}.amazonaws.com
- "*"
S3Data2:
Type: AWS::S3::Bucket
Properties:
BucketName: ${self:custom.dataBucket}-2
CorsConfiguration:
CorsRules:
- AllowedMethods:
- GET
- POST
- HEAD
AllowedOrigins:
#- https://${self:custom.frontBucket}.s3-${self:provider.region}.amazonaws.com
- "*"
S3Front:
Type: AWS::S3::Bucket
Properties:
BucketName: ${self:custom.frontBucket}
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
FrontEndBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: S3Front
PolicyDocument:
Statement:
- Sid: PublicReadGetObject
Effect: Allow
Principal: "*"
Action:
- s3:GetObject
Resource:
Fn::Join: [
"", [
"arn:aws:s3:::",
{
"Ref": "S3Front"
},
"/*"
]
]
functions:
browse:
handler: backend/browsing/index.handler
events:
- http:
path: getfiles
method: get
cors: true
authorizer:
name: custom-auth
resultTtlInSeconds: 1
delete:
handler: backend/delete-keys/index.handler
events:
- http:
path: deletekeys
method: post
cors: true
authorizer:
name: custom-auth
resultTtlInSeconds: 1
upload:
handler: backend/form-signing-sts/index.handler
events:
- http:
path: getuploadform
method: get
cors: true
authorizer:
name: custom-auth
resultTtlInSeconds: 1
download:
handler: backend/get-presigned-urls/index.handler
events:
- http:
path: getpresignedurls
method: post
cors: true
authorizer:
name: custom-auth
resultTtlInSeconds: 1
login:
handler: backend/login/app.handler
events:
- http:
path: /{proxy+}
method: any
cors: true
environment:
ALLOWED_DOMAINS: ${self:custom.frontBucket}.s3-${self:provider.region}.amazonaws.com,localhost:8080
IDP_HOST: ${env:IDP_HOST, "samltest.id"}
JWT_SAML_PROFILE: urn:oid:2.5.4.42, urn:oid:0.9.2342.19200300.100.1.3, urn:oid:2.16.840.1.113730.3.1.241
JWT_SECRET: ${env:JWT_SECRET, "12345678"}
SAML_CERT: ${env:SAML_CERT, "MIIDEjCCAfqgAwIBAgIVAMECQ1tjghafm5OxWDh9hwZfxthWMA0GCSqGSIb3DQEB CwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4 MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC0Z4QX1NFKs71ufbQwoQoW7qkNAJRIANGA4iM0 ThYghul3pC+FwrGv37aTxWXfA1UG9njKbbDreiDAZKngCgyjxj0uJ4lArgkr4AOE jj5zXA81uGHARfUBctvQcsZpBIxDOvUUImAl+3NqLgMGF2fktxMG7kX3GEVNc1kl bN3dfYsaw5dUrw25DheL9np7G/+28GwHPvLb4aptOiONbCaVvh9UMHEA9F7c0zfF /cL5fOpdVa54wTI0u12CsFKt78h6lEGG5jUs/qX9clZncJM7EFkN3imPPy+0HC8n spXiH/MZW8o2cqWRkrw3MzBZW3Ojk5nQj40V6NUbjb7kfejzAgMBAAGjVzBVMB0G A1UdDgQWBBQT6Y9J3Tw/hOGc8PNV7JEE4k2ZNTA0BgNVHREELTArggtzYW1sdGVz dC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF AAOCAQEASk3guKfTkVhEaIVvxEPNR2w3vWt3fwmwJCccW98XXLWgNbu3YaMb2RSn 7Th4p3h+mfyk2don6au7Uyzc1Jd39RNv80TG5iQoxfCgphy1FYmmdaSfO8wvDtHT TNiLArAxOYtzfYbzb5QrNNH/gQEN8RJaEf/g/1GTw9x/103dSMK0RXtl+fRs2nbl D1JJKSQ3AdhxK/weP3aUPtLxVVJ9wMOQOfcy02l+hHMb6uAjsPOpOVKqi3M8XmcU ZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu 3kXPjhSfj1AJGR1l9JGvJrHki1iHTA=="}
SAML_DOMAIN:
!Join
- ''
- - !Ref ApiGatewayRestApi
- '.execute-api.'
- ${self:provider.region}
- '.amazonaws.com'
SAML_ISSUER: saml-jwt-${self:custom.serviceName}
STAGE: ${self:provider.stage}
custom-auth:
handler: backend/custom-auth/index.handler
environment:
JWT_SECRET: ${env:JWT_SECRET, "12345678"}
BUCKET: ${self:custom.dataBucket}
FILE: permissions.csv
custom:
setupFile: ./setup.${self:provider.stage}.json
serviceName: ${file(${self:custom.setupFile}):serviceName}
frontBucket: ${self:custom.serviceName}-${file(${self:custom.setupFile}):frontendBucket}
dataBucket: ${self:custom.serviceName}-${file(${self:custom.setupFile}):dataBucket}
s3Sync:
- bucketName: ${self:custom.frontBucket}
localDir: frontend/dist
deleteRemoved: true
- bucketName: ${self:custom.dataBucket}
localDir: data
#deleteRemoved: true
package:
exclude:
- node_modules/**
- frontend/**
- data/**