# Service name and front-end bucket name are read from a per-stage setup file
# (see the `custom` section at the bottom of this file).
service: ${self:custom.serviceName}

plugins:
  - serverless-s3-sync  # mirrors ./html into the front-end bucket on deploy

provider:
  name: aws
  # NOTE(review): nodejs12.x is a deprecated Lambda runtime; new deployments on
  # it are presumably rejected, so the handlers need a supported Node.js line.
  runtime: nodejs12.x
  stage: ${opt:stage, 'demo'}
  region: ${env:region, 'eu-west-1'}
  memorySize: 128
  stackTags:
    name: ${self:service}
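resources:
  Resources:
    # CORS headers on API Gateway's own 4XX/5XX responses (for example the
    # 401/403 produced by the custom authorizer) so a browser can read them.
    # '*' is as open as the `cors: true` on the functions; both should be
    # narrowed to the CloudFront domain once it is known.
    GatewayResponseDefault4XX:
      Type: AWS::ApiGateway::GatewayResponse
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: DEFAULT_4XX
        RestApiId:
          Ref: ApiGatewayRestApi
    GatewayResponseDefault5XX:
      Type: AWS::ApiGateway::GatewayResponse
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: DEFAULT_5XX
        RestApiId:
          Ref: ApiGatewayRestApi

    # Static front-end bucket. It is world-readable (ACL plus the bucket policy
    # below) because CloudFront reaches it as a plain custom origin rather than
    # through an origin access identity.
    # NOTE(review): `custom-auth` reads its permissions file (BUCKET/FILE in the
    # `functions` section) from this same bucket, so that file is publicly
    # readable as well. Authorization data belongs in a separate private bucket.
    S3Front:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:custom.frontBucket}
        AccessControl: PublicRead
        WebsiteConfiguration:
          IndexDocument: index.html
    FrontEndBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket:
          Ref: S3Front
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # Anonymous read of every object in the bucket.
            - Sid: PublicReadGetObject
              Effect: Allow
              Principal: '*'
              Action:
                - s3:GetObject
              Resource:
                Fn::Join:
                  - ''
                  - - 'arn:aws:s3:::'
                    - Ref: S3Front
                    - '/*'

    # CloudFront fronts both the bucket (default behaviour) and the REST API
    # (`<stage>/*`). Every TTL is 0, so nothing is cached at the edge.
    WebAppCloudFrontDistribution:
      Type: AWS::CloudFront::Distribution
      Properties:
        DistributionConfig:
          Origins:
            # Bucket via its REST endpoint, as a custom origin over HTTPS only.
            - DomainName: ${self:custom.frontBucket}.s3.amazonaws.com
              Id: ${self:custom.serviceName}-bucket
              CustomOriginConfig:
                HTTPPort: 80
                HTTPSPort: 443
                OriginProtocolPolicy: https-only
            # execute-api endpoint of the REST API created by this stack.
            - DomainName:
                Fn::Join:
                  - ''
                  - - Ref: ApiGatewayRestApi
                    - '.execute-api.'
                    - ${self:provider.region}
                    - '.amazonaws.com'
              Id: ${self:custom.serviceName}-api
              CustomOriginConfig:
                HTTPPort: 80
                HTTPSPort: 443
                OriginProtocolPolicy: https-only
          Enabled: true
          DefaultRootObject: index.html
          # SPA fallback: unknown paths return index.html with a 200.
          # NOTE(review): custom error responses apply to the whole
          # distribution, so a 404 from the API behaviour below is also turned
          # into 200 + index.html; confirm API clients tolerate that.
          CustomErrorResponses:
            - ErrorCode: 404
              ResponseCode: 200
              ResponsePagePath: /index.html
          # Static files from the bucket.
          DefaultCacheBehavior:
            AllowedMethods:
              - HEAD
              - GET
            TargetOriginId: ${self:custom.serviceName}-bucket
            DefaultTTL: 0
            MaxTTL: 0
            MinTTL: 0
            ForwardedValues:
              QueryString: false
              Cookies:
                Forward: whitelist
                WhitelistedNames:
                  - Authorization
              Headers:
                - Authorization
                - Referer
            ViewerProtocolPolicy: redirect-to-https
          CacheBehaviors:
            # API traffic: the stage prefix is kept in the path, which is what
            # the execute-api endpoint expects.
            - AllowedMethods:
                - HEAD
                - DELETE
                - POST
                - GET
                - OPTIONS
                - PUT
                - PATCH
              TargetOriginId: ${self:custom.serviceName}-api
              DefaultTTL: 0
              PathPattern: ${self:provider.stage}/*
              MaxTTL: 0
              MinTTL: 0
              ForwardedValues:
                # NOTE(review): false means CloudFront strips the query string
                # before forwarding to API Gateway; any route that reads query
                # parameters needs this set to true.
                QueryString: false
                Cookies:
                  Forward: all
                Headers:
                  - Authorization
                  - Referer
              ViewerProtocolPolicy: redirect-to-https
          # Default *.cloudfront.net certificate; no custom domain configured.
          ViewerCertificate:
            CloudFrontDefaultCertificate: true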
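functions:
  # SAML login plus catch-all API behind API Gateway (reached through
  # CloudFront under `<stage>/*`). Issues JWTs signed with JWT_SECRET.
  login:
    handler: backend/app.handler
    events:
      - http:
          path: /{proxy+}
          method: any
          cors: true
    environment:
      # Comma-separated list of the bucket's regional REST endpoint and the
      # CloudFront distribution domain.
      ALLOWED_DOMAINS:
        Fn::Join:
          - ','
          - - ${self:custom.frontBucket}.s3-${self:provider.region}.amazonaws.com
            - Fn::GetAtt: [WebAppCloudFrontDistribution, DomainName]
      # samltest.id is a public SAML test IdP; the certificate default below is
      # its public signing certificate, not a secret. Override both outside demos.
      IDP_HOST: ${env:IDP_HOST, "samltest.id"}
      # SAML attribute OIDs copied into the JWT profile.
      JWT_SAML_PROFILE: urn:oid:2.5.4.42, urn:oid:0.9.2342.19200300.100.1.3, urn:oid:2.16.840.1.113730.3.1.241
      # Required, no fallback: the former default ("12345678") meant a missing
      # environment variable deployed a guessable signing key, and anyone
      # knowing it could mint tokens accepted by `custom-auth`. Deploy now
      # fails fast when JWT_SECRET is unset.
      JWT_SECRET: ${env:JWT_SECRET}
      SAML_CERT: ${env:SAML_CERT, "MIIDEjCCAfqgAwIBAgIVAMECQ1tjghafm5OxWDh9hwZfxthWMA0GCSqGSIb3DQEB CwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4 MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQC0Z4QX1NFKs71ufbQwoQoW7qkNAJRIANGA4iM0 ThYghul3pC+FwrGv37aTxWXfA1UG9njKbbDreiDAZKngCgyjxj0uJ4lArgkr4AOE jj5zXA81uGHARfUBctvQcsZpBIxDOvUUImAl+3NqLgMGF2fktxMG7kX3GEVNc1kl bN3dfYsaw5dUrw25DheL9np7G/+28GwHPvLb4aptOiONbCaVvh9UMHEA9F7c0zfF /cL5fOpdVa54wTI0u12CsFKt78h6lEGG5jUs/qX9clZncJM7EFkN3imPPy+0HC8n spXiH/MZW8o2cqWRkrw3MzBZW3Ojk5nQj40V6NUbjb7kfejzAgMBAAGjVzBVMB0G A1UdDgQWBBQT6Y9J3Tw/hOGc8PNV7JEE4k2ZNTA0BgNVHREELTArggtzYW1sdGVz dC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF AAOCAQEASk3guKfTkVhEaIVvxEPNR2w3vWt3fwmwJCccW98XXLWgNbu3YaMb2RSn 7Th4p3h+mfyk2don6au7Uyzc1Jd39RNv80TG5iQoxfCgphy1FYmmdaSfO8wvDtHT TNiLArAxOYtzfYbzb5QrNNH/gQEN8RJaEf/g/1GTw9x/103dSMK0RXtl+fRs2nbl D1JJKSQ3AdhxK/weP3aUPtLxVVJ9wMOQOfcy02l+hHMb6uAjsPOpOVKqi3M8XmcU ZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu 3kXPjhSfj1AJGR1l9JGvJrHki1iHTA=="}
      # The SAML service provider is addressed by the CloudFront domain.
      SAML_DOMAIN:
        Fn::GetAtt: [WebAppCloudFrontDistribution, DomainName]
      SAML_ISSUER: ${env:SAML_ISSUER, "saml-jwt"}
      JWT_SAML_TTL: 60
      STAGE: ${self:provider.stage}

  # Lambda authorizer for `private-service`: verifies the JWT with the same
  # JWT_SECRET and looks up permissions in FILE inside BUCKET.
  custom-auth:
    handler: backend/custom-auth/index.handler
    environment:
      # Same rule as for `login`: must be provided, never defaulted.
      JWT_SECRET: ${env:JWT_SECRET}
      # NOTE(review): BUCKET is the public front-end bucket, so permissions.csv
      # is world-readable. Move it to a private bucket and grant this function
      # s3:GetObject on that bucket via the provider's IAM role statements.
      BUCKET: ${self:custom.frontBucket}
      FILE: permissions.csv

  # Example protected route; every request goes through `custom-auth`.
  private-service:
    handler: backend/auth-protected/index.handler
    events:
      - http:
          path: /private
          method: get
          cors: true
          authorizer:
            name: custom-auth
            resultTtlInSeconds: 1  # authorizer result is effectively uncached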
custom:
  # Per-stage settings are read from setup.<stage>.json next to this file.
  setupFile: ./setup.${self:provider.stage}.json
  serviceName: ${file(${self:custom.setupFile}):serviceName}
  frontBucket: ${self:custom.serviceName}-${file(${self:custom.setupFile}):frontendBucket}
  # serverless-s3-sync: upload ./html to the front-end bucket and delete
  # objects that no longer exist locally.
  # NOTE(review): with deleteRemoved, anything placed in the bucket outside
  # ./html (permissions.csv, if it is not kept there) is removed on the next
  # deploy.
  s3Sync:
    - bucketName: ${self:custom.frontBucket}
      localDir: html
      deleteRemoved: true

package:
  # Keep node_modules and the static site out of the Lambda bundle.
  # (Serverless v3 prefers `package.patterns` over the older exclude list.)
  exclude:
    - node_modules/**
    - html/**