serverless.yml

---
# Copyright The Linux Foundation and each contributor to CommunityBridge.
# SPDX-License-Identifier: MIT

service: cla-backend
frameworkVersion: '^3.28.1'

package:
  # Exclude all first - selectively add in lambda functions
  # Support for "package.include" and "package.exclude" will be removed with next major release. Please use "package.patterns" instead
  # More Info: https://www.serverless.com/framework/docs/deprecations/#NEW_PACKAGE_PATTERNS
  patterns:
    - '!auth/**'
    - '!bin/*'
    - '!dev.sh'
    - '!docs/**'
    - '!helpers/**'
    - '!Makefile'
    - '!.env/**'
    - '!.venv/**'
    - '!.git*'
    - '!.git/**'
    - '!.vscode/**'
    - '!.pylintrc'
    - '!node_modules/**'
    - '!package-lock.json'
    - '!yarn.lock'
    - '.serverless-wsgi'

custom:
  allowed_origins: ${file(./env.json):cla-allowed-origins-${sls:stage}, ssm:/cla-allowed-origins-${sls:stage}}
  datadog:
    dd_env:
      dev: dev
      staging: staging
      prod: prod
    site: ${file(./env.json):dd-site-${sls:stage}, ssm:/cla-dd-site-${sls:stage}}
    apiKeySecretArn: ${file(./env.json):dd-api-key-secret-arn-${sls:stage}, ssm:/cla-dd-api-key-secret-arn-${sls:stage}}
    extensionLayerArn: ${file(./env.json):dd-extension-layer-arn-${sls:stage}, ssm:/cla-dd-extension-layer-arn-${sls:stage}}
  wsgi:
    app: cla.routes.__hug_wsgi__
    pythonBin: python
    pythonRequirements: false
  pythonRequirements:
    dockerizePip: true
    dockerImage: public.ecr.aws/sam/build-python3.11:latest
    slim: false
    strip: false
    useDownloadCache: true
    useStaticCache: true
  # Config for serverless-prune-plugin - remove all but the 10 most recent
  # versions to avoid the "Code storage limit exceeded" error
  prune:
    automatic: true
    number: 3
  userEventsSNSTopicARN: arn:aws:sns:us-east-2:${aws:accountId}:userservice-triggers-${sls:stage}-user-sns-topic

  certificate:
    arn:
      # From env Certificate Manager -
      # currently, PROD is managed externally, DEV and STAGING are still managed by serverless
      dev: arn:aws:acm:us-east-1:395594542180:certificate/b3bb6710-c11c-4bd1-a370-ec7c09f5ce52
      staging: arn:aws:acm:us-east-1:844390194980:certificate/f8ed594d-b1b5-47de-bf94-32eade2a2e4c
      prod: arn:aws:acm:us-east-1:716487311010:certificate/4a3c3018-df9e-4c3a-84a6-231317f8bcec
  product:
    domain:
      name:
        dev: 'api.lfcla.dev.platform.linuxfoundation.org'
        staging: 'api.lfcla.staging.platform.linuxfoundation.org'
        prod: 'api.easycla.lfx.linuxfoundation.org'
        other: 'api.dev.lfcla.com'
        enabled:
          dev: true
          staging: true
          prod: true
          other: true
      alt:
        dev: 'api.dev.lfcla.com'
        staging: 'api.staging.lfcla.com'
        prod: 'api.easycla.lfx.linuxfoundation.org'
        other: 'api.dev.lfcla.com'
        enabled:
          dev: true
          staging: true
          prod: false
          other: true

  customDomains:
    # https://github.com/amplify-education/serverless-domain-manager
    - primaryDomain:
      domainName: ${self:custom.product.domain.name.${sls:stage}, self:custom.product.domain.name.other}
      stage: ${sls:stage}
      basePath: ''  # a value of '/' will not work
      securityPolicy: tls_1_2
      apiType: rest
      certificateArn: ${self:custom.certificate.arn.${sls:stage}, self:custom.certificate.arn.other}
      protocols:
        - https
      enabled: true

    - alternateDomain:
      domainName: ${self:custom.product.domain.alt.${sls:stage}, self:custom.product.domain.alt.other}
      stage: ${sls:stage}
      basePath: ''  # a value of '/' will not work
      securityPolicy: tls_1_2
      apiType: rest
      certificateArn: ${self:custom.certificate.arn.${sls:stage}, self:custom.certificate.arn.other}
      protocols:
        - https
      enabled: ${self:custom.product.domain.alt.enabled.${sls:stage}, self:custom.product.domain.alt.enabled.other}

  ses_from_email:
    dev: admin@dev.lfcla.com
    staging: admin@staging.lfcla.com
    prod: admin@lfx.linuxfoundation.org

provider:
  name: aws
  runtime: python3.11
  stage: ${env:STAGE}
  region: us-east-1
  timeout: 60 # optional, in seconds, default is 6
  logRetentionInDays: 14
  lambdaHashingVersion: '20201221' # Resolution of lambda version hashes was improved with better algorithm, which will be used in next major release. Switch to it now by setting "provider.lambdaHashingVersion" to "20201221"

  apiGateway:
    # https://www.serverless.com/framework/docs/deprecations/#AWS_API_GATEWAY_NAME_STARTING_WITH_SERVICE
    shouldStartNameWithService: true
    # Configuring API Gateway to return binary media can be done via the binaryMediaTypes config:
    binaryMediaTypes:
      - 'image/*'
      - 'application/pdf'
      - 'application/zip'
      - 'application/octet-stream'
      - 'application/x-zip-compressed'
      - 'application/x-rar-compressed'
      - 'multipart/x-zip'
    minimumCompressionSize: 1024
    metrics: true

  logs:
    restApi: true

  tracing:
    apiGateway: true
    lambda: true # optional, enables tracing for all functions (can be true (true equals 'Active') 'Active' or 'PassThrough')

  iam:
    role:
      # Alongside provider.iam.role.statements managed policies can also be added to this service-wide Role
      # These will also be merged into the generated IAM Role
      managedPolicies:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole"
      statements:
        - Effect: Allow
          Action:
            # - cloudwatch:*
            - cloudwatch:PutMetricData
          Resource: "*"
        - Effect: Allow
          Action:
            - xray:PutTraceSegments
            - xray:PutTelemetryRecords
          Resource: "*"
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
            - s3:DeleteObject
            - s3:PutObjectAcl
          Resource:
            - "arn:aws:s3:::cla-signature-files-${sls:stage}/*"
            - "arn:aws:s3:::cla-project-logo-${sls:stage}/*"
        - Effect: Allow
          Action:
            - s3:ListBucket
          Resource:
            - "arn:aws:s3:::cla-signature-files-${sls:stage}"
            - "arn:aws:s3:::cla-project-logo-${sls:stage}"
        - Effect: Allow
          Action:
            - lambda:InvokeFunction
          Resource:
            # - "arn:aws:lambda:${self:provider.region}:${aws:accountId}:function:cla-backend-${sls:stage}-zipbuilder-lambda"
            - "arn:aws:lambda:${self:provider.region}:${aws:accountId}:function:cla-backend-${sls:stage}-zip-builder-lambda"
        - Effect: Allow
          Action:
            - ssm:GetParameter
          Resource:
            - "arn:aws:ssm:${self:provider.region}:${aws:accountId}:parameter/cla-*"
        - Effect: Allow
          Action:
            - ses:SendEmail
            - ses:SendRawEmail
          Resource:
            - "*"
          Condition:
            StringEquals:
              ses:FromAddress: ${self:custom.ses_from_email.${sls:stage}}
        - Effect: Allow
          Action:
            - sns:Publish
          Resource:
            - "*"
        - Effect: Allow
          Action:
            - sqs:SendMessage
          Resource:
            - "*"
        - Effect: Allow
          Action:
            - dynamodb:Query
            - dynamodb:DeleteItem
            - dynamodb:UpdateItem
            - dynamodb:PutItem
            - dynamodb:GetItem
            - dynamodb:Scan
            - dynamodb:DescribeTable
            - dynamodb:BatchGetItem
            - dynamodb:GetRecords
            - dynamodb:GetShardIterator
            - dynamodb:DescribeStream
            - dynamodb:ListStreams
          Resource:
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-api-log"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-ccla-whitelist-requests"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-cla-manager-requests"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-companies"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-company-invites"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gerrit-instances"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-github-orgs"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-projects"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-repositories"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-session-store"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-store"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-user-permissions"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-users"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-metrics"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-projects-cla-groups"
            - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gitlab-orgs"


  environment:
    STAGE: ${sls:stage}
    HOME: /tmp
    REGION: us-east-1
    DYNAMODB_AWS_REGION: us-east-1
    GH_APP_WEBHOOK_SECRET: ${file(./env.json):gh-app-webhook-secret, ssm:/cla-gh-app-webhook-secret-${sls:stage}}
    GH_APP_ID: ${file(./env.json):gh-app-id, ssm:/cla-gh-app-id-${sls:stage}}
    GH_OAUTH_CLIENT_ID: ${file(./env.json):gh-oauth-client-id, ssm:/cla-gh-oauth-client-id-${sls:stage}}
    GH_OAUTH_SECRET: ${file(./env.json):gh-oauth-secret, ssm:/cla-gh-oauth-secret-${sls:stage}}
    GITHUB_OAUTH_TOKEN: ${file(./env.json):gh-access-token, ssm:/cla-gh-access-token-${sls:stage}}
    GITHUB_APP_WEBHOOK_SECRET: ${file(./env.json):gh-app-webhook-secret, ssm:/cla-gh-app-webhook-secret-${sls:stage}}
    GH_STATUS_CTX_NAME: "EasyCLA"
    AUTH0_DOMAIN: ${file(./env.json):auth0-domain, ssm:/cla-auth0-domain-${sls:stage}}
    AUTH0_CLIENT_ID: ${file(./env.json):auth0-clientId, ssm:/cla-auth0-clientId-${sls:stage}}
    AUTH0_USERNAME_CLAIM: ${file(./env.json):auth0-username-claim, ssm:/cla-auth0-username-claim-${sls:stage}}
    AUTH0_USERNAME_CLAIM_CLI: ${file(./env.json):auth0-username-cli-claim, ssm:/cla-auth0-username-claim-cli-${sls:stage}, env:AUTH0_USERNAME_CLAIM_CLI, ''}
    AUTH0_EMAIL_CLAIM_CLI: ${file(./env.json):auth0-email-cli-claim, ssm:/cla-auth0-email-claim-cli-${sls:stage}, env:AUTH0_EMAIL_CLAIM_CLI, ''}
    AUTH0_NAME_CLAIM_CLI: ${file(./env.json):auth0-name-cli-claim, ssm:/cla-auth0-name-claim-cli-${sls:stage}, env:AUTH0_NAME_CLAIM_CLI, ''}
    AUTH0_ALGORITHM: ${file(./env.json):auth0-algorithm, ssm:/cla-auth0-algorithm-${sls:stage}}
    SF_INSTANCE_URL: ${file(./env.json):sf-instance-url, ssm:/cla-sf-instance-url-${sls:stage}}
    SF_CLIENT_ID: ${file(./env.json):sf-client-id, ssm:/cla-sf-consumer-key-${sls:stage}}
    SF_CLIENT_SECRET: ${file(./env.json):sf-client-secret, ssm:/cla-sf-consumer-secret-${sls:stage}}
    SF_USERNAME: ${file(./env.json):sf-username, ssm:/cla-sf-username-${sls:stage}}
    SF_PASSWORD: ${file(./env.json):sf-password, ssm:/cla-sf-password-${sls:stage}}
    DOCRAPTOR_API_KEY: ${file(./env.json):doc-raptor-api-key, ssm:/cla-doc-raptor-api-key-${sls:stage}}
    DOCUSIGN_ROOT_URL: ${file(./env.json):docusign-root-url, ssm:/cla-docusign-root-url-${sls:stage}}
    DOCUSIGN_USERNAME: ${file(./env.json):docusign-username, ssm:/cla-docusign-username-${sls:stage}}
    DOCUSIGN_PASSWORD: ${file(./env.json):docusign-password, ssm:/cla-docusign-password-${sls:stage}} 
    DOCUSIGN_AUTH_SERVER: ${file(./env.json):docusign-auth-server, ssm:/cla-docusign-auth-server-${sls:stage}}
    CLA_API_BASE: ${file(./env.json):cla-api-base, ssm:/cla-api-base-${sls:stage}}
    CLA_CONTRIBUTOR_BASE: ${file(./env.json):cla-contributor-base, ssm:/cla-contributor-base-${sls:stage}}
    CLA_CONTRIBUTOR_V2_BASE: ${file(./env.json):cla-contributor-v2-base, ssm:/cla-contributor-v2-base-${sls:stage}}
    CLA_CORPORATE_BASE: ${file(./env.json):cla-corporate-base, ssm:/cla-corporate-base-${sls:stage}}
    CLA_CORPORATE_V2_BASE: ${file(./env.json):cla-corporate-v2-base, ssm:/cla-corporate-v2-base-${sls:stage}}
    CLA_LANDING_PAGE: ${file(./env.json):cla-landing-page, ssm:/cla-landing-page-${sls:stage}}
    CLA_SIGNATURE_FILES_BUCKET: ${file(./env.json):cla-signature-files-bucket, ssm:/cla-signature-files-bucket-${sls:stage}}
    CLA_BUCKET_LOGO_URL: ${file(./env.json):cla-logo-url, ssm:/cla-logo-url-${sls:stage}}
    SES_SENDER_EMAIL_ADDRESS: ${file(./env.json):cla-ses-sender-email-address, ssm:/cla-ses-sender-email-address-${sls:stage}}
    SMTP_SENDER_EMAIL_ADDRESS: ${file(./env.json):cla-smtp-sender-email-address, ssm:/cla-smtp-sender-email-address-${sls:stage}}
    LF_GROUP_CLIENT_ID: ${file(./env.json):lf-group-client-id, ssm:/cla-lf-group-client-id-${sls:stage}}
    LF_GROUP_CLIENT_SECRET: ${file(./env.json):lf-group-client-secret, ssm:/cla-lf-group-client-secret-${sls:stage}}
    LF_GROUP_REFRESH_TOKEN: ${file(./env.json):lf-group-refresh-token, ssm:/cla-lf-group-refresh-token-${sls:stage}}
    LF_GROUP_CLIENT_URL: ${file(./env.json):lf-group-client-url, ssm:/cla-lf-group-client-url-${sls:stage}}
    SNS_EVENT_TOPIC_ARN: ${file(./env.json):sns-event-topic-arn, ssm:/cla-sns-event-topic-arn-${sls:stage}}
    PLATFORM_AUTH0_URL: ${file(./env.json):cla-auth0-platform-url, ssm:/cla-auth0-platform-url-${sls:stage}}
    PLATFORM_AUTH0_CLIENT_ID: ${file(./env.json):cla-auth0-platform-client-id, ssm:/cla-auth0-platform-client-id-${sls:stage}}
    PLATFORM_AUTH0_CLIENT_SECRET: ${file(./env.json):cla-auth0-platform-client-secret, ssm:/cla-auth0-platform-client-secret-${sls:stage}}
    PLATFORM_AUTH0_AUDIENCE: ${file(./env.json):cla-auth0-platform-audience, ssm:/cla-auth0-platform-audience-${sls:stage}}
    PLATFORM_GATEWAY_URL: ${file(./env.json):platform-gateway-url, ssm:/cla-auth0-platform-api-gw-${sls:stage}}
    PLATFORM_MAINTAINERS: ${file(./env.json):platform-maintainers, ssm:/cla-lf-platform-maintainers-${sls:stage}}
    # Set to true for verbose API logging - useful when Debugging API calls for Core Platform Services or other external services
    # LOG_DEVEL: debug              # default is debug
    # DEBUG: false                  # default is false
    LOG_FORMAT: json
    # GH_ORG_VALIDATION: true       # default is true/enabled
    # COMPANY_USER_VALIDATION: true # default is true/enabled
    # 08/31/2020 - SETUPTOOLS needs to be set for the Python run-time + Debian/Ubuntu (current lambda run-time),
    # See:
    # https://github.com/pypa/setuptools/issues/2350 and
    # https://github.com/pypa/setuptools/issues/2232
    SETUPTOOLS_USE_DISTUTILS: stdlib

    # API usage logging toggles:
    DDB_API_LOGGING: ${file(./env.json):ddb-api-logging-${sls:stage}, ssm:/cla-ddb-api-logging-${sls:stage}}
    OTEL_DATADOG_API_LOGGING: ${file(./env.json):otel-datadog-api-logging-${sls:stage}, ssm:/cla-otel-datadog-api-logging-${sls:stage}}

    # Datadog/OTel placeholders (Python OTel is stubbed for now)
    DD_ENV: ${self:custom.datadog.dd_env.${sls:stage}, self:custom.datadog.dd_env.dev}
    DD_SERVICE: easycla-backend
    # DD_VERSION: ${ssm:/cla-dd-version-${sls:stage}, env:DD_VERSION, '1.0'}
    DD_VERSION: ${env:DD_VERSION, '1.0'}
    # DD_SITE: ${self:custom.datadog.site}
    # DD_API_KEY_SECRET_ARN: ${self:custom.datadog.apiKeySecretArn}
    DD_SITE: ${file(./env.json):dd-site-${sls:stage}, ssm:/cla-dd-site-${sls:stage}}
    DD_API_KEY_SECRET_ARN: ${file(./env.json):dd-api-key-secret-arn-${sls:stage}, ssm:/cla-dd-api-key-secret-arn-${sls:stage}}
    DD_OTLP_CONFIG_RECEIVER_PROTOCOLS_HTTP_ENDPOINT: localhost:4318
    OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: http://localhost:4318/v1/traces

  stackTags:
    Name: ${self:service}
    stage: ${sls:stage}
    Project: "EasyCLA"
    Product: "EasyCLA"
    ManagedBy: "Serverless CloudFormation"
    ServiceType: "Product"
    Service: ${self:service}
    ServiceRole: "Backend"
    ProgrammingPlatform: Go
    Owner: "David Deal"
  tags:
    Name: ${self:service}
    stage: ${sls:stage}
    Project: "EasyCLA"
    Product: "EasyCLA"
    ManagedBy: "Serverless CloudFormation"
    ServiceType: "Product"
    Service: ${self:service}
    ServiceRole: "Backend"
    ProgrammingPlatform: Go
    Owner: "David Deal"

plugins:
  - serverless-python-requirements
  - serverless-wsgi
  - serverless-plugin-tracing
  # Serverless Finch does s3 uploading. Called with 'sls client deploy'.
  # Also allows bucket removal with 'sls client remove'.
  - serverless-finch
  # To avoid a Code Storage Limit after tons of deploys and revisions - we can prune old versions
  # This plugin allows us to remove/prune the old versions either manually or automatically
  - serverless-prune-plugin
  - serverless-domain-manager

functions:
  authorizer:
    handler: auth/bin/authorizer
    description: "EasyCLA API authorizer"
    runtime: provided.al2
    package:
      individually: true
      patterns:
        - 'auth/bin/**'
        - 'bootstrap'

  api-v3-lambda:
    name: ${self:service}-${sls:stage, 'dev'}-api-v3-lambda
    description: "EasyCLA Golang API handler for the /v3 endpoints"
    runtime: provided.al2
    handler: 'bin/backend-aws-lambda'
    events:
      - http:
          method: ANY
          path: v3/{proxy+}
          # cors: true # CORS handled at the API implementation
    package:
      individually: true
      patterns:
        - 'bin/backend-aws-lambda'
        - 'bootstrap'
    layers:
      - ${self:custom.datadog.extensionLayerArn}

  dynamo-projects-events-lambda:
    name: ${self:service}-${sls:stage, 'dev'}-dynamo-projects-lambda
    description: "EasyCLA DynamoDB stream events handler for the projects table"
    handler: 'bin/dynamo-events-lambda'
    runtime: provided.al2
    package:
      individually: true
      patterns:
        - 'bin/dynamo-events-lambda'
        - 'bootstrap'

  dynamo-signatures-events-lambda:
    handler: 'bin/dynamo-events-lambda'
    name: ${self:service}-${sls:stage, 'dev'}-dynamo-signatures-events-lambda
    description: "EasyCLA DynamoDB stream events handler for the signatures table"
    runtime: provided.al2
    package:
      individually: true
      patterns:
        - 'bin/dynamo-events-lambda'
        - 'bootstrap'

  dynamo-events-events-lambda:
    handler: 'bin/dynamo-events-lambda'
    name: ${self:service}-${sls:stage, 'dev'}-dynamo-events-events-lambda
    description: "EasyCLA DynamoDB stream events handler for the events table"
    runtime: provided.al2
    package:
      individually: true
      patterns:
        - 'bin/dynamo-events-lambda'
        - 'bootstrap'

  dynamo-repositories-events-lambda:
    handler: 'bin/dynamo-events-lambda'
    name: ${self:service}-${sls:stage, 'dev'}-dynamo-repositories-events-lambda
    description: "EasyCLA DynamoDB stream events handler for the repositories table"
    runtime: provided.al2
    package:
      individually: true
      patterns:
        - 'bin/dynamo-events-lambda'
        - 'bootstrap'

  dynamo-projects-cla-groups-events-lambda:
    handler: 'bin/dynamo-events-lambda'
    name: ${self:service}-${sls:stage, 'dev'}-dynamo-projects-cla-groups-events-lambda
    description: "EasyCLA DynamoDB stream events handler for the projects-cla-groups table"
    runtime: provided.al2
    package:
      individually: true
      patterns:
        - 'bin/dynamo-events-lambda'
        - 'bootstrap'

  dynamo-github-orgs-events-lambda:
    handler: 'bin/dynamo-events-lambda'
    name: ${self:service}-${sls:stage, 'dev'}-dynamo-github-orgs-events-lambda
    description: "EasyCLA DynamoDB stream events handler for cla-<stage>-github-orgs the table"
    runtime: provided.al2
    package:
      individually: true
      patterns:
        - 'bin/dynamo-events-lambda'
        - 'bootstrap'

  save-metrics-lambda:
    name: ${self:service}-${sls:stage, 'dev'}-save-metrics-lambda
    description: "EasyCLA Save Metrics API handler"
    runtime: provided.al2
    handler: 'bin/metrics-aws-lambda'
    timeout: 900 # maximum time allowed
    events:
      - schedule:
          description: 'A function that gathers metrics on a given schedule'
          rate: rate(1 hour)
          enabled: true
    package:
      individually: true
      patterns:
        - 'bin/metrics-aws-lambda'
        - 'bootstrap'

  report-metrics-lambda:
    name: ${self:service}-${sls:stage, 'dev'}-report-metrics-lambda
    description: "EasyCLA Report Metrics API handler"
    runtime: provided.al2
    handler: 'bin/metrics-report-lambda'
    timeout: 900 # maximum time allowed
    events:
      - schedule:
          description: 'A function that reports metrics on a given schedule'
          rate: rate(1 day)
          enabled: true
    package:
      individually: true
      patterns:
        - 'bin/metrics-report-lambda'
        - 'bootstrap'

  zip-builder-scheduler-lambda:
    name: ${self:service}-${sls:stage, 'dev'}-zip-builder-scheduler-lambda
    description: "call zipbuilder-lambda for all cla groups periodically"
    handler: 'bin/zipbuilder-scheduler-lambda'
    runtime: provided.al2
    timeout: 900 # maximum time allowed
    events:
      - schedule:
          description: 'build zip file of signed PDFs for CLA Groups'
          rate: rate(15 minutes)
          enabled: true
    package:
      individually: true
      patterns:
        - 'bin/zipbuilder-scheduler-lambda'
        - 'bootstrap'

  zip-builder-lambda:
    handler: 'bin/zipbuilder-lambda'
    name: ${self:service}-${sls:stage, 'dev'}-zip-builder-lambda
    description: "build zip of signed signature pdf for cla group"
    runtime: provided.al2
    timeout: 900 # maximum time allowed
    memorySize: 1024
    package:
      individually: true
      patterns:
        - 'bin/zipbuilder-lambda'
        - 'bootstrap'

  gitlab-repository-check-lambda:
    handler: 'bin/gitlab-repository-check-lambda'
    name: ${self:service}-${sls:stage, 'dev'}-gitlab-repository-check-lambda
    description: "routine to periodically check the GitLab repository list for auto-enabled GitLab Groups"
    runtime: provided.al2
    timeout: 900 # maximum time allowed
    memorySize: 1024
    events:
      - schedule:
          description: 'periodically check the GitLab repository list for auto-enabled GitLab Groups'
          rate: rate(15 minutes)
          enabled: true
    package:
      individually: true
      patterns:
        - 'bin/gitlab-repository-check-lambda'
        - 'bootstrap'

  # User Subscribe event for dynamodb cla-stage-users table.
  easycla-user-event-handler-lambda:
    handler: 'bin/user-subscribe-lambda'
    name: ${self:service}-${sls:stage, 'dev'}-user-event-handler-lambda
    runtime: provided.al2
    description: Update easycla user data to user object in dynamodb
    package:
      individually: true
      patterns:
        - 'bin/user-subscribe-lambda'
        - 'bootstrap'
    reservedConcurrency: 5
    events:
      - sns:
          arn: ${self:custom.userEventsSNSTopicARN}

  apiv1:
    handler: wsgi_handler.handler
    description: "EasyCLA Python API handler for the /v1 endpoints"
    events:
      - http:
          method: ANY
          path: v1/{proxy+}
          cors: true
    layers:
      - ${self:custom.datadog.extensionLayerArn}

  apiv2:
    handler: wsgi_handler.handler
    description: "EasyCLA Python API handler for the /v2 endpoints"
    events:
      - http:
          method: ANY
          path: v2/{proxy+}
          cors: true
    layers:
      - ${self:custom.datadog.extensionLayerArn}

  salesforceprojects:
    handler: cla.salesforce.get_projects
    description: "EasyCLA API Callback Handler for fetching all SalesForce projects"
    events:
      - http:
          method: ANY
          path: v1/salesforce/projects
          cors: true
    layers:
      - ${self:custom.datadog.extensionLayerArn}

  salesforceprojectbyID:
    handler: cla.salesforce.get_project
    description: "EasyCLA API Callback Handler for fetching SalesForce projects by ID"
    events:
      - http:
          method: ANY
          path: v1/salesforce/project
          cors: true
    layers:
      - ${self:custom.datadog.extensionLayerArn}

  # GitHub callback handler
  githubinstall:
    handler: wsgi_handler.handler
    description: "EasyCLA API Callback Handler for GitHub bot installations"
    events:
      - http:
          method: ANY
          path: v2/github/installation
    layers:
      - ${self:custom.datadog.extensionLayerArn}

  # GitHub callback handler
  githubactivity:
    handler: wsgi_handler.handler
    description: "EasyCLA API Callback Handler for GitHub activity"
    events:
      - http:
          method: POST
          path: v2/github/activity
    layers:
      - ${self:custom.datadog.extensionLayerArn}


resources:
  Conditions:
    # Helper functions since we conditionally create some resources
    # https://gist.github.com/DavidWells/be078deef45f8cb2e280ccc7af947392
    isProd: { "Fn::Equals": [ "${env:STAGE}", "prod" ] }
    isStaging: { "Fn::Equals": [ "${env:STAGE}", "staging" ] }
    isDev: { "Fn::Equals": [ "${env:STAGE}", "dev" ] }
    isNotProd: { "Fn::Or": [ { "Condition": "isDev" }, { "Condition": "isStaging" } ] }
    # true when a TSL certificate should be created by serverless (false created externally)
    ShouldGenerateCertificate:
      Fn::Not: [ Fn::Equals: [ "${env:STAGE}", "prod" ] ]

  Resources:
    DatadogApiKeySecretReadPolicy:
      Type: AWS::IAM::Policy
      Properties:
        PolicyName: ${self:service}-${sls:stage}-datadog-api-key-secret-read
        Roles:
          - Ref: IamRoleLambdaExecution
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - secretsmanager:GetSecretValue
              Resource:
                - ${self:custom.datadog.apiKeySecretArn}

    DynamoDBIndexQueryPolicy:
      Type: AWS::IAM::Policy
      Properties:
        PolicyName: ${self:service}-${sls:stage}-dynamodb-index-query
        Roles:
          - Ref: IamRoleLambdaExecution
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - dynamodb:Query
              Resource:
                - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-*/index/*"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-api-log/index/bucket-dt-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-ccla-whitelist-requests/index/company-id-project-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-ccla-whitelist-requests/index/ccla-approval-list-request-project-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-users/index/github-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-users/index/github-username-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-users/index/gitlab-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-users/index/gitlab-username-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-users/index/github-user-external-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-users/index/lf-username-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-users/index/lf-email-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gerrit-instances/index/gerrit-name-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gerrit-instances/index/gerrit-project-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gerrit-instances/index/gerrit-project-sfid-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/project-signature-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/project-signature-date-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/reference-signature-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/signature-project-reference-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/signature-user-ccla-company-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/project-signature-external-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/signature-company-signatory-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/reference-signature-search-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/signature-project-id-type-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/signature-company-initial-manager-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-signatures/index/signature-project-id-sigtype-signed-approved-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-companies/index/external-company-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-companies/index/company-name-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-companies/index/company-signing-entity-name-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-projects/index/external-project-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-projects/index/project-name-search-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-projects/index/project-name-lower-search-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-projects/index/foundation-sfid-project-name-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-repositories/index/project-repository-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-repositories/index/repository-name-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-repositories/index/repository-organization-name-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-repositories/index/external-repository-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-repositories/index/sfdc-repository-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-repositories/index/project-sfid-repository-organization-name-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-repositories/index/project-sfid-repository-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-repositories/index/repository-type-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-github-orgs/index/github-org-sfid-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-github-orgs/index/project-sfid-organization-name-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-github-orgs/index/organization-name-lower-search-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-company-invites/index/requested-company-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/event-type-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/user-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/company-id-external-project-id-event-epoch-time-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/event-project-id-event-time-epoch-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/event-cla-group-id-event-time-epoch-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/event-date-and-contains-pii-event-time-epoch-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/company-sfid-foundation-sfid-event-time-epoch-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/company-sfid-project-id-event-time-epoch-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/company-id-event-type-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/event-foundation-sfid-event-time-epoch-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/event-company-sfid-event-data-lower-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-events/index/company-sfid-cla-group-id-event-time-epoch-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-metrics/index/metric-type-salesforce-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-cla-manager-requests/index/cla-manager-requests-company-project-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-cla-manager-requests/index/cla-manager-requests-external-company-project-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-cla-manager-requests/index/cla-manager-requests-project-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-projects-cla-groups/index/cla-group-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-projects-cla-groups/index/foundation-sfid-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gitlab-orgs/index/gitlab-org-sfid-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gitlab-orgs/index/gitlab-project-sfid-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gitlab-orgs/index/gitlab-organization-name-lower-search-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gitlab-orgs/index/gitlab-project-sfid-organization-name-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gitlab-orgs/index/gitlab-full-path-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gitlab-orgs/index/gitlab-external-group-id-index"
#                 - "arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/cla-${sls:stage}-gitlab-orgs/index/gitlab-org-url-index"

    # ApiGatewayRestApi, and GatewayResponse are used to enable Cors on custom authorizer responses.
    # This let's the client read the HTTP status on error.
    # see link for more detail
    # https://serverless.com/blog/cors-api-gateway-survival-guide/#cors-with-custom-authorizers
    ApiGatewayRestApi:
      Type: AWS::ApiGateway::RestApi
      Properties:
        Name: ${self:service}-${sls:stage}
        Description: EasyCLA API Gateway

    GatewayResponse:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: DEFAULT_4XX
        RestApiId:
          Ref: 'ApiGatewayRestApi'

#     Cert:
#       Type: AWS::CertificateManager::Certificate
#       Condition: ShouldGenerateCertificate
#       Properties:
#         DomainName: ${self:custom.product.domain.name.${sls:stage}, self:custom.product.domain.name.other}
#         SubjectAlternativeNames:
#           - ${self:custom.product.domain.alt.${sls:stage}, self:custom.product.domain.alt.other}
#         ValidationMethod: DNS

  Outputs:
    APIGatewayRootResourceID:
      Value:
        Fn::GetAtt:
          - ApiGatewayRestApi
          - RootResourceId
      Export:
        Name: APIGatewayRootResourceID