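# Serverless Framework service: an API Gateway "gatekeeper" that fronts an
# internal API behind a Cognito User Pool authorizer, plus the Cognito
# identity/user pools and IAM roles that go with it.
service: wbh-gatekeeper

plugins:
  - serverless-offline
  - serverless-plugin-typescript
  - serverless-pseudo-parameters

provider:
  name: aws
  # NOTE(review): nodejs6.10 is an end-of-life Lambda runtime; left unchanged
  # here because a runtime bump is a deployment change, not a config fix.
  runtime: nodejs6.10
  stage: dev

custom:
  # Upstream (internal) API the {proxy+} method forwards to; the stage name
  # selects the matching internal hostname.
  apiEndpoint: ${opt:stage, self:provider.stage}.internal.api.wbh.cubyard.com

functions:
  hello:
    handler: handler.hello
    events:
      # No `authorizer` is set on this event, so GET /hello is reachable
      # without a token — unlike the {proxy+} method declared below.
      - http:
          path: hello
          method: GET

resources:
  Resources:
    # NOTE(review): this certificate is created but nothing in this template
    # attaches it to a stage (no ClientCertificateId reference) — confirm it
    # is wired up elsewhere or drop it.
    APIGatewayClientCertificate:
      Type: AWS::ApiGateway::ClientCertificate
      Properties:
        Description: "The client certificate for stage ${opt:stage, self:provider.stage}"

    # ACM certificate for the custom domain. Stack creation presumably blocks
    # until the domain is validated — verify the validation method in use.
    APIGatewayDomainCertificate:
      Type: AWS::CertificateManager::Certificate
      Properties:
        DomainName: "*.api.wbh.cubyard.com"
        SubjectAlternativeNames:
          - api.wbh.cubyard.com
        Tags:
          - Key: Name
            Value: "WBH API Cert"

    # Maps the root path of the custom domain to this service's stage.
    APIGatewayBasePathMapping:
      Type: AWS::ApiGateway::BasePathMapping
      Properties:
        BasePath: ''
        Stage: ${opt:stage, self:provider.stage}
        DomainName:
          Ref: APIGatewayDomainName
        RestApiId:
          Ref: ApiGatewayRestApi

    APIGatewayDomainName:
      Type: AWS::ApiGateway::DomainName
      Properties:
        CertificateArn:
          Ref: APIGatewayDomainCertificate
        DomainName: ${opt:stage, self:provider.stage}.api.wbh.cubyard.com

    # Greedy {proxy+} resource under the API root.
    ProxyResource:
      Type: AWS::ApiGateway::Resource
      Properties:
        ParentId:
          Fn::GetAtt:
            - ApiGatewayRestApi  # Serverless' default Rest API logical ID
            - RootResourceId
        PathPart: '{proxy+}'  # the endpoint in the API that acts as the proxy
        RestApiId:
          Ref: ApiGatewayRestApi

    # Cognito User Pool authorizer; the token is read from the custom
    # `Token` request header (also listed in the CORS allowed headers below).
    ProxyMethodAuthorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        RestApiId:
          Ref: ApiGatewayRestApi
        IdentitySource: method.request.header.Token
        Type: COGNITO_USER_POOLS
        Name: WBHCognitoUserPoolAuthorizer_${opt:stage, self:provider.stage}
        ProviderARNs:
          - Fn::GetAtt:
              - CognitoUserPool
              - Arn

    # Authenticated ANY /{proxy+} → HTTP_PROXY to the internal API. Every
    # request must pass the Cognito authorizer before being forwarded.
    ProxyMethod:
      Type: AWS::ApiGateway::Method
      Properties:
        ResourceId:
          Ref: ProxyResource
        RestApiId:
          Ref: ApiGatewayRestApi
        HttpMethod: ANY  # the method of the proxy: GET, POST, ...
        AuthorizationType: COGNITO_USER_POOLS
        AuthorizerId:
          Ref: ProxyMethodAuthorizer
        RequestParameters:
          method.request.path.proxy: true
        # NOTE(review): no MethodResponses are declared; HTTP_PROXY passes the
        # upstream response through — confirm the deploy accepts the omission.
        Integration:
          IntegrationHttpMethod: ANY
          Type: HTTP_PROXY
          Uri: https://${self:custom.apiEndpoint}/{proxy}  # the URL the proxy forwards to
          RequestParameters:
            integration.request.path.proxy: method.request.path.proxy
            integration.request.header.Accept-Encoding: "'identity'"

    # Unauthenticated OPTIONS /{proxy+} MOCK for CORS preflight. The
    # Allow-Origin of '*' lets any origin call the proxy; narrow it to the
    # application's origin if the caller set is known.
    OptionsMethod:
      Type: AWS::ApiGateway::Method
      Properties:
        AuthorizationType: NONE
        RestApiId:
          Ref: ApiGatewayRestApi
        ResourceId:
          Ref: ProxyResource
        HttpMethod: OPTIONS
        Integration:
          IntegrationResponses:
            - StatusCode: 200
              ResponseParameters:
                method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,Token'"
                method.response.header.Access-Control-Allow-Methods: "'GET,POST,HEAD,DELETE,OPTIONS'"
                method.response.header.Access-Control-Allow-Origin: "'*'"
              ResponseTemplates:
                application/json: ''
          PassthroughBehavior: WHEN_NO_MATCH
          RequestTemplates:
            application/json: '{"statusCode": 200}'
          Type: MOCK
        MethodResponses:
          - StatusCode: 200
            ResponseModels:
              application/json: 'Empty'
            ResponseParameters:
              method.response.header.Access-Control-Allow-Headers: false
              method.response.header.Access-Control-Allow-Methods: false
              method.response.header.Access-Control-Allow-Origin: false

    # Identity pool backed solely by the user pool; guest (unauthenticated)
    # identities are disabled.
    CognitoIdentityPool:
      Type: AWS::Cognito::IdentityPool
      Properties:
        IdentityPoolName: WBHIdentityPool_${opt:stage, self:provider.stage}
        AllowUnauthenticatedIdentities: false
        CognitoIdentityProviders:
          - ClientId:
              Ref: CognitoUserPoolClient
            ProviderName:
              Fn::GetAtt:
                - CognitoUserPool
                - ProviderName

    CognitoUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: WBHUserPool_${opt:stage, self:provider.stage}

    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: MobileUser
        UserPoolId:
          Ref: CognitoUserPool

    CognitoIdentityPoolRoleAttachment:
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId:
          Ref: CognitoIdentityPool
        Roles:
          authenticated:
            Fn::GetAtt:
              - WBHAuthenticatedUsersRole
              - Arn
          unauthenticated:
            Fn::GetAtt:
              - WBHUnauthenticatedUsersRole
              - Arn

    # Role assumed by signed-in identities. The AllowAPIInvocations statement
    # grants invoke-only access (execute-api:Invoke) to this API's stage; the
    # earlier `apigateway:*` on the arn:aws:apigateway management ARN granted
    # control-plane rights (create/update/delete of the API itself) to every
    # end user rather than the ability to call it.
    WBHAuthenticatedUsersRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: WBHAuthenticatedUsersRole_${opt:stage, self:provider.stage}
        Policies:
          - PolicyName: AllowAPIInvocations
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - "execute-api:Invoke"
                  Resource:
                    Fn::Join:
                      - ''
                      - - 'arn:aws:execute-api:'
                        - Ref: 'AWS::Region'
                        - ':'
                        - Ref: 'AWS::AccountId'
                        - ':'
                        - Ref: ApiGatewayRestApi
                        - '/${opt:stage, self:provider.stage}/*/*'
                # Service-wide Cognito Sync / Mobile Analytics event access;
                # not scoped to a particular dataset or app.
                - Effect: "Allow"
                  Action:
                    - "cognito-sync:*"
                    - "mobileanalytics:PutEvents"
                  Resource: "*"
        # Trust: only web-identity tokens issued for this identity pool with
        # an `authenticated` amr may assume the role.
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated:
                  - "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  cognito-identity.amazonaws.com:aud:
                    Ref: CognitoIdentityPool
                ForAnyValue:StringLike:
                  cognito-identity.amazonaws.com:amr: authenticated

    # Role for guest identities. The pool sets AllowUnauthenticatedIdentities
    # to false, so in normal operation no token should carry the
    # `unauthenticated` amr; keep this policy minimal regardless.
    WBHUnauthenticatedUsersRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: WBHUnauthenticatedUsersRole_${opt:stage, self:provider.stage}
        Policies:
          - PolicyName: CognitoOnly
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - "cognito-sync:*"
                    - "mobileanalytics:PutEvents"
                  Resource: "*"
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated:
                  - "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  cognito-identity.amazonaws.com:aud:
                    Ref: CognitoIdentityPool
                ForAnyValue:StringLike:
                  cognito-identity.amazonaws.com:amr: unauthenticated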