maceto/sam-api-auth-template.yml

## sam-api-auth-template.yml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  your-api

  SAM Template for your API

Globals:
  Api:
    Cors:
      AllowOrigin: "'*'"
  Function:
    Timeout: 20
    MemorySize: 1024
    Environment:
      Variables:
        DEPLOY_ENVIRONMENT: !Ref DeployEnvironment

Parameters:
  DomainName:
    Type: String
    Default: api.domain.net
  HostedZoneName:
    Type: String
    Default: domain.net.


Resources:
  APIDomainName:
    Type: AWS::ApiGateway::DomainName
    Properties:
      CertificateArn: !Ref CertificateArn
      DomainName: !Ref DomainName

  YourApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      TracingEnabled: true
      Auth:
        DefaultAuthorizer: MyLambdaTokenAuthorizer
        Authorizers:
          MyLambdaTokenAuthorizer:
            FunctionArn: !GetAtt MyAuthFunction.Arn
            # NOTE: Additional options:
            # FunctionInvokeRole: !Ref MyRole
            Identity:
              Header: Authorization
              ValidationExpression: Bearer.*
              ReauthorizeEvery: 300

  APIBasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref APIDomainName
      BasePath: v2
      RestApiId: !Ref YourApi
      Stage: Prod

  APIDomain:
    Type: AWS::Route53::RecordSetGroup
    Properties:
      HostedZoneName: !Ref HostedZoneName
      RecordSets:
        - Name: !Ref DomainName
          Type: A
          AliasTarget:
            DNSName: !GetAtt APIDomainName.DistributionDomainName
            HostedZoneId: !Ref HostedZoneId

  MyAuthFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: auth/
      Handler: auth.lambda_handler
      Runtime: ruby2.5
      Policies:
        - AWSLambdaVPCAccessExecutionRole
        - CloudWatchLogsFullAccess
        - AWSXrayFullAccess
        - AmazonVPCFullAccess
        - AmazonSSMReadOnlyAccess
	AWSTemplateFormatVersion: "2010-09-09"
	Transform: AWS::Serverless-2016-10-31
	Description: >
	your-api

	SAM Template for your API

	Globals:
	Api:
	Cors:
	AllowOrigin: "'*'"
	Function:
	Timeout: 20
	MemorySize: 1024
	Environment:
	Variables:
	DEPLOY_ENVIRONMENT: !Ref DeployEnvironment

	Parameters:
	DomainName:
	Type: String
	Default: api.domain.net
	HostedZoneName:
	Type: String
	Default: domain.net.


	Resources:
	APIDomainName:
	Type: AWS::ApiGateway::DomainName
	Properties:
	CertificateArn: !Ref CertificateArn
	DomainName: !Ref DomainName

	YourApi:
	Type: AWS::Serverless::Api
	Properties:
	StageName: Prod
	TracingEnabled: true
	Auth:
	DefaultAuthorizer: MyLambdaTokenAuthorizer
	Authorizers:
	MyLambdaTokenAuthorizer:
	FunctionArn: !GetAtt MyAuthFunction.Arn
	# NOTE: Additional options:
	# FunctionInvokeRole: !Ref MyRole
	Identity:
	Header: Authorization
	ValidationExpression: Bearer.*
	ReauthorizeEvery: 300

	APIBasePathMapping:
	Type: AWS::ApiGateway::BasePathMapping
	Properties:
	DomainName: !Ref APIDomainName
	BasePath: v2
	RestApiId: !Ref YourApi
	Stage: Prod

	APIDomain:
	Type: AWS::Route53::RecordSetGroup
	Properties:
	HostedZoneName: !Ref HostedZoneName
	RecordSets:
	- Name: !Ref DomainName
	Type: A
	AliasTarget:
	DNSName: !GetAtt APIDomainName.DistributionDomainName
	HostedZoneId: !Ref HostedZoneId

	MyAuthFunction:
	Type: AWS::Serverless::Function
	Properties:
	CodeUri: auth/
	Handler: auth.lambda_handler
	Runtime: ruby2.5
	Policies:
	- AWSLambdaVPCAccessExecutionRole
	- CloudWatchLogsFullAccess
	- AWSXrayFullAccess
	- AmazonVPCFullAccess
	- AmazonSSMReadOnlyAccess