-
Notifications
You must be signed in to change notification settings - Fork 40
/
template.yaml
139 lines (130 loc) · 4.06 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
FramesBucket:
Type: AWS::S3::Bucket
Properties:
VersioningConfiguration:
Status: Enabled
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
StaticWebsiteBucket:
Type: AWS::S3::Bucket
Properties:
VersioningConfiguration:
Status: Enabled
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
ChallengesTable:
Type: AWS::Serverless::SimpleTable
TokenSecret:
Type: AWS::SecretsManager::Secret
Properties:
GenerateSecretString: {}
ChallengeApi:
Type: AWS::Serverless::Api
Properties:
StageName: Prod
Cors:
AllowOrigin: "'*'"
AllowMethods: "'*'"
AllowHeaders: "'*'"
ChallengeFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: lambda/
Handler: app.lambda_handler
Runtime: python3.7
Role: !GetAtt ChallengeFunctionRole.Arn
Timeout: 120
MemorySize: 512
Environment:
Variables:
REGION_NAME: !Ref AWS::Region
BUCKET_NAME: !Ref FramesBucket
DDB_TABLE: !Ref ChallengesTable
TOKEN_SECRET_ARN: !Ref TokenSecret
Events:
StartChallenge:
Type: Api
Properties:
Path: /challenge/start
Method: post
RestApiId: !Ref ChallengeApi
PutChallengeFrame:
Type: Api
Properties:
Path: /challenge/{challengeId}/frames
Method: put
RestApiId: !Ref ChallengeApi
VerifyChallenge:
Type: Api
Properties:
Path: /challenge/{challengeId}/verify
Method: post
RestApiId: !Ref ChallengeApi
ChallengeFunctionRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
- arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
- arn:aws:iam::aws:policy/AmazonRekognitionFullAccess
- arn:aws:iam::aws:policy/AmazonS3FullAccess
- arn:aws:iam::aws:policy/SecretsManagerReadWrite
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
CloudFrontOriginAccessIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: "S3 CloudFront OAI"
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
DefaultCacheBehavior:
ForwardedValues:
QueryString: false
TargetOriginId: the-s3-bucket
ViewerProtocolPolicy: redirect-to-https
DefaultRootObject: index.html
Enabled: true
Origins:
- DomainName: !Sub "${StaticWebsiteBucket}.s3.${AWS::Region}.amazonaws.com"
Id: the-s3-bucket
S3OriginConfig:
OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref StaticWebsiteBucket
PolicyDocument:
Statement:
- Action:
- s3:GetObject
Effect: Allow
Resource: !Sub "arn:aws:s3:::${StaticWebsiteBucket}/*"
Principal:
CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
Outputs:
ApiUrl:
Description: The API URL
Value: !Sub 'https://${ChallengeApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/challenge/'
StaticWebsiteUrl:
Description: The static website URL
Value: !Sub "https://${CloudFrontDistribution.DomainName}/"
StaticWebsiteBucket:
Description: The static website S3 bucket
Value: !Ref StaticWebsiteBucket