-
Notifications
You must be signed in to change notification settings - Fork 68
/
amplify.yml
85 lines (85 loc) · 5.12 KB
/
amplify.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
version: 0.1
backend:
phases:
preBuild:
commands:
- npm install -g @aws-amplify/[email protected] # pinned known working version
- make init # install OS packages and dev tools (awscli, sam-cli, linters, etc.)
- aws configure set cli_follow_urlparam false # fix for parameter store when storing URLs: https://github.com/aws/aws-cli/issues/2507
build:
commands:
- "# Execute Amplify CLI with the helper script"
- amplifyPush --simple
##
# Extract Environment data
##
- export STACK_NAME=$(jq -r '.providers.awscloudformation.StackName' ./amplify/#current-cloud-backend/amplify-meta.json)
- export DEPLOYMENT_BUCKET_NAME=$(jq -r '.providers.awscloudformation.DeploymentBucketName' ./amplify/#current-cloud-backend/amplify-meta.json)
- export AWS_DEFAULT_REGION=$(jq -r '.providers.awscloudformation.Region' amplify/#current-cloud-backend/amplify-meta.json)
- export COGNITO_IDENTITY_POOL_ID=$(jq -r '.auth.cognito.output.IdentityPoolId' ./amplify/#current-cloud-backend/amplify-meta.json)
- export COGNITO_USER_POOL_ID=$(jq -r '.auth.cognito.output.UserPoolId' ./amplify/#current-cloud-backend/amplify-meta.json)
- export COGNITO_USER_POOL_ARN=$(aws cognito-idp describe-user-pool --user-pool-id ${COGNITO_USER_POOL_ID} --query 'UserPool.Arn' --output text)
- export COGNITO_USER_POOL_CLIENT_ID=$(jq -r '.auth.cognito.output.AppClientIDWeb' ./amplify/#current-cloud-backend/amplify-meta.json)
- export UPLOAD_BUCKET_NAME=$(jq -r '.storage.uploadBucket.output.BucketName' ./amplify/#current-cloud-backend/amplify-meta.json)
##
# Export key deployed resources to System Manager Parameter Store
##
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/deployment/stackName" VALUE=${STACK_NAME}
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/deployment/deploymentBucket" VALUE=${DEPLOYMENT_BUCKET_NAME}
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/auth/identitypool/id" VALUE=${COGNITO_IDENTITY_POOL_ID}
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/auth/userpool/id" VALUE=${COGNITO_USER_POOL_ID}
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/auth/userpool/arn" VALUE=${COGNITO_USER_POOL_ARN}
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/auth/userpool/clientId" VALUE=${COGNITO_USER_POOL_CLIENT_ID}
- make export.parameter NAME="/${AWS_BRANCH}/service/auth/userpool/url" VALUE=https://cognito-idp.${AWS_DEFAULT_REGION}.amazonaws.com/
- make export.parameter NAME="/${AWS_BRANCH}/service/storage/uploadBucket/name" VALUE=${UPLOAD_BUCKET_NAME}
##
# Deploy SAM based back-end
##
- make deploy
frontend:
phases:
preBuild:
commands:
- cd source/webui
- npm install
build:
commands:
# Extract environment data
- export PUBSUB_ENDPOINT_NAME=$(aws iot describe-endpoint --endpoint-type iot:Data-ATS --query 'endpointAddress' --output text)
- export PUBSUB_REGION_NAME=$(jq -r '.providers.awscloudformation.Region' ../../amplify/#current-cloud-backend/amplify-meta.json)
# Push environment data into frontend build
- printf "VUE_APP_PUBSUB_ENDPOINT=${PUBSUB_ENDPOINT_NAME}\nVUE_APP_PUBSUB_REGION=${PUBSUB_REGION_NAME}" > .env
# Expose variables from env or SSM to front end as required:
#- export ENV_VAR_NAME=$(aws ssm get-parameter --name/${AWS_BRANCH}/service/... --query 'Parameter.Value --output text')
- npm run build
artifacts:
baseDirectory: source/webui/dist
files:
- "**/*"
cache:
paths:
- node_modules/**/*
- source/webui/node_modules/**/*
customHeaders:
- pattern: "**/*"
headers: # https://infosec.mozilla.org/guidelines/web_security
- key: "Strict-Transport-Security"
value: "max-age=31536000; includeSubDomains"
- key: "X-Content-Type-Options"
value: "nosniff"
- key: "X-XSS-Protection"
value: "1; mode=block"
- key: "X-Frame-Options"
value: "DENY"
- key: "Referrer-Policy"
value: "same-origin"
- key: "Feature-Policy"
value: "microphone 'none'; camera 'none'; notifications 'self'"
# CSP generated using Laboratory: https://github.com/april/laboratory
# Caveats
## Stripe Elements adds inline JS and iFrame (unsafe-eval, frame-src)
## Allows any endpoint hosted on AWS - NOTE: Use custom domains for production
### REST and GraphQL have random identifiers so we allow the sub-domain (connect-src)
### connect-src doesn't parse cognito-idp.*.amazonaws.com used by Amplify Auth - for prod, use region(s) endpoint
#- key: "Content-Security-Policy"
# value: "'default-src 'none'; connect-src https://*.amazonaws.com; font-src 'self' https://fonts.gstatic.com; frame-src https://js.stripe.com; img-src 'self'; script-src 'self' 'unsafe-eval' https://js.stripe.com/v3/; style-src 'self' https://fonts.googleapis.com/css?family=Raleway 'unsafe-inline' https://fonts.googleapis.com'"