-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtemplate.yaml
289 lines (277 loc) · 11.8 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Miro Banner Terms Accepters
Resources:
## S3 Bucket
MiroTermsBannerFrontend:
Type: AWS::S3::Bucket
Properties:
BucketName: !Join ['', ['s3-', !Join ['-', ['miro-terms-banner-frontend', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]]]
CorsConfiguration:
CorsRules:
- AllowedHeaders:
- '*'
AllowedMethods:
- GET
AllowedOrigins:
- !Join ['', ['https://s3-', !Join ['-', ['miro-terms-banner-frontend', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]], '.s3.', !Ref AWS::Region, '.amazonaws.com']]
- !Join ['', ['https://s3-', !Join ['-', ['miro-terms-banner-frontend', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]], '.s3.amazonaws.com']]
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: false
RestrictPublicBuckets: false
## S3 Bucket Policy - This permission will make the contents of the S3 bucket publicly readable
ProductBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref MiroTermsBannerFrontend
PolicyDocument:
Id: PublicReadPolicy
Version: '2012-10-17'
Statement:
- Sid: PublicReadForGetBucketObjects
Effect: Allow
Principal: '*'
Action: s3:GetObject
Resource: !Sub 'arn:aws:s3:::${MiroTermsBannerFrontend}/*'
Condition: {}
## Database where users who have accepted the Miro Banner will be captured.
## The "id" will be the numeric Miro User ID, stored as a string. You may use a hashed version of the Miro ID in this table instead (if desired)
MiroBannerTermsAcceptersTable:
Type: 'AWS::Serverless::SimpleTable'
Properties:
TableName: !Join ['-', ['miro-terms-banner-accepters-database', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
PrimaryKey:
Name: id
Type: String
## IAM Role for the "Read" Lambda Function to query/read the database
MiroBannerTermsReadFunctionRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: MiroBannerTermsReadFunctionRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action: 'sts:AssumeRole'
Policies:
- PolicyName: MiroBannerTermsDynamoDBReadPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'dynamodb:GetItem'
Resource: !GetAtt MiroBannerTermsAcceptersTable.Arn
## IAM Role for the "Write" Lambda Function to write on the database
MiroBannerTermsWriteFunctionRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: MiroBannerTermsWriteFunctionRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action: 'sts:AssumeRole'
Policies:
- PolicyName: MiroBannerTermsDynamoDBWritePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'dynamodb:UpdateItem'
Resource: !GetAtt MiroBannerTermsAcceptersTable.Arn
## Lambda "Read" Function
MiroBannerTermsReadFunction:
Type: 'AWS::Serverless::Function'
Properties:
FunctionName: !Join ['-', ['MiroBannerTermsReadFunction', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
Description: !Sub 'Lambda function for the "Miro Terms Modal app". It reads data from the DynamoDB table "${MiroBannerTermsAcceptersTable}"'
Handler: app.handler
Runtime: nodejs16.x
CodeUri: readApp/
Timeout: 10
Role: !GetAtt MiroBannerTermsReadFunctionRole.Arn
Environment:
Variables:
TABLE_NAME: !Ref MiroBannerTermsAcceptersTable
## Lambda "Write" Function
MiroBannerTermsWriteFunction:
Type: 'AWS::Serverless::Function'
Properties:
FunctionName: !Join ['-', ['MiroBannerTermsWriteFunction', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
Description: !Sub 'Lambda function for the "Miro Terms Modal app". It writes data on the DynamoDB table "${MiroBannerTermsAcceptersTable}"'
Handler: app.handler
Runtime: nodejs16.x
CodeUri: writeApp/
Timeout: 10
Role: !GetAtt MiroBannerTermsWriteFunctionRole.Arn
Environment:
Variables:
TABLE_NAME: !Ref MiroBannerTermsAcceptersTable
## API Gateway
MiroBannerTermsAPI:
Type: 'AWS::Serverless::Api'
Properties:
Name: !Join ['', ['api-', !Join ['-', [!Ref AWS::StackName, !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]]]
Description: !Sub 'API endpoint for the "Miro Terms Modal app". It handles requests to read/write on the DynamoDB table "${MiroBannerTermsAcceptersTable}"'
StageName: Prod
DefinitionBody:
swagger: '2.0'
info:
title: 'MiroBannerTermsAPI'
paths:
/w:
post:
x-amazon-apigateway-integration:
uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MiroBannerTermsWriteFunction.Arn}/invocations
passthroughBehavior: 'when_no_match'
httpMethod: POST
type: aws_proxy
responses: {}
security:
- sigv4: []
options:
summary: CORS support
description: |
Enable CORS by returning correct headers
consumes:
- application/json
produces:
- application/json
tags:
- CORS
x-amazon-apigateway-integration:
type: mock
requestTemplates:
application/json: |
{
'statusCode' : 200
}
responses:
'default':
statusCode: '200'
responseParameters:
method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,Cache-Control,Pragma'"
method.response.header.Access-Control-Allow-Methods : "'OPTIONS,POST'"
method.response.header.Access-Control-Allow-Origin :
!Join
- ''
- - "'"
- !If
- IsNotUSEast1
- Fn::Sub: 'https://${MiroTermsBannerFrontend}.s3.${AWS::Region}.amazonaws.com'
- Fn::Sub: 'https://${MiroTermsBannerFrontend}.s3.amazonaws.com'
- "'"
responseTemplates:
application/json: |
{}
responses:
'200':
description: Default response for CORS method
headers:
Access-Control-Allow-Headers:
type: 'string'
Access-Control-Allow-Methods:
type: 'string'
Access-Control-Allow-Origin:
type: 'string'
/q:
get:
x-amazon-apigateway-integration:
uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MiroBannerTermsReadFunction.Arn}/invocations
passthroughBehavior: 'when_no_match'
httpMethod: POST
type: aws_proxy
responses: {}
security:
- sigv4: []
options:
summary: CORS support
description: |
Enable CORS by returning correct headers
consumes:
- application/json
produces:
- application/json
tags:
- CORS
x-amazon-apigateway-integration:
type: mock
requestTemplates:
application/json: |
{
'statusCode' : 200
}
responses:
'default':
statusCode: '200'
responseParameters:
method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,Cache-Control,Pragma'"
method.response.header.Access-Control-Allow-Methods : "'OPTIONS,GET'"
method.response.header.Access-Control-Allow-Origin :
!Join
- ''
- - "'"
- !If
- IsNotUSEast1
- Fn::Sub: 'https://${MiroTermsBannerFrontend}.s3.${AWS::Region}.amazonaws.com'
- Fn::Sub: 'https://${MiroTermsBannerFrontend}.s3.amazonaws.com'
- "'"
responseTemplates:
application/json: |
{}
responses:
'200':
description: Default response for CORS method
headers:
Access-Control-Allow-Headers:
type: 'string'
Access-Control-Allow-Methods:
type: 'string'
Access-Control-Allow-Origin:
type: 'string'
## "Read" Lambda Function Invoke Permission
MiroBannerTermsApiInvokePermissionRead:
Type: 'AWS::Lambda::Permission'
Properties:
Action: 'lambda:InvokeFunction'
FunctionName: !GetAtt MiroBannerTermsReadFunction.Arn
Principal: 'apigateway.amazonaws.com'
SourceArn: !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${MiroBannerTermsAPI}/*/*/*'
## "Write" Lambda Function Invoke Permission
MiroBannerTermsApiInvokePermissionWrite:
Type: 'AWS::Lambda::Permission'
Properties:
Action: 'lambda:InvokeFunction'
FunctionName: !GetAtt MiroBannerTermsWriteFunction.Arn
Principal: 'apigateway.amazonaws.com'
SourceArn: !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${MiroBannerTermsAPI}/*/*/*'
## Take a note of the outputs for deploying the workflow templates in this sample application
Outputs:
S3BucketBaseUrl:
Description: 'Base URL of the S3 bucket where the web assets of the Miro app will be hosted'
Value: !If
- IsNotUSEast1
- Fn::Sub: 'https://${MiroTermsBannerFrontend}.s3.${AWS::Region}.amazonaws.com'
- Fn::Sub: 'https://${MiroTermsBannerFrontend}.s3.amazonaws.com'
ApiBaseURL:
Description: 'Base URL of HTTP API endpoint to read and write on the MiroBannerTermsAcceptersTable database'
Value: !Sub 'https://${MiroBannerTermsAPI}.execute-api.${AWS::Region}.amazonaws.com'
DynamoDBTableName:
Description: 'Name of the DynamoDB table that captures users who have accepted the terms banner in Miro'
Value: !Ref MiroBannerTermsAcceptersTable
S3BucketName:
Description: 'Name of the S3 bucket where the web assets of the Miro app will be hosted (app.html, modal.html and variables.js)'
Value: !Ref MiroTermsBannerFrontend
## Condition to adjust URLs based on region (the Default region "us-eat-1" is not added to URLs. For other regions the region is part of the URLs)
Conditions:
IsNotUSEast1: !Not [!Equals [!Ref "AWS::Region", "us-east-1"]]