serverless.yml

service: nebula-serverless

# app and org for use with dashboard.serverless.com
# app: nebula
# org: ORG_NAME

frameworkVersion: "2"

package:
  individually: true

provider:
  name: aws
  runtime: nodejs12.x
  stage: dev
  profile: ${opt:profile, self:custom.profiles.${self:custom.stage}}
  stackName: ${self:service}-${self:custom.stage}
  region: us-east-1
  environment:
    AUTH0_DOMAIN: ${ssm:/${self:custom.stage}/auth0/domain, env:NEXT_PUBLIC_AUTH0_DOMAIN}
    AUTH0_AUDIENCE: ${ssm:/${self:custom.stage}/auth0/audience}
    AUTH0_CLIENT_ID: ${ssm:/${self:custom.stage}/auth0/client_id,
      env:NEXT_PUBLIC_AUTH0_CLIENT_ID}
    AUTH0_CLIENT_SECRET: ${ssm:/${self:custom.stage}/auth0/client_secret~true}
    JWT_TOKEN_ISSUER: ${ssm:/${self:custom.stage}/jwt/token_issuer}
    JWKS_URI: ${ssm:/${self:custom.stage}/jwt/jwks_uri}
    POSTER_TABLE: ${self:custom.posterTable}
    CONNECTION_TABLE: ${self:custom.connectionTable}
    POSTER_BUCKET: ${self:custom.posterBucketName}
    STAGE: ${self:custom.stage}
  lambdaHashingVersion: 20201221
  apiGateway:
    shouldStartNameWithService: true
  iamRoleStatements:
    - Effect: Allow
      Action:
        - ses:SendEmail
      Resource:
        Fn::Join:
          - ""
          - - "arn:aws:ses:"
            - Ref: AWS::Region
            - ":"
            - Ref: AWS::AccountId
            - ":identity/*"
    - Effect: Allow
      Action:
        - s3:PutObject
      Resource: arn:aws:s3:::${self:custom.posterBucketName}/*
    - Effect: Allow
      Action:
        - "execute-api:Invoke"
      Resource:
        - "arn:aws:execute-api:*:*:**/@connections/*"
    - Effect: "Allow"
      Action:
        - sqs:SendMessage
        - sqs:DeleteMessage
      Resource:
        Fn::GetAtt: [PosterQueue, Arn]
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
        - dynamodb:DescribeTable
      Resource: "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/*"

custom:
  stage: ${opt:stage, self:provider.stage, 'dev'}
  posterTable: ${self:service}-poster-${self:custom.stage}
  connectionTable: ${self:service}-connection-${self:custom.stage}
  posterBucketName: ${self:service}-poster-bucket-${self:custom.stage}
  profiles:
    dev: nebulaDev
    staging: nebulaStaging
    production: nebulaProduction
  logs:
    restApi: true
  serverless-offline:
    httpPort: 1337
  functionsBasePath: api
  webpack:
    webpackConfig: api/webpack.config.js
    includeModules:
      forceExclude:
        - chrome-aws-lambda
      forceInclude:
        - uuid
    packager: "yarn"
  domainRoot: yearincode.dev
  cdnDomains:
    production: cdn.${self:custom.domainRoot}
    staging: staging-cdn.${self:custom.domainRoot}
    dev: dev-cdn.${self:custom.domainRoot}
  domains:
    production: api.${self:custom.domainRoot}
    staging: staging-api.${self:custom.domainRoot}
    dev: dev-api.${self:custom.domainRoot}
  customDomain:
    rest:
      domainName: ${self:custom.domains.${self:custom.stage}}
      stage: ${self:custom.stage}
      createRoute53Record: true
      endpointType: regional
      autoDomain: true
    websocket:
      domainName: ws-${self:custom.domains.${self:custom.stage}}
      stage: ${self:custom.stage}
      createRoute53Record: true
      endpointType: regional
      autoDomain: true
  serverless-offline-sqs:
    autoCreate: true
    apiVersion: "2012-11-05"
    endpoint: http://0.0.0.0:9324
    region: us-east-1
    accessKeyId: local
    secretAccessKey: local
    skipCacheInvalidation: false
  dotenvInclude:
    dev: ""
    staging: ""
    production: []
  dotenv:
    logging: false
    include: ${self:custom.dotenvInclude.${self:custom.stage}}
    required:
      file: false
  dynamodb: # DynamoDB Local Instance
    stages:
      - dev
    start:
      host: localhost
      port: "8000" # the port of our Dynamo docker container
      noStart: true
      migrate: true
  s3:
    host: localhost
    directory: api/tmp
    cors: api/serverless-s3-local.xml
  ses:
    stages:
      - dev
    port: 9001
    outputDir: api/output
    clean: true

layers:
  puppeteer:
    package:
      artifact: api/layers/chrome_aws_lambda.zip
    name: ${self:custom.stage}-chrome-aws-lambda
    description: Layer to add puppeteer to Lambda functions.
    retain: false
    compatibleRuntimes:
      - nodejs12.x

functions:
  authorize:
    handler: auth/authorize.authorize

  authorizeWS:
    handler: auth/authorizeWS.authorizeWS
    environment:
      WEBSOCKET_PAYLOAD_SECRET:
        ${ssm:/${self:custom.stage}/websocket/payload_secret~true,
        env:WEBSOCKET_PAYLOAD_SECRET}

  queuePoster:
    handler: posters/queuePoster.queuePoster
    environment:
      SQS_QUEUE_URL: { Ref: PosterQueue }
    events:
      - http:
          path: users/{userId}/posters/queue
          method: post
          authorizer: authorize
          cors: true

  getPosters:
    handler: posters/getPosters.getPosters
    events:
      - http:
          path: users/{userId}/posters
          method: get
          authorizer: authorize
          cors: true

  getPosterBySlug:
    handler: posters/getPosterBySlug.getPosterBySlug
    events:
      - http:
          path: posters/{slug}
          method: get
          cors: true

  getGalleryPosters:
    handler: posters/getGalleryPosters.getGalleryPosters
    events:
      - http:
          path: posters/gallery
          method: get
          cors: true

  sendPosterStatistics:
    handler: posters/statistics/send.sendPosterStatistics
    environment:
      SEND_POSTER_ANALYTICS_RECIPIENTS:
        ${ssm:/${self:custom.stage}/ses/poster_analytics_recipients,
        env:SEND_POSTER_ANALYTICS_RECIPIENTS}
      AWS_SOURCE_EMAIL: ${ssm:/${self:custom.stage}/ses/source_email, env:AWS_SOURCE_EMAIL}
    events:
      - schedule: cron(0 0 ? * 1 *) # Notify at the start of the week

  connect:
    handler: posters/connect.connect
    environment:
      WEBSOCKET_PAYLOAD_SECRET:
        ${ssm:/${self:custom.stage}/websocket/payload_secret~true,
        env:WEBSOCKET_PAYLOAD_SECRET}
    events:
      - websocket:
          route: $connect
          authorizer:
            name: authorizeWS
            identitySource:
              - "route.request.querystring.wsPayload"

  disconnect:
    handler: posters/disconnect.disconnect
    events:
      - websocket:
          route: $disconnect

  start:
    handler: posters/start/start.start
    timeout: 900
    reservedConcurrency: 8 # No more than 8 concurrent invocations
    memorySize: 2048
    layers:
      - { Ref: PuppeteerLambdaLayer }
    environment:
      AWS_SOURCE_EMAIL: ${ssm:/${self:custom.stage}/ses/source_email, env:AWS_SOURCE_EMAIL}
      SITE_URL: ${ssm:/${self:custom.stage}/site/url,
        env:NEXT_PUBLIC_POST_LOGOUT_REDIRECT_URI}
      WEBSOCKET_API_ENDPOINT:
        Fn::Join:
          - ""
          - - Ref: WebsocketsApi
            - .execute-api.
            - Ref: AWS::Region
            - .amazonaws.com/
            - ${self:custom.stage}
    events:
      - sqs:
          arn:
            Fn::GetAtt:
              - PosterQueue
              - Arn

resources:
  Resources:
    # SQS
    PosterQueue:
      Type: "AWS::SQS::Queue"
      Properties:
        QueueName: sqs-poster-queue-${self:custom.stage}
        VisibilityTimeout: 900

    # DynamoDB
    ConnectionTable:
      Type: AWS::DynamoDB::Table
      DeletionPolicy: Retain
      Properties:
        TableName: ${self:custom.connectionTable}
        AttributeDefinitions:
          - AttributeName: connectionId
            AttributeType: S
          - AttributeName: userId
            AttributeType: S
        KeySchema:
          - AttributeName: connectionId
            KeyType: HASH
        GlobalSecondaryIndexes:
          - IndexName: userIdIndex
            KeySchema:
              - AttributeName: userId
                KeyType: HASH
            Projection:
              ProjectionType: ALL
        BillingMode: PAY_PER_REQUEST
    PosterTable:
      Type: AWS::DynamoDB::Table
      DeletionPolicy: Retain
      Properties:
        TableName: ${self:custom.posterTable}
        AttributeDefinitions:
          - AttributeName: userId
            AttributeType: S
          - AttributeName: posterSlug
            AttributeType: S
        KeySchema:
          - AttributeName: posterSlug
            KeyType: HASH
          - AttributeName: userId
            KeyType: RANGE
        GlobalSecondaryIndexes:
          - IndexName: userIdIndex
            KeySchema:
              - AttributeName: userId
                KeyType: HASH
            Projection:
              ProjectionType: ALL
        BillingMode: PAY_PER_REQUEST

    # API Gateway
    GatewayResponse:
      Type: "AWS::ApiGateway::GatewayResponse"
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: EXPIRED_TOKEN
        RestApiId:
          Ref: "ApiGatewayRestApi"
        StatusCode: "401"
    AuthFailureGatewayResponse:
      Type: "AWS::ApiGateway::GatewayResponse"
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: UNAUTHORIZED
        RestApiId:
          Ref: "ApiGatewayRestApi"
        StatusCode: "401"

    # S3
    PosterBucket:
      Type: AWS::S3::Bucket
      DeletionPolicy: Retain
      Properties:
        BucketName: ${self:custom.posterBucketName}
        AccessControl: Private
        CorsConfiguration:
          CorsRules:
            - AllowedHeaders: ["*"]
              AllowedMethods: ["PUT", "GET"]
              AllowedOrigins: ["*"] # Update with domain when available
    PosterBucketPolicy:
      Type: AWS::S3::BucketPolicy
      DeletionPolicy: Retain
      Properties:
        Bucket:
          Ref: PosterBucket
        PolicyDocument:
          Statement:
            - Action: s3:GetObject
              Effect: "Allow"
              Resource: arn:aws:s3:::${self:custom.posterBucketName}/*
              Principal:
                CanonicalUser:
                  Fn::GetAtt:
                    - CloudFrontOriginAccessIdentity
                    - S3CanonicalUserId
    CloudFrontOriginAccessIdentity:
      Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
      DeletionPolicy: Retain
      Properties:
        CloudFrontOriginAccessIdentityConfig:
          Comment: "Identity for accessing CloudFront from S3 within stack
            #{AWS::StackName}"
    PosterCdnDistribution:
      Type: AWS::CloudFront::Distribution
      DeletionPolicy: Retain
      Properties:
        DistributionConfig:
          Origins:
            # S3 origin for static content
            - DomainName: "${self:custom.posterBucketName}.s3.amazonaws.com"
              Id: PosterBucketS3Origin
              S3OriginConfig:
                OriginAccessIdentity:
                  Fn::Join:
                    - ""
                    - - "origin-access-identity/cloudfront/"
                      - Ref: CloudFrontOriginAccessIdentity
          Comment: CDN for poster photos.
          Enabled: true
          DefaultRootObject: index.html
          HttpVersion: http2
          DefaultCacheBehavior:
            AllowedMethods:
              - HEAD
              - GET
              - OPTIONS
            Compress: true
            TargetOriginId: PosterBucketS3Origin
            ForwardedValues:
              Headers:
                [
                  "Access-Control-Request-Headers",
                  "Access-Control-Request-Method",
                  "Origin",
                ]
              QueryString: false
              Cookies:
                Forward: none
            ViewerProtocolPolicy: redirect-to-https
          PriceClass: PriceClass_100

plugins:
  - serverless-domain-manager
  - serverless-dotenv-plugin
  - serverless-functions-base-path
  - serverless-offline-ses
  - serverless-webpack
  - serverless-s3-local
  - serverless-dynamodb-local
  - serverless-offline-sqs
  - serverless-offline