website/accounts/serverless.yml

service:
  name: accounts
  awsKmsKeyArn: ${ssm:/aws/reference/secretsmanager/${self:custom.stage}/all/kmsArn~true}

provider:
  name: aws
  endpointType: regional
  runtime: python3.6
  stage: alpha
  region: eu-central-1
  apiName: offen-${self:provider.stage}
  logs:
    restApi: true
  iamRoleStatements:
    - Effect: 'Allow'
      Action:
        - secretsmanager:GetSecretValue
      Resource: arn:aws:secretsmanager:eu-central-1:#{AWS::AccountId}:secret:${self:custom.stage}/*

package:
  individually: true
  exclude:
    - tests

plugins:
  - serverless-domain-manager
  - serverless-python-requirements
  - serverless-wsgi
  - serverless-pseudo-parameters

custom:
  stage: ${opt:stage, self:provider.stage}
  origin:
    production: https://vault.offen.dev
    staging: https://vault-staging.offen.dev
    alpha: https://vault-alpha.offen.dev
  serverHost:
    production: https://server.offen.dev
    staging: https://server-staging.offen.dev
    alpha: https://server-alpha.offen.dev
  domain:
    production: accounts.offen.dev
    staging: accounts-staging.offen.dev
    alpha: accounts-alpha.offen.dev
  cookieDomain:
    production: .offen.dev
    staging: .offen.dev
    alpha: .offen.dev
  customDomain:
    basePath: ''
    certificateName: '*.offen.dev'
    domainName: ${self:custom.domain.${self:custom.stage}}
    stage: ${self:custom.stage}
    endpointType: regional
    createRoute53Record: false
  wsgi:
    app: accounts.app
    packRequirements: false
  pythonRequirements:
    slim: true
    dockerizePip: non-linux
    fileName: requirements.txt

functions:
  authorizer:
    handler: lambdas.authorizer.handler
    environment:
      STAGE: ${self:custom.stage}
  rotateKeys:
    handler: lambdas.rotate_keys.handler
    environment:
      STAGE: ${self:custom.stage}
  app:
    handler: wsgi_handler.handler
    timeout: 30
    events:
      - http:
          path: /admin/
          method: any
          authorizer:
            name: authorizer
            resultTtlInSeconds: 0
            identitySource: method.request.header.Authorization
      - http:
          path: /admin/{proxy+}
          method: any
          authorizer:
            name: authorizer
            resultTtlInSeconds: 0
            identitySource: method.request.header.Authorization
      - http:
          path: '/'
          method: any
      - http:
          path: '/{proxy+}'
          method: any
    environment:
      CONFIG_CLASS: accounts.config.SecretsManagerConfig
      STAGE: ${self:custom.stage}
      CORS_ORIGIN: ${self:custom.origin.${self:custom.stage}}
      COOKIE_DOMAIN: ${self:custom.cookieDomain.${self:custom.stage}}
      SERVER_HOST: ${self:custom.serverHost.${self:custom.stage}}

resources:
  Resources:
    GatewayResponse:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.WWW-Authenticate: "'Basic'"
        ResponseType: UNAUTHORIZED
        RestApiId:
          Ref: 'ApiGatewayRestApi'
        StatusCode: '401'
scaffold accounts app 2019-07-05 19:54:54 +02:00			`service:`
			`name: accounts`
			`awsKmsKeyArn: ${ssm:/aws/reference/secretsmanager/${self:custom.stage}/all/kmsArn~true}`

			`provider:`
			`name: aws`
			`endpointType: regional`
			`runtime: python3.6`
			`stage: alpha`
			`region: eu-central-1`
			`apiName: offen-${self:provider.stage}`
			`logs:`
			`restApi: true`
add iam role for accessing secrets manager 2019-07-19 20:21:59 +02:00			`iamRoleStatements:`
			`- Effect: 'Allow'`
			`Action:`
			`- secretsmanager:GetSecretValue`
properly scope secrets access 2019-07-19 22:00:55 +02:00			`Resource: arn:aws:secretsmanager:eu-central-1:#{AWS::AccountId}:secret:${self:custom.stage}/*`
scaffold accounts app 2019-07-05 19:54:54 +02:00
			`package:`
			`individually: true`
add iam role for accessing secrets manager 2019-07-19 20:21:59 +02:00			`exclude:`
			`- tests`
scaffold accounts app 2019-07-05 19:54:54 +02:00
			`plugins:`
			`- serverless-domain-manager`
			`- serverless-python-requirements`
			`- serverless-wsgi`
properly scope secrets access 2019-07-19 22:00:55 +02:00			`- serverless-pseudo-parameters`
scaffold accounts app 2019-07-05 19:54:54 +02:00
			`custom:`
			`stage: ${opt:stage, self:provider.stage}`
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`origin:`
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`production: https://vault.offen.dev`
			`staging: https://vault-staging.offen.dev`
			`alpha: https://vault-alpha.offen.dev`
add accounts and user CRUD and connect to auth layer 2019-07-10 17:17:50 +02:00			`serverHost:`
add protocol to host 2019-07-17 21:20:21 +02:00			`production: https://server.offen.dev`
			`staging: https://server-staging.offen.dev`
			`alpha: https://server-alpha.offen.dev`
scaffold accounts app 2019-07-05 19:54:54 +02:00			`domain:`
			`production: accounts.offen.dev`
			`staging: accounts-staging.offen.dev`
			`alpha: accounts-alpha.offen.dev`
further define cookie specifics, break auditorium into testable pieces 2019-07-08 15:11:06 +02:00			`cookieDomain:`
			`production: .offen.dev`
			`staging: .offen.dev`
			`alpha: .offen.dev`
scaffold accounts app 2019-07-05 19:54:54 +02:00			`customDomain:`
			`basePath: ''`
			`certificateName: '*.offen.dev'`
			`domainName: ${self:custom.domain.${self:custom.stage}}`
			`stage: ${self:custom.stage}`
			`endpointType: regional`
			`createRoute53Record: false`
			`wsgi:`
fix serverless module config for accounts app 2019-07-09 18:59:24 +02:00			`app: accounts.app`
scaffold accounts app 2019-07-05 19:54:54 +02:00			`packRequirements: false`
			`pythonRequirements:`
			`slim: true`
			`dockerizePip: non-linux`
fix serverless module config for accounts app 2019-07-09 18:59:24 +02:00			`fileName: requirements.txt`
scaffold accounts app 2019-07-05 19:54:54 +02:00
			`functions:`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`authorizer:`
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`handler: lambdas.authorizer.handler`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`environment:`
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`STAGE: ${self:custom.stage}`
			`rotateKeys:`
			`handler: lambdas.rotate_keys.handler`
			`environment:`
			`STAGE: ${self:custom.stage}`
scaffold accounts app 2019-07-05 19:54:54 +02:00			`app:`
			`handler: wsgi_handler.handler`
increase timeout value for accounts admin 2019-07-17 21:44:13 +02:00			`timeout: 30`
scaffold accounts app 2019-07-05 19:54:54 +02:00			`events:`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`- http:`
			`path: /admin/`
			`method: any`
			`authorizer:`
			`name: authorizer`
			`resultTtlInSeconds: 0`
			`identitySource: method.request.header.Authorization`
			`- http:`
			`path: /admin/{proxy+}`
			`method: any`
			`authorizer:`
			`name: authorizer`
			`resultTtlInSeconds: 0`
			`identitySource: method.request.header.Authorization`
scaffold accounts app 2019-07-05 19:54:54 +02:00			`- http:`
			`path: '/'`
			`method: any`
			`- http:`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00			`path: '/{proxy+}'`
scaffold accounts app 2019-07-05 19:54:54 +02:00			`method: any`
move authentication to jwt based token system handled by account app 2019-07-07 13:21:20 +02:00			`environment:`
allow checking JWTs against multiple public keys 2019-07-19 14:49:35 +02:00			`CONFIG_CLASS: accounts.config.SecretsManagerConfig`
			`STAGE: ${self:custom.stage}`
			`CORS_ORIGIN: ${self:custom.origin.${self:custom.stage}}`
fix missing config vars 2019-07-09 19:25:58 +02:00			`COOKIE_DOMAIN: ${self:custom.cookieDomain.${self:custom.stage}}`
use correct env key for server host 2019-07-17 21:11:22 +02:00			`SERVER_HOST: ${self:custom.serverHost.${self:custom.stage}}`
add basic auth authorizer for admin 2019-07-14 11:50:13 +02:00
			`resources:`
			`Resources:`
			`GatewayResponse:`
			`Type: 'AWS::ApiGateway::GatewayResponse'`
			`Properties:`
			`ResponseParameters:`
			`gatewayresponse.header.WWW-Authenticate: "'Basic'"`
			`ResponseType: UNAUTHORIZED`
			`RestApiId:`
			`Ref: 'ApiGatewayRestApi'`
			`StatusCode: '401'`