---
# Serverless Framework definition of the `accounts` service: a WSGI app
# (accounts.app, served through serverless-wsgi) behind a regional API
# Gateway REST API, with a Lambda authorizer on the /admin/ routes.
service:
  name: accounts
  # KMS key ARN, read at deploy time from Secrets Manager through the SSM
  # reference path; `~true` asks for the decrypted value.
  awsKmsKeyArn: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/all/kmsArn~true}'

provider:
  name: aws
  endpointType: regional
  # NOTE(review): Python 3.6 is end-of-life upstream and no longer receives
  # security fixes, and AWS has deprecated this Lambda runtime. Plan an
  # upgrade and re-test the pinned requirements against the newer runtime.
  runtime: python3.6
  # Default stage; a `--stage` option takes precedence through custom.stage.
  stage: alpha
  region: eu-central-1
  # NOTE(review): this reads provider.stage (the literal default above), not
  # custom.stage, so the API name appears to stay `offen-alpha` for every
  # stage - confirm this is intended.
  apiName: 'offen-${self:provider.stage}'
  logs:
    # NOTE(review): check which request data ends up in the REST API logs
    # (the admin routes carry Basic credentials in the Authorization header)
    # and who is allowed to read the log group.
    restApi: true

package:
  individually: true

plugins:
  - serverless-domain-manager
  - serverless-python-requirements
  - serverless-wsgi

custom:
  # Effective stage: CLI option first, provider default otherwise.
  stage: '${opt:stage, self:provider.stage}'
  # Per-stage host of the front end; used to build CORS_ORIGIN below.
  origin:
    production: 'vault.offen.dev'
    staging: 'vault-staging.offen.dev'
    alpha: 'vault-alpha.offen.dev'
  serverHost:
    production: 'server.offen.dev'
    staging: 'server-staging.offen.dev'
    alpha: 'server-alpha.offen.dev'
  domain:
    production: 'accounts.offen.dev'
    staging: 'accounts-staging.offen.dev'
    alpha: 'accounts-alpha.offen.dev'
  # NOTE(review): every stage scopes its cookies to the parent domain, so a
  # cookie set by alpha or staging is also sent to production hosts. The
  # session secret is read from a stage-specific path; confirm that this is
  # enough to keep a lower-stage session from being accepted in production.
  cookieDomain:
    production: '.offen.dev'
    staging: '.offen.dev'
    alpha: '.offen.dev'
  customDomain:
    basePath: ''
    certificateName: '*.offen.dev'
    domainName: '${self:custom.domain.${self:custom.stage}}'
    stage: '${self:custom.stage}'
    endpointType: regional
    # No Route 53 record is created here; DNS for the domain is presumably
    # managed elsewhere.
    createRoute53Record: false
  wsgi:
    app: accounts.app
    packRequirements: false
  pythonRequirements:
    slim: true
    dockerizePip: non-linux
    fileName: requirements.txt

functions:
  # Lambda authorizer attached to the /admin/ routes of `app`.
  authorizer:
    handler: authorizer.handler
    environment:
      BASIC_AUTH_USER: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/basicAuthUser~true}'
      HASHED_BASIC_AUTH_PASSWORD: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/hashedBasicAuthPassword~true}'

  app:
    handler: wsgi_handler.handler
    events:
      # Admin routes: the authorizer reads the Authorization header, and
      # resultTtlInSeconds 0 turns off result caching, so every request is
      # evaluated again.
      - http:
          path: '/admin/'
          method: any
          authorizer:
            name: authorizer
            resultTtlInSeconds: 0
            identitySource: method.request.header.Authorization
      - http:
          path: '/admin/{proxy+}'
          method: any
          authorizer:
            name: authorizer
            resultTtlInSeconds: 0
            identitySource: method.request.header.Authorization
      # Everything else reaches the app with no gateway-level authorizer.
      # NOTE(review): the app must not serve admin functionality on any path
      # that falls through to these catch-all routes.
      - http:
          path: '/'
          method: any
      - http:
          path: '/{proxy+}'
          method: any
    # NOTE(review): the `${ssm:...~true}` references are resolved at deploy
    # time, so the decrypted values (JWT private key, session secret,
    # database connection string) are written into the function
    # configuration and the generated deployment template. Restrict read
    # access to both, or load the secrets at runtime instead.
    environment:
      CORS_ORIGIN: 'https://${self:custom.origin.${self:custom.stage}}'
      COOKIE_DOMAIN: '${self:custom.cookieDomain.${self:custom.stage}}'
      # NOTE(review): resolves to a bare host name with no scheme, unlike
      # CORS_ORIGIN - confirm the app always contacts it over https.
      SERVER_URL: '${self:custom.serverHost.${self:custom.stage}}'
      JWT_PRIVATE_KEY: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/jwtPrivateKey~true}'
      JWT_PUBLIC_KEY: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/jwtPublicKey~true}'
      BASIC_AUTH_USER: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/basicAuthUser~true}'
      HASHED_BASIC_AUTH_PASSWORD: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/hashedBasicAuthPassword~true}'
      SESSION_SECRET: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/sessionSecret~true}'
      MYSQL_CONNECTION_STRING: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/mysqlConnectionString~true}'

resources:
  Resources:
    # Adds `WWW-Authenticate: Basic` to the gateway's 401 response so that
    # browsers prompt for credentials. The inner single quotes mark the
    # value as a static literal in API Gateway's mapping syntax.
    GatewayResponse:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.WWW-Authenticate: "'Basic'"
        ResponseType: UNAUTHORIZED
        RestApiId:
          Ref: 'ApiGatewayRestApi'
        StatusCode: '401'