service: name: accounts awsKmsKeyArn: ${ssm:/aws/reference/secretsmanager/${self:custom.stage}/all/kmsArn~true} provider: name: aws endpointType: regional runtime: python3.6 stage: alpha region: eu-central-1 apiName: offen-${self:provider.stage} logs: restApi: true package: individually: true plugins: - serverless-domain-manager - serverless-python-requirements - serverless-wsgi custom: stage: ${opt:stage, self:provider.stage} origin: production: vault.offen.dev staging: vault-staging.offen.dev alpha: vault-alpha.offen.dev serverHost: production: server.offen.dev staging: server-staging.offen.dev alpha: server-alpha.offen.dev domain: production: accounts.offen.dev staging: accounts-staging.offen.dev alpha: accounts-alpha.offen.dev cookieDomain: production: .offen.dev staging: .offen.dev alpha: .offen.dev customDomain: basePath: '' certificateName: '*.offen.dev' domainName: ${self:custom.domain.${self:custom.stage}} stage: ${self:custom.stage} endpointType: regional createRoute53Record: false wsgi: app: accounts.app packRequirements: false pythonRequirements: slim: true dockerizePip: non-linux fileName: requirements.txt functions: authorizer: handler: authorizer.handler environment: BASIC_AUTH_USER: ${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/basicAuthUser~true} HASHED_BASIC_AUTH_PASSWORD: ${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/hashedBasicAuthPassword~true} app: handler: wsgi_handler.handler events: - http: path: /admin/ method: any authorizer: name: authorizer resultTtlInSeconds: 0 identitySource: method.request.header.Authorization - http: path: /admin/{proxy+} method: any authorizer: name: authorizer resultTtlInSeconds: 0 identitySource: method.request.header.Authorization - http: path: '/' method: any - http: path: '/{proxy+}' method: any environment: CORS_ORIGIN: https://${self:custom.origin.${self:custom.stage}} COOKIE_DOMAIN: ${self:custom.cookieDomain.${self:custom.stage}} JWT_PRIVATE_KEY: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/jwtPrivateKey~true}' JWT_PUBLIC_KEY: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/jwtPublicKey~true}' HASHED_BASIC_AUTH_PASSWORD: ${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/hashedBasicAuthPassword~true} BASIC_AUTH_USER: ${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/basicAuthUser~true} SESSION_SECRET: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/sessionSecret~true}' SERVER_URL: ${self:custom.serverHost.${self:custom.stage}} POSTGRES_CONNECTION_STRING: '${ssm:/aws/reference/secretsmanager/${self:custom.stage}/accounts/postgresConnectionString~true}' resources: Resources: GatewayResponse: Type: 'AWS::ApiGateway::GatewayResponse' Properties: ResponseParameters: gatewayresponse.header.WWW-Authenticate: "'Basic'" ResponseType: UNAUTHORIZED RestApiId: Ref: 'ApiGatewayRestApi' StatusCode: '401'