service:
  name: accounts
  awsKmsKeyArn: ${ssm:/aws/reference/secretsmanager/${self:custom.stage}/all/kmsArn~true}

provider:
  name: aws
  endpointType: regional
  runtime: python3.6
  stage: alpha
  region: eu-central-1
  apiName: offen-${self:provider.stage}
  logs:
    restApi: true
  iamRoleStatements:
    - Effect: 'Allow'
      Action:
        - secretsmanager:GetSecretValue
      Resource: arn:aws:secretsmanager:eu-central-1:#{AWS::AccountId}:secret:${self:custom.stage}/*

package:
  individually: true
  exclude:
    - tests

plugins:
  - serverless-domain-manager
  - serverless-python-requirements
  - serverless-wsgi
  - serverless-pseudo-parameters

custom:
  stage: ${opt:stage, self:provider.stage}
  origin:
    production: https://vault.offen.dev
    staging: https://vault-staging.offen.dev
    alpha: https://vault-alpha.offen.dev
  serverHost:
    production: https://server.offen.dev
    staging: https://server-staging.offen.dev
    alpha: https://server-alpha.offen.dev
  domain:
    production: accounts.offen.dev
    staging: accounts-staging.offen.dev
    alpha: accounts-alpha.offen.dev
  cookieDomain:
    production: .offen.dev
    staging: .offen.dev
    alpha: .offen.dev
  customDomain:
    basePath: ''
    certificateName: '*.offen.dev'
    domainName: ${self:custom.domain.${self:custom.stage}}
    stage: ${self:custom.stage}
    endpointType: regional
    createRoute53Record: false
  wsgi:
    app: accounts.app
    packRequirements: false
  pythonRequirements:
    slim: true
    dockerizePip: non-linux
    fileName: requirements.txt

functions:
  authorizer:
    handler: lambdas.authorizer.handler
    environment:
      STAGE: ${self:custom.stage}
  rotateKeys:
    handler: lambdas.rotate_keys.handler
    environment:
      STAGE: ${self:custom.stage}
  app:
    handler: wsgi_handler.handler
    timeout: 30
    events:
      - http:
          path: /admin/
          method: any
          authorizer:
            name: authorizer
            resultTtlInSeconds: 0
            identitySource: method.request.header.Authorization
      - http:
          path: /admin/{proxy+}
          method: any
          authorizer:
            name: authorizer
            resultTtlInSeconds: 0
            identitySource: method.request.header.Authorization
      - http:
          path: '/'
          method: any
      - http:
          path: '/{proxy+}'
          method: any
    environment:
      CONFIG_CLASS: accounts.config.SecretsManagerConfig
      STAGE: ${self:custom.stage}
      CORS_ORIGIN: ${self:custom.origin.${self:custom.stage}}
      COOKIE_DOMAIN: ${self:custom.cookieDomain.${self:custom.stage}}
      SERVER_HOST: ${self:custom.serverHost.${self:custom.stage}}

resources:
  Resources:
    GatewayResponse:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.WWW-Authenticate: "'Basic'"
        ResponseType: UNAUTHORIZED
        RestApiId:
          Ref: 'ApiGatewayRestApi'
        StatusCode: '401'