---
# Serverless Framework definition for the "accounts" service: a WSGI app
# behind API Gateway, a custom Lambda authorizer guarding /admin/, and a
# key-rotation function. Stage-specific values live under `custom`.

service:
  name: accounts
  # Resolved at deploy time through the SSM -> Secrets Manager reference
  # path; the `~true` suffix asks the framework to decrypt the value.
  awsKmsKeyArn: ${ssm:/aws/reference/secretsmanager/${self:custom.stage}/all/kmsArn~true}

provider:
  name: aws
  endpointType: regional
  # NOTE(review): python3.6 is past upstream end-of-life and is a deprecated
  # Lambda runtime; moving to a supported runtime needs the pinned
  # requirements re-tested, so it is only flagged here.
  runtime: python3.6
  stage: alpha
  region: eu-central-1
  apiName: offen-${self:provider.stage}
  logs:
    # NOTE(review): confirm which execution-log options this shorthand turns
    # on for the framework version in use; full request/response data
    # logging on a login endpoint would put credentials into CloudWatch.
    restApi: true
  # Provider-level statements are attached to the role shared by every
  # function below, so authorizer, rotateKeys and app can all read every
  # secret under the "<stage>/" prefix. Per-function roles would narrow this
  # if only some of them need it (not determinable from this file).
  iamRoleStatements:
    - Effect: 'Allow'
      Action:
        - secretsmanager:GetSecretValue
      # `#{AWS::AccountId}` is expanded by serverless-pseudo-parameters.
      # The region is hard-coded and must be kept in step with
      # provider.region above.
      Resource: arn:aws:secretsmanager:eu-central-1:#{AWS::AccountId}:secret:${self:custom.stage}/*

package:
  individually: true
  exclude:
    - tests

plugins:
  - serverless-domain-manager
  - serverless-python-requirements
  - serverless-wsgi
  - serverless-pseudo-parameters

custom:
  # `--stage` on the command line wins; otherwise provider.stage (alpha).
  stage: ${opt:stage, self:provider.stage}

  # Per-stage lookup tables, indexed with ${self:custom.stage}.
  origin:
    production: https://vault.offen.dev
    staging: https://vault-staging.offen.dev
    alpha: https://vault-alpha.offen.dev
  serverHost:
    production: https://server.offen.dev
    staging: https://server-staging.offen.dev
    alpha: https://server-alpha.offen.dev
  domain:
    production: accounts.offen.dev
    staging: accounts-staging.offen.dev
    alpha: accounts-alpha.offen.dev
  # NOTE(review): every stage uses the same parent domain. If the app sets
  # its session cookie with this Domain attribute, a cookie issued by alpha
  # or staging is also sent to the production hosts (and vice versa).
  # How COOKIE_DOMAIN is consumed is not visible here; confirm that
  # cross-stage cookie scope is intended.
  cookieDomain:
    production: .offen.dev
    staging: .offen.dev
    alpha: .offen.dev

  # serverless-domain-manager settings.
  customDomain:
    basePath: ''
    certificateName: '*.offen.dev'
    domainName: ${self:custom.domain.${self:custom.stage}}
    stage: ${self:custom.stage}
    endpointType: regional
    createRoute53Record: false

  # serverless-wsgi settings.
  wsgi:
    app: accounts.app
    packRequirements: false

  # serverless-python-requirements settings.
  pythonRequirements:
    slim: true
    dockerizePip: non-linux
    fileName: requirements.txt

functions:
  # Custom Lambda authorizer referenced by the /admin/ routes of `app`.
  authorizer:
    handler: lambdas.authorizer.handler
    environment:
      STAGE: ${self:custom.stage}

  # No event source is declared for this function in this file; how it is
  # triggered is not visible here.
  rotateKeys:
    handler: lambdas.rotate_keys.handler
    environment:
      STAGE: ${self:custom.stage}

  app:
    handler: wsgi_handler.handler
    timeout: 30
    events:
      # Admin routes: API Gateway calls the authorizer before the app.
      # resultTtlInSeconds: 0 disables caching of the authorizer result, so
      # every request is re-evaluated against the Authorization header.
      - http:
          path: /admin/
          method: any
          authorizer:
            name: authorizer
            resultTtlInSeconds: 0
            identitySource: method.request.header.Authorization
      - http:
          path: /admin/{proxy+}
          method: any
          authorizer:
            name: authorizer
            resultTtlInSeconds: 0
            identitySource: method.request.header.Authorization
      # Everything else reaches the WSGI app with no gateway-level
      # authorizer; any access control for these paths has to be enforced
      # inside the application.
      - http:
          path: '/'
          method: any
      - http:
          path: '/{proxy+}'
          method: any
    environment:
      CONFIG_CLASS: accounts.config.SecretsManagerConfig
      STAGE: ${self:custom.stage}
      CORS_ORIGIN: ${self:custom.origin.${self:custom.stage}}
      COOKIE_DOMAIN: ${self:custom.cookieDomain.${self:custom.stage}}
      SERVER_HOST: ${self:custom.serverHost.${self:custom.stage}}

resources:
  Resources:
    # Adds `WWW-Authenticate: Basic` to the gateway's own 401 responses
    # (those produced when the authorizer rejects a request). The inner
    # single quotes mark the value as a static string for API Gateway.
    GatewayResponse:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.WWW-Authenticate: "'Basic'"
        ResponseType: UNAUTHORIZED
        RestApiId:
          Ref: 'ApiGatewayRestApi'
        StatusCode: '401'