# Serverless Framework service: a static S3 site behind CloudFront, with a
# Lambda@Edge viewer-request function (functions.auth) performing the
# authentication step.
service: secure-static-s3-site

provider:
  name: 'aws'
  # NOTE(review): nodejs8.10 reached end of support and Lambda no longer
  # accepts new deployments on it; move to a supported Node.js runtime once
  # the handler in main.js is confirmed to run there.
  runtime: 'nodejs8.10'
  # Lambda@Edge functions have to be created in us-east-1.
  region: 'us-east-1'
  # Service-wide default timeout in seconds; functions.auth sets its own.
  timeout: 30
custom:
  # Taken from the CLI (--stage / --region) when given, otherwise from the
  # provider section. provider.stage is not declared in this file, so the
  # fallback presumably resolves to the framework's default stage.
  stage: '${opt:stage, self:provider.stage}'
  region: '${opt:region, self:provider.region}'

plugins:
  # Per-function bundling of the deployment artifact.
  - 'serverless-plugin-optimize'
  # Reads functions.*.lambdaAtEdge and associates the function with the
  # named CloudFront distribution / cache behavior.
  - 'serverless-plugin-cloudfront-lambda-edge'

package:
  # One artifact per function instead of a single service-wide zip.
  individually: true
functions:
  # Viewer-request authentication function attached to the distribution.
  auth:
    description: 'auth lambda'
    # NOTE(review): `labels` does not appear to be an AWS-provider function
    # property (the AWS provider uses `tags`); confirm what it was meant to do.
    labels: 'auth'
    handler: 'main.auth'
    # Viewer-request Lambda@Edge functions are limited to 128 MB and 5 s;
    # both values here sit exactly at that ceiling.
    memorySize: 128
    timeout: 5
    # Logical ID of the IAM role declared under resources.Resources.
    role: SecureS3SiteLambdaRole
    # Consumed by serverless-plugin-cloudfront-lambda-edge. Only requests that
    # match the 'index.html' cache behavior of WebsiteDistribution go through
    # this function; anything served by the distribution's default behavior
    # is not authenticated by it.
    lambdaAtEdge:
      distribution: WebsiteDistribution
      eventType: viewer-request
      pathPattern: index.html
resources:
Resources:
# S3 bucket holding the site content; origin of WebsiteDistribution.
WebsiteBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: '<static-site-bucket-name>'
    # Risk: PublicRead lets every object be fetched straight from the S3
    # endpoint, bypassing the CloudFront viewer-request auth function. The
    # usual mitigation is a private bucket plus a CloudFront origin access
    # identity/control and a bucket policy that grants read to it alone.
    # Newly created buckets also have ACLs disabled by default, so confirm
    # this ACL still takes effect on a fresh deployment.
    AccessControl: PublicRead
    WebsiteConfiguration:
      IndexDocument: index.html
      ErrorDocument: error.html
# CloudFront distribution in front of WebsiteBucket.
WebsiteDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Enabled: true
      HttpVersion: http2
      # Lowest-cost edge location set (North America and Europe).
      PriceClass: PriceClass_100
      # Object returned for "/". This is main.html, while the bucket's
      # IndexDocument and the auth-gated path pattern are index.html —
      # confirm that difference is intended.
      DefaultRootObject: main.html
      ViewerCertificate:
        # Default *.cloudfront.net certificate; no custom domain configured.
        CloudFrontDefaultCertificate: true
      Origins:
        - Id: WebsiteBucketOrigin
          DomainName:
            Fn::GetAtt:
              - WebsiteBucket
              - DomainName
          # No OriginAccessIdentity: CloudFront reads the origin anonymously,
          # which only works because WebsiteBucket is PublicRead.
          S3OriginConfig: {}
      # Handles every path not matched by CacheBehaviors. No Lambda
      # association is declared here, so these requests do not pass through
      # the auth function.
      DefaultCacheBehavior:
        TargetOriginId: WebsiteBucketOrigin
        ViewerProtocolPolicy: redirect-to-https
        DefaultTTL: 600  # ten minutes
        MaxTTL: 600  # ten minutes
        Compress: true
        ForwardedValues:
          QueryString: false
          Cookies:
            Forward: 'none'
      CacheBehaviors:
        # The behavior serverless-plugin-cloudfront-lambda-edge attaches the
        # viewer-request auth function to (see functions.auth.lambdaAtEdge).
        - PathPattern: index.html
          TargetOriginId: WebsiteBucketOrigin
          AllowedMethods:
            - GET
            - HEAD
          ViewerProtocolPolicy: redirect-to-https
          DefaultTTL: 600  # ten minutes
          MaxTTL: 600  # ten minutes
          Compress: true
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: 'none'
# Resource policy on the auth function.
LambdaGetPermission:
  Type: AWS::Lambda::Permission
  # The Ref below already orders creation; DependsOn only makes it explicit.
  DependsOn:
    - AuthLambdaFunction
  Properties:
    # NOTE(review): grants the EventBridge service principal GetFunction on
    # the auth function for any rule ARN in this account/region. Why a
    # viewer-request auth function needs this is not evident from this file;
    # confirm it is still required and narrow SourceArn if it is.
    Action: lambda:GetFunction
    FunctionName:
      # Logical ID Serverless generates for functions.auth.
      Ref: AuthLambdaFunction
    Principal: events.amazonaws.com
    SourceArn:
      Fn::Join:
        - ':'
        - - 'arn:aws:events'
          - Ref: AWS::Region
          - Ref: AWS::AccountId
          - '*'
SecureS3SiteLambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: SecureS3SiteLambdaRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action: sts:AssumeRole
- Effect: Allow
Principal:
Service:
- edgelambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:DescribeLogStreams"
Resource: arn:aws:logs:*:*:*
- Effect: Allow
Action:
- "s3:PutObject"
- "s3:PutObjectAcl"
- "s3:GetObject"
- "s3:ListBucket"
Resource:
- "arn:aws:s3:::<static-site-bucket-name>/*"