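# SAM template: an S3 bucket, a public-read bucket policy, an HTTP API and a
# Lambda function behind GET /uploads.
# Quoted so generic YAML loaders keep the version as a string, not a date.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: S3 Miro Banner Accepters

# Naming: bucket, API and function names are the stack name plus a suffix
# taken from the stack id (third '/'-separated component, then its fifth
# '-'-separated field) -- presumably the tail of the stack UUID; confirm.
Resources:
  ## S3 bucket
  S3MiroBannerAccepters:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Join ['', ['s3-', !Join ['-', [!Ref AWS::StackName, !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]]]
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - '*'
            AllowedMethods:
              - GET
              - PUT
              - HEAD
            # The origins rebuild the bucket's own name with the same !Join
            # expression as BucketName; keep the two in sync.
            AllowedOrigins:
              - !Join ['', ['https://s3-', !Join ['-', [!Ref AWS::StackName, !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]], '.s3.', !Ref AWS::Region, '.amazonaws.com']]
              - !Join ['', ['https://s3-', !Join ['-', [!Ref AWS::StackName, !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]], '.s3.amazonaws.com']]
      # All four public-access guards are switched off. The public-read
      # bucket policy below needs BlockPublicPolicy and RestrictPublicBuckets
      # to be false.
      # NOTE(review): BlockPublicAcls / IgnorePublicAcls could likely be true
      # unless uploads set object ACLs -- confirm against the handler.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        BlockPublicPolicy: false
        IgnorePublicAcls: false
        RestrictPublicBuckets: false

  ## This permission will make the contents of the S3 bucket publicly readable
  # NOTE(review): Principal '*' with s3:GetObject on '/*' exposes every
  # object in the bucket to anonymous reads. The descriptions in this
  # template say the bucket records users who accepted the terms modal, so
  # the objects presumably carry user identifiers. Consider narrowing
  # Resource to the one prefix that must be public, or serving reads
  # through the API instead.
  ProductBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3MiroBannerAccepters
      PolicyDocument:
        Id: PublicReadPolicy
        Version: '2012-10-17'
        Statement:
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: s3:GetObject
            Resource: !Sub 'arn:aws:s3:::${S3MiroBannerAccepters}/*'

  # HTTP API
  MiroBannerAPI:
    Type: AWS::Serverless::HttpApi
    Properties:
      Name: !Join ['', ['api-', !Join ['-', [!Ref AWS::StackName, !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]]]
      Description: !Sub 'API endpoint for the "Miro Terms Modal app". It handles requests to write on the S3 bucket "${S3MiroBannerAccepters}/users"'
      # CORS configuration - The s3 bucket origin will be added as the only allowed origin.
      # See https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-httpapi-httpapicorsconfiguration.html
      # NOTE(review): CORS is enforced by browsers only and is not access
      # control. No authorizer is configured on this API or on the
      # /uploads route in this template, so any client that can reach the
      # endpoint can call it. Consider an authorizer, or validating the
      # caller in the handler.
      CorsConfiguration:
        AllowMethods:
          - GET
          - OPTIONS
        AllowHeaders:
          - '*'
        AllowOrigins:
          - !Sub 'https://${S3MiroBannerAccepters}.s3.${AWS::Region}.amazonaws.com'
          - !Sub 'https://${S3MiroBannerAccepters}.s3.amazonaws.com'

  ## Lambda function
  MiroBannerAcceptersRequestFunction:
    # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Join ['-', [!Ref AWS::StackName, !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
      Description: !Sub 'Lambda function for the "Miro Terms Modal app". It writes data on the S3 bucket "${S3MiroBannerAccepters}/users"'
      CodeUri: getSignedURL/
      Handler: app.handler
      # NOTE(review): Node.js 16 is end-of-life upstream and no longer gets
      # security patches. Plan a move to a supported runtime; check first
      # whether the handler depends on SDK packages bundled with this one.
      Runtime: nodejs16.x
      Timeout: 3
      MemorySize: 128
      Environment:
        Variables:
          # Bucket name handed to the handler.
          MiroBannerAccepters: !Ref S3MiroBannerAccepters
      Policies:
        # SAM policy template granting write access to the whole bucket.
        # NOTE(review): the descriptions mention only the "users" prefix;
        # a hand-written statement scoped to that prefix would be tighter.
        - S3WritePolicy:
            BucketName: !Ref S3MiroBannerAccepters
        ## This permission allows the Lambda function to request signed URLs
        ## for objects that will be publicly readable. Uncomment if you want this ACL.
        # NOTE(review): the comment above says "Uncomment", yet the statement
        # is active. Its Resource ends in '/' with no wildcard, so as written
        # it appears to match no object key. The bucket policy already makes
        # objects public, so either drop this statement or, if object ACLs
        # are really needed, scope it to the written prefix (e.g. users/*).
        - Statement:
            - Effect: Allow
              Resource: !Sub 'arn:aws:s3:::${S3MiroBannerAccepters}/'
              Action:
                - s3:putObjectAcl
      Events:
        UploadAssetAPI:
          Type: HttpApi
          Properties:
            Path: /uploads
            Method: get
            ApiId: !Ref MiroBannerAPI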
## Take a note of the outputs for deploying the workflow templates in this sample application
Outputs:
  # Base URL of the HTTP API; the function's event in this template is
  # GET /uploads on this API.
  S3RecordTermsAcceptanceEndpointUrl:
    Description: >-
      HTTP API endpoint URL to get the S3 signed URL to write on the S3 bucket
    Value: !Sub 'https://${MiroBannerAPI}.execute-api.${AWS::Region}.amazonaws.com'

  # Logical bucket reference resolved to the generated bucket name.
  S3BucketName:
    Description: >-
      Name of the S3 bucket that captures users who have accepted the terms
      modal in Miro
    Value: !Ref S3MiroBannerAccepters

  # Regional virtual-hosted-style URL of the bucket; per the description it
  # is the address clients read acceptance records from.
  S3BucketBaseUrl:
    Description: >-
      Base URL of the S3 bucket - it will be used to query/read users who have
      already accepted the terms modal
    Value: !Sub 'https://${S3MiroBannerAccepters}.s3.${AWS::Region}.amazonaws.com'