serverless.yml

service: invoices

frameworkVersion: ">=1.1.0 <2.0.0"

plugins:
  - serverless-single-page-app-plugin
  - serverless-kms-secrets
  - serverless-dynamodb-local
  - serverless-offline
  - serverless-s3-local

custom:
  defaultStage: sand
  accounts:
    prod:
      stage: prod011
      domainName: trade.commerceblock.com
    sand:
      stage: sand010
      domainName: trade.commerceblock.ninja
  selectedStage: ${env:CB_ENV, self:custom.defaultStage}
  stage: ${self:custom.accounts.${self:custom.selectedStage}.stage}
  externalEnv: ${file(env.${self:custom.stage}.${opt:region, self:provider.region}.yml)}
  kmsSecrets: ${file(kms-secrets.${self:custom.stage}.${opt:region, self:provider.region}.yml)}
  cors: ${self:custom.externalEnv.cors}
  dynamodbThroughput: ${self:custom.externalEnv.dynamodbThroughput}
  s3Bucket: cb-${self:provider.environment.CB_ENV_NAME}-website
  localWebsiteDestination: build/frontend/
  remoteWebsiteDestination: s3://${self:custom.s3Bucket}/
  domainName: ${self:custom.accounts.${self:custom.selectedStage}.domainName}
  # dev env
  dynamodb: ${self:custom.externalEnv.dynamodb}
  s3: ${self:custom.externalEnv.s3}
  serverless-offline: ${self:custom.externalEnv.serverless-offline}


provider:
  name: aws
  stage: ${self:custom.stage}
  region: eu-west-1
  runtime: nodejs6.10
  memorySize: 256
  timeout: 5
  versionFunctions: true
  environment:
    CB_ENV_NAME: ${self:custom.stage}-${self:service}
    CB_STORAGE_ACCESS_KEY: ${self:custom.kmsSecrets.secrets.CB_STORAGE_ACCESS_KEY}
    CB_STORAGE_SECRET_KEY: ${self:custom.kmsSecrets.secrets.CB_STORAGE_SECRET_KEY}
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:GetItem
        - dynamodb:BatchGetItem
        - dynamodb:PutItem
        - dynamodb:BatchWriteItem
      Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/${self:service}-${self:custom.stage}-*"
    - Effect: Allow
      Action:
        - KMS:Decrypt
      Resource: ${self:custom.kmsSecrets.keyArn}

functions:

  portal-signup-api:
    handler: lambda/portal-signup-api.post
    events:
      - http:
          path: /portal/v1.0/signup
          method: post
          cors: true

  portal-login-api:
    handler: lambda/portal-login-api.post
    events:
      - http:
          path: /portal/v1.0/login
          method: post
          cors: true

  portal-graphql-api:
    handler: lambda/portal-graphql-api.post
    events:
    - http:
        path: /portal/v1.0/graphql
        method: post
        cors: true

  invoices-graphql-api:
    handler: lambda/invoices-graphql-api.post
    events:
    - http:
        path: /invoices/v1.0/graphql
        method: post
        cors: true

resources:
  Resources:
    WebsiteS3Bucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:custom.s3Bucket}
        AccessControl: PublicRead
        WebsiteConfiguration:
          IndexDocument: index.html
          ErrorDocument: index.html
    WebsiteS3BucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket:
          Ref: WebsiteS3Bucket
        PolicyDocument:
          Statement:
            - Sid: PublicReadGetObject
              Effect: Allow
              Principal: "*"
              Action:
              - s3:GetObject
              Resource:
              - Fn::Join:
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: WebsiteS3Bucket
                  - "/*"
    StorageBucket:
      Type: "AWS::S3::Bucket"
      DeletionPolicy: Retain
      Properties:
        BucketName: cb-${self:provider.environment.CB_ENV_NAME}-storage
        CorsConfiguration:
          CorsRules:
          - AllowedHeaders: ["*"]
            AllowedMethods: [GET, POST, PUT]
            AllowedOrigins: ["*"]
            ExposedHeaders: [Date]
            Id: FirstRule
            MaxAge: "3600"
    StorageDynamoDbTable:
      Type: "AWS::DynamoDB::Table"
      DeletionPolicy: Retain
      Properties:
        TableName: ${self:provider.environment.CB_ENV_NAME}-storage
        AttributeDefinitions:
          -
            AttributeName: file_id
            AttributeType: S
        KeySchema:
          -
            AttributeName: file_id
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: ${self:custom.dynamodbThroughput.storage.read}
          WriteCapacityUnits: ${self:custom.dynamodbThroughput.storage.write}
    EventsDynamoDbTable:
      Type: "AWS::DynamoDB::Table"
      DeletionPolicy: Retain
      Properties:
        TableName: ${self:provider.environment.CB_ENV_NAME}-events
        AttributeDefinitions:
          -
            AttributeName: trader_id
            AttributeType: S
          -
            AttributeName: event_id
            AttributeType: S
          -
            AttributeName: link_id
            AttributeType: S
        KeySchema:
          -
            AttributeName: trader_id
            KeyType: HASH
          -
            AttributeName: event_id
            KeyType: RANGE
        ProvisionedThroughput:
          ReadCapacityUnits: ${self:custom.dynamodbThroughput.events.read}
          WriteCapacityUnits: ${self:custom.dynamodbThroughput.events.write}
        StreamSpecification:
          StreamViewType: NEW_IMAGE
        GlobalSecondaryIndexes:
          - IndexName: InvoiceSummaryIndex
            KeySchema:
             - AttributeName: link_id
               KeyType: HASH
            Projection:
              ProjectionType: INCLUDE
              NonKeyAttributes: [invoice_id, trader_id]
            ProvisionedThroughput:
              ReadCapacityUnits: ${self:custom.dynamodbThroughput.events.read}
              WriteCapacityUnits: ${self:custom.dynamodbThroughput.events.write}
    AccessTokensDynamoDbTable:
      Type: "AWS::DynamoDB::Table"
      DeletionPolicy: Retain
      Properties:
        TableName: ${self:provider.environment.CB_ENV_NAME}-access-tokens
        AttributeDefinitions:
          -
            AttributeName: access_token_id
            AttributeType: S
        KeySchema:
          -
            AttributeName: access_token_id
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: ${self:custom.dynamodbThroughput.accessTokens.read}
          WriteCapacityUnits: ${self:custom.dynamodbThroughput.accessTokens.write}
    WebAppCloudFrontDistribution:
      Type: AWS::CloudFront::Distribution
      Properties:
        DistributionConfig:
          Aliases:
            - ${self:custom.domainName}
          Origins:
            - DomainName: ${self:custom.s3Bucket}.s3-website-${self:provider.region}.amazonaws.com
              ## An identifier for the origin which must be unique within the distribution
              Id: WebApp
              CustomOriginConfig:
                HTTPPort: 80
                HTTPSPort: 443
                OriginProtocolPolicy: https-only
          Enabled: 'true'
          DefaultRootObject: index.html
          CustomErrorResponses:
            - ErrorCode: 404
              ResponseCode: 200
              ResponsePagePath: /index.html
          DefaultCacheBehavior:
            AllowedMethods:
              - HEAD
              - GET
              - OPTIONS
            TargetOriginId: WebApp
            ForwardedValues:
              QueryString: 'false'
              Cookies:
                Forward: none
            ViewerProtocolPolicy: redirect-to-https
          ViewerCertificate:
            AcmCertificateArn: ${self:custom.kmsSecrets.certificateArn}
            SslSupportMethod: sni-only

  Outputs:
    WebAppCloudFrontDistributionOutput:
      Value:
        'Fn::GetAtt': [ WebAppCloudFrontDistribution, DomainName ]