template.yml

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Task Dashboard for yourself.

Transform: AWS::Serverless-2016-10-31

Parameters:
  AppId:
    Type: String
  Password:
    Type: String

Globals:
  Function:
    Timeout: 10
    Layers:
      - !Ref Taskboxlayer

Resources:
  taskbox:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: taskbox
      CodeUri: ./src
      Handler: taskbox.index.lambda_handler
      Runtime: python3.9
      MemorySize: 180
      Description: A crontask frame and HTTP service.
      Environment:
        Variables:
          DDB_TABLE: !Ref taskboxddbtable
          LOG_GROUP: '/aws/lambda/taskbox'
          # 用来登录web的强密码
          auth_passwd: !Sub '${Password}'
          FUNC_ARN: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:taskbox'
          ROLE_ARN: !GetAtt excrole.Arn
      # 如果日志出现缺少dynamodb get权限，在函数配置界面创个不用鉴权的函数url再试试
      Events:
        ExplicitApi:
          Type: HttpApi
          Properties:
            ApiId: !Ref http
            Path: /auth/login
            Method: POST
      Role: !GetAtt excrole.Arn

  http:
    Type: AWS::Serverless::HttpApi
    Properties:
      AccessLogSettings:
        DestinationArn: !GetAtt AccessLogs.Arn
        Format: >-
          {"id": "$context.requestId", "Time":"$context.requestTime",
          "srcip": "$context.identity.sourceIp",
          "path": "$context.path", "status":"$context.status"}
      DefaultRouteSettings:
        ThrottlingBurstLimit: 50
      FailOnWarnings: true
      RouteSettings:
        "POST /auth/login":
          ThrottlingBurstLimit: 1 # overridden in HttpApi Event

  Taskboxlayer:
    Type: AWS::Serverless::LayerVersion
    Properties:
      LayerName: Taskboxlayer
      Description: "flask rsa requests"
      ContentUri: dependencies/
      CompatibleRuntimes:
        - python3.9
      RetentionPolicy: Delete

  # libs:
  #   Type: AWS::Lambda::LayerVersion
  #   Properties:
  #     LayerName: taskboxlayer
  #     Description: jinja2 + rsa + requests + boto3 1.26
  #     Content:
  #       S3Bucket: !Sub 'aws-${AWS::Region}-${AWS::AccountId}-${AppId}-pipe'
  #       S3Key: layer/taskboxlayer.zip

  AccessLogs:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: 'lambda_taskbox_apigw_log'
      RetentionInDays: 90

  taskboxddbtable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        -
          AttributeName: "id"
          AttributeType: "S"
        -
          AttributeName: "name"
          AttributeType: "S"
      KeySchema:
        -
          AttributeName: "id"
          KeyType: "HASH"
        -
          AttributeName: "name"
          KeyType: "RANGE"

  excrole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: taskboxexc
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - scheduler.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: Role for exc lambda
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
        - 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonEventBridgeSchedulerFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess'
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'