AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::Serverless-2016-10-31 Parameters: OAuth2Table: Type: String Default: betaeducacao-prod-users_d2o3r5gmm4it7j Globals: Function: CodeUri: app/ Runtime: python3.13 Tracing: Active Architectures: - x86_64 Layers: - !Sub arn:aws:lambda:sa-east-1:336641857101:layer:layercake:96 Environment: Variables: TZ: America/Sao_Paulo LOG_LEVEL: DEBUG POWERTOOLS_LOGGER_SAMPLE_RATE: 0.1 POWERTOOLS_LOGGER_LOG_EVENT: true DYNAMODB_PARTITION_KEY: id DYNAMODB_SORT_KEY: sk OAUTH2_TABLE: !Ref OAuth2Table ISSUER: https://id.saladeaula.digital SESSION_SECRET: 7DUTFB1iLeSpiXvmxbOZim1yPVmQbmBpAzgscob0RDzrL2wVwRi1ti2ZSry7jJAf OAUTH2_SCOPES_SUPPORTED: openid profile email offline_access read:users read:enrollments read:orders read:courses write:courses Resources: HttpLog: Type: AWS::Logs::LogGroup Properties: RetentionInDays: 90 HttpApi: Type: AWS::Serverless::HttpApi Properties: CorsConfiguration: AllowOrigins: ["*"] AllowMethods: [GET, POST, OPTIONS] AllowHeaders: [Content-Type, X-Requested-With, Authorization] HttpApiFunction: Type: AWS::Serverless::Function Properties: Handler: app.lambda_handler LoggingConfig: LogGroup: !Ref HttpLog Policies: - DynamoDBCrudPolicy: TableName: !Ref OAuth2Table - Version: 2012-10-17 Statement: - Effect: Allow Action: - cognito-idp:InitiateAuth Resource: !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/* Events: Session: Type: HttpApi Properties: Path: /session Method: POST ApiId: !Ref HttpApi Authorize: Type: HttpApi Properties: Path: /authorize Method: GET ApiId: !Ref HttpApi OpenIDConfiguration: Type: HttpApi Properties: Path: /.well-known/openid-configuration Method: GET ApiId: !Ref HttpApi JWKS: Type: HttpApi Properties: Path: /.well-known/jwks.json Method: GET ApiId: !Ref HttpApi Token: Type: HttpApi Properties: Path: /token Method: POST ApiId: !Ref HttpApi Revoke: Type: HttpApi Properties: Path: /revoke Method: POST ApiId: !Ref HttpApi UserInfo: Type: HttpApi Properties: Path: /userinfo Method: GET ApiId: !Ref HttpApi OIDCDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Enabled: true Origins: - Id: OidcApiOrigin DomainName: !Sub "${HttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}" CustomOriginConfig: OriginProtocolPolicy: https-only DefaultCacheBehavior: TargetOriginId: OidcApiOrigin ViewerProtocolPolicy: redirect-to-https AllowedMethods: [GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE] CachedMethods: [GET, HEAD] ForwardedValues: QueryString: true Cookies: Forward: all DefaultTTL: 0 MinTTL: 0 MaxTTL: 0 CacheBehaviors: - PathPattern: "/.well-known/*" TargetOriginId: OidcApiOrigin ViewerProtocolPolicy: redirect-to-https AllowedMethods: [GET, HEAD, OPTIONS] CachedMethods: [GET, HEAD, OPTIONS] ForwardedValues: QueryString: false DefaultTTL: 3600 # 1 hour MinTTL: 300 # 5 minutes MaxTTL: 86400 # 1 day Outputs: HttpApiUrl: Description: URL of your API endpoint Value: Fn::Sub: "https://${HttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}" HttpApiId: Description: Api ID of HttpApi Value: Ref: HttpApi OIDCDistributionDomain: Description: Domain of CloudFront Distribution domain for OIDC endpoints Value: !GetAtt OIDCDistribution.DomainName