148 lines
4.0 KiB
YAML
148 lines
4.0 KiB
YAML
AWSTemplateFormatVersion: 2010-09-09
|
|
Transform: AWS::Serverless-2016-10-31
|
|
|
|
Parameters:
|
|
OAuth2Table:
|
|
Type: String
|
|
Default: betaeducacao-prod-users_d2o3r5gmm4it7j
|
|
|
|
Globals:
|
|
Function:
|
|
CodeUri: app/
|
|
Runtime: python3.13
|
|
Tracing: Active
|
|
Architectures:
|
|
- x86_64
|
|
Layers:
|
|
- !Sub arn:aws:lambda:sa-east-1:336641857101:layer:layercake:98
|
|
Environment:
|
|
Variables:
|
|
TZ: America/Sao_Paulo
|
|
LOG_LEVEL: DEBUG
|
|
POWERTOOLS_LOGGER_SAMPLE_RATE: 0.1
|
|
POWERTOOLS_LOGGER_LOG_EVENT: true
|
|
DYNAMODB_PARTITION_KEY: id
|
|
DYNAMODB_SORT_KEY: sk
|
|
OAUTH2_TABLE: !Ref OAuth2Table
|
|
ISSUER: https://id.saladeaula.digital
|
|
|
|
Resources:
|
|
HttpLog:
|
|
Type: AWS::Logs::LogGroup
|
|
Properties:
|
|
RetentionInDays: 90
|
|
|
|
HttpApi:
|
|
Type: AWS::Serverless::HttpApi
|
|
Properties:
|
|
CorsConfiguration:
|
|
AllowOrigins: ["*"]
|
|
AllowMethods: [GET, POST, OPTIONS]
|
|
AllowHeaders: [Content-Type, X-Requested-With, Authorization]
|
|
|
|
HttpApiFunction:
|
|
Type: AWS::Serverless::Function
|
|
Properties:
|
|
Handler: app.lambda_handler
|
|
LoggingConfig:
|
|
LogGroup: !Ref HttpLog
|
|
Policies:
|
|
- DynamoDBCrudPolicy:
|
|
TableName: !Ref OAuth2Table
|
|
- Version: 2012-10-17
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- cognito-idp:InitiateAuth
|
|
Resource: !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*
|
|
Events:
|
|
Session:
|
|
Type: HttpApi
|
|
Properties:
|
|
Path: /session
|
|
Method: POST
|
|
ApiId: !Ref HttpApi
|
|
Authorize:
|
|
Type: HttpApi
|
|
Properties:
|
|
Path: /authorize
|
|
Method: GET
|
|
ApiId: !Ref HttpApi
|
|
OpenIDConfiguration:
|
|
Type: HttpApi
|
|
Properties:
|
|
Path: /.well-known/openid-configuration
|
|
Method: GET
|
|
ApiId: !Ref HttpApi
|
|
JWKS:
|
|
Type: HttpApi
|
|
Properties:
|
|
Path: /.well-known/jwks.json
|
|
Method: GET
|
|
ApiId: !Ref HttpApi
|
|
Token:
|
|
Type: HttpApi
|
|
Properties:
|
|
Path: /token
|
|
Method: POST
|
|
ApiId: !Ref HttpApi
|
|
Revoke:
|
|
Type: HttpApi
|
|
Properties:
|
|
Path: /revoke
|
|
Method: POST
|
|
ApiId: !Ref HttpApi
|
|
UserInfo:
|
|
Type: HttpApi
|
|
Properties:
|
|
Path: /userinfo
|
|
Method: GET
|
|
ApiId: !Ref HttpApi
|
|
|
|
OIDCDistribution:
|
|
Type: AWS::CloudFront::Distribution
|
|
Properties:
|
|
DistributionConfig:
|
|
Enabled: true
|
|
Origins:
|
|
- Id: OidcApiOrigin
|
|
DomainName: !Sub "${HttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}"
|
|
CustomOriginConfig:
|
|
OriginProtocolPolicy: https-only
|
|
DefaultCacheBehavior:
|
|
TargetOriginId: OidcApiOrigin
|
|
ViewerProtocolPolicy: redirect-to-https
|
|
AllowedMethods: [GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE]
|
|
CachedMethods: [GET, HEAD]
|
|
ForwardedValues:
|
|
QueryString: true
|
|
Cookies:
|
|
Forward: all
|
|
DefaultTTL: 0
|
|
MinTTL: 0
|
|
MaxTTL: 0
|
|
CacheBehaviors:
|
|
- PathPattern: "/.well-known/*"
|
|
TargetOriginId: OidcApiOrigin
|
|
ViewerProtocolPolicy: redirect-to-https
|
|
AllowedMethods: [GET, HEAD, OPTIONS]
|
|
CachedMethods: [GET, HEAD, OPTIONS]
|
|
ForwardedValues:
|
|
QueryString: false
|
|
DefaultTTL: 3600 # 1 hour
|
|
MinTTL: 300 # 5 minutes
|
|
MaxTTL: 86400 # 1 day
|
|
|
|
Outputs:
|
|
HttpApiUrl:
|
|
Description: URL of your API endpoint
|
|
Value:
|
|
Fn::Sub: "https://${HttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}"
|
|
HttpApiId:
|
|
Description: Api ID of HttpApi
|
|
Value:
|
|
Ref: HttpApi
|
|
OIDCDistributionDomain:
|
|
Description: Domain of CloudFront Distribution domain for OIDC endpoints
|
|
Value: !GetAtt OIDCDistribution.DomainName
|