Created
September 11, 2018 22:02
-
-
Save aldarund/ff6217cbaae1eddfb47afef55e467ff1 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| service: "project-serverless" # Edit service name | |
| provider: | |
| name: aws | |
| runtime: nodejs8.10 | |
| stage: ${env:STAGE} | |
| region: ${env:AWS_REGION, 'us-east-1'} # Edit region name | |
| # domainName: ${env:DOMAIN_NAME, 'project.net'} | |
| # certificateName: '*.project.net' # TODO https://github.com/serverless/serverless/issues/4959 | |
| allowedOrigin: '*' | |
| bucketName: project-serverless-${env:STAGE} | |
| environment: | |
| NODE_ENV: production | |
| GRAPHQL_URL: ${env:API_URL, 'http://localhost:8000/'} | |
| iamRoleStatements: | |
| - Effect: 'Allow' | |
| Action: | |
| - 'lambda:InvokeFunction' | |
| - lambda:ListAliases | |
| - lambda:ListFunctions | |
| Resource: "*" | |
| functions: | |
| preSignUp: | |
| handler: presignup.handler | |
| events: | |
| - cognitoUserPool: | |
| pool: Project | |
| trigger: PreSignUp | |
| nuxtRenderer: | |
| handler: handler.render | |
| memorySize: ${env:LAMBDA_MEMORY, '128'} | |
| timeout: 30 | |
| package: | |
| exclude: | |
| - src/** | |
| - tests/** | |
| - .nuxt/dist/client/*.js.map | |
| - node_modules/.cache/** | |
| include: | |
| - src/modules/** | |
| - src/static/** | |
| - serverless.yml | |
| events: | |
| - http: | |
| path: / | |
| method: ANY | |
| cors: true | |
| - http: | |
| path: /{proxy+} | |
| method: ANY | |
| cors: true | |
| resources: | |
| - ${file(resources/cognito-user-pool.yml)} | |
| - ${file(resources/cognito-identity-pool.yml)} | |
| - ${file(resources/s3.yml)} | |
| plugins: | |
| - serverless-offline | |
| - serverless-s3-sync | |
| # - serverless-domain-manager | |
| - serverless-prune-plugin | |
| custom: | |
| serverless-offline: | |
| port: 4001 | |
| myStage: ${self:provider.stage} | |
| s3Sync: | |
| - bucketName: ${self:provider.bucketName} # Retype the bucket name specified above | |
| localDir: .nuxt/dist | |
| acl: public-read | |
| params: # optional | |
| - "*.js": | |
| CacheControl: 'public, max-age=31536000' | |
| - "img/*.*": | |
| CacheControl: 'public, max-age=31536000' | |
| - "fonts/*.*": | |
| CacheControl: 'public, max-age=31536000' | |
| - "icons/*.*": | |
| CacheControl: 'public, max-age=31536000' | |
| - "*.css": | |
| CacheControl: 'public, max-age=31536000' | |
| - "*.map": | |
| ACL: private | |
| # | |
| # customDomain: | |
| # domainName: ${self:provider.domainName} # Specify a new domain name to be created | |
| # stage: ${self:provider.stage} | |
| # certificateName: ${self:provider.certificateName} # Enter the Certificate name with that domain | |
| # createRoute53Record: false | |
| ---- | |
| Resources: | |
| # The federated identity for our user pool to auth with | |
| CognitoIdentityPool: | |
| Type: AWS::Cognito::IdentityPool | |
| Properties: | |
| # Generate a name based on the stage | |
| IdentityPoolName: ${self:provider.stage}ProjectIdeaIdentityPool | |
| # Don't allow unathenticated users | |
| AllowUnauthenticatedIdentities: true | |
| # Link to our User Pool | |
| CognitoIdentityProviders: | |
| - ClientId: | |
| Ref: CognitoUserPoolClient | |
| ProviderName: | |
| Fn::GetAtt: [ "CognitoUserPoolProject", "ProviderName" ] | |
| # # Assigns the roles to the Identity Pool | |
| IdentityPoolRoleMapping: | |
| Type: "AWS::Cognito::IdentityPoolRoleAttachment" | |
| Properties: | |
| IdentityPoolId: | |
| Ref: CognitoIdentityPool | |
| Roles: | |
| authenticated: | |
| 'Fn::GetAtt': [CognitoAuthorizedRole, Arn] | |
| unauthenticated: | |
| 'Fn::GetAtt': [CognitoUnAuthorizedRole, Arn] | |
| # Create a role for unauthorized acces to AWS resources. Very limited access. Only allows users in the previously created Identity Pool | |
| CognitoUnAuthorizedRole: | |
| Type: "AWS::IAM::Role" | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Version: "2012-10-17" | |
| Statement: | |
| - Effect: "Allow" | |
| Principal: | |
| Federated: "cognito-identity.amazonaws.com" | |
| Action: | |
| - "sts:AssumeRoleWithWebIdentity" | |
| Condition: | |
| StringEquals: | |
| "cognito-identity.amazonaws.com:aud": | |
| Ref: CognitoIdentityPool | |
| "ForAnyValue:StringLike": | |
| "cognito-identity.amazonaws.com:amr": unauthenticated | |
| Policies: | |
| - PolicyName: "CognitoUnauthorizedPolicy" | |
| PolicyDocument: | |
| Version: "2012-10-17" | |
| Statement: | |
| - Effect: "Allow" | |
| Action: | |
| - "mobileanalytics:PutEvents" | |
| - "cognito-sync:*" | |
| Resource: "*" | |
| # Create a role for authorized acces to AWS resources. Control what your user can access. This example only allows Lambda invokation | |
| # Only allows users in the previously created Identity Pool | |
| CognitoAuthorizedRole: | |
| Type: "AWS::IAM::Role" | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Version: "2012-10-17" | |
| Statement: | |
| - Effect: "Allow" | |
| Principal: | |
| Federated: "cognito-identity.amazonaws.com" | |
| Action: | |
| - "sts:AssumeRoleWithWebIdentity" | |
| Condition: | |
| StringEquals: | |
| "cognito-identity.amazonaws.com:aud": | |
| Ref: CognitoIdentityPool | |
| "ForAnyValue:StringLike": | |
| "cognito-identity.amazonaws.com:amr": authenticated | |
| Policies: | |
| - PolicyName: "CognitoAuthorizedPolicy" | |
| PolicyDocument: | |
| Version: "2012-10-17" | |
| Statement: | |
| - Effect: "Allow" | |
| Action: | |
| - "mobileanalytics:PutEvents" | |
| - "cognito-sync:*" | |
| - "cognito-identity:*" | |
| Resource: "*" | |
| # - Effect: "Allow" | |
| # Action: | |
| # - "lambda:InvokeFunction" | |
| # Resource: "*" | |
| # Print out the Id of the Identity Pool that is created | |
| Outputs: | |
| IdentityPoolId: | |
| Value: | |
| Ref: CognitoIdentityPool | |
| Export: | |
| Name: "CognitoIdentityPool::Id" | |
| ---- | |
| Resources: | |
| CognitoUserPoolProject: | |
| Type: AWS::Cognito::UserPool | |
| Properties: | |
| # Generate a name based on the stage | |
| UserPoolName: ${self:provider.stage}ProjectIdeaUserPool | |
| # Set email as an alias | |
| UsernameAttributes: | |
| AutoVerifiedAttributes: | |
| CognitoUserPoolClient: | |
| Type: AWS::Cognito::UserPoolClient | |
| Properties: | |
| # Generate an app client name based on the stage | |
| ClientName: ${self:provider.stage}ProjectIdeaUserPoolClient | |
| UserPoolId: | |
| Ref: CognitoUserPoolProject | |
| ExplicitAuthFlows: | |
| - ADMIN_NO_SRP_AUTH | |
| GenerateSecret: false | |
| # Print out the Id of the User Pool that is created | |
| Outputs: | |
| UserPoolId: | |
| Value: | |
| Ref: CognitoUserPoolProject | |
| Export: | |
| Name: "CognitoUserPool::Id" | |
| UserPoolClientId: | |
| Value: | |
| Ref: CognitoUserPoolClient | |
| Export: | |
| Name: "CognitoUserPoolClient::Id" | |
| ---- | |
| Resources: | |
| AssetsBucket: | |
| Type: AWS::S3::Bucket | |
| Properties: | |
| BucketName: ${self:provider.bucketName} # Specify a new bucket name for client assets | |
| CorsConfiguration: | |
| CorsRules: | |
| - AllowedHeaders: | |
| - "*" | |
| AllowedMethods: | |
| - GET | |
| AllowedOrigins: | |
| - ${self:provider.allowedOrigin} | |
| AssetsBucketPolicy: | |
| Type: AWS::S3::BucketPolicy | |
| Properties: | |
| Bucket: | |
| Ref: AssetsBucket | |
| PolicyDocument: | |
| Version: "2012-10-17" | |
| Statement: | |
| - | |
| Action: | |
| - s3:GetObject | |
| Effect: Allow | |
| Resource: | |
| Fn::Join: | |
| - "" | |
| - | |
| - "arn:aws:s3:::" | |
| - | |
| Ref: AssetsBucket | |
| - "/*" | |
| Principal: | |
| Service: "s3.amazonaws.com" | |
| ---- | |
| @vuetify/vuex-cognito-module |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment