@serverlessunicorn
Last active September 30, 2019 22:26
TWagnerMediumBlogSampleCFTemplatePart9
# NATPunch websocket deployment descriptor; see 'stage' below.
NATPunchWebSocketDeployment:
  Type: AWS::ApiGatewayV2::Deployment
  # See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html for
  # an explanation of why the routes below are listed as explicit dependencies for
  # the API's deployment in CloudFormation. This feels like a bug/hack; hopefully AWS
  # fixes it over time.
  DependsOn:
    - NATPunchConnectRoute
    - NATPunchDisconnectRoute
    - NATPunchDefaultRoute
    - NATPunchPairRoute
    - NATPunchStatusRoute
  Properties:
    ApiId: !Ref NATPunchWebSocket

# NATPunch websocket deployment stage descriptor; see 'deployment' above.
NATPunchWebSocketStage:
  Type: AWS::ApiGatewayV2::Stage
  Properties:
    StageName: !Sub '${Stage}'
    Description: !Sub '${Stage} traffic'
    DeploymentId: !Ref NATPunchWebSocketDeployment
    ApiId: !Ref NATPunchWebSocket
    DefaultRouteSettings:
      DetailedMetricsEnabled: true
      LoggingLevel: INFO
      # Writes full request/response payloads to CloudWatch; weigh that against
      # what clients send over this socket before leaving it on in production.
      DataTraceEnabled: true
      #ThrottlingBurstLimit: 10 ... TODO, revisit later!
      #ThrottlingRateLimit: 10 ... TODO, revisit later!
    AccessLogSettings:
      DestinationArn: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ProjectId}-wss-access-logs'
      # Folded block scalar: the lines below are joined into one JSON object per log line.
      Format: >-
        {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
        "caller":"$context.identity.caller",
        "user":"$context.identity.user","requestTime":"$context.requestTime",
        "eventType":"$context.eventType","routeKey":"$context.routeKey",
        "status":"$context.status","connectionId":"$context.connectionId"}

# NATPunch websocket custom domain setting
NATPunchWebSocketCustomDomain:
  Type: AWS::ApiGatewayV2::DomainName
  Properties:
    DomainName: !Sub '${CustomDomainName}'
    DomainNameConfigurations:
      - EndpointType: REGIONAL
        CertificateArn: arn:aws:acm:us-east-1:293602984666:certificate/64a38c17-c56e-45a2-9b51-f3368b5e90ef
        CertificateName: serverlesstech.net # Display name only, no meaning

# NATPunch websocket custom domain path-to-API binding.
# This 'labels' the DNS CNAME described (and certed) above to the websocket endpoint.
NATPunchWebSocketCustomDomainPathMapping:
  Type: AWS::ApiGatewayV2::ApiMapping
  Properties:
    ApiId: !Ref NATPunchWebSocket
    ApiMappingKey: natpunch
    DomainName: !Ref NATPunchWebSocketCustomDomain
    # Ref on the stage resource returns its name and makes CloudFormation
    # create the stage before this mapping.
    Stage: !Ref NATPunchWebSocketStage

# This sets a resource policy on the NATPunch Lambda function so that all the
# API Gateway NATPunch route proxy integrations can invoke it.
NATPunchIntegPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Ref NATPunchFunction
    Principal: apigateway.amazonaws.com
    # Unfortunately, AWS hasn't made ARN an attribute of API Gateway APIs (or routes), so we have to
    # construct it manually from its component parts.
    # Each route has an ARN that follows this pattern (shown for the $connect route;
    # that asterisk is in the real ARN and not a typo):
    #   arn:aws:execute-api:us-east-1:293602984666:0n5jrln2pi/*/$connect
    # We generate a single policy entry that covers all the routes of this
    # websocket by cutting it off after the asterisk:
    #   arn:aws:execute-api:us-east-1:293602984666:0n5jrln2pi/*
    # Without SourceArn, any API Gateway API in any account could invoke this function.
    SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${NATPunchWebSocket}/*"
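As an added illustration of the SourceArn comment above (not part of the gist): a Python check that reads a Lambda resource policy of the shape lambda:GetPolicy returns and classifies each API Gateway invoke grant by whether its SourceArn is scoped to this API, too broad, or absent. The policy document and account id are constructed placeholders; the API id is the one quoted in the template comments.

```python
import fnmatch
import json

# Constructed sample in the shape lambda:GetPolicy returns; the account id is a placeholder,
# the API id is the one quoted in the template comments. Statement 2 is deliberately unscoped.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "NATPunchIntegPermission", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "apigateway.amazonaws.com"},
     "Condition": {"ArnLike": {"AWS:SourceArn":
                   "arn:aws:execute-api:us-east-1:111111111111:0n5jrln2pi/*"}}},
    {"Sid": "UnscopedPermission", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "apigateway.amazonaws.com"}},
]})


def route_arn(region, account_id, api_id, stage="*", route_key="$connect"):
    """execute-api ARN of one websocket route, in the form the template comments describe."""
    return f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/{route_key}"


def source_arn_patterns(stmt):
    """AWS:SourceArn patterns from ArnLike/ArnEquals conditions (string or list)."""
    arns = []
    for op in ("ArnLike", "ArnEquals"):
        val = stmt.get("Condition", {}).get(op, {}).get("AWS:SourceArn", [])
        arns += [val] if isinstance(val, str) else list(val)
    return arns


def audit_apigw_permissions(policy_json, region, account_id, api_id):
    """Return {Sid: verdict}: 'scoped' (only this API's routes match SourceArn), 'too-broad'
    (another API in the account matches too), 'unscoped' (no SourceArn) or 'mismatch'."""
    own = route_arn(region, account_id, api_id)
    other = route_arn(region, account_id, "zzzzzzzzzz")  # constructed foreign API id
    verdicts = {}
    for stmt in json.loads(policy_json)["Statement"]:
        principal = stmt.get("Principal")
        if (stmt.get("Effect") != "Allow" or not isinstance(principal, dict)
                or principal.get("Service") != "apigateway.amazonaws.com"):
            continue
        patterns = source_arn_patterns(stmt)
        if not patterns:
            verdicts[stmt["Sid"]] = "unscoped"
        elif any(fnmatch.fnmatchcase(other, p) for p in patterns):  # IAM '*' spans '/' as well
            verdicts[stmt["Sid"]] = "too-broad"
        elif any(fnmatch.fnmatchcase(own, p) for p in patterns):
            verdicts[stmt["Sid"]] = "scoped"
        else:
            verdicts[stmt["Sid"]] = "mismatch"
    return verdicts
```

Running it against a real policy only needs the output of `aws lambda get-policy` passed in as `policy_json`, with the region, account and API id the stack deployed.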