serverless.yml

# Welcome to Serverless!
#
# This file is the main config file for your service.
# It's very minimal at this point and uses default values.
# You can always add more config options for more control.
# We've included some commented out config examples here.
# Just uncomment any of them to get that config option.
#
# For full config options, check the docs:
#    docs.serverless.com
#
# Happy Coding!

service: iris

plugins:
  - serverless-offline

custom:
  serverless-offline:
    stage: local
    location: src
  config: ${file(config/${self:provider.stage}.json)}

provider:
  name: aws
  stage: ${opt:stage, 'dev'}
  runtime: nodejs8.10
  memorySize: 1536
  environment:

    # API Keys

    GOOGLE_API_KEY: ${ssm:/iris/GOOGLE_API_KEY}

    # Resources

    API_GATEWAY:    ${self:custom.config.resources.API_GATEWAY}
    BUCKET_DOMAIN:  ${self:custom.config.resources.BUCKET_DOMAIN}
    CERT_ARN:       ${self:custom.config.resources.CERT_ARN}
    CERT_DOMAIN:    ${self:custom.config.resources.CERT_DOMAIN}
    CERT_TLD:       ${self:custom.config.resources.CERT_TLD}

    # Handler

    BUCKET:         ${self:custom.config.handler.BUCKET}
    CLOUDFRONT_URL: ${self:custom.config.handler.CLOUDFRONT_URL}
    ERROR_DOCUMENT: ${self:custom.config.handler.ERROR_DOCUMENT}

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:*"
      Resource: "*"

package:
  artifact: dist/iris.zip

functions:
  resizeImage:
    handler: handler.resizeImage
    events:
      - http: GET resizeImage

resources:
  Resources:

    # Certificate Manager

    CDNCert:
      Type: AWS::CertificateManager::Certificate
      Properties:
        DomainName: ${self:provider.environment.CERT_DOMAIN}
        DomainValidationOptions:
          - DomainName: ${self:provider.environment.CERT_DOMAIN}
            ValidationDomain: ${self:provider.environment.CERT_TLD}

    # S3

    MediaServer:
      Type: AWS::S3::Bucket
      DeletionPolicy: Retain
      Properties:
        AccessControl: PublicRead
        WebsiteConfiguration:
          IndexDocument: index.html
          ErrorDocument: ${self:provider.environment.ERROR_DOCUMENT}
          RoutingRules:
            - RedirectRule:
                HttpRedirectCode: 307
                Protocol: https
                HostName: ${self:provider.environment.API_GATEWAY}
                ReplaceKeyPrefixWith: ${self:provider.stage}/resizeImage?key=
              RoutingRuleCondition:
                HttpErrorCodeReturnedEquals: 404

    MediaServerPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: { "Ref": "MediaServer" }
        PolicyDocument:
          Statement:
            -
              "Effect": "Allow"
              "Principal": "*"
              "Action": "s3:GetObject"
              "Resource": { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "MediaServer" }, "/*" ] ] }

    # CloudFormation

    MediaCDN:
      Type: AWS::CloudFront::Distribution
      Properties:
        DistributionConfig:
          Origins:
            - DomainName: ${self:provider.environment.BUCKET_DOMAIN}
              Id: MediaServerS3Origin
              CustomOriginConfig:
                HTTPPort: '80'
                HTTPSPort: '443'
                OriginProtocolPolicy: http-only
          Enabled: 'true'
          DefaultCacheBehavior:
            Compress: 'true'
            DefaultTTL: 0
            ForwardedValues:
              QueryString: 'false'
            TargetOriginId: MediaServerS3Origin
            ViewerProtocolPolicy: redirect-to-https
          Aliases:
            - ${self:provider.environment.CERT_DOMAIN}
          ViewerCertificate:
            AcmCertificateArn: ${self:provider.environment.CERT_ARN}
            SslSupportMethod: sni-only