posterit-e/template.yaml at main · jmbs-dev/posterit-e · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  posterit-e-lambdas: Serverless backend for the Posterit-E digital legacy platform.

Globals:
  Function:
    Timeout: 10
    MemorySize: 128
    Runtime: python3.9
    Architectures:
      - x86_64
    Environment:
      Variables:
        DYNAMODB_TABLE_NAME: "{{resolve:ssm:/posterite/dynamodb_table}}"
        S3_BUCKET_NAME: "{{resolve:ssm:/posterite/s3_bucket}}"
        SENDER_EMAIL_ADDRESS: "{{resolve:ssm:/posterite/sender_email}}"
        BASE_URL: "{{resolve:ssm:/posterite/base_url}}"
        TOKEN_TTL_SECONDS: "{{resolve:ssm:/posterite/token_ttl}}"
        OTP_TTL_SECONDS: "{{resolve:ssm:/posterite/otp_ttl}}"

Resources:
  # --- API Gateway ---
  ApiGatewayLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/api-gateway/posterit-e-mvp-api
      RetentionInDays: 7

  PosteritEApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Cors:
        AllowMethods: "'POST, GET, OPTIONS'"
        AllowHeaders: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
        AllowOrigin: "'*'" # Production Recommended: "'{{resolve:ssm:/posterite/frontend_url:1}}'"
      AccessLogSetting:
        DestinationArn: !GetAtt ApiGatewayLogGroup.Arn
        Format: '{"requestId":"$context.requestId","ip":"$context.identity.sourceIp","caller":"$context.identity.caller","user":"$context.identity.user","requestTime":"$context.requestTime","httpMethod":"$context.httpMethod","resourcePath":"$context.resourcePath","status":"$context.status","protocol":"$context.protocol","responseLength":"$context.responseLength"}'
      MethodSettings:
        - ResourcePath: '/*'
          HttpMethod: '*'
          LoggingLevel: INFO
          DataTraceEnabled: true
          MetricsEnabled: true

  # --- Lambda Functions ---
  StoreSecretLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: functions/store_secret_lambda/
      Handler: app.lambda_handler
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - dynamodb:PutItem
                - dynamodb:UpdateItem
                - dynamodb:DeleteItem
                - dynamodb:TransactWriteItems
              Resource: !GetAtt PosteritETable.Arn
        - S3WritePolicy:
            BucketName: "{{resolve:ssm:/posterite/s3_bucket}}"
      Events:
        ApiEvent:
          Type: Api
          Properties:
            Path: /secrets
            Method: post
            RestApiId: !Ref PosteritEApi
            Auth:
              ApiKeyRequired: true

  ActivationLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: functions/activation_lambda/
      Handler: app.lambda_handler
      Environment:
        Variables:
          RELEASE_LAMBDA_ARN: !GetAtt ReleaseLambdaFunction.Arn
          SCHEDULER_ROLE_ARN: !GetAtt SchedulerToLambdaRole.Arn
      Policies:
        - Statement:
            - Sid: AllowReadAndUpdateStateInDynamoDB
              Effect: Allow
              Action:
                - dynamodb:GetItem
                - dynamodb:UpdateItem
              Resource: "{{resolve:ssm:/posterite/dynamodb_table_arn}}"
            - Sid: AllowSendEmails
              Effect: Allow
              Action:
                - ses:SendEmail
                - ses:SendRawEmail
              Resource: "{{resolve:ssm:/posterite/ses_identity_arn}}"
            - Sid: AllowCreateEventBridgeSchedule
              Effect: Allow
              Action: scheduler:CreateSchedule
              Resource: '*'
            - Sid: AllowPassSchedulerRole
              Effect: Allow
              Action: iam:PassRole
              Resource: !GetAtt SchedulerToLambdaRole.Arn
      Events:
        GetEvent:
          Type: Api
          Properties:
            Path: /activation/{secretId}
            Method: get
            RestApiId: !Ref PosteritEApi
        PostEvent:
          Type: Api
          Properties:
            Path: /activation
            Method: post
            RestApiId: !Ref PosteritEApi

  CancellationLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: functions/cancellation_lambda/
      Handler: app.lambda_handler
      Policies:
        - Statement:
            - Sid: AllowReadAndUpdateStateForCancellation
              Effect: Allow
              Action:
                - dynamodb:GetItem
                - dynamodb:UpdateItem
                - dynamodb:DeleteItem
              Resource: !GetAtt PosteritETable.Arn
            - Sid: AllowQueryTokenIndex
              Effect: Allow
              Action:
                - dynamodb:Query
              Resource:
                - !GetAtt PosteritETable.Arn
                - !Sub "${PosteritETable.Arn}/index/TokenIndex"
            - Sid: AllowSendEmails
              Effect: Allow
              Action:
                - ses:SendEmail
                - ses:SendRawEmail
              Resource: "{{resolve:ssm:/posterite/ses_identity_arn}}"
            - Sid: AllowDeleteEventBridgeSchedule
              Effect: Allow
              Action: scheduler:DeleteSchedule
              Resource: !Sub "arn:aws:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/default/*"
      Events:
        ApiEvent:
          Type: Api
          Properties:
            Path: /cancel
            Method: post
            RestApiId: !Ref PosteritEApi

  ReleaseLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: functions/release_lambda/
      Handler: app.lambda_handler
      Policies:
        - S3ReadPolicy:
            BucketName: "{{resolve:ssm:/posterite/s3_bucket}}"
        - Statement:
            - Sid: AllowManageStateAndTokensInDynamoDB
              Effect: Allow
              Action:
                - dynamodb:GetItem
                - dynamodb:UpdateItem
                - dynamodb:DeleteItem
                - dynamodb:PutItem
              Resource: "{{resolve:ssm:/posterite/dynamodb_table_arn}}"
            - Sid: AllowSendEmails
              Effect: Allow
              Action:
                - ses:SendEmail
                - ses:SendRawEmail
              Resource: "{{resolve:ssm:/posterite/ses_identity_arn}}"
      Events:
        VerifyMfaEvent:
          Type: Api
          Properties:
            Path: /mfa/verify
            Method: post
            RestApiId: !Ref PosteritEApi
        GetSecretDataEvent:
          Type: Api
          Properties:
            Path: /secrets/{secretId}/data
            Method: get
            RestApiId: !Ref PosteritEApi

  # --- IAM Roles and Custom Domain ---
  SchedulerToLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: scheduler.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AllowInvokeReleaseLambda
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: !GetAtt ReleaseLambdaFunction.Arn

  PosteriteEApiDomainName:
    Type: AWS::ApiGateway::DomainName
    DeletionPolicy: Retain
    Properties:
      DomainName: "{{resolve:ssm:/posterite/api_domain}}"
      EndpointConfiguration:
        Types:
          - REGIONAL
      RegionalCertificateArn: "{{resolve:ssm:/posterite/certificate_arn}}"

  PosteritEApiBasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    DependsOn: PosteritEApiProdStage
    Properties:
      DomainName: !Ref PosteriteEApiDomainName
      RestApiId: !Ref PosteritEApi
      Stage: Prod
      BasePath: ""

  PosteritETable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: "{{resolve:ssm:/posterite/dynamodb_table}}"
      AttributeDefinitions:
        - AttributeName: PK
          AttributeType: S
        - AttributeName: SK
          AttributeType: S
        - AttributeName: tokenValue
          AttributeType: S
      KeySchema:
        - AttributeName: PK
          KeyType: HASH
        - AttributeName: SK
          KeyType: RANGE
      GlobalSecondaryIndexes:
        - IndexName: TokenIndex
          KeySchema:
            - AttributeName: tokenValue
              KeyType: HASH
          Projection:
            ProjectionType: KEYS_ONLY
      BillingMode: PAY_PER_REQUEST

Outputs:
  PosteritEApiUrl:
    Description: "API Gateway endpoint URL for Prod stage"
    Value: !Sub "https://${PosteritEApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
  PosteritEApiId:
    Description: "API Gateway REST API ID"
    Value: !Ref PosteritEApi