зеркало из https://github.com/mozilla/subhub.git
303 строки
10 KiB
YAML
303 строки
10 KiB
YAML
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
|
|
|
|
---
|
|
service:
|
|
name: fxa
|
|
|
|
package:
|
|
individually: true
|
|
exclude:
|
|
- 'node_modules/*'
|
|
include:
|
|
- 'handler.py'
|
|
- 'src/**'
|
|
|
|
custom:
|
|
stage: ${opt:stage, self:provider.stage}
|
|
|
|
# AWS DynamoDB Table definitions used by resources/dynamodb-table.yml
|
|
usersTable: ${env:USER_TABLE}
|
|
deletedUsersTable: ${env:DELETED_USER_TABLE}
|
|
eventsTable: ${env:EVENT_TABLE}
|
|
|
|
prefix: ${self:provider.stage}-${self:service.name}
|
|
subdomain: ${self:provider.stage}.${self:service.name}
|
|
pythonRequirements:
|
|
dockerizePip: 'non-linux'
|
|
fileName: "../../src/app_requirements.txt"
|
|
packageExternal:
|
|
external:
|
|
- '../../src/sub'
|
|
- '../../src/hub'
|
|
- '../../src/shared'
|
|
- '../../src'
|
|
git-repo: "https://github.com/mozilla/subhub"
|
|
alerts:
|
|
dashboards: true
|
|
serverlessTerminationProtection:
|
|
stages:
|
|
- prod
|
|
customDomain:
|
|
domainName: ${self:custom.subdomain}.mozilla-subhub.app
|
|
certificateName: ${self:custom.subdomain}.mozilla-subhub.app
|
|
basePath: 'v1'
|
|
stage: ${self:provider.stage}
|
|
createRoute53Record: true
|
|
hostedZoneId: Z2KY0AWCLX3H6L
|
|
endpointType: regional
|
|
access:
|
|
prod: restricted
|
|
prod-test: restricted
|
|
stage: restricted
|
|
qa: restricted
|
|
dev: unfettered
|
|
fab: unfettered
|
|
resourcePolicies:
|
|
unfettered:
|
|
- Effect: Allow
|
|
Principal: "*"
|
|
Action: execute-api:Invoke
|
|
Resource:
|
|
- execute-api:/*/*/*
|
|
restricted:
|
|
- Effect: Allow
|
|
Principal: "*"
|
|
Action: execute-api:Invoke
|
|
Resource:
|
|
- execute-api:/*/*/version
|
|
- Effect: Allow
|
|
Principal: "*"
|
|
Action: execute-api:Invoke
|
|
Resource:
|
|
- execute-api:/*/*/deployed
|
|
- Effect: Allow
|
|
Principal: "*"
|
|
Action: execute-api:Invoke
|
|
Resource:
|
|
- execute-api:/*/*/swagger.json
|
|
- Effect: Allow
|
|
Principal: "*"
|
|
Action: execute-api:Invoke
|
|
Resource:
|
|
- execute-api:/*/*/ui/*
|
|
- Effect: Allow
|
|
Principal: "*"
|
|
Action: execute-api:Invoke
|
|
Resource:
|
|
- execute-api:/*/*/support/*
|
|
Condition:
|
|
IpAddress:
|
|
aws:SourceIp: ${file(whitelist.yml):support.${self:provider.stage}}
|
|
- Effect: Allow
|
|
Principal: "*"
|
|
Action: execute-api:Invoke
|
|
Resource:
|
|
- execute-api:/*/*/customer/*
|
|
- execute-api:/*/*/plans
|
|
Condition:
|
|
IpAddress:
|
|
aws:SourceIp: ${file(whitelist.yml):payments.${self:provider.stage}}
|
|
- Effect: Allow
|
|
Principal: "*"
|
|
Action: execute-api:Invoke
|
|
Resource:
|
|
- execute-api:/*/*/hub
|
|
Condition:
|
|
IpAddress:
|
|
aws:SourceIp: ${file(whitelist.yml):hub}
|
|
|
|
plugins:
|
|
- serverless-python-requirements
|
|
- serverless-domain-manager
|
|
- serverless-plugin-tracing
|
|
- serverless-package-external
|
|
- serverless-plugin-canary-deployments
|
|
- serverless-stack-termination-protection
|
|
|
|
provider:
|
|
name: aws
|
|
runtime: python3.7
|
|
region: us-west-2
|
|
stage: ${opt:stage}
|
|
stackName: ${self:custom.prefix}-stack
|
|
apiName: ${self:custom.prefix}-apigw
|
|
deploymentPrefix: ${self:custom.prefix}
|
|
endpointType: regional
|
|
logRetentionInDays: 90
|
|
logs:
|
|
# NOTE: https://github.com/serverless/serverless/issues/6112
|
|
# Logging documentation:
|
|
# https://serverless.com/framework/docs/providers/aws/events/apigateway/
|
|
restApi: true
|
|
tracing: true
|
|
memorySize: ${file(functions.yml):${self:provider.stage}.LAMBDA_MEMORY_SIZE}
|
|
timeout: ${file(functions.yml):${self:provider.stage}.LAMBDA_TIMEOUT}
|
|
snsaccount: ${file(accounts.yml):fxa.${self:provider.stage}}
|
|
environment: ${file(env.yml):${self:custom.stage}, file(env.yml):default}
|
|
tags: ${file(resources/tags.yml):${self:custom.stage}, file(resources/tags.yml):default}
|
|
stackTags:
|
|
service: ${self:service}
|
|
# Reference: https://serverless.com/blog/abcs-of-iam-permissions/
|
|
iamRoleStatements:
|
|
- Effect: Allow
|
|
Action:
|
|
- codedeploy:*
|
|
Resource:
|
|
- "*"
|
|
- Effect: Allow
|
|
Action:
|
|
- 'dynamodb:Query'
|
|
- 'dynamodb:Scan'
|
|
- 'dynamodb:GetItem'
|
|
- 'dynamodb:PutItem'
|
|
- 'dynamodb:UpdateItem'
|
|
- 'dynamodb:DeleteItem'
|
|
- 'dynamodb:DescribeTable'
|
|
- 'dynamodb:CreateTable'
|
|
Resource: 'arn:aws:dynamodb:us-west-2:*:*'
|
|
- Effect: Allow
|
|
Action:
|
|
- 'secretsmanager:GetSecretValue'
|
|
Resource:
|
|
- 'Fn::Join': [':', ['arn:aws:secretsmanager', Ref: AWS::Region, Ref: AWS::AccountId, 'secret:${self:provider.stage}/*']]
|
|
- Effect: Allow
|
|
Action:
|
|
- logs:CreateLogGroup
|
|
- logs:CreateLogStream
|
|
- logs:PutLogEvents
|
|
Resource:
|
|
- 'Fn::Join': [':', ['arn:aws:logs', Ref: AWS::Region, Ref: AWS::AccountId, 'log-group:/aws/lambda/*:*:*']]
|
|
- Effect: Allow
|
|
Action:
|
|
- kms:Decrypt
|
|
Resource:
|
|
- 'Fn::Join': [':', ['arn:aws:kms', Ref: AWS::Region, Ref: AWS::AccountId, 'alias/*']]
|
|
- 'Fn::Join': [':', ['arn:aws:kms', Ref: AWS::Region, Ref: AWS::AccountId, 'key/*']]
|
|
- Effect: Allow
|
|
Action:
|
|
- 'xray:PutTraceSegments'
|
|
- 'xray:PutTelemetryRecords'
|
|
Resource:
|
|
- '*'
|
|
- Effect: Allow
|
|
Action:
|
|
- sns:Publish
|
|
Resource:
|
|
- 'Fn::Join': [':', ['arn:aws:sns', Ref: AWS::Region, Ref: AWS::AccountId, '${self:provider.stage}-fxa-event-data']]
|
|
resourcePolicy: ${self:custom.resourcePolicies.${self:custom.access.${self:provider.stage}}}
|
|
functions:
|
|
sub:
|
|
name: '${self:custom.prefix}-sub'
|
|
description: "Function for handling subscription services interactions\n"
|
|
handler: subhandler.handle
|
|
events:
|
|
- http: {
|
|
path: "/sub/{proxy+}",
|
|
method: any,
|
|
cors: false,
|
|
private: false
|
|
}
|
|
type: ${file(functions.yml):${self:provider.stage}.DEPLOYMENT_TYPE}
|
|
reservedConcurrency: ${file(functions.yml):${self:provider.stage}.LAMBDA_RESERVED_CONCURRENCY}
|
|
deploymentSettings:
|
|
# Available AWS CodeDeploy Preference Types
|
|
# Canary10Percent30Minutes
|
|
# Canary10Percent5Minutes
|
|
# Canary10Percent10Minutes
|
|
# Canary10Percent15Minutes
|
|
# Linear10PercentEvery10Minutes
|
|
# Linear10PercentEvery1Minute
|
|
# Linear10PercentEvery2Minutes
|
|
# Linear10PercentEvery3Minutes
|
|
# AllAtOnce
|
|
# Reference: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/automating-updates-to-serverless-apps.html
|
|
type: Linear10PercentEvery1Minute
|
|
alias: Live
|
|
alarms:
|
|
- name: SubAlarm
|
|
namespace: 'AWS/Lambda'
|
|
metric: Errors
|
|
threshold: 1
|
|
statistic: Minimum
|
|
period: 60
|
|
evaluationPeriods: 1
|
|
comparisonOperator: GreaterThanOrEqualToThreshold
|
|
hub:
|
|
name: ${self:custom.prefix}-hub
|
|
description: >
|
|
Function for handling subscription services interactions
|
|
handler: hubhandler.handle
|
|
events:
|
|
- http: {
|
|
path: /hub,
|
|
method: post,
|
|
cors: false,
|
|
private: false
|
|
}
|
|
- http: {
|
|
path: "/hub/{proxy+}",
|
|
method: any,
|
|
cors: false,
|
|
private: false
|
|
}
|
|
type: ${file(functions.yml):${self:provider.stage}.DEPLOYMENT_TYPE}
|
|
reservedConcurrency: ${file(functions.yml):${self:provider.stage}.LAMBDA_RESERVED_CONCURRENCY}
|
|
deploymentSettings:
|
|
# Available AWS CodeDeploy Preference Types
|
|
# Canary10Percent30Minutes
|
|
# Canary10Percent5Minutes
|
|
# Canary10Percent10Minutes
|
|
# Canary10Percent15Minutes
|
|
# Linear10PercentEvery10Minutes
|
|
# Linear10PercentEvery1Minute
|
|
# Linear10PercentEvery2Minutes
|
|
# Linear10PercentEvery3Minutes
|
|
# AllAtOnce
|
|
# Reference: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/automating-updates-to-serverless-apps.html
|
|
type: Linear10PercentEvery1Minute
|
|
alias: Live
|
|
alarms:
|
|
- name: HubAlarm
|
|
namespace: 'AWS/Lambda'
|
|
metric: Errors
|
|
threshold: 1
|
|
statistic: Minimum
|
|
period: 60
|
|
evaluationPeriods: 1
|
|
comparisonOperator: GreaterThanOrEqualToThreshold
|
|
mia:
|
|
name: ${self:custom.prefix}-mia
|
|
description: >
|
|
Function for reconcilation of missing hub events
|
|
handler: miahandler.handle
|
|
events:
|
|
# Invoke Lambda function on a schedule (either cron or rate limited). This fires an
|
|
#
|
|
# Reference: Serverless Event Scheduling
|
|
# https://serverless.com/framework/docs/providers/aws/events/schedule/
|
|
# Reference: AWS Cloudwatch Scheduled Event:
|
|
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/EventTypes.html#schedule_event_type
|
|
#
|
|
# Rate Syntax, http://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html#RateExpressions
|
|
# rate(value unit)
|
|
# where value is an unsigned integer
|
|
# and the unit is a unit of time in the set of (minute, minutes, hour, hours, day, days)
|
|
#
|
|
# Cron Syntax, http://docs.aws.amazon.com/lambda/latest/dg/tutorial-scheduled-events-schedule-expressions.html
|
|
# cron(minutes day-of-month(DOM) month day-of-week(DOW) year)
|
|
# where
|
|
# Field | Values | Wildcards
|
|
# Minutes | 0-59 | ,-*/
|
|
# Hours | 0-23 | ,-*/
|
|
# DOM | 1-31 | ,-*/?LW
|
|
# Month | 1-12 | ,-*/
|
|
# DOW | 1-7 | ,-*?/L#
|
|
# Year | 192199 | ,-*/
|
|
- schedule: rate(${file(functions.yml):${self:provider.stage}.MIA_RATE_SCHEDULE})
|
|
reservedConcurrency: ${file(functions.yml):${self:provider.stage}.LAMBDA_RESERVED_CONCURRENCY}
|
|
resources:
|
|
- ${file(resources/dynamodb-table.yml)}
|
|
- ${file(resources/sns-topic.yml)}
|