/
template.yml
128 lines (120 loc) · 4.01 KB
/
template.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# An example on how to package the authorizer in your own SAM-managed stack
#
# Edit the details below and then deploy with:
#
# ```bash
# sam build --beta-features --template examples/sam/template.yml
# sam deploy --template .aws-sam/build/template.yaml --guided --capabilities CAPABILITY_AUTO_EXPAND CAPABILITY_NAMED_IAM CAPABILITY_IAM
# ```
#
# Clean up with:
#
# ```bash
# sam delete --config-file .aws-sam/build/samconfig.toml
# ```
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
ApiGatewayApi:
Type: AWS::Serverless::Api
DependsOn: ApiCWLRoleArn
Properties:
StageName: prod
Description: A demo app to test the OIDC authorizer # 👀 CHANGE IF NEEDED
# 👀 CHANGE IF NEEDED: enable traces and logs (best practice)
TracingEnabled: true
MethodSettings:
- HttpMethod: "*"
LoggingLevel: INFO
ResourcePath: "/*"
MetricsEnabled: true
DataTraceEnabled: true
Auth:
DefaultAuthorizer: OidcAuthorizer
Authorizers:
OidcAuthorizer:
FunctionArn: !GetAtt OidcLambdaAuthorizer.Arn
ApiCWLRoleArn:
Type: AWS::ApiGateway::Account
Properties:
CloudWatchRoleArn: !GetAtt CloudWatchRole.Arn
CloudWatchRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Action: "sts:AssumeRole"
Effect: Allow
Principal:
Service: apigateway.amazonaws.com
Path: /
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
# Authorizer Lambda
OidcLambdaAuthorizer:
Type: AWS::Serverless::Function
Metadata:
BuildMethod: rust-cargolambda
Properties:
CodeUri: ../..
Handler: bootstrap
Runtime: provided.al2
Timeout: 3 # 👀 CHANGE IF NEEDED
MemorySize: 128 # 👀 CHANGE IF NEEDED
Architectures:
- arm64
Environment:
Variables:
# 👀 CHANGE THE FOLLOWING VALUES:
JWKS_URI: "https://login.microsoftonline.com/3e4abf5a-fdc9-485c-9853-af03c4a32976/discovery/v2.0/keys"
MIN_REFRESH_RATE: "900"
PRINCIPAL_ID_CLAIMS: "preferred_username, sub"
DEFAULT_PRINCIPAL_ID: "unknown"
ACCEPTED_ISSUERS: "https://login.microsoftonline.com/3e4abf5a-fdc9-485c-9853-af03c4a32976/v2.0"
ACCEPTED_AUDIENCES: "5c8efa13-dfa5-48b5-83c3-6fe8bb819a0f"
ACCEPTED_ALGORITHMS: ""
# 👀 CHANGE: Define your APIs here
SampleApiFunction1:
Type: AWS::Serverless::Function
Properties:
Events:
ApiEvent:
Type: Api
Properties:
Path: /1
Method: get
RestApiId:
Ref: ApiGatewayApi
Runtime: python3.9
Handler: index.handler
InlineCode: |
def handler(event, context):
return {'body': 'Hello from endpoint1!', 'statusCode': 200}
SampleApiFunction2:
Type: AWS::Serverless::Function
Properties:
Events:
ApiEvent:
Type: Api
Properties:
Path: /2
Method: get
RestApiId:
Ref: ApiGatewayApi
Runtime: python3.9
Handler: index.handler
InlineCode: |
def handler(event, context):
return {'body': 'Hello ' + event['requestContext']['authorizer']['principalId'] + ' from endpoint2!\nThese are your claims: ' + event['requestContext']['authorizer']['jwtClaims'], 'statusCode': 200}
Outputs:
ApiBaseUrl:
Description: "API Gateway base URL"
Value: !Sub "https://${ApiGatewayApi}.execute-api.${AWS::Region}.amazonaws.com/prod/"
ApiEndpoint1:
Description: "API Gateway endpoint 1"
Value: !Sub "https://${ApiGatewayApi}.execute-api.${AWS::Region}.amazonaws.com/prod/1"
ApiEndpoint2:
Description: "API Gateway endpoint 2"
Value: !Sub "https://${ApiGatewayApi}.execute-api.${AWS::Region}.amazonaws.com/prod/2"