# Serverless Framework service definition for the NameGuard API (serverless.yml).
service: 'oss-nameguard'

# Shared values, read elsewhere in this file through ${self:custom.*}.
custom:
  # Stage comes from the --stage CLI option. No fallback is given here, so a
  # deploy without --stage cannot resolve this variable.
  stage: '${opt:stage}'
  # Public hostname served by the CloudFront distribution defined under resources.
  apiDomain: 'api.nameguard.io'
  # Route 53 zone (trailing dot) and its zone id, used for the alias record
  # and for DNS validation of the ACM certificate.
  hostedZoneName: 'nameguard.io.'
  hostedZoneId: 'Z00825691ZLCWE2VKJQW0'
  # serverless-prune-plugin: after each deploy keep only the 5 most recent
  # function versions.
  prune:
    automatic: true
    number: 5
  # NOTE(review): nesting reconstructed from a flattened listing; this key is
  # assumed to sit under custom. Nothing visible in this file reads
  # ${self:custom.region} and provider.region is not set here, so confirm the
  # deploy region is pinned where intended. The ACM certificate attached to
  # CloudFront must live in us-east-1.
  region: 'us-east-1'
# AWS provider settings shared by every function in the service.
provider:
  name: 'aws'
  stage: '${self:custom.stage}'
  # Functions run on Graviton (arm64); the image platform below must match.
  architecture: 'arm64'
  ecr:
    images:
      # Container image built and pushed to ECR by the framework at deploy time.
      oss-nameguard:
        # The build context is the project root. NOTE(review): anything not
        # excluded by a .dockerignore can end up in the image; confirm that
        # local env files and credentials are excluded.
        path: './'
        platform: 'linux/arm64'
# Plugins loaded by the framework; this one is configured under custom.prune.
plugins:
  - 'serverless-prune-plugin'
# The single Lambda function behind the API, deployed from the ECR image
# declared under provider.ecr.images.
functions:
  oss-nameguard:
    image:
      name: 'oss-nameguard'
    # Physical function name is stage-suffixed so stages do not collide.
    name: 'oss-nameguard-${self:custom.stage}'
    # 1769 MB is the size at which Lambda allocates one full vCPU.
    memorySize: 1769
    timeout: 10
    # NOTE(review): confirm this key spelling against the Serverless reference
    # for function-level versioning; provisionedConcurrency below depends on
    # published versions.
    versionFunctions: true
    # Creates a Lambda Function URL. The shorthand `true` sets no authorizer,
    # so the URL is publicly invocable. CloudFront (see resources) uses this
    # URL as its origin, but the URL stays reachable directly, so any control
    # applied only at CloudFront does not cover direct calls.
    url: true
    # Execution role defined under resources.Resources in this file.
    role: 'DefaultNameGuardRole'
    provisionedConcurrency: 1
    tags:
      Stage: '${self:custom.stage}'
    environment:
      # Resolved from Serverless params at deploy time and stored as plain
      # Lambda environment variables. NOTE(review): if these provider URIs
      # embed API keys, anyone allowed to read the function configuration can
      # see them; consider a secret store reference instead.
      PROVIDER_URI_MAINNET: '${param:PROVIDER_URI_MAINNET}'
      PROVIDER_URI_SEPOLIA: '${param:PROVIDER_URI_SEPOLIA}'
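# Raw CloudFormation resources: the function's execution role, the TLS
# certificate, the CloudFront distribution in front of the Function URL, and
# the DNS alias record. Nesting is reconstructed from a flattened listing.
resources:
  Resources:
    # Execution role assumed by the Lambda service for the function above.
    DefaultNameGuardRole:
      Type: AWS::IAM::Role
      Properties:
        # NOTE(review): this looks like a placeholder path; confirm it is intended.
        Path: /my/default/path/
        # NOTE(review): the role name is not stage-scoped while the function
        # name is; IAM role names are unique per account, so two stages in one
        # account would presumably collide.
        RoleName: DefaultNameGuardRole # required if you want to use 'serverless deploy --function' later on
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: NameGuardPolicy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                # The pattern covers every /aws/lambda/* log group in the
                # account and region, not only this function's group; it can
                # be narrowed to the function's own log group.
                - Effect: Allow # note that these rights are given in the default policy and are required if you want logs out of your lambda(s)
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                    - logs:TagResource
                  Resource:
                    - Fn::Join:
                        - ':'
                        - - 'arn:aws:logs'
                          - Ref: AWS::Region
                          - Ref: AWS::AccountId
                          - 'log-group:/aws/lambda/*:*:*'
                # NOTE(review): s3:PutObject is an object-level action, but
                # this ARN names the bucket itself (no '/*' suffix), so the
                # statement likely grants nothing usable. Decide whether the
                # function needs to write to the deployment bucket at all; if
                # not, remove the statement rather than widening it.
                - Effect: Allow
                  Action:
                    - s3:PutObject
                  Resource:
                    Fn::Join:
                      - ''
                      - - 'arn:aws:s3:::'
                        - Ref: ServerlessDeploymentBucket
                # Resource '*' covers every ECR repository in the account.
                # NOTE(review): confirm the execution role needs image-pull
                # rights at all; if it does, scope this to the repository ARN.
                - Effect: Allow
                  Action:
                    - ecr:BatchGetImage
                    - ecr:GetDownloadUrlForLayer
                  Resource: ['*']

    # DNS-validated certificate for the API hostname, attached to CloudFront.
    ACMCertificate:
      Type: AWS::CertificateManager::Certificate
      Properties:
        DomainName: ${self:custom.apiDomain}
        DomainValidationOptions:
          - DomainName: ${self:custom.apiDomain}
            HostedZoneId: ${self:custom.hostedZoneId}
        ValidationMethod: DNS

    # CloudFront distribution that serves custom.apiDomain and forwards to the
    # Lambda Function URL. No WebACLId or Logging is configured here.
    ApiCloudFrontDistribution:
      Type: AWS::CloudFront::Distribution
      DeletionPolicy: Delete
      Properties:
        DistributionConfig:
          Enabled: true
          PriceClass: PriceClass_100
          HttpVersion: http2
          Comment: Api distribution for ${self:custom.apiDomain}
          Origins:
            # The id says "ApiGateway" but the origin is the Function URL:
            # the host part is taken from https://<host>/ by splitting on '/'.
            - Id: ApiGateway
              DomainName: !Select [2, !Split ['/', !GetAtt OssDashnameguardLambdaFunctionUrl.FunctionUrl]]
              OriginPath: ''
              CustomOriginConfig:
                HTTPPort: 80
                HTTPSPort: 443
                OriginProtocolPolicy: https-only
                # Only TLS 1.2 is allowed towards the origin. The previous
                # list also permitted the deprecated TLSv1 and TLSv1.1, which
                # left room for a protocol downgrade on the origin leg.
                OriginSSLProtocols: [TLSv1.2]
          DefaultCacheBehavior:
            TargetOriginId: ApiGateway
            ViewerProtocolPolicy: redirect-to-https
            Compress: true
            # TTL 0: responses are revalidated with the origin by default.
            DefaultTTL: 0
            AllowedMethods:
              - HEAD
              - DELETE
              - POST
              - GET
              - OPTIONS
              - PUT
              - PATCH
            CachedMethods:
              - HEAD
              - OPTIONS
              - GET
            # Legacy forwarding settings (cache policies are the newer form).
            # Query strings and cookies are not forwarded; the three headers
            # below are forwarded and become part of the cache key, which
            # keeps responses for different credentials separate.
            ForwardedValues:
              QueryString: false
              Headers:
                - Accept
                - x-api-key
                - Authorization
              Cookies:
                Forward: none
          Aliases:
            - ${self:custom.apiDomain}
          ViewerCertificate:
            SslSupportMethod: sni-only
            # Viewer-facing TLS floor.
            MinimumProtocolVersion: TLSv1.2_2019
            AcmCertificateArn: !Ref ACMCertificate

    # Alias A record pointing the API hostname at the distribution.
    ApiRecordSetGroup:
      Type: AWS::Route53::RecordSetGroup
      DeletionPolicy: Delete
      DependsOn:
        - ApiCloudFrontDistribution
      Properties:
        HostedZoneName: ${self:custom.hostedZoneName}
        RecordSets:
          - Name: ${self:custom.apiDomain}
            Type: A
            AliasTarget:
              HostedZoneId: Z2FDTNDATAQYW2 # default for cloudfront
              DNSName: {'Fn::GetAtt': [ApiCloudFrontDistribution, DomainName]} # set the domain of your cloudfront distribution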