serverless.yml
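---
# Serverless Framework service: a Bitbucket webhook receiver that hands
# repository content to CodePipeline through an S3 artifact bucket.
service: bitbucket-code-pipeline-integration
# Pin the variable resolver so `${...}` handling does not change between
# framework versions (CloudFormation `${AWS::...}` references below depend on it).
variablesResolutionMode: 20210326
# Fail the deploy on schema violations instead of only warning.
configValidationMode: error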
provider:
  name: aws
  # NOTE(review): nodejs14.x is a retired Lambda runtime; plan the upgrade
  # (layer and webpack compatibility need to be re-checked when bumping).
  runtime: nodejs14.x
  stage: ${opt:stage, 'default'}
  region: us-east-1
  lambdaHashingVersion: 20201221
  # Execution-role policy for all functions in this service. Scoped to the
  # minimum the webhook needs: read its own stage's SSM parameters and write
  # objects into the artifact bucket declared under `resources`.
  iam:
    role:
      statements:
        - Effect: Allow
          Action:
            - ssm:GetParameters
          Resource:
            # `\${AWS::...}` is escaped so Serverless leaves it for
            # CloudFormation's !Sub, while `${opt:stage}` is resolved by
            # Serverless at package time. Parameters are namespaced per stage.
            - !Sub arn:aws:ssm:\${AWS::Region}:\${AWS::AccountId}:parameter/bitbucket-code-pipeline-integration/${opt:stage, 'default'}/*
        - Effect: Allow
          Action:
            - s3:PutObject
          Resource:
            # Objects only (`<bucket-arn>/*`); no bucket-level or read actions.
            - !Join
              - ''
              - - !GetAtt Bucket.Arn
                - '/*'
functions:
  # Single entry point: receives the Bitbucket webhook POST and stores the
  # result in the artifact bucket.
  webhook:
    handler: src/webhook.webhookHandler
    environment:
      AWS_STAGE: ${opt:stage, 'default'}
      S3_BUCKET: !Ref Bucket
    events:
      # No authorizer is configured on the route, so the endpoint is reachable
      # by anyone who knows the URL. NOTE(review): presumably the handler
      # verifies the webhook (secret/signature, source checks) — confirm in
      # src/webhook.webhookHandler, which is not shown here.
      - httpApi:
          method: POST
          path: /
    memorySize: 512
    layers:
      # Third-party layer (the account id is not this stack's account) that
      # provides the `git` binary. It is pinned to an explicit version; keep
      # it pinned and review before bumping, since the layer runs inside the
      # function with the function's IAM role.
      - !Sub arn:aws:lambda:\${AWS::Region}:553035198032:layer:git-lambda2:8
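resources:
  Resources:
    # Artifact bucket the webhook function writes into (see provider.iam,
    # s3:PutObject). Retained on stack deletion so artifacts are not lost.
    Bucket:
      Type: AWS::S3::Bucket
      DeletionPolicy: Retain
      Properties:
        VersioningConfiguration:
          Status: Enabled
        # Hardening: block any public ACL/policy and encrypt objects at rest
        # by default. SSE-S3 needs no extra KMS permissions on the function role.
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true
        BucketEncryption:
          ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: AES256
        # TODO(review): unlike CloudTrailBucket below, this bucket has no
        # TLS-only (aws:SecureTransport) deny policy; consider adding one.
    # Destination for the CloudTrail data-event log of the artifact bucket.
    # Retained so the audit trail survives stack deletion.
    CloudTrailBucket:
      Type: AWS::S3::Bucket
      DeletionPolicy: Retain
      Properties:
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true
        BucketEncryption:
          ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: AES256
    # Grants the CloudTrail service write access to the log bucket and denies
    # every non-TLS request from any principal.
    CloudTrailBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref CloudTrailBucket
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: AWSCloudTrailAclCheck
              Effect: Allow
              Principal:
                Service: cloudtrail.amazonaws.com
              Action: s3:GetBucketAcl
              Resource: !Sub arn:aws:s3:::${CloudTrailBucket}
            - Sid: AWSCloudTrailWrite
              Effect: Allow
              Principal:
                Service: cloudtrail.amazonaws.com
              Action: s3:PutObject
              # Writes are limited to this account's log prefix and must hand
              # object ownership to the bucket owner.
              Resource: !Sub arn:aws:s3:::${CloudTrailBucket}/AWSLogs/${AWS::AccountId}/*
              Condition:
                StringEquals:
                  's3:x-amz-acl': bucket-owner-full-control
            - Sid: AllowSSLRequestsOnly
              Effect: Deny
              Principal: '*'
              Action: s3:*
              Resource:
                - !GetAtt CloudTrailBucket.Arn
                - !Sub ${CloudTrailBucket.Arn}/*
              Condition:
                Bool:
                  # Quoted so the rendered policy carries the documented string
                  # form rather than a YAML boolean.
                  'aws:SecureTransport': 'false'
    # Write-only data-event trail for the artifact bucket. The trail checks
    # it can deliver to the bucket at creation time, hence the explicit
    # dependency on the bucket policy.
    CloudTrail:
      Type: AWS::CloudTrail::Trail
      DependsOn:
        - CloudTrailBucketPolicy
      Properties:
        IsLogging: true
        S3BucketName: !Ref CloudTrailBucket
        EventSelectors:
          - ReadWriteType: WriteOnly
            IncludeManagementEvents: false
            DataResources:
              - Type: AWS::S3::Object
                Values:
                  - !Sub arn:aws:s3:::${Bucket}/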
plugins:
  - serverless-webpack
custom:
  webpack:
    includeModules:
      # aws-sdk is provided by the Lambda runtime, so it is left out of the
      # bundle to keep the deployment package small.
      forceExclude:
        - aws-sdk