-
Notifications
You must be signed in to change notification settings - Fork 12
/
sam-template.yaml
259 lines (227 loc) · 7.91 KB
/
sam-template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: "DC Website Django app: Lambda, API Gateway"
Globals:
Function:
Timeout: 10
Api:
BinaryMediaTypes:
- "*/*"
Parameters:
AppSecretKey:
Default: AppSecretKey
Description: "The SECRET_KEY environment variable passed to the app."
Type: AWS::SSM::Parameter::Value<String>
AppSentryDSN:
Default: AppSentryDSN
Description: "The SENTRY_DSN environment variable passed to the app."
Type: AWS::SSM::Parameter::Value<String>
AppPostgresHost:
Default: AppPostgresHost
Description: "The Postgres database host for this deploy."
Type: AWS::SSM::Parameter::Value<String>
AppPostgresDatabaseName:
Default: AppPostgresDatabaseName
Description: "The Postgres database name for this deploy."
Type: AWS::SSM::Parameter::Value<String>
AppPostgresPassword:
Default: AppPostgresPassword
Description: "The password for the postgres user"
Type: AWS::SSM::Parameter::Value<String>
AppSendgridAPIKey:
Default: AppSendgridAPIKey
Description: "The SendGrid API key"
Type: AWS::SSM::Parameter::Value<String>
FQDN:
Default: FQDN
Description: "The domain name this app is mounted on"
Type: AWS::SSM::Parameter::Value<String>
CertificateArn:
Default: CertificateArn
Description: "The ARN of the cert to use"
Type: AWS::SSM::Parameter::Value<String>
AppStorageBucketName:
Default: AppStorageBucketName
Description: "The ARN of the cert to use"
Type: AWS::SSM::Parameter::Value<String>
AppDjangoSettingsModule:
Description: "The DJANGO_SETTINGS_MODULE environment variable passed to the app."
Type: String
Default: "democracy_club.settings.aws_lambda"
AppIsBehindCloudFront:
Description: "The APP_IS_BEHIND_CLOUDFRONT environment variable passed to the app, which modifies various path- and host-related settings."
Type: String
AllowedValues:
- "True"
- "False"
Default: "True"
GitHash:
Description: "The Hash of the git commit that's deployed"
Type: String
DCEnvironment:
Default: DC_ENVIRONMENT
Description: "The DC_ENVIRONMENT environment variable passed to the app."
Type: AWS::SSM::Parameter::Value<String>
Resources:
DependenciesLayer:
Type: AWS::Serverless::LayerVersion
Properties:
ContentUri: ./lambda-layers/DependenciesLayer/
CompatibleRuntimes:
- python3.12
Metadata:
BuildMethod: makefile
RetentionPolicy: Delete
DCWebsiteFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: DCWebsiteFunction
Timeout: 60
Role: !Sub "arn:aws:iam::${AWS::AccountId}:role/DCWebsiteLambdaExecutionRole"
CodeUri: .
Handler: democracy_club.lambda_wsgi.handler
Layers:
- !Ref DependenciesLayer
Runtime: python3.12
MemorySize: 512
Environment:
Variables:
SECRET_KEY: !Ref AppSecretKey
SENTRY_DSN: !Ref AppSentryDSN
DJANGO_SETTINGS_MODULE: !Ref AppDjangoSettingsModule
APP_IS_BEHIND_CLOUDFRONT: !Ref AppIsBehindCloudFront
GIT_HASH: !Ref GitHash
DATABASE_HOST: !Ref AppPostgresHost
POSTGRES_DATABASE_NAME: !Ref AppPostgresDatabaseName
DATABASE_PASS: !Ref AppPostgresPassword
FQDN: !Ref FQDN
STORAGE_BUCKET_NAME: !Ref AppStorageBucketName
DC_ENVIRONMENT: !Ref DCEnvironment
Events:
HTTPRequests:
Type: Api
Properties:
Path: /{proxy+}
Method: ANY
HTTPRequestRoots:
Type: Api
Properties:
Path: /
Method: ANY
DCWebsiteManagementFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: DCWebsiteManagementFunction
Timeout: 60
Role: !Sub "arn:aws:iam::${AWS::AccountId}:role/DCWebsiteLambdaExecutionRole"
CodeUri: .
Handler: democracy_club.lambda_wsgi.management_handler
Layers:
- !Ref DependenciesLayer
Runtime: python3.12
MemorySize: 512
Environment:
Variables:
SECRET_KEY: !Ref AppSecretKey
SENTRY_DSN: !Ref AppSentryDSN
DJANGO_SETTINGS_MODULE: !Ref AppDjangoSettingsModule
APP_IS_BEHIND_CLOUDFRONT: !Ref AppIsBehindCloudFront
GIT_HASH: !Ref GitHash
DATABASE_HOST: !Ref AppPostgresHost
POSTGRES_DATABASE_NAME: !Ref AppPostgresDatabaseName
DATABASE_PASS: !Ref AppPostgresPassword
FQDN: !Ref FQDN
STORAGE_BUCKET_NAME: !Ref AppStorageBucketName
DC_ENVIRONMENT: !Ref DCEnvironment
DCWebsiteFunctionLogGroup:
Type: AWS::Logs::LogGroup
DependsOn: [ DCWebsiteFunction ]
Properties:
LogGroupName: !Sub /aws/lambda/${DCWebsiteFunction}
RetentionInDays: 60
CloudFrontDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
Comment: 'Cloudfront Distribution pointing to Lambda origin'
Origins:
- Id: Dynamic
DomainName: !Sub "${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com"
OriginPath: "/Prod"
CustomOriginConfig:
OriginProtocolPolicy: "https-only"
OriginCustomHeaders:
- HeaderName: X-Forwarded-Host
HeaderValue: !Ref FQDN
- HeaderName: X-Forwarded-Proto
HeaderValue: https
- Id: Media
DomainName: !Sub "${AppStorageBucketName}.s3.eu-west-2.amazonaws.com"
CustomOriginConfig:
OriginProtocolPolicy: "https-only"
OriginShield:
Enabled: false
Enabled: true
HttpVersion: 'http2'
Aliases:
- !Ref FQDN
PriceClass: "PriceClass_100"
ViewerCertificate:
AcmCertificateArn: !Ref CertificateArn
MinimumProtocolVersion: TLSv1.1_2016
SslSupportMethod: sni-only
DefaultCacheBehavior:
AllowedMethods: [ GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE ]
TargetOriginId: Dynamic
ForwardedValues:
QueryString: true
Cookies:
Forward: "all"
Headers:
- Authorization
- Origin
- Referer
ViewerProtocolPolicy: "redirect-to-https"
CacheBehaviors:
- AllowedMethods: [ GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE ]
PathPattern: admin/*
TargetOriginId: Dynamic
Compress: true
ViewerProtocolPolicy: "redirect-to-https"
ForwardedValues:
QueryString: true
Cookies:
Forward: "all"
Headers:
- Authorization
- Origin
- Referer
DefaultTTL: 0
MaxTTL: 0
- AllowedMethods: [ GET, HEAD, OPTIONS ]
PathPattern: static/*
TargetOriginId: Dynamic
Compress: true
CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
ViewerProtocolPolicy: "redirect-to-https"
- AllowedMethods: [ GET, HEAD ]
PathPattern: media/*
TargetOriginId: Media
Compress: true
CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
ViewerProtocolPolicy: "redirect-to-https"
DnsRecord:
Type: AWS::Route53::RecordSet
Properties:
AliasTarget:
DNSName: !GetAtt CloudFrontDistribution.DomainName
HostedZoneId: Z2FDTNDATAQYW2 # this is an AWS-owned, global singleton required for Aliases to CloudFront
HostedZoneName: !Sub "${FQDN}."
Name: !Sub "${FQDN}."
Type: A
Outputs:
DCWebsiteFqdn:
Description: "API Gateway endpoint FQDN for DC Website function"
Value: !Sub "${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com"
Export:
Name: !Join [ ":", [ !Ref "AWS::StackName", "DCWebsiteFqdn" ] ]