-
Notifications
You must be signed in to change notification settings - Fork 117
Expand file tree
/
Copy pathtemplate.yaml
More file actions
93 lines (87 loc) · 3.83 KB
/
template.yaml
File metadata and controls
93 lines (87 loc) · 3.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: SAM Template for APIGateway Lambda Example
# This is an example SAM template for the purpose of this project.
# When deploying such infrastructure in production environment,
# we strongly encourage you to follow these best practices for improved security and resiliency
# - Enable access loggin on API Gateway
# See: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html)
# - Ensure that AWS Lambda function is configured for function-level concurrent execution limit
# See: https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html
# https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html
# - Check encryption settings for Lambda environment variable
# See: https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars-encryption.html
# - Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
# See: https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-dlq
# - Ensure that AWS Lambda function is configured inside a VPC when it needs to access private resources
# See: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
# Code Example: https://github.com/awslabs/swift-aws-lambda-runtime/tree/main/Examples/ServiceLifecycle%2BPostgres
Resources:
# The API Gateway
MyProtectedApi:
Type: AWS::Serverless::HttpApi
Properties:
Auth:
DefaultAuthorizer: MyLambdaRequestAuthorizer
Authorizers:
MyLambdaRequestAuthorizer:
FunctionArn: !GetAtt AuthorizerLambda.Arn
Identity:
Headers:
- Authorization
AuthorizerPayloadFormatVersion: "2.0"
EnableSimpleResponses: true
# Give the API Gateway permissions to invoke the Lambda authorizer
AuthorizerPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !Ref AuthorizerLambda
Principal: apigateway.amazonaws.com
SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${MyProtectedApi}/*
# Lambda business function
APIGatewayLambda:
Type: AWS::Serverless::Function
Properties:
CodeUri: .build/plugins/AWSLambdaPackager/outputs/AWSLambdaPackager/APIGatewayLambda/APIGatewayLambda.zip
Timeout: 60
Handler: swift.bootstrap # ignored by the Swift runtime
Runtime: provided.al2
MemorySize: 128
Architectures:
- arm64
Environment:
Variables:
# by default, AWS Lambda runtime produces no log
# use `LOG_LEVEL: debug` for for lifecycle and event handling information
# use `LOG_LEVEL: trace` for detailed input event information
LOG_LEVEL: debug
Events:
HttpApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref MyProtectedApi
Path: /demo
Method: ANY
# Lambda authorizer function
AuthorizerLambda:
Type: AWS::Serverless::Function
Properties:
CodeUri: .build/plugins/AWSLambdaPackager/outputs/AWSLambdaPackager/AuthorizerLambda/AuthorizerLambda.zip
Timeout: 29 # max 29 seconds for Lambda authorizers
Handler: swift.bootstrap # ignored by the Swift runtime
Runtime: provided.al2
MemorySize: 128
Architectures:
- arm64
Environment:
Variables:
# by default, AWS Lambda runtime produces no log
# use `LOG_LEVEL: debug` for for lifecycle and event handling information
# use `LOG_LEVEL: trace` for detailed input event information
LOG_LEVEL: debug
Outputs:
# print API Gateway endpoint
APIGatewayEndpoint:
Description: API Gateway endpoint URI
Value: !Sub "https://${MyProtectedApi}.execute-api.${AWS::Region}.amazonaws.com/demo"