serverless.yml

service: ${env:STACK_NAME}-${env:ROOTSTACK}

frameworkVersion: '2'
useDotenv: true

package:
  include:
    - artifacts/**/*
    - serverless.yml
    - .env
    - package.json
    - package-lock.json

provider:
  logRetentionInDays: 365 # Set the default RetentionInDays for a CloudWatch LogGroup
  name: aws
  runtime: nodejs14.x
  timeout: 30
  memorySize: 128
  region: ${env:REGION}
  stage: ${env:ENV}
  lambdaHashingVersion: 20201221
  deploymentBucket:
    blockPublicAccess: true 
    serverSideEncryption: AES256 
    tags: 
      StackName: ${env:STACK_NAME}
      Env: ${env:ENV}
  stackTags: # Optional CF stack tags
    StackName: ${env:STACK_NAME}
    Env: ${env:ENV}
  tags: # Optional service wide function tags
    StackName: ${env:STACK_NAME}
    Env: ${env:ENV}
  tracing:
    lambda: true
  vpc:
    securityGroupIds: !Split [",", "${env:SECURITYGP}"]
    subnetIds: !Split [",", "${env:PRIVATESUBNET}"]
  
  iam:
    role:
      statements: 
        - Effect: Allow
          Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DeleteLogGroup
            - logs:PutLogEvents
            - logs:DescribeLogStreams
            - logs:DescribeLogGroups
            - logs:FilterLogEvents
          Resource: "arn:aws:logs:*:*:*"
        - Effect: Allow
          Action:
            - lambda:AddPermission
            - lambda:CreateAlias
            - lambda:DeleteFunction
            - lambda:InvokeFunction
            - lambda:PublishVersion
            - lambda:RemovePermission
            - lambda:Update*
          Resource:
            - arn:aws:lambda:*:*:function:*
        - Effect: Allow
          Action:
            - apigateway:GET
            - apigateway:POST
            - apigateway:PUT
            - apigateway:DELETE
            - apigateway:PATCH
          Resource:
            - arn:aws:apigateway:*::/restapis*
            - arn:aws:apigateway:*::/apikeys*
            - arn:aws:apigateway:*::/usageplans*
        - Effect: Allow
          Action:
            - secretsmanager:GetSecretValue
            - ssm:*
          Resource:
            - arn:aws:secretsmanager:*:*:secret:*
        - Effect: "Allow" # xray permissions (required)
          Action:
            - "xray:PutTraceSegments"
            - "xray:PutTelemetryRecords"
          Resource:
            - "*"
        - Effect: Allow
          Action:
            - ec2:CreateNetworkInterface
            - ec2:AttachNetworkInterface
            - ec2:DescribeNetworkInterfaces
            - ec2:DetachNetworkInterface
            - ec2:DeleteNetworkInterface
            - ec2:DescribeSecurityGroups
            - ec2:DescribeSubnets
            - ec2:DescribeVpcs
          Resource: '*'
        - Effect: Allow
          Action:
            - s3:*
          Resource: 'arn:aws:s3:::${env:FILEAPIS3BUCKET}/*'


functions:
  services:
    handler: src/index.handler
    description: ${env:STACK_NAME}-${env:ROOTSTACK}-lambda

plugins:
  - serverless-plugin-aws-alerts
  - serverless-offline
  - serverless-plugin-typescript

custom:
  serverless-offline:
    host: 0.0.0.0


  alerts:
    stages:
      - live
      - test
      - dev
    topics:
      alarm:
        topic: {'Fn::ImportValue': !Sub '${env:STACK_NAME}-ChatBotSNSTopicARN-${env:ENV}'}
    definitions:  # these defaults are merged with your definitions
      functionErrors:
        namespace: 'AWS/Lambda'
        metric: Errors
        threshold: 5
        statistic: Sum
        period: 180
        evaluationPeriods: 3
        datapointsToAlarm: 3
        comparisonOperator: GreaterThanOrEqualToThreshold
        treatMissingData: notBreaching # override treatMissingData
      functionThrottles:
        namespace: 'AWS/Lambda'
        metric: Throttles
        threshold: 5
        statistic: Sum
        period: 180
        evaluationPeriods: 3
        datapointsToAlarm: 3
        comparisonOperator: GreaterThanOrEqualToThreshold
        treatMissingData: notBreaching # override treatMissingData
      functionInvocations:
        namespace: 'AWS/Lambda'
        metric: Invocations
        threshold: 1000
        statistic: Sum
        period: 180
        evaluationPeriods: 3
        datapointsToAlarm: 3
        comparisonOperator: GreaterThanOrEqualToThreshold
        treatMissingData: notBreaching # override treatMissingData
      functionDuration:
        namespace: 'AWS/Lambda'
        metric: Duration
        threshold: 28000 # 28 seconds
        statistic: 'p99'
        period: 180
        evaluationPeriods: 3
        datapointsToAlarm: 3
        comparisonOperator: GreaterThanOrEqualToThreshold
        treatMissingData: notBreaching # override treatMissingData
        evaluateLowSampleCountPercentile: ignore
      CustomMetricFilter:
        metric: CustomMetricFilterError
        threshold: 5
        statistic: Sum
        period: 180
        evaluationPeriods: 3
        datapointsToAlarm: 3
        comparisonOperator: GreaterThanOrEqualToThreshold
        pattern: 'ERROR'
        treatMissingData: notBreaching # override treatMissingData
    alarms:
      - functionErrors
      - functionThrottles
      - functionInvocations
      - functionDuration
      - CustomMetricFilter



resources:
    
  Resources:

    ## Specifying the CloudFront Origin Access Identity CDN Distribution to server your Web Application
    FileApiCloudFrontOriginAccessIdentity:
      Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
      Properties:
        CloudFrontOriginAccessIdentityConfig:
          Comment: "Cloudfront Origin identity for ${env:FILEAPIS3BUCKET}"

    ## Specifying the CloudFront Distribution to server your Web Application
    FileApiCloudFrontDistribution:
      DependsOn: [FileApiCloudFrontSecurityHeaderResponse]
      Type: AWS::CloudFront::Distribution
      Properties:
        DistributionConfig:
          Aliases:
            - ${env:FILEAPIS3BUCKET}
          Comment: "Cloudfront Origin identity for ${env:FILEAPIS3BUCKET}"
          DefaultCacheBehavior:
            AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
            - PUT
            - POST
            - PATCH
            - DELETE
            CachedMethods:
            - GET
            - HEAD
            - OPTIONS
            Compress: true
            DefaultTTL: 3600 # in seconds
            ForwardedValues:
              Cookies:
                Forward: none
              QueryString: false
            MaxTTL: 86400 # in seconds
            MinTTL: 60 # in seconds
            TargetOriginId: ${env:FILEAPIS3BUCKET}
            ViewerProtocolPolicy: 'redirect-to-https'
            ResponseHeadersPolicyId: !Ref FileApiCloudFrontSecurityHeaderResponse
          # DefaultRootObject: index.html
          CustomErrorResponses:
            - ErrorCode: 404
              ResponseCode: 200
              ResponsePagePath: /index.html #TBD
            - ErrorCode: 403
              ResponseCode: 200
              ResponsePagePath: /index.html #TBD
          Enabled: true
          HttpVersion: http2
          IPV6Enabled: true
          Origins:
          - DomainName: '${env:FILEAPIS3BUCKET}.s3.amazonaws.com'
            Id: ${env:FILEAPIS3BUCKET}
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${FileApiCloudFrontOriginAccessIdentity}'
          PriceClass: 'PriceClass_All'
          ViewerCertificate:
            AcmCertificateArn: '${env:CDNSharedACMCertificateArn}'
            MinimumProtocolVersion: 'TLSv1.2_2021'  # OLD VALUE:'TLSv1.2_2019'
            SslSupportMethod: 'sni-only'


    # Specifying the CloudFront Distribution Security Response Header
    FileApiCloudFrontSecurityHeaderResponse:
      Type: AWS::CloudFront::ResponseHeadersPolicy
      Properties: 
        ResponseHeadersPolicyConfig: 
          Comment: "practera-security-headers-for-${env:FILEAPIS3BUCKET}"
          Name: "practera-security-headers-for-FileApi"
          SecurityHeadersConfig: 
            StrictTransportSecurity: 
              AccessControlMaxAgeSec: 31536000
              IncludeSubdomains: true
              Override: true
              Preload: true
            # ContentSecurityPolicy: 
            #   ContentSecurityPolicy: "frame-ancestors 'self' https://*.practera.com;"
            #   Override: true
            # ContentTypeOptions: 
            #   Override: true
            # ReferrerPolicy: 
            #   ReferrerPolicy: "strict-origin-when-cross-origin"
            #   Override: true
            # XSSProtection: 
            #   ModeBlock: true
            #   Override: true
            #   Protection: true
          # CustomHeadersConfig: 
          #   Items: 
          #     - 
          #       Header: "Server"
          #       Override: true
          #       Value: "Server"
          #     -  
          #       Header: "Permissions-Policy"
          #       Override: true
          #       Value: "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()"

# Security Header Response CFN END


    ## Specifying the policies to make sure all files inside the Bucket are avaialble to CloudFront
    FileApiS3BucketPolicy:
      DependsOn: [FileApiCloudFrontOriginAccessIdentity]
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: ${env:FILEAPIS3BUCKET}
        PolicyDocument:
          Statement:
          - Sid: S3-Bucket-Accesible via CDN OAI only
            Action: 's3:*'
            Effect: Allow
            Resource: 'arn:aws:s3:::${env:FILEAPIS3BUCKET}/*'
            Principal:
              CanonicalUser: !GetAtt FileApiCloudFrontOriginAccessIdentity.S3CanonicalUserId 
          - Sid: AllowSSLRequestsOnly # AWS Foundational Security Best Practices v1.0.0 S3.5
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
            - 'arn:aws:s3:::${env:FILEAPIS3BUCKET}'
            - 'arn:aws:s3:::${env:FILEAPIS3BUCKET}/*'
            Condition:
              Bool:
                'aws:SecureTransport': false
          - Sid: S3-Bucket-Accesible to filestack uploads
            Action: 
              - 's3:PutObjectAcl'
              - 's3:PutObject'
              - 's3:GetObject'
            Effect: Allow
            Resource: 
            - 'arn:aws:s3:::${env:FILEAPIS3BUCKET}'
            - 'arn:aws:s3:::${env:FILEAPIS3BUCKET}/*'
            Principal:
              AWS: 
                - 'arn:aws:iam::${env:FILESTACKAWSID}:user/filestack-uploads'
          # - Sid: S3-Bucket-Accesible to main practera account
          #   Action: 
          #     - 's3:PutObjectAcl'
          #     - 's3:PutObject'
          #     - 's3:GetObject'
          #   Effect: Allow
          #   Resource: 
          #   - 'arn:aws:s3:::${env:FILEAPIS3BUCKET}'
          #   - 'arn:aws:s3:::${env:FILEAPIS3BUCKET}/*'
          #   Principal:
          #     AWS: 
          #       - 'arn:aws:iam::${env:P1STACKAWSID}:user/practera'


    Route53RecordV2:
      Type: 'AWS::Route53::RecordSetGroup'
      Properties:
        HostedZoneId: {'Fn::ImportValue': '${env:STACK_NAME}-PublicHostedZoneId-${env:ENV}'}
        RecordSets:
        - Name: ${env:FILEAPIS3BUCKET}
          Type: CNAME
          TTL: '3200'
          ResourceRecords:
            - !GetAtt 'FileApiCloudFrontDistribution.DomainName'

    
  Outputs:
    FileApiCloudFrontDistributionOutput:
      Value:
        'Fn::GetAtt': [ FileApiCloudFrontDistribution, DomainName ]
      Export:
        Name: ${env:STACK_NAME}-FileApiCloudFrontDistributionOutput-${env:ENV}
    

    FileApiS3BucketURL:
      Description: 'URL to static website.'
      Value: https://${env:FILEAPIS3BUCKET}
      Export:
        Name: ${env:STACK_NAME}-FileApiS3BucketURL-${env:ENV}

    FileApiCloudFrontDistributionID:
      Description: 'CloudFront distribution id'
      Value: !Ref FileApiCloudFrontDistribution
      Export:
        Name: ${env:STACK_NAME}-FileApiCloudFrontDistributionID-${env:ENV}


    FileApiS3Bucket:
      Description: 'Name of the S3 bucket storing the static files.'
      Value: '${env:FILEAPIS3BUCKET}'
      Export:
        Name: ${env:STACK_NAME}-FileApiS3Bucket-${env:ENV}