serverless.yml

frameworkVersion: '>=1.46.1'

service:
  name: ${self:provider.application}

plugins:
  - serverless-plugin-typescript
  - serverless-dotenv-plugin

custom:
  dotenv:
    include:
      - GETSTREAM_KEY
      - GETSTREAM_APPID


provider:
  application: ${env:APPLICATION, "beenion"}
  stage: ${env:STAGE, "dev"}
  name: aws
  region: ${env:AWS_REGION, us-east-1}
  runtime: nodejs12.x
  timeout: 30
  versionFunctions: false
  variableSyntax: "\\${((?!AWS)[ ~:a-zA-Z0-9._'\",\\-\\/\\(\\)]+?)}"

  environment:
    EVENTSTORE_TABLE: !Ref EventStoreTable
    LINKS_TABLE: !Ref LinksTable
    GETSTREAM_QUEUE: !Ref GetStreamQueue
    COSMOS_QUEUE: !Ref CosmosQueue
    # Create this key in SSM with getstream.io secret
    GETSTREAM_SECRET: ${ssm:/${self:provider.application}/${self:provider.stage}/getstreamSecret}

  iamRoleStatements:
    # Dynamo Event Store Permissions
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:GetItem
        - dynamodb:PutItem
      Resource:
        - !GetAtt EventStoreTable.Arn
    # Dynamp LinkTable Permissions
    # Dynamo Caches
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:GetItem
        - dynamodb:PutItem
      Resource:
        - !GetAtt LinksTable.Arn
    # SQS Same Account
    # Required by dynamo stream handler
    - Effect: Allow
      Action:
        - sqs:*
      Resource:
        # Sub style prevents circular reference
        - !Sub arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:*

    - Effect: Allow
      Action:
        - cognito-idp:ListUsers
        - cognito-idp:AdminGetUser
      Resource:
        # Sub style prevents circular reference
        - !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*

functions:

  # Invoke via lambda api from sqspoller.ts
  ec2ToEventHandlers: #should be renamed to lambdaToEventHandlers
    handler: infrastructure/eventHandlers/lambda/lambdaToEventHandlers.handler

  dynamoStreamToSQS:
    handler: infrastructure/eventHandlers/dynamodbStream/dynamoStreamToSQS.handler
    description: 'Streams Dynamo EventStore Events to SQS FIFO queues'
    events:
      - stream:
          type: dynamodb
          startingPosition: LATEST
          batchSize: 1 # TODO: Lambda Handler only looks at first Record
          enabled: true
          arn: !GetAtt EventStoreTable.StreamArn

  # Query Handlers
  getFeed:
    handler: ports/http-query/getFeed.handler
    environment:
      POOL_ID: !Ref CognitoUserPoolBeenion
    events:
      - http:
          cors: true
          path: feed
          method: get
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: !Ref CognitoAuthorizer


  getFeedPerUser:
    handler: ports/http-query/getFeedPerUser.handler
    environment:
      POOL_ID: !Ref CognitoUserPoolBeenion
    events:
      - http:
          cors: true
          path: userfeed/{username}
          method: get
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: !Ref CognitoAuthorizer

  getLinkRatings:
    handler: ports/http-query/getLinkRatings.handler
    environment:
      POOL_ID: !Ref CognitoUserPoolBeenion
    events:
      - http:
          cors: true
          path: linkratings
          method: get
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: !Ref CognitoAuthorizer

  checkLast:
    handler: ports/http-query/checkLast.handler
    environment:
      POOL_ID: !Ref CognitoUserPoolBeenion
    events:
      - http:
          cors: true
          path: checklast
          method: get
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: !Ref CognitoAuthorizer

  listUsers:
    handler: ports/http-query/listUsers.handler
    environment:
      POOL_ID: !Ref CognitoUserPoolBeenion
    events:
      - http:
          cors: true
          path: listUsers
          method: get
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: !Ref CognitoAuthorizer

  getUserData:
    handler: ports/http-query/getUserData.handler
    environment:
      POOL_ID: !Ref CognitoUserPoolBeenion
    events:
      - http:
          cors: true
          path: getUserData
          method: get
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: !Ref CognitoAuthorizer

  # Command  Handlers
  linkCommand:
    handler: ports/http-command/linkCommand.handler
    environment:
      POOL_ID: !Ref CognitoUserPoolBeenion
    events:
      - http:
          cors: true
          path: linkCommand
          method: post
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: !Ref CognitoAuthorizer

  userCommand:
    handler: ports/http-command/userCommand.handler
    environment:
      POOL_ID: !Ref CognitoUserPoolBeenion
    events:
      - http:
          cors: true
          path: userCommand
          method: post
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: !Ref CognitoAuthorizer

  postConfirm:
    handler: infrastructure/authentication/postConfirm.handler
    description: Triggers follow user commandHandler on signup
    timeout: 5 # Maximum
    events:
      - cognitoUserPool:
          pool: Beenion
          trigger: PostConfirmation
resources:
  Resources:

    CognitoAuthorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        AuthorizerResultTtlInSeconds: 300
        IdentitySource: method.request.header.Authorization
        Name: CognitoAuthorizer
        RestApiId: !Ref ApiGatewayRestApi
        Type: COGNITO_USER_POOLS
        ProviderARNs:
          - !GetAtt CognitoUserPoolBeenion.Arn

    ###################################
    CognitoUserPoolBeenion:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:provider.application}-${self:provider.stage}
        AutoVerifiedAttributes:
          - email
        UsernameAttributes:
          - email
        Schema:
          - AttributeDataType: String
            DeveloperOnlyAttribute: false
            Mutable: true
            Name: email
            Required: true

    UserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ExplicitAuthFlows:
          - ADMIN_NO_SRP_AUTH
          - USER_PASSWORD_AUTH
        GenerateSecret: false
        UserPoolId: !Ref CognitoUserPoolBeenion
        RefreshTokenValidity: 7


    GatewayResponseDefault4XX:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
          gatewayresponse.header.Access-Control-Allow-Methods: "'GET,OPTIONS'"
        ResponseType: DEFAULT_4XX
        RestApiId: !Ref ApiGatewayRestApi

    EventStoreTable:
      Type: AWS::DynamoDB::Table
      Properties:
        AttributeDefinitions:
          - AttributeName: streamId
            AttributeType: S
          - AttributeName: version
            AttributeType: N
          - AttributeName: active
            AttributeType: N
          - AttributeName: committedAt
            AttributeType: N
        KeySchema:
          - AttributeName: streamId
            KeyType: HASH
          - AttributeName: version
            KeyType: RANGE
        GlobalSecondaryIndexes:
          - IndexName: active-committedAt-index
            KeySchema:
              - AttributeName: active
                KeyType: HASH
              - AttributeName: committedAt
                KeyType: RANGE
            Projection:
              ProjectionType: ALL
        BillingMode: PAY_PER_REQUEST
        TimeToLiveSpecification:
          AttributeName: ttl
          Enabled: true
        StreamSpecification:
          StreamViewType: NEW_IMAGE

    LinksTable:
      Type: AWS::DynamoDB::Table
      Properties:
        AttributeDefinitions:
          - AttributeName: linkId
            AttributeType: S
        KeySchema:
          - AttributeName: linkId
            KeyType: HASH
        BillingMode: PAY_PER_REQUEST
        TimeToLiveSpecification:
          AttributeName: ttl
          Enabled: true

    CosmosQueue:
      Type: AWS::SQS::Queue
      Properties:
        ContentBasedDeduplication: true
        FifoQueue: true

    GetStreamQueue:
      Type: AWS::SQS::Queue
      Properties:
        ContentBasedDeduplication: true
        FifoQueue: true

    QueuePolicy:
      Type: AWS::SQS::QueuePolicy
      Properties:
        Queues:
          - !Ref CosmosQueue
          - !Ref GetStreamQueue
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                AWS: !Sub ${AWS::AccountId}
              Action:
                - sqs:SendMessage
              Resource:
                - !GetAtt CosmosQueue.Arn
            - Effect: Allow
              Principal:
                AWS: !Sub ${AWS::AccountId}
              Action:
                - sqs:SendMessage
              Resource:
                - !GetAtt GetStreamQueue.Arn