template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Noteworthy

Parameters:

  CognitoDomain:
    Type: String
    Description: A name for the Cognito Domain

  S3Bucket:
    Type: String
    Description: Parameter to specify the S3 Bucket to use for deployment

  FrontendDeployment:
    Default: remote
    Type: String
    AllowedValues:
      - local
      - remote
    ConstraintDescription: Must specify 'local' or 'remote' for FrontendDeployment.

Conditions:
  DeployCloudFront: !Equals
    - !Ref FrontendDeployment
    - remote

Globals:
  Function:
    Timeout: 20

  Api:
    Cors:
      AllowMethods: "'GET,POST,PUT,DELETE,OPTIONS'"
      AllowHeaders: "'content-type,authorization'"
      AllowOrigin: "'*'"
    Auth:
      DefaultAuthorizer: CognitoAuthorizer
      AddDefaultAuthorizerToCorsPreflight: false
      Authorizers:
        CognitoAuthorizer:
          UserPoolArn: !GetAtt UserPool.Arn
    BinaryMediaTypes:
      - 'multipart/form-data'

Resources:

  #-----------------------------------------------------
  # Cognito Configuration for user management
  #-----------------------------------------------------

  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      UsernameAttributes:
        - email
      UsernameConfiguration:
        CaseSensitive: false
      AutoVerifiedAttributes:
        - email
      UserPoolName: !Sub ${CognitoDomain}-user-pool
      Schema:
        - Name: email
          AttributeDataType: String
          Mutable: false
          Required: true
        - Name: name
          AttributeDataType: String
          Mutable: true
          Required: true

  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref UserPool
      AllowedOAuthFlowsUserPoolClient: true
      CallbackURLs:
        - http://localhost:8000
        - !If
            - DeployCloudFront
            - !Sub "https://${CloudfrontDistribution.DomainName}"
            - !Ref "AWS::NoValue"
      LogoutURLs:
        - http://localhost:8000
        - !If
            - DeployCloudFront
            - !Sub "https://${CloudfrontDistribution.DomainName}"
            - !Ref "AWS::NoValue"
      AllowedOAuthFlows:
        - code
        - implicit
      AllowedOAuthScopes:
        - phone
        - email
        - openid
        - profile
      SupportedIdentityProviders:
        - COGNITO
      PreventUserExistenceErrors: ENABLED

  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Ref CognitoDomain
      UserPoolId: !Ref UserPool


  #-----------------------------------------------------
  # CloudFront Configuration
  #-----------------------------------------------------

  CloudFrontOriginAccessIdentity:
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
    Condition: DeployCloudFront
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: 'Serverless frontend website'

  CloudfrontDistribution:
    Type: "AWS::CloudFront::Distribution"
    Condition: DeployCloudFront
    Properties:
      DistributionConfig:
        Comment: "Cloudfront distribution for serverless website"
        DefaultRootObject: "index.html"
        Enabled: true
        HttpVersion: http2
        PriceClass: PriceClass_100
        # List of origins that Cloudfront will connect to
        Origins:
          - Id: s3-website
            DomainName: !Sub "${S3Bucket}.s3.us-east-2.amazonaws.com"
            OriginPath: /static
            S3OriginConfig:
              # Restricting Bucket access through an origin access identity
              OriginAccessIdentity:
                Fn::Sub: 'origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}'
        # To connect the CDN to the origins you need to specify behaviours
        DefaultCacheBehavior:
          # Compress resources automatically ( gzip )
          Compress: 'true'
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          ForwardedValues:
            QueryString: false
          TargetOriginId: s3-website
          ViewerProtocolPolicy : redirect-to-https
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad

  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: DeployCloudFront
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        # Restricting access to cloudfront only.
        Statement:
          -
            Effect: Allow
            Action: 's3:GetObject'
            Resource:
              - !Sub "arn:aws:s3:::${S3Bucket}/*"
            Principal:
              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginAccessIdentity}"


  #-----------------------------------------------------
  # Role/Permissions/Policy Configuration
  #-----------------------------------------------------

  AccessRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaRole'
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: 'WriteToCloudWatch'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
                - cloudwatch:PutMetricData
              Resource: '*'
        - PolicyName: 'AccessNotesTable'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action: dynamodb:*
              Resource: !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/notes"
        - PolicyName: 'AccessTranscriptionsTable'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: dynamodb:*
                Resource: !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/transcriptions"
        - PolicyName: 'AccessTranscribe'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action: transcribe:*
              Resource: '*'
        - PolicyName: 'AccessS3BucketTranscribeOutputs'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:*
                Resource: '*'


  #-----------------------------------------------------
  # Lambda Functions Configuration
  #-----------------------------------------------------

  GetNotesLambda:
    Type: AWS::Serverless::Function
    Properties:
      Role: !GetAtt AccessRole.Arn
      CodeUri: noteworthyServiceLambda
      Handler: com.nashss.se.noteworthy.lambda.GetNotesLambda::handleRequest
      Runtime: java11
      Architectures:
        - x86_64
      MemorySize: 512
      Environment:
        Variables:
          JAVA_TOOL_OPTIONS: -XX:+TieredCompilation -XX:TieredStopAtLevel=1
      Events:
        Noteworthy:
          Type: Api
          Properties:
            Path: /notes
            Method: get

  CreateNoteLambda:
    Type: AWS::Serverless::Function
    Properties:
      Role: !GetAtt AccessRole.Arn
      CodeUri: noteworthyServiceLambda
      Handler: com.nashss.se.noteworthy.lambda.CreateNoteLambda::handleRequest
      Runtime: java11
      Architectures:
        - x86_64
      MemorySize: 512
      Environment:
        Variables:
          JAVA_TOOL_OPTIONS: -XX:+TieredCompilation -XX:TieredStopAtLevel=1
      Events:
        Noteworthy:
          Type: Api
          Properties:
            Path: /notes
            Method: post

  UpdateNoteLambda:
    Type: AWS::Serverless::Function
    Properties:
      Role: !GetAtt AccessRole.Arn
      CodeUri: noteworthyServiceLambda
      Handler: com.nashss.se.noteworthy.lambda.UpdateNoteLambda::handleRequest
      Runtime: java11
      Architectures:
        - x86_64
      MemorySize: 512
      Environment:
        Variables:
          JAVA_TOOL_OPTIONS: -XX:+TieredCompilation -XX:TieredStopAtLevel=1
      Events:
        Noteworthy:
          Type: Api
          Properties:
            Path: /notes
            Method: put

  DeleteNoteLambda:
    Type: AWS::Serverless::Function
    Properties:
      Role: !GetAtt AccessRole.Arn
      CodeUri: noteworthyServiceLambda
      Handler: com.nashss.se.noteworthy.lambda.DeleteNoteLambda::handleRequest
      Runtime: java11
      Architectures:
        - x86_64
      MemorySize: 512
      Environment:
        Variables:
          JAVA_TOOL_OPTIONS: -XX:+TieredCompilation -XX:TieredStopAtLevel=1
      Events:
        Noteworthy:
          Type: Api
          Properties:
            Path: /notes
            Method: delete

  TranscribeAudioLambda:
    Type: AWS::Serverless::Function
    Properties:
      Role: !GetAtt AccessRole.Arn
      CodeUri: noteworthyServiceLambda
      Handler: com.nashss.se.noteworthy.lambda.TranscribeAudioLambda::handleRequest
      Runtime: java11
      Architectures:
        - x86_64
      MemorySize: 512
      Timeout: 300
      Environment:
        Variables:
          JAVA_TOOL_OPTIONS: -XX:+TieredCompilation -XX:TieredStopAtLevel=1
      Events:
        Noteworthy:
          Type: Api
          Properties:
            Path: /notes/voice
            Method: post

  #-----------------------------------------------------
  # S3 Bucket for Transcribe Outputs
  #-----------------------------------------------------

  TranscribeOutputBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: "nss-s3-c04-u7-noteworthy-cito.mcclure-transcribe-output"


  #-----------------------------------------------------
  # DynamoDB Configuration
  #-----------------------------------------------------

  NotesTable:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: "email"
          AttributeType: "S"
        - AttributeName: "dateCreated"
          AttributeType: "S"
      KeySchema:
        - AttributeName: "email"
          KeyType: "HASH"
        - AttributeName: "dateCreated"
          KeyType: "RANGE"
      BillingMode: "PAY_PER_REQUEST"
      TableName: "notes"

  TranscriptionsTable:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: "transcriptionId"
          AttributeType: "S"
      KeySchema:
        - AttributeName: "transcriptionId"
          KeyType: "HASH"
      BillingMode: "PAY_PER_REQUEST"
      TableName: "transcriptions"

#-----------------------------------------------------
# The outputs defined below will be printed
#  to the screen after a successful deploy
#-----------------------------------------------------

Outputs:

  CognitoUserPoolId:
    Value: !Ref UserPool
    Description: "The Cognito User Pool ID (COGNITO_USER_POOL_ID)."
  CognitoUserPoolClientId:
    Value: !Ref UserPoolClient
    Description: "The Cognito User Pool Client ID (COGNITO_USER_POOL_CLIENT_ID)."
  CognitoDomain:
    Value: !Sub "${CognitoDomain}.auth.us-east-2.amazoncognito.com"
    Description: "The Cognito Domain (COGNITO_DOMAIN)."

  ApiBaseUrl:
    Description: "API Gateway endpoint base URL for Prod stage (API_BASE_URL)."
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"

  CognitoRedirectSignin:
    Description: "The URL of the deployed front-end application (COGNITO_REDIRECT_SIGNIN)."
    Value: !Sub "https://${CloudfrontDistribution.DomainName}"
    Condition: DeployCloudFront
  CognitoRedirectSignout:
    Description: "The URL of the deployed front-end application (COGNITO_REDIRECT_SIGNOUT)."
    Value: !Sub "https://${CloudfrontDistribution.DomainName}"
    Condition: DeployCloudFront