-
Notifications
You must be signed in to change notification settings - Fork 10
/
app.yml
85 lines (81 loc) · 2.49 KB
/
app.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Lambda function to login and sign CloudFront cookies
Parameters:
websiteDomain:
Description: "Website domain"
Type: "String"
sessionDuration:
Description: "Number of seconds the user has access to the file"
Type: "Number"
redirectOnSuccess:
Description: "Whether to send a HTTP 200 or 302 on successful login (boolean)"
Type: "String"
kmsKeyId:
Description: "ID of the KMS key used to encrypt other parameters"
Type: "String"
NoEcho: true
cloudFrontKeypairId:
Description: "CloudFront keypair ID encrypted with KMS"
Type: "String"
Default: ""
NoEcho: true
encryptedCloudFrontPrivateKey:
Description: "CloudFront private key encrypted with KMS"
Type: "String"
NoEcho: true
encryptedHtpasswd:
Description: "htpasswd file contents encrypted with KMS"
Type: "String"
NoEcho: true
Resources:
#
# Lambda function definition
#
LoginFunction:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
Runtime: nodejs8.10
CodeUri: dist/lambda.zip
Role: !GetAtt LambdaRole.Arn
Environment:
Variables:
WEBSITE_DOMAIN: !Ref websiteDomain
SESSION_DURATION: !Ref sessionDuration
REDIRECT_ON_SUCCESS: !Ref redirectOnSuccess
CLOUDFRONT_KEYPAIR_ID: !Ref cloudFrontKeypairId
ENCRYPTED_CLOUDFRONT_PRIVATE_KEY: !Ref encryptedCloudFrontPrivateKey
ENCRYPTED_HTPASSWD: !Ref encryptedHtpasswd
Events:
GetResource:
Type: Api
Properties:
Path: /login
Method: post
#
# IAM role so the Lambda can log (CloudWatch) and decrypt secrets (KMS)
#
LambdaRole:
Type: "AWS::IAM::Role"
Properties:
Path: "/"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AllowLambdaServiceToAssumeRole"
Effect: "Allow"
Action: [ "sts:AssumeRole" ]
Principal:
Service: [ "lambda.amazonaws.com" ]
Policies:
- PolicyName: KmsDecrypt
PolicyDocument:
Statement:
- Effect: "Allow"
Resource: !Sub
- "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${id}"
- id: !Ref kmsKeyId
Action: [ "kms:Decrypt" ]