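---
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  FastAPI Serverless
  Sample SAM Template for FastAPI

Parameters:
  EnvType:
    Type: String
    Description: Environment type.
    Default: dev
    AllowedValues: [dev, prod]
    ConstraintDescription: Must specify dev or prod.
  DomainName:
    Type: String
    Description: API Domain name. Leave empty to skip the custom-domain resources.
    Default: ''
  HostedZoneIdValue:
    # We cannot use an optional parameter in CloudFormation for AWS-specific
    # parameter types, so this stays a plain String instead of
    # Type: AWS::Route53::HostedZone::Id
    Type: String
    Description: Route 53 Hosted zone ID value. Leave empty to create a new zone.
    Default: ''
  AdminsGroupName:
    Type: String
    Description: Cognito group name for Administrators
    Default: admins

Conditions:
  # A custom domain is configured only when DomainName is non-empty.
  UseDomainName: !Not [!Equals [!Ref DomainName, '']]
  # Reuse the caller's hosted zone when an ID was supplied.
  UseExistingHostedZone: !Not [!Equals [!Ref HostedZoneIdValue, '']]
  NotUseExistingHostedZone: !Not [!Condition UseExistingHostedZone]
  # Create a zone only when a domain is requested and no zone ID was given.
  CreateNewHostedZone: !And
    - !Condition UseDomainName
    - !Condition NotUseExistingHostedZone

Resources:
  Route53HostedZone:
    Type: AWS::Route53::HostedZone
    Condition: CreateNewHostedZone
    Properties:
      Name: !Ref DomainName

  ApiCertificateDomain:
    Type: AWS::CertificateManager::Certificate
    Condition: UseDomainName
    Properties:
      DomainName: !Sub '*.${DomainName}'
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          # Validation records go into whichever zone is in use.
          HostedZoneId: !If [UseExistingHostedZone, !Ref HostedZoneIdValue, !Ref Route53HostedZone]
      ValidationMethod: DNS
      SubjectAlternativeNames:
        - !Ref DomainName

  ApiDomainName:
    Type: AWS::ApiGateway::DomainName
    Condition: UseDomainName
    Properties:
      CertificateArn: !Ref ApiCertificateDomain
      DomainName: !Ref DomainName
      # Refuse TLS 1.0/1.1 handshakes on the custom domain.
      SecurityPolicy: TLS_1_2

  ApiRoute53RecordSetGroup:
    Type: AWS::Route53::RecordSetGroup
    Condition: UseDomainName
    Properties:
      # Route 53 expects the trailing dot on zone and record names.
      HostedZoneName: !Sub '${DomainName}.'
      RecordSets:
        - Name: !Sub '${DomainName}.'
          Type: A
          AliasTarget:
            EvaluateTargetHealth: false
            HostedZoneId: !GetAtt ApiDomainName.DistributionHostedZoneId
            DNSName: !GetAtt ApiDomainName.DistributionDomainName

  ApiBasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Condition: UseDomainName
    Properties:
      RestApiId: !Ref FastAPIGateway
      DomainName: !Ref ApiDomainName
      BasePath: '(none)'
      # https://github.com/aws/serverless-application-model/issues/192
      Stage: !Ref FastAPIGateway.Stage

  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub '${AWS::StackName}-user-pool'
      AutoVerifiedAttributes:
        - email
      UsernameAttributes:
        - email
      UsernameConfiguration:
        CaseSensitive: false
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireUppercase: true
          RequireNumbers: true
          RequireSymbols: false
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      EmailConfiguration:
        EmailSendingAccount: COGNITO_DEFAULT

  CognitoUserPoolGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      GroupName: !Ref AdminsGroupName
      Description: Administrators Group
      UserPoolId: !Ref CognitoUserPool

  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: !Sub '${AWS::StackName}-app'
      # Confidential client: the secret must only live server-side (the Lambda).
      GenerateSecret: true
      UserPoolId: !Ref CognitoUserPool
      SupportedIdentityProviders:
        - COGNITO
      # Return a generic failure for unknown users (no account enumeration).
      PreventUserExistenceErrors: ENABLED
      ExplicitAuthFlows:
        - ALLOW_USER_SRP_AUTH
        # USER_PASSWORD_AUTH sends the plaintext password to the backend;
        # keep it only while the app relies on it, SRP is the preferred flow.
        - ALLOW_USER_PASSWORD_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      ReadAttributes:
        - email
        - email_verified
      WriteAttributes:
        - email

  FastAPIGateway:
    Type: AWS::Serverless::Api
    Properties:
      StageName: !Ref EnvType
      OpenApiVersion: '3.0.0'
      # This property is not working properly right now, see
      # https://github.com/aws/serverless-application-model/issues/1978
      # https://github.com/aws/serverless-application-model/issues/2270
      DisableExecuteApiEndpoint: !If [UseDomainName, true, false]
      Auth:
        # Applies only to events that do not override it; the single ApiEvent
        # below sets Authorizer: NONE, so the app itself validates tokens.
        DefaultAuthorizer: CognitoAuthorizer
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !GetAtt CognitoUserPool.Arn
            Identity:  # OPTIONAL
              Header: Authorization  # OPTIONAL; Default: 'Authorization'

  FastAPILambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: '/'
      Policies:
        - PolicyName: lambda-cloudwatch-logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Least privilege: only the three actions Lambda needs to write
              # its own logs, scoped to this stack's function log group.
              # The resource pattern relies on SAM's auto-generated function
              # name (<StackName>-FastAPIApp-<suffix>); widen it to
              # /aws/lambda/* if a FunctionName is ever set on FastAPIApp.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${AWS::StackName}-FastAPIApp-*'

  FastAPIApp:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.9
      # API Gateway's default REST integration timeout (29 s) is shorter than
      # this; longer requests return 504 while the function keeps running.
      Timeout: 300
      CodeUri: ./
      Handler: app.main.handler
      Description: fastAPI AWS lambda example
      Events:
        ApiEvent:
          Type: Api
          Properties:
            RestApiId: !Ref FastAPIGateway
            Path: /{proxy+}
            Method: ANY
            Auth:
              # FastAPI app is responsible for auth, not AWS: every route is
              # reachable unauthenticated at the gateway, so the app must
              # verify Cognito tokens using the pool/client IDs passed below.
              Authorizer: NONE
      Environment:
        Variables:
          USERPOOL_ID: !Ref CognitoUserPool
          APP_CLIENT_ID: !Ref UserPoolClient
      Role: !GetAtt FastAPILambdaExecutionRole.Arn

Outputs:
  FastAPI:
    Description: API Gateway endpoint URL
    Value: !Sub 'https://${FastAPIGateway}.execute-api.${AWS::Region}.amazonaws.com/${EnvType}'
  CognitoUserPoolId:
    Description: Cognito User Pool ID
    Value: !Ref CognitoUserPool
  CognitoAppClientId:
    Description: Cognito App Client ID
    Value: !Ref UserPoolClient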