serverless.yml

service: serverless-example

plugins:
  - serverless-webpack

custom:
  webpack:
    includeModules:
      forceExclude:
        - aws-sdk
    packager: yarn
  functionPrefix: serverless-example-${ self:provider.stage }
  cognitoUserPoolId: ap-northeast-1_XXXXXXXXX
  cognitoUserPoolArn: arn:aws:cognito-idp:ap-northeast-1:XXXXXXXXX:userpool/${ self:custom.cognitoUserPoolId }
  RDSVPC:
    securityGroupIds:
      - sg-xxxxxxxx
    subnetIds:
      - subnet-xxxxxxxx
      - subnet-xxxxxxxx
  iamLambdaCloudWatchRoleAction:
    - logs:CreateLogGroup
    - logs:CreateLogStream
    - logs:PutLogEvents
  authorizer:
    name: authorizer
    type: TOKEN
    identitySource: method.request.header.Authorization
    identityValidationExpression: Bearer (.*)

provider:
  name: aws
  runtime: nodejs8.10
  region: ap-northeast-1
  stage: ${ opt:stage, 'dev' }
  apiKeys:
    - ServerlessExample
  memorySize: 128
  iamRoleStatements:
    - Effect: Allow
      Action:
        - iot:Connect
        - iot:Publish
      Resource:
        - '*'
  environment:
    IOT_ENDPOINT: xxxxxxxxxxxxxx-ats.iot.ap-northeast-1.amazonaws.com

package:
  individually: true
  exclude:
    - .git/**

functions:
  authorizer:
    handler: functions/authorizer.handler
    name: ${ self:custom.functionPrefix }-authorizer
    description: Authorizer

  hello:
    handler: functions/hello.handler
    name: ${ self:custom.functionPrefix }-hello
    description: Hello
    vpc: ${ self:custom.RDSVPC }
    events:
      - http:
          path: hello
          method: get
          private: true
          authorizer: ${ self:custom.authorizer }

  cognitoSignIn:
    handler: functions/cognitoSignIn.handler
    name: ${ self:custom.functionPrefix }-cognito-sign-in
    description: Authorize token
    role: IamRoleLambdaCognitoAdminInitiateAuth
    events:
      - http:
          path: signin
          method: post
          private: true

  cognitoAuthHello:
    handler: functions/cognitoAuthHello.handler
    name: ${ self:custom.functionPrefix }-cognito-auth-hello
    description: Cognito Auth Hello
    events:
      - http:
          path: cognito-hello
          method: get
          private: true
          authorizer:
            arn: ${ self:custom.cognitoUserPoolArn }

  iotPublishData:
    handler: functions/iotPublishData.handler
    name: ${ self:custom.functionPrefix }-iot-publish-data
    description: IoT publish data.


resources:
  Resources:
    ApiGatewayRestApi:
      Type: AWS::ApiGateway::RestApi
      Properties:
        Name: ${ self:service }-${ self:provider.stage }
        Description: ServerlessExample
    IamRoleLambdaCognitoAdminInitiateAuth:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${ self:service }-${ self:provider.stage }-cognito-admin-initiate-auth
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        Policies:
          - PolicyName: AmazonCognitoAdminInitiateAuth
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - cognito-idp:AdminInitiateAuth
                  Resource: ${ self:custom.cognitoUserPoolArn }
                - Effect: Allow
                  Action: ${ self:custom.iamLambdaCloudWatchRoleAction }
                  Resource:
                  - 'Fn::Join':
                    - ':'
                    -
                      - 'arn:aws:logs'
                      - Ref: 'AWS::Region'
                      - Ref: 'AWS::AccountId'