diff --git a/github-app.cjs b/config.cjs
similarity index 83%
rename from github-app.cjs
rename to config.cjs
index 2c97f4f..7f0b1fe 100644
--- a/github-app.cjs
+++ b/config.cjs
@@ -1,7 +1,8 @@
module.exports.GH_APP_URL = process.env[`GH_APP_URL`];
module.exports.GH_APP_ID = process.env[`GH_APP_ID`];
module.exports.GH_CLIENT_ID = process.env[`GH_CLIENT_ID`].toUpperCase();
-module.exports.GH_APP_SECRETS = JSON.stringify({
+
+module.exports.SECRETS = JSON.stringify({
[`GITHUB_${module.exports.GH_CLIENT_ID.replace(".", "_")}`]: process.env[`GH_CLIENT_SECRET`],
[`GITHUB_CLIENT_ID_${process.env[`GH_APP_ID`]}`]: process.env[`GH_CLIENT_ID`],
@@ -11,3 +12,6 @@ module.exports.GH_APP_SECRETS = JSON.stringify({
[`GITHUB_WEBHOOK_SECRET_${process.env[`GH_APP_ID`]}`]: process.env[`GH_WEBHOOK_SECRET`],
});

+
+module.exports.AUTH_VERSION = 4;
+module.exports.GITHUB_VERSION = 22;
diff --git a/serverless.yml b/serverless.yml
index 52ae50f..6f7db3d 100644
--- a/serverless.yml
+++ b/serverless.yml
@@ -6,13 +6,6 @@ configValidationMode: off
disabledDeprecations:
- "*"

-# plugins:
-# - serverless-esbuild
-# - serverless-react
-# - serverless-dotenv-plugin
-# - serverless-offline-resources
-# - serverless-offline
-
provider:
name: aws
runtime: nodejs18.x
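Review bot: The renamed export `module.exports.SECRETS` has a generic name for a payload that is entirely GitHub-app material (client secret, client id, webhook secret), and serverless.yml now feeds the same value into both the `AuthSecret` and `GithubSecret` resources, so a reader of this file alone cannot tell it is shared rather than per-service. A short header comment above the export would fix that, for example `// GitHub-app credentials serialized for Secrets Manager; serverless.yml stores this same blob under both the auth and github secrets`. Since this module is evaluated by the Serverless Framework at package time, it is also worth saying in that comment that its output ends up in the generated deployment artifacts, so nothing beyond what must reach the Lambdas should be added here.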
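Review bot: `AUTH_VERSION = 4` and `GITHUB_VERSION = 22` are bare numbers with nothing indicating that they are the published versions of the two Lambda layers spliced into the layer ARNs in serverless.yml, so whoever bumps them next has no pointer to where the value is consumed or how it is validated. A comment such as `// Published versions of the nonlive-auth-sls-rest-api and nonlive-github-sls-rest-api layers; referenced from the layer ARNs in serverless.yml` would be enough. Unlike the other exports in this file these are not read from process.env, which looks deliberate (a pin rather than a deployment input), but a one-line note confirming that would stop someone "fixing" the inconsistency.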
@@ -34,17 +27,46 @@ provider:
lambda: true
environment:
STAGE: ${self:provider.stage}
- GITHUB_APP_ID: ${file(github-app.cjs):GH_APP_ID}
- GITHUB_CLIENT_IDS: ${file(github-app.cjs):GH_CLIENT_ID}
- GITHUB_APP_URL: ${file(github-app.cjs):GH_APP_URL}
+ GITHUB_APP_ID: ${file(config.cjs):GH_APP_ID}
+ GITHUB_CLIENT_ID: ${file(config.cjs):GH_CLIENT_ID}
+ GITHUB_CLIENT_IDS: ${file(config.cjs):GH_CLIENT_ID}
+ GITHUB_APP_URL: ${file(config.cjs):GH_APP_URL}
+ SELF_HOSTED: true

functions:
+ auth:
+ handler: /opt/src/lambda.handler
+ timeout: 29
+ layers:
+ - arn:aws:lambda:us-east-1:580360238192:layer:nonlive-auth-sls-rest-api:${file(config.cjs):AUTH_VERSION}
+ environment:
+ SERVICE_NAME: auth-sls-rest-api
+ SERVICE_SLUG: auth
+ events:
+ - http:
+ path: /auth
+ method: any
+ - http:
+ path: /auth
+ method: options
+ - http:
+ path: /auth/{proxy+}
+ method: any
+ - http:
+ path: /auth/{proxy+}
+ method: options
+ - stream:
+ type: dynamodb
+ batchSize: 1
+ maximumRecordAgeInSeconds: 600
+ arn:
+ Fn::GetAtt: [AuthTable, StreamArn]
github:
handler: /opt/src/lambda.handler
timeout: 29
layers:
- arn:aws:lambda:us-east-1:034541671702:layer:openssl-lambda:1
- - arn:aws:lambda:us-east-1:580360238192:layer:nonlive-github-sls-rest-api:17
+ - arn:aws:lambda:us-east-1:580360238192:layer:nonlive-github-sls-rest-api:${file(config.cjs):GITHUB_VERSION}
environment:
SERVICE_NAME: github-sls-rest-api
SERVICE_SLUG: github
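Review bot: `SELF_HOSTED: true` under `provider.environment` reaches both Lambdas as the string `"true"`, because Lambda environment values are always strings; the layer code that reads it is not visible here, so confirm it compares against the string rather than expecting a boolean, and consider writing it as `SELF_HOSTED: "true"` so the YAML matches what the runtime sees. The new `GITHUB_CLIENT_ID` carries exactly the same value as the existing `GITHUB_CLIENT_IDS`, and since `provider.environment` is inherited by both functions, a comment naming which service reads which key (`# GITHUB_CLIENT_ID: read by the auth layer; GITHUB_CLIENT_IDS: read by the github layer` — if that is the reason) would keep a later cleanup from dropping the one still in use. The `auth` function's DynamoDB stream event mirrors the github one, so records older than `maximumRecordAgeInSeconds: 600` that keep failing are discarded with no failure destination; that may be acceptable for an auth table with a TTL, but it deserves a note next to the event.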
@@ -61,24 +83,18 @@ functions:
- http:
path: /github/{proxy+}
method: options
- # - sns:
- # arn: ${file(serverless.config.js):topic-arn}
- # - sns:
- # arn: ${file(serverless.config.js):auth-topic-arn}
- # - sns:
- # arn: arn:aws:sns:us-east-1:580360238192:cf-hook
+ - sns:
+ arn: !Ref AuthTopic
+ topicName: auth-sls-rest-api-${self:provider.stage}
+ - sns:
+ arn: !Ref GithubTopic
+ topicName: github-sls-rest-api-${self:provider.stage}
- stream:
type: dynamodb
batchSize: 1
maximumRecordAgeInSeconds: 600
arn:
Fn::GetAtt: [GithubTable, StreamArn]
- # - stream:
- # type: kinesis
- # batchSize: 1
- # maximumRecordAgeInSeconds: 86400
- # arn:
- # Fn::GetAtt: [Stream, Arn]

resources:
Resources:
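Review bot: The two new `sns` events use the short-form tag `arn: !Ref AuthTopic` while the unchanged `stream` event a few lines below spells out `Fn::GetAtt: [GithubTable, StreamArn]` in long form; pick one intrinsic-function style for the events list (`arn: { Ref: AuthTopic }` if the long form is the house style) so the file does not mix both. The github function now also subscribes to `AuthTopic`, and without a `filter` on that event it receives every message published to the auth topic; if only some message types are meant for it, a subscription filter policy on the event narrows what this function has to handle. The enclosing `events:` list starts above this hunk.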
@@ -91,21 +107,61 @@ resources:
AliasName: alias/${self:provider.stage}
TargetKeyId: !Ref KmsKey

+ AuthSecret:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Name: lambda/${self:provider.stage}/auth-sls-rest-api
+ SecretString: ${file(config.cjs):SECRETS}
+
GithubSecret:
Type: AWS::SecretsManager::Secret
Properties:
Name: lambda/${self:provider.stage}/github-sls-rest-api
- SecretString: ${file(github-app.cjs):GH_APP_SECRETS}
+ SecretString: ${file(config.cjs):SECRETS}
+
+ AuthTopic:
+ Type: AWS::SNS::Topic
+ Properties:
+ TopicName: auth-sls-rest-api-${self:provider.stage}

- # Topic:
- # Type: AWS::SNS::Topic
- # Properties:
- # TopicName: ${self:service}-${self:provider.stage}
+ GithubTopic:
+ Type: AWS::SNS::Topic
+ Properties:
+ TopicName: github-sls-rest-api-${self:provider.stage}

- # Queue:
- # Type: AWS::SQS::Queue
- # Properties:
- # QueueName: ${self:service}-${self:provider.stage}
+ AuthTable:
+ Type: AWS::DynamoDB::Table
+ Properties:
+ TableName: ${self:provider.stage}-auth-sls-rest-api
+ KeySchema:
+ - AttributeName: pk
+ KeyType: HASH
+ - AttributeName: sk
+ KeyType: RANGE
+ AttributeDefinitions:
+ - AttributeName: pk
+ AttributeType: S
+ - AttributeName: sk
+ AttributeType: S
+ GlobalSecondaryIndexes:
+ - IndexName: sk-pk-index
+ KeySchema:
+ - AttributeName: sk
+ KeyType: HASH
+ - AttributeName: pk
+ KeyType: RANGE
+ Projection:
+ ProjectionType: ALL
+ StreamSpecification:
+ StreamViewType: NEW_AND_OLD_IMAGES
+ TimeToLiveSpecification:
+ AttributeName: expires
+ Enabled: true
+ PointInTimeRecoverySpecification:
+ PointInTimeRecoveryEnabled: true
+ SSESpecification:
+ SSEEnabled: true
+ BillingMode: PAY_PER_REQUEST

GithubTable:
Type: AWS::DynamoDB::Table
@@ -141,7 +197,7 @@ resources:
SSEEnabled: true
BillingMode: PAY_PER_REQUEST

- IdpRequestsTable:
+ GithubIdpRequestsTable:
Type: AWS::DynamoDB::Table
Properties:
TableName: ${self:provider.stage}-github-sls-rest-api-idp-requests
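Review bot: Renaming the logical IDs `IdpRequestsTable` → `GithubIdpRequestsTable` (second hunk here) and `CachedConfigTable` → `GithubCachedConfigTable` (next hunk) makes CloudFormation treat each as a brand-new resource: in my reading it will try to create the new table first and, because `TableName` is unchanged, collide with the table that already exists, or — depending on a DeletionPolicy not visible in this diff — delete the old table and its data during cleanup. If these tables exist in any deployed stage, keep the old logical IDs or plan an explicit data migration rather than a rename. Separately, the new `AuthSecret` stores the same `${file(config.cjs):SECRETS}` blob as `GithubSecret`, so the auth service's secret now carries the GitHub client secret and webhook secret whether or not it needs them; a narrower payload per service keeps each function's readable secrets to what it uses. Because `SecretString` is resolved at package time, the plaintext value is also embedded in the generated CloudFormation template (deployment bucket, stack template API), so populating the secret out of band or via a dynamic reference is safer than inlining it; the same applies to the pre-existing `GithubSecret` line.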
@@ -175,7 +231,7 @@ resources:
SSEEnabled: true
BillingMode: PAY_PER_REQUEST

- CachedConfigTable:
+ GithubCachedConfigTable:
Type: AWS::DynamoDB::Table
Properties:
TableName: ${self:provider.stage}-github-sls-rest-api-cached-config