-
Notifications
You must be signed in to change notification settings - Fork 490
/
Copy pathrestapi.yaml
249 lines (225 loc) · 8.61 KB
/
restapi.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
This template deploys the api with api gateway to initiate a live connect
Parameters:
ParentStackName:
Type: String
Description: Parent Stack Name
Default: lex-web-ui-stack
SourceBucket:
Description: S3 bucket where the source is located
Type: String
Default: aws-bigdata-blog
InitiateChatLambdaCodeObject:
Type: String
Description: >
S3 object zip file containing Lambda initiate chat functions
Default: artifacts/aws-lex-web-ui/artifacts/initiate-chat-lambda.zip
ConnectContactFlowId:
Type: String
Description: >
Connect Contract Flow Id
ConnectInstanceId:
Type: String
Description: >
Connect Instance Id
ParentOrigin:
Type: String
Description: >
Parent Origin for CORS allow-origin
VpcSubnetId:
Type: String
Default: ''
Description: ID of a VPC subnet where all Lambda functions will run, only used if you need Lambda to run in a VPC
VpcSecurityGroupId:
Type: String
Default: ''
Description: ID of a security group where all Lambda functions will run, only used if you need Lambda to run in a VPC
Conditions:
NeedsVpc: !And [ !Not [ !Equals [!Ref VpcSubnetId, ''] ], !Not [ !Equals [!Ref VpcSecurityGroupId, ''] ] ]
Resources:
#### Lambda #####
InitiateChatLambda:
Type: "AWS::Lambda::Function"
Properties:
VpcConfig:
!If
- NeedsVpc
-
SecurityGroupIds:
- !Ref VpcSecurityGroupId
SubnetIds:
- !Ref VpcSubnetId
- !Ref "AWS::NoValue"
Description: AWS Lambda Function to initiate the chat with the end user
Handler: "index.handler"
Role: !GetAtt InitiateChatLambdaExecutionRole.Arn
Runtime: "nodejs18.x"
MemorySize: 128
Timeout: 30
Environment:
Variables:
INSTANCE_ID: !Ref ConnectInstanceId
CONTACT_FLOW_ID: !Ref ConnectContactFlowId
PARENT_ORIGIN: !Ref ParentOrigin
Code:
S3Bucket: !Ref SourceBucket
S3Key: !Ref InitiateChatLambdaCodeObject
InitiateChatLambdaExecutionRole:
Type: "AWS::IAM::Role"
Properties:
ManagedPolicyArns:
!If
- NeedsVpc
-
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
- !Ref "AWS::NoValue"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
- PolicyName: initiate-chat-execution-policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource:
- !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*"
- Effect: "Allow"
Action:
- "connect:StartChatContact"
Resource:
- !Sub "arn:${AWS::Partition}:connect:${AWS::Region}:${AWS::AccountId}:instance/${ConnectInstanceId}"
- !Sub "arn:${AWS::Partition}:connect:${AWS::Region}:${AWS::AccountId}:instance/${ConnectInstanceId}/*"
#### API Gateway #####
## Role used for API custom access logging
ApiGatewayIamRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- apigateway.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
## Assign role to account config to allow cloudwatch logging
ApiGatewayAccountConfig:
Type: "AWS::ApiGateway::Account"
Properties:
CloudWatchRoleArn: !GetAtt "ApiGatewayIamRole.Arn"
ApiGatewayRestAPI:
Type: AWS::ApiGateway::RestApi
Properties:
Name: !Join ["-", [!Ref ParentStackName, "API"]]
Description: "API to initiate chat with Amazon Connect"
ApiGatewayLiveChatResource:
Type: AWS::ApiGateway::Resource
Properties:
ParentId: !GetAtt
- ApiGatewayRestAPI
- RootResourceId # Required
PathPart: "livechat"
RestApiId: !Ref ApiGatewayRestAPI # Required
LambdaApiGatewayInvokePermission:
Type: AWS::Lambda::Permission
Properties:
Action: "lambda:InvokeFunction"
FunctionName: !GetAtt InitiateChatLambda.Arn
Principal: "apigateway.amazonaws.com"
SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiGatewayRestAPI}/*"
## Log group to use for custom logging for the stage
ApiGatewayAccessLogGroup:
Type: AWS::Logs::LogGroup
Properties:
RetentionInDays: 3653
Metadata:
cfn_nag:
rules_to_suppress:
- id: W84
reason: By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys).
ApiGatewayDeployment:
Type: AWS::ApiGateway::Deployment
DependsOn:
- ApiGatewayLiveChatMethod
Properties:
RestApiId: !Ref ApiGatewayRestAPI
StageName: "Prod"
StageDescription:
AccessLogSetting:
DestinationArn: !GetAtt ApiGatewayAccessLogGroup.Arn
Format: >-
{"requestId": "$context.requestId", "caller": "$context.identity.caller", "requestTime": "$context.requestTime", "httpMethod": "$context.httpMethod", "resourcePath": "$context.resourcePath", "status": "$context.status", "responseLength": "$context.responseLength", "integrationLatency": "$context.integrationLatency"}"
ApiGatewayLiveChatMethod:
Type: AWS::ApiGateway::Method
DependsOn: LambdaApiGatewayInvokePermission
Properties:
AuthorizationType: "AWS_IAM"
HttpMethod: "POST"
Integration:
IntegrationHttpMethod: "POST"
Type: "AWS_PROXY"
Uri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${InitiateChatLambda.Arn}/invocations"
PassthroughBehavior: WHEN_NO_MATCH
ResourceId: !Ref ApiGatewayLiveChatResource
RestApiId: !Ref ApiGatewayRestAPI
MethodResponses:
- StatusCode: "200"
ResponseParameters:
method.response.header.Access-Control-Allow-Origin: true
ResponseModels:
application/json: Empty
- StatusCode: "500"
ResponseParameters:
method.response.header.Access-Control-Allow-Origin: true
ResponseModels:
application/json: Empty
ApiGatewayLiveChatOptionsMethod:
Type: AWS::ApiGateway::Method
Properties:
ResourceId: !Ref ApiGatewayLiveChatResource
RestApiId: !Ref ApiGatewayRestAPI
AuthorizationType: NONE
HttpMethod: OPTIONS
Integration:
Type: MOCK
IntegrationResponses:
- ResponseParameters:
method.response.header.Access-Control-Allow-Headers: >-
'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'
method.response.header.Access-Control-Allow-Methods: '''POST,OPTIONS'''
method.response.header.Access-Control-Allow-Origin: !Sub '''${ParentOrigin}'''
ResponseTemplates:
application/json: ''
StatusCode: '200'
PassthroughBehavior: WHEN_NO_MATCH
RequestTemplates:
application/json: '{"statusCode": 200}'
MethodResponses:
- ResponseModels:
application/json: Empty
ResponseParameters:
method.response.header.Access-Control-Allow-Headers: false
method.response.header.Access-Control-Allow-Methods: false
method.response.header.Access-Control-Allow-Origin: false
StatusCode: '200'
Outputs:
RestApiId:
Description: API Gateway Id
Value: !Ref ApiGatewayRestAPI