stack.yml

# This file describes the serverless infrastructure stack that serves as the back-end for the Litter Map application.
#
# Read about the concept of "infrastructure as code":
#
# https://learn.microsoft.com/en-us/devops/deliver/what-is-infrastructure-as-code
#
# Quick reference links:
#
# https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-template-anatomy.html
# https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-resources-and-properties.html
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
# https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-template-anatomy-globals.html
# https://theburningmonk.com/cloudformation-ref-and-getatt-cheatsheet/

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: Global location submission and retrieval system

#
# Common attributes can be set for various resource types, however they are only somewhat overridable:
#
# https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-template-anatomy-globals.html#sam-specification-template-anatomy-globals-overrideable
#
Globals:
  Function:
    Handler: index.handler
    Runtime: nodejs16.x
    CodeUri: functions
    Architectures:
      - arm64 # Choose the ARM processor (cost effective)

Resources:
  API:
    Type: AWS::Serverless::HttpApi
    Properties:
      Description: Backend API
      StageName: !Ref APIStageName
      Auth:
        Authorizers: {}

  CommonLib:
    Type: AWS::Serverless::LayerVersion
    Properties:
      LayerName: lib-common
      ContentUri: layers/common
      CompatibleRuntimes:
        - nodejs14.x
      RetentionPolicy: Delete
    Metadata:
      BuildMethod: makefile

  PostgresLib:
    Type: AWS::Serverless::LayerVersion
    Properties:
      LayerName: lib-postgres
      ContentUri: layers/postgres
      CompatibleRuntimes:
        - nodejs14.x
      RetentionPolicy: Delete
    Metadata:
      BuildMethod: makefile

  DefaultFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: default-response
      Description: Lets you know you've reached an invalid endpoint
      InlineCode: |-
        exports.handler = async () => {
          return {
            statusCode: 404,
            headers: {
              'Content-Type': 'application/json'
            },
            body: JSON.stringify({
              message: "This endpoint does not exist. Please pick up that litter."
            })
          }
        }
      Events:
        Default:
          Type: HttpApi
          Properties:
            ApiId: !Ref API

  ScaleImageFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: scale-image
      Description: Generate a scaled version of an image in the media store
      CodeUri: functions/scale-image/build/scale-image.zip
      Handler: scale-image # The name of the main executable file inside the zip package
      Runtime: provided.al2 # Amazon Linux 2 runtime is required for ARM binaries
      Role: !GetAtt ScaleImageFunctionRole.Arn
      Environment:
        Variables:
          MEDIA_BUCKET: !Ref MediaBucket
          # DEBUG_OUTPUT: 1 # Return debug info instead of actual image
      Events:
        ScaleImage:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /scale-image
            Method: GET

  LogEventFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: log-event
      Description: Record a single event in the event log table
      Role: !GetAtt LogEventFunctionRole.Arn
      Layers:
        - !Ref CommonLib
      Environment:
        Variables:
          TABLE_NAME: !Ref EventsTable
    Metadata:
      BuildMethod: makefile

  AddLocationFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: add-location
      Description: Add a location
      Role: !GetAtt AddLocationFunctionRole.Arn
      Layers:
        - !Ref CommonLib
        - !Ref PostgresLib
      Environment:
        Variables:
          SESSIONS_TABLE: !Ref SessionsTable
          SESSION_LIFETIME_IN_DAYS: !Ref SessionLifetimeInDays
          PGHOST: !If [DoRDS, !GetAtt MainDB.Endpoint.Address, ""]
          PGPORT: !If [DoRDS, !GetAtt MainDB.Endpoint.Port, ""]
          PGDATABASE: !Ref DBName
          PGUSER: writer
          PGPASSWORD: !Ref DBWriterPassword
          DB_GEOMETRY_TYPE_OID: !Ref DBGeometryTypeObjectID
          MEDIA_BUCKET: !Ref MediaBucket
          ALLOW_ANONYMOUS_SUBMIT: !Ref AllowAnonymousSubmit
      Events:
        AddLocation:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /add
            Method: POST
    Metadata:
      BuildMethod: makefile

  DanielFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: daniel
      Description: Add own location to map
      Role: !GetAtt DanielFunctionRole.Arn
      Layers:
        - !Ref CommonLib
      Environment:
        Variables:
          MEDIA_BUCKET: !Ref MediaBucket
      Events:
        Daniel:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /daniel
            Method: POST
    Metadata:
      BuildMethod: makefile

  GetLocationFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: get-location
      Description: Retrieve a location by its id
      Role: !GetAtt GetLocationFunctionRole.Arn
      Layers:
        - !Ref CommonLib
        - !Ref PostgresLib
      Environment:
        Variables:
          PGHOST: !If [DoRDS, !GetAtt MainDB.Endpoint.Address, ""]
          PGPORT: !If [DoRDS, !GetAtt MainDB.Endpoint.Port, ""]
          PGDATABASE: !Ref DBName
          PGUSER: reader
          PGPASSWORD: !Ref DBReaderPassword
          DB_GEOMETRY_TYPE_OID: !Ref DBGeometryTypeObjectID
          USERS_TABLE: !Ref UsersTable
      Events:
        GetLocationById:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /id/{id}
            Method: GET
        GetLocationsByRadius:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /radius
            Method: GET
    Metadata:
      BuildMethod: makefile

  InfoFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: info
      Description: Look up privileged information
      Role: !GetAtt InfoFunctionRole.Arn
      Layers:
        - !Ref CommonLib
      Environment:
        Variables:
          SESSIONS_TABLE: !Ref SessionsTable
          SESSION_LIFETIME_IN_DAYS: !Ref SessionLifetimeInDays
          USERS_TABLE: !Ref UsersTable
      Events:
        GetProfileInfo:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /profile
            Method: GET
    Metadata:
      BuildMethod: makefile

  CloudfrontGeolocationFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: cloudfront-geolocation
      Description: Look up privileged information
      Role: !GetAtt CloudfrontGeolocationFunctionRole.Arn
      Layers:
        - !Ref CommonLib
      Events:
        GetProfileInfo:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /mylocation
            Method: GET
    Metadata:
      BuildMethod: makefile

  LoginFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: login
      Description: Login proxy (redirects to third-party sign-in dialog)
      Role: !GetAtt LoginFunctionRole.Arn
      Layers:
        - !Ref CommonLib
      Environment:
        Variables:
          SESSIONS_TABLE: !Ref SessionsTable
          SESSION_LIFETIME_IN_DAYS: !Ref SessionLifetimeInDays
          CLIENTID_GOOGLE: !Ref GoogleClientId
      Events:
        Login:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /login/{service}
            Method: GET
        Logout:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /logout
            Method: GET
    Metadata:
      BuildMethod: makefile

  AuthFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: auth
      Description: Receive authorization from third-party sign-in dialog and start an authenticated user session
      Role: !GetAtt AuthFunctionRole.Arn
      Layers:
        - !Ref CommonLib
      Environment:
        Variables:
          SESSIONS_TABLE: !Ref SessionsTable
          SESSION_LIFETIME_IN_DAYS: !Ref SessionLifetimeInDays
          USERS_TABLE: !Ref UsersTable
          CLIENTID_GOOGLE: !Ref GoogleClientId
          CLIENTSECRET_GOOGLE: !Ref GoogleClientSecret
      Events:
        Authentication:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /auth/{service}
            Method: GET
    Metadata:
      BuildMethod: makefile

  GetUploadLinkFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: get-upload-link
      Description: Generate a signed upload link to the media bucket
      Role: !GetAtt GetUploadLinkFunctionRole.Arn
      Layers:
        - !Ref CommonLib
      Environment:
        Variables:
          SESSIONS_TABLE: !Ref SessionsTable
          SESSION_LIFETIME_IN_DAYS: !Ref SessionLifetimeInDays
          MEDIA_BUCKET: !Ref MediaBucket
          MAX_UPLOAD_FILE_SIZE: !Ref MaxUploadFileSize
      Events:
        GetUploadLink:
          Type: HttpApi
          Properties:
            ApiId: !Ref API
            Path: /getuploadlink
            Method: GET
    Metadata:
      BuildMethod: makefile

  DBInitFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: db-init
      Description: Administrative lambda that initilizes the main database
      Role: !GetAtt DBAccessFunctionRole.Arn
      Timeout: 10
      Layers:
        - !Ref PostgresLib
      Environment:
        Variables:
          PGHOST: !If [DoRDS, !GetAtt MainDB.Endpoint.Address, ""]
          PGPORT: !If [DoRDS, !GetAtt MainDB.Endpoint.Port, ""]
          PGDATABASE: !Ref DBName
          PGUSER: !Ref DBAdminUser
          PGPASSWORD: !Ref DBAdminPassword
          DB_WRITER_PASSWORD: !Ref DBWriterPassword
          DB_READER_PASSWORD: !Ref DBReaderPassword
    Metadata:
      BuildMethod: makefile

  DBRunFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: db-run
      Description: Runs a database query (as administrator)
      Role: !GetAtt DBAccessFunctionRole.Arn
      Layers:
        - !Ref CommonLib
        - !Ref PostgresLib
      Environment:
        Variables:
          PGHOST: !If [DoRDS, !GetAtt MainDB.Endpoint.Address, ""]
          PGPORT: !If [DoRDS, !GetAtt MainDB.Endpoint.Port, ""]
          PGDATABASE: !Ref DBName
          DB_ADMIN: !Ref DBAdminUser
          DB_ADMIN_PASSWORD: !Ref DBAdminPassword
          DB_WRITER_PASSWORD: !Ref DBWriterPassword
          DB_READER_PASSWORD: !Ref DBReaderPassword
    Metadata:
      BuildMethod: makefile

  ScaleImageFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  AddLocationFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  DanielFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  GetLocationFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  InfoFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  CloudfrontGeolocationFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  LoginFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  AuthFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  GetUploadLinkFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  LogEventFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: eventlog-write
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action: dynamodb:PutItem
                Resource: !GetAtt EventsTable.Arn
                Effect: Allow

  DBAccessFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
               - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  AllowDBAccessPolicy:
    Type: AWS::IAM::Policy
    Condition: DoRDS
    Properties:
      PolicyName: allow-rds-connect
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: rds-db:connect
            Resource: !Sub arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:${MainDB}
            Effect: Allow
      Roles:
        - Ref: DBAccessFunctionRole
        - Ref: AddLocationFunctionRole
        - Ref: GetLocationFunctionRole

  AllowUsersAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-users-access
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:UpdateItem
            Resource: !GetAtt UsersTable.Arn
            Effect: Allow
      Roles:
        - Ref: InfoFunctionRole
        - Ref: AuthFunctionRole

  AllowUsersReadAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-users-read-access
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
            - dynamodb:GetItem
            - dynamodb:BatchGetItem
            Resource: !GetAtt UsersTable.Arn
            Effect: Allow
      Roles:
        - Ref: GetLocationFunctionRole

  AllowSessionsAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-sessions-access
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:UpdateItem
            Resource: !GetAtt SessionsTable.Arn
            Effect: Allow
      Roles:
        - Ref: InfoFunctionRole
        - Ref: LoginFunctionRole
        - Ref: AuthFunctionRole
        - Ref: GetUploadLinkFunctionRole
        - Ref: AddLocationFunctionRole

  AllowLogEventPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-log-event
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: lambda:InvokeFunction
            Resource: !GetAtt LogEventFunction.Arn
            Effect: Allow
      Roles:
        - Ref: LoginFunctionRole
        - Ref: AuthFunctionRole
        - Ref: AddLocationFunctionRole
        - Ref: DanielFunctionRole

  AllowGetPutMediaPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-get-put-media
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - s3:ListBucket # Without this, nonexistent keys return Access Denied
            Resource: !Sub "arn:aws:s3:::${MediaBucket}"
            Effect: Allow
          - Action:
              - s3:GetObject
              - s3:PutObject
              - s3:PutObjectAcl
            Resource: !Sub "arn:aws:s3:::${MediaBucket}/*"
            Effect: Allow
      Roles:
        - Ref: ScaleImageFunctionRole
        - Ref: DanielFunctionRole

  AllowPutMediaPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-put-media
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - s3:PutObject
              - s3:PutObjectAcl
            Resource: !Sub "arn:aws:s3:::${MediaBucket}/*"
            Effect: Allow
      Roles:
        - Ref: GetUploadLinkFunctionRole
        - Ref: DanielFunctionRole

  AllowTagMediaPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-tag-media
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - s3:PutObjectTagging
            Resource: !Sub "arn:aws:s3:::${MediaBucket}/*"
            Effect: Allow
      Roles:
        - Ref: GetUploadLinkFunctionRole
        - Ref: AddLocationFunctionRole
        - Ref: ScaleImageFunctionRole
        - Ref: DanielFunctionRole

  # Main database that stores the world
  MainDB:
    Type: AWS::RDS::DBInstance
    Condition: DoRDS
    Properties:
      DBInstanceIdentifier: !Ref DBName
      DBSnapshotIdentifier: !If [HasDBSnapshotIdentifier, !Ref DBSnapshotIdentifier, !Ref 'AWS::NoValue']
      DBName: !Ref DBName
      Engine: postgres
      EngineVersion: !Ref DBPostgresVersion
      AllowMajorVersionUpgrade: true
      AutoMinorVersionUpgrade: true
      DBInstanceClass: !Ref DBInstanceClass
      AllocatedStorage: !Ref DBAllocatedStorage
      BackupRetentionPeriod: 0 # no automated backups
      MasterUsername: !Ref DBAdminUser
      MasterUserPassword: !Ref DBAdminPassword

  # Users
  UsersTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: users
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id # Keyed by user id
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: !Ref UsersTableReadCapacity
        WriteCapacityUnits: !Ref UsersTableWriteCapacity

  # Sessions
  SessionsTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: sessions
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id # Keyed by user id
          KeyType: HASH
      TimeToLiveSpecification:
        AttributeName: expires_at
        Enabled: true
      ProvisionedThroughput:
        ReadCapacityUnits: !Ref SessionsTableReadCapacity
        WriteCapacityUnits: !Ref SessionsTableWriteCapacity

  # Event log
  EventsTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: event-log
      AttributeDefinitions:
        - AttributeName: date_key
          AttributeType: S
        - AttributeName: time_key
          AttributeType: S
      KeySchema:
        - AttributeName: date_key # Keyed by date followed by time
          KeyType: HASH
        - AttributeName: time_key
          KeyType: RANGE
      ProvisionedThroughput:
        ReadCapacityUnits: !Ref EventLogReadCapacity
        WriteCapacityUnits: !Ref EventLogWriteCapacity

  # S3 bucket that hosts the user uploaded media files
  MediaBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      WebsiteConfiguration:
        IndexDocument: " " # The documentation claims this is optional, but the deployment will fail if it's empty
        RoutingRules:
          - RoutingRuleCondition:
              HttpErrorCodeReturnedEquals: 403 # not 404
              KeyPrefixEquals: media/
            RedirectRule:
              HostName: !Ref Hostname # Deploying with this field blank, the redirect will be to the raw bucket web URL
              Protocol: https
              ReplaceKeyPrefixWith: api/scale-image?key=
              HttpRedirectCode: 302
      LifecycleConfiguration:
        Rules:
          # Schedule regular removal of unverified uploads
          - Id: DeleteUnverified
            ExpirationInDays: 1
            Status: Enabled
            TagFilters:
              - Key: verified
                Value: false
          # Schedule removal of cached thumbnails
          - Id: DeleteThumbnails
            ExpirationInDays: 2 # TODO: Make this a configurable stack parameter
            Status: Enabled
            TagFilters:
              - Key: temp
                Value: ""
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "*"
            AllowedMethods:
              - GET
              - POST
              - HEAD
            AllowedOrigins:
              - "*" # TODO: In production, should be domain name

  # S3 bucket that hosts the front-end (single page application)
  WebsiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: index.html # Single-page application handles routing on the front-end

  WebsiteDelivery:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - MediaBucket
      - WebsiteBucket
    Properties:
      DistributionConfig:
        Enabled: !If [HasCDN, true, false]
        Origins:
          - Id: BackendAPI
            DomainName: !Sub ${API}.execute-api.${AWS::Region}.${AWS::URLSuffix}
            CustomOriginConfig:
              HTTPSPort: 443
              OriginProtocolPolicy: https-only
          - Id: Media
            DomainName: !Sub ${MediaBucket}.s3-website-${AWS::Region}.amazonaws.com
            CustomOriginConfig:
              OriginProtocolPolicy: http-only # S3 "web" server only supports plain HTTP
            ConnectionAttempts: 2
            ConnectionTimeout: 2
          - Id: FrontendApplication
            DomainName: !Sub ${WebsiteBucket}.s3-website-${AWS::Region}.amazonaws.com
            CustomOriginConfig:
              OriginProtocolPolicy: http-only # S3 "web" server only supports plain HTTP
            ConnectionAttempts: 1
            ConnectionTimeout: 2
        CacheBehaviors:
          #
          # Let api/* requests go to the API gateway
          #
          - PathPattern: !Sub ${APIStageName}/*
            TargetOriginId: BackendAPI
            AllowedMethods:
              - GET
              - HEAD
              - POST
              - PUT
              - DELETE
              - PATCH
              - OPTIONS
            ForwardedValues:
              Headers:
                # Specify headers that the back-end API needs to receive
                - Referer
                - CloudFront-Viewer-Latitude
                - CloudFront-Viewer-Longitude
              QueryString: true
              Cookies:
                Forward: all
            MaxTTL: 0
            MinTTL: 0
            DefaultTTL: 0
            Compress: true
            ViewerProtocolPolicy: redirect-to-https
          #
          # Let media/* requests go to the media bucket
          #
          - PathPattern: media/*
            TargetOriginId: Media
            AllowedMethods:
              - GET
              - HEAD
            ForwardedValues:
              QueryString: false
              Cookies:
                Forward: none
            DefaultTTL: 0 # Disable caching by default (objects will have their own Cache-Control metadata)
            Compress: true
            ViewerProtocolPolicy: redirect-to-https
        DefaultCacheBehavior:
          #
          # Let default requests go to the website bucket
          #
          TargetOriginId: FrontendApplication
          AllowedMethods:
            - GET
            - HEAD
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          Compress: true
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        HttpVersion: http2
        IPV6Enabled: true
        ViewerCertificate:
          CloudFrontDefaultCertificate: true

Parameters:
  APIStageName:
    Description: API stage
    Type: String
    Default: api
  DoNotDeployRDS:
    Description: Do not deploy RDS
    Type: Number
    Default: 0
  DBInstanceClass:
    Description: Database instance class
    Type: String
    Default: db.t2.micro
  DBPostgresVersion:
    Description: PostgreSQL version
    Type: String
    Default: 12.7
  DBAllocatedStorage:
    Description: Allocated storage (in GB)
    Type: Number
    Default: 5
  DBSnapshotIdentifier:
    Description: Provide the database snapshot id if you don't want a new database
    Type: String
  DBName:
    Description: Database name
    Type: String
    AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters
    Default: littermap
  DBAdminUser:
    Description: Database admin username
    Type: String
    AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters
    Default: litteradmin
  DBAdminPassword:
    Description: Database admin password
    Type: String
    MinLength: 8
    MaxLength: 128
    AllowedPattern: "[^\\s@\"\\/]*"
    ConstraintDescription: 'The password must be 8 to 128 characters and can include any printable ASCII character except "/", """, or "@"'
    Default: pristine
  DBWriterPassword:
    Description: Database write access password
    Type: String
    MinLength: 8
    MaxLength: 128
    AllowedPattern: "[^\\s@\"\\/]*"
    ConstraintDescription: 'The password must be 8 to 128 characters and can include any printable ASCII character except "/", """, or "@"'
    Default: recorder
  DBReaderPassword:
    Description: Database reader access password
    Type: String
    MinLength: 8
    MaxLength: 128
    AllowedPattern: "[^\\s@\"\\/]*"
    ConstraintDescription: 'The password must be 8 to 128 characters and can include any printable ASCII character except "/", """, or "@"'
    Default: observer
  DBGeometryTypeObjectID:
    Description: Geometry type object ID (provide this after the PostGIS extension has been initialized)
    Type: Number
    Default: -1
  GoogleClientId:
    Description: Client ID issued by Google for third-party sign-in authentication
    Type: String
  GoogleClientSecret:
    Description: Client secret issued by Google for third-party sign-in authentication
    Type: String
  UsersTableReadCapacity:
    Description: Users table provisioned read capacity
    Type: Number
    Default: 1
  UsersTableWriteCapacity:
    Description: Users table provisioned write capacity
    Type: Number
    Default: 1
  SessionLifetimeInDays:
    Description: How many days will browser sessions expire after they were created
    Type: Number
    Default: 3
  SessionsTableReadCapacity:
    Description: Session table provisioned read capacity
    Type: Number
    Default: 1
  SessionsTableWriteCapacity:
    Description: Session table provisioned write capacity
    Type: Number
    Default: 1
  EventLogReadCapacity:
    Description: Event log table provisioned read capacity
    Type: Number
    Default: 1
  EventLogWriteCapacity:
    Description: Event log table provisioned write capacity
    Type: Number
    Default: 1
  AllowAnonymousSubmit:
    Description: Allow users who are not logged in to submit a location
    Type: Number
    AllowedValues:
      - 0
      - 1
    Default: 0
  MaxUploadFileSize:
    Description: Maximum allowed upload size
    Type: Number
    Default: 12582910
  EnableCDN:
    Description: Enable global delivery with CloudFront
    Type: Number
    AllowedValues:
      - 0
      - 1
    Default: 1
  Hostname:
    Description: Web hostname (used for redirects; if using raw CDN domain, may need to deploy first, then fill this in and redeploy)
    Type: String
    Default: littermap.com

Conditions:
  NoRDS: !Equals [!Ref DoNotDeployRDS, 1]
  DoRDS: !Not [!Condition NoRDS]
  HasNotDBSnapshotIdentifier: !Equals [!Ref DBSnapshotIdentifier, '']
  HasDBSnapshotIdentifier: !Not [!Condition HasNotDBSnapshotIdentifier]
  HasCDN: !Equals [!Ref EnableCDN, 1]

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      -
        Label:
          default: General
        Parameters:
          - Hostname
          - HasCDN
      -
        Label:
          default: Main database
        Parameters:
          - DBName
          - DBInstanceClass
          - DBPostgresVersion
          - DBAllocatedStorage
          - DBSnapshotIdentifier
          - DBAdminUser
          - DBAdminPassword
          - DBWriterPassword
          - DBReaderPassword
          - DBGeometryTypeObjectID
          - DoNotDeployRDS
      -
        Label:
          default: User accounts
        Parameters:
          - UsersTableReadCapacity
          - UsersTableWriteCapacity
      -
        Label:
          default: Browsing sessions
        Parameters:
          - SessionLifetimeInDays
          - SessionsTableReadCapacity
          - SessionsTableWriteCapacity
      -
        Label:
          default: Authentication
        Parameters:
          - GoogleClientId
          - GoogleClientSecret
      -
        Label:
          default: Event log
        Parameters:
          - EventLogReadCapacity
          - EventLogWriteCapacity
      -
        Label:
          default: User permissions
        Parameters:
          - AllowAnonymousSubmit
      -
        Label:
          default: User uploads
        Parameters:
          - MaxUploadFileSize
      -
        Label:
          default: Backend API
        Parameters:
          - APIStageName

Outputs:
  MainDBHost:
    Description: Database remote host
    Value: !If [DoRDS,
      !Sub "postgresql://${MainDB.Endpoint.Address}:${MainDB.Endpoint.Port}/${DBName}",
      "-- RDS not deployed --"
    ]
  MediaBucket:
    Description: S3 bucket that stores media content uploaded by users
    Value: !Sub "https://${MediaBucket.DomainName}"
  API:
    Description: Backend API
    Value: !Sub "https://${API}.execute-api.${AWS::Region}.${AWS::URLSuffix}/${API.Stage}/"
  WebsiteFiles:
    Description: Website Assets
    Value: !Sub "${WebsiteBucket.WebsiteURL}"
  Website:
    Description: Website (delivered by CDN)
    Value: !If [HasCDN, !Sub "https://${WebsiteDelivery.DomainName}", "Not enabled"]
  ManagementConsole:
    Description: Manage this application
    Value: !Sub "https://console.aws.amazon.com/lambda/home?region=${AWS::Region}#/applications/${AWS::StackName}"