-
-
Notifications
You must be signed in to change notification settings - Fork 25
/
serverless.yml
220 lines (208 loc) · 8.51 KB
/
serverless.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
service: externals
frameworkVersion: '3'
provider:
name: aws
region: eu-west-1
stage: prod
runtime: provided.al2
layers:
- ${bref:layer.php-81}
timeout: 10
environment:
APP_ENV: prod
EXTERNALS_APP_VERSION: ${env:GITHUB_RUN_ID}
DATABASE_NAME: 'externals-prod'
DATABASE_USER: ${ssm:/externals/db/user}
DATABASE_PASSWORD: ${ssm:/externals/db/password}
ALGOLIA_APP_ID: KSTITII7EC
ALGOLIA_API_KEY: ${ssm:/externals/algolia_api_key}
ALGOLIA_INDEX_PREFIX: ${param:algoliaIndexPrefix}
GITHUB_OAUTH_CLIENT_ID: ${param:githubOAuthClientId}
GITHUB_OAUTH_CLIENT_SECRET: ${ssm:/externals/github_oauth_client_secret}
GITHUB_OAUTH_REDIRECT_URL: 'https://externals.io/login'
SENTRY_URL: ${ssm:/externals/sentry_url}
SESSION_SECRET_KEY: ${ssm:/externals/session_secret_key}
# See https://bref.sh/docs/environment/performances.html#bref-for-event-driven-functions
BREF_LOOP_MAX: '100'
params:
prod:
isProd: true
algoliaIndexPrefix: v2_
githubOAuthClientId: b75b3226c86d801a95cd
default:
isProd: false
algoliaIndexPrefix: dev_
githubOAuthClientId: 422ae3a54f6ebd43895b
package:
exclude:
- '.github/**'
- 'assets/**'
- 'backups/**'
- 'node_modules/**'
- 'tests/**'
- 'var/log/**'
- 'web/**'
functions:
home:
handler: Externals\Application\Controller\HomeController
events:
- httpApi: 'GET /'
thread:
handler: Externals\Application\Controller\ThreadController
events:
- httpApi: 'GET /message/{number}'
top:
handler: Externals\Application\Controller\TopController
events:
- httpApi: 'GET /top'
news:
handler: Externals\Application\Controller\NewsController
events:
- httpApi: 'GET /news'
login:
handler: Externals\Application\Controller\LoginController
events:
- httpApi: 'GET /login'
logout:
handler: Externals\Application\Controller\LogoutController
events:
- httpApi: 'GET /logout'
email-source:
handler: Externals\Application\Controller\EmailSourceController
events:
- httpApi: 'GET /email/{number}/source'
stats:
handler: Externals\Application\Controller\StatsController
events:
- httpApi: 'GET /stats'
vote:
handler: Externals\Application\Controller\VoteController
events:
- httpApi: 'POST /votes/{number}'
rss:
handler: Externals\Application\Controller\RssController
events:
- httpApi: 'GET /rss'
rss-rfc:
handler: Externals\Application\Controller\RssRfcController
events:
- httpApi: 'GET /rss-rfc'
# Keep backward compatibility with old URLs (old threads)
legacy-thread-redirect:
handler: Externals\Application\Controller\LegacyThreadRedirectController
events:
- httpApi: 'GET /thread/{id}'
# Catch-all to render a "Not found" page
not-found:
handler: Bref\Micro\Http\ThrowNotFound
events:
- httpApi: '*'
# This script fetches emails from the mailing list and updates our database
updater:
handler: Externals\Application\Handler\SynchronizeHandler
description: 'externals.io updater'
timeout: 900
environment:
BREF_LOOP_MAX: '1'
events:
- schedule:
rate: rate(15 minutes)
# Only enabled in production
enabled: ${param:isProd}
console:
handler: console
timeout: 900
layers:
- ${bref:layer.php-81}
- ${bref:layer.console}
plugins:
- ./vendor/bref/bref
- '@mnapoli/lift/plugin'
custom:
brefOrg: matthieu
lift:
use: shared
s3:
assets:
public: true
cors: true
resources:
Conditions:
IsProd:
Fn::Equals:
- ${sls:stage}
- prod
Resources:
# We use CloudFront in front of API Gateway to be able to redirect HTTP to HTTPS
# because API Gateway does not listen at all to HTTP requests.
CDN:
Type: AWS::CloudFront::Distribution
Condition: IsProd
Properties:
DistributionConfig:
Enabled: true
# Cheapest option by default (https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DistributionConfig.html)
PriceClass: PriceClass_100
# Enable http2 transfer for better performances
HttpVersion: http2
# Origins are where CloudFront fetches content
Origins:
# The website (AWS Lambda)
- Id: Website
DomainName: !Join ['.', [!Ref HttpApi, 'execute-api', !Ref AWS::Region, 'amazonaws.com']]
CustomOriginConfig:
OriginProtocolPolicy: 'https-only' # API Gateway only supports HTTPS
# The assets (S3)
- Id: Assets
DomainName: 'externals-prod-assets.s3-eu-west-1.amazonaws.com'
CustomOriginConfig:
OriginProtocolPolicy: 'http-only' # S3 websites only support HTTP
# The default behavior is to send everything to AWS Lambda
DefaultCacheBehavior:
AllowedMethods: [GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE]
TargetOriginId: Website # the PHP application
# Disable caching for the PHP application https://aws.amazon.com/premiumsupport/knowledge-center/prevent-cloudfront-from-caching-files/
DefaultTTL: 0
MinTTL: 0
MaxTTL: 0
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-forwardedvalues.html
ForwardedValues:
QueryString: true
Cookies:
Forward: all # Forward cookies to use them in PHP
# We must *not* forward the `Host` header else it messes up API Gateway
Headers:
- 'Accept'
- 'Accept-Encoding'
- 'Accept-Language'
- 'Authorization'
- 'Origin'
- 'Referer'
ViewerProtocolPolicy: redirect-to-https
CacheBehaviors:
# Assets will be served under the `/assets/` prefix
- PathPattern: 'assets/*'
TargetOriginId: Assets # the static files on S3
AllowedMethods: [GET, HEAD]
ForwardedValues:
# We use the query string to bust the cache
QueryString: 'true'
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
Compress: true # Serve files with gzip for browsers that support it (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html)
CustomErrorResponses:
# Force CloudFront to not cache HTTP errors
- ErrorCode: 500
ErrorCachingMinTTL: 0
- ErrorCode: 504
ErrorCachingMinTTL: 0
# Custom domain name
Aliases:
- externals.io
- v3.externals.io
ViewerCertificate:
# ARN of the certificate created in ACM
AcmCertificateArn: arn:aws:acm:us-east-1:416566615250:certificate/0f28e63d-d3a9-4578-9f8b-14347bfe8326
# See https://docs.aws.amazon.com/fr_fr/cloudfront/latest/APIReference/API_ViewerCertificate.html
SslSupportMethod: 'sni-only'