example-serverless.yml
service: cloudformation-custom-resources

# Note: I write these examples against the latest version of Serverless and pin the
# example to that version, so that it still works for you even if you find it a year
# later. You can likely remove this line and use the example with any recent version
# of Serverless; give it a shot if you're using a different version.
frameworkVersion: '1.34.1'
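# Values shared by the rest of this file through ${self:custom.*} references.
custom:
  defaultRegion: us-east-1
  # --region on the command line wins; otherwise defaultRegion is used.
  region: '${opt:region, self:custom.defaultRegion}'
  # --stage on the command line wins; otherwise the stage is read from the USER
  # environment variable of whoever runs the deploy.
  # NOTE(review): in CI or on shared accounts USER may be unset or the same for
  # everyone, so pass --stage explicitly there to avoid deploying over another stack.
  stage: '${opt:stage, env:USER}'
  # Prefix for the function name and the exported output name.
  objectPrefix: '${self:service}-${self:custom.stage}'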
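# Keep test files out of the deployment artifact.
package:
  exclude:
    - 'tests/**'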
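provider:
  name: aws
  # NOTE(review): nodejs6.10 is an end-of-life Lambda runtime. Move to a runtime that
  # AWS still supports, and confirm the pinned framework version and the handler
  # package work on it.
  runtime: nodejs6.10
  stackTags:  # NOTE: STAGE is automatically added by SLS
    SLS_SVC_NAME: '${self:service}'
  region: '${self:custom.region}'
  stage: '${self:custom.stage}'
  environment:
    SLS_SVC_NAME: '${self:service}'
    SLS_STAGE: '${self:custom.stage}'
  # Statements attached to the execution role of the custom resources function.
  # Every statement below uses Resource '*', so the role can act on any matching
  # resource in the account, not only on resources created through this service.
  # NOTE(review): where the service supports resource-level permissions, replace '*'
  # with ARNs limited to what this deployment manages (for example a name prefix), and
  # delete the statements for custom resource types you do not use. The right ARNs
  # depend on the account and are not given in this example.
  iamRoleStatements:
    # Permissions needed for various services:
    # We know that APIGatewayDomainName requires this, and likely other resources do as
    # well. See
    # https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/
    # NOTE(review): consider a Condition on iam:AWSServiceName so that only the
    # service-linked roles these resources need can be created.
    - Effect: 'Allow'
      Action:
        - 'iam:CreateServiceLinkedRole'
      Resource:
        - '*'
    # Permissions needed for SNSSQSSubscription:
    - Effect: 'Allow'
      Action:
        - 'sns:Subscribe'
        - 'sns:Unsubscribe'
      Resource:
        - '*'
    # Permissions needed for DynamoDBGlobalTable:
    # NOTE(review): this includes CreateTable, UpdateTable and DeleteTable on every
    # table in the account; scope Resource to the tables this stack owns if possible.
    - Effect: 'Allow'
      Action:
        - 'dynamodb:DescribeTable'
        - 'dynamodb:DescribeGlobalTable'
        - 'dynamodb:CreateTable'
        - 'dynamodb:CreateGlobalTable'
        - 'dynamodb:UpdateTable'
        - 'dynamodb:UpdateGlobalTable'
        - 'dynamodb:DeleteTable'
        - 'dynamodb:ListTagsOfResource'
        - 'dynamodb:TagResource'
      Resource:
        - '*'
    # Permissions needed for SimpleEmailServiceDomainVerification:
    - Effect: 'Allow'
      Action:
        - 'ses:VerifyDomainIdentity'
        - 'ses:DeleteIdentity'
      Resource:
        - '*'
    # Permissions needed for SimpleEmailServiceRuleSetActivation:
    - Effect: 'Allow'
      Action:
        - 'ses:SetActiveReceiptRuleSet'
      Resource:
        - '*'
    # Permissions needed for APIGatewayDomainName:
    # NOTE(review): 'apigateway:*' on '*' allows every API Gateway operation in the
    # account, not only custom domain names. Narrow the actions and resource paths to
    # what the APIGatewayDomainName resource calls; TODO confirm against the handler.
    - Effect: 'Allow'
      Action:
        - 'apigateway:*'
      Resource:
        - '*'
    # Permissions needed for ELBTargetGroup:
    - Effect: 'Allow'
      Action:
        - 'elasticloadbalancing:CreateTargetGroup'
        - 'elasticloadbalancing:DeleteTargetGroup'
        - 'elasticloadbalancing:ModifyTargetGroup'
        - 'elasticloadbalancing:ModifyTargetGroupAttributes'
      Resource:
        - '*'
    # Permissions needed for ELBTargetGroupLambdaTarget:
    - Effect: 'Allow'
      Action:
        - 'elasticloadbalancing:RegisterTargets'
        - 'elasticloadbalancing:DeregisterTargets'
      Resource:
        - '*'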
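# The single Lambda function that backs every custom resource type in this service.
functions:
  customResources:
    name: '${self:custom.objectPrefix}'
    # The handler is loaded straight from the installed npm package, so the code that
    # runs with the permissions in provider.iamRoleStatements is whatever version of
    # that package gets bundled at deploy time.
    # NOTE(review): pin the dependency (lockfile or exact version) and review upgrades
    # before deploying them.
    handler: node_modules/@silvermine/cloudformation-custom-resources/src/CustomResourceHandler.handler
    memorySize: 256
    timeout: 300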
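# Exports the function ARN so that other stacks can use it as a ServiceToken.
# NOTE(review): a stack that uses this token passes its resource properties to the
# function, which then acts with the permissions in provider.iamRoleStatements. Limit
# who may invoke the function and who may deploy stacks that reference this export.
resources:
  Outputs:
    CustomResourcesServiceToken:
      Description: >-
        The ARN of the custom resources Lambda function to use as a service
        token when using a custom resource.
      Value:
        'Fn::GetAtt':
          - 'CustomResourcesLambdaFunction'
          - 'Arn'
      Export:
        Name: '${self:custom.objectPrefix}-ServiceToken'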