service: TEMPLATE
# app: TEMPLATE
# org: myorg

# Serverless Framework plugins. serverless-pseudo-parameters provides the
# "#{AWS::Region}" / "#{AWS::AccountId}" syntax used in provider.environment and
# provider.iamRoleStatements below. NOTE(review): plugins run with the deploy
# credentials, so their versions (presumably pinned in package.json) should be
# reviewed like any other supply-chain dependency.
plugins:
  - serverless-python-requirements
  - serverless-pseudo-parameters
  - serverless-wsgi
custom:
  # Shared name for the CloudFormation stack; provider.iamRoleStatements also
  # uses it as the Aurora cluster identifier when scoping rds-data permissions.
  stackName: ${self:service}-${self:provider.stage}
  xray: '' # AWS Xray tracing of requests, queries. Set to 'Active' to actively trace.
  db:
    dbname: TEMPLATE
    minCapacity: 2
    maxCapacity: 4
    secondsUntilAutoPause: 7200 # if not stage=='prd'
  layers:
    # Third-party Lambda layers published from AWS account 898466741470, not
    # from this stack. The ":N" suffix pins a layer version, but the code the
    # layer ships is controlled by that account — treat it as a supply-chain
    # dependency and review its contents before bumping the version.
    # https://github.com/jetbridge/psycopg2-lambda-layer
    psycopg: "arn:aws:lambda:${self:provider.region}:898466741470:layer:psycopg2-py38:1"
    # https://github.com/jetbridge/jetkit-base-lambda-layer
    jkbase: "arn:aws:lambda:${self:provider.region}:898466741470:layer:jetkit-py38:3"
    default:
      - ${self:custom.layers.psycopg}
      - ${self:custom.layers.jkbase}
  secrets:
    # Every secret this stack may read lives under "<service>/<stage>/";
    # provider.iamRoleStatements scopes GetSecretValue to this prefix, so a
    # stage cannot read another stage's secrets.
    prefix: "${self:service}/${self:provider.stage}"
    rds: "${self:custom.secrets.prefix}/rds/credentials"
  vpc:
    securityGroupIds:
      - !GetAtt LambdaSecurityGroup.GroupId
    # uncomment to enable lambda VPC networking:
    # (with subnetIds commented out the functions are NOT attached to the VPC
    # and reach the database only through the RDS Data API — see
    # provider.environment and the commented lambda.yml under resources)
    # subnetIds:
    #   - Ref: LambdaSubnetA
    #   - Ref: LambdaSubnetB
    #   - Ref: LambdaSubnetC
  network:
    classB: 10 # second octet of VPC CIDR block (10.classB.0.0/16)
  bastion: # EC2 host to access database
    sshKeyPairName: '' # set this to enable bastion ec2 instance
    alertEmails: '[email protected]' # get SNS notifications of alarms at this address
    # NOTE(review): banner and bootstrap are fetched from an external HTTPS host.
    # Presumably cloudformation/bastion.yml downloads and runs the bootstrap
    # script at boot — verify it is pinned or checksummed there, since whoever
    # controls that host controls the bastion.
    banner: https://ops.jetbridge.com/public/banner.txt
    bootstrap: https://ops.jetbridge.com/public/bastion_bootstrap.sh
    instanceType: t3a.nano
    tenancy: default
    bannerEnabled: 'true'
    # TCP forwarding stays on (presumably so operators can SSH-tunnel to the
    # database through the bastion); X11 forwarding is not needed and is off.
    tcpForwardingEnabled: 'true'
    x11ForwardingEnabled: 'false'
    logRetentionInDays: 731
  # plugins:
  wsgi:
    app: app.app
    packRequirements: false
  pythonRequirements:
    useDownloadCache: true
    useStaticCache: true
    # Packages stripped from the deployment artifact; they are expected to
    # come from the runtime or from custom.layers instead.
    noDeploy:
      # provided by runtime
      - boto3
      - botocore
      - s3transfer
      - docutils
      # provided by layers
      - psycopg2
      - psycopg2-binary
      - werkzeug
      - flask
      - sqlalchemy
      - faker
      - pytest
      - future
      - pytz
      - alembic
      - jinja2
      - beautifulsoup4
      - bs4
      - text_unidecode
      - requests
      - marshmallow
      - python_dateutil
      - soupsieve
      - chardet
      - attrs
      - mako
      - certifi
      - idna
      - urllib3
      - pyparsing
      - packaging
      - more_itertools
      - dateutil
      - click
    slim: true
    slimPatternsAppendDefaults: false # need dist-info for sqlalchemy plugin
    slimPatterns:
      - '**/*.py[c|o]'
      - '**/__pycache__*'
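provider:
  name: aws
  runtime: python3.8
  stage: ${opt:stage, 'dev'}
  region: ${opt:region, 'eu-west-1'}
  # x-ray
  tracing:
    lambda: ${self:custom.xray}
  environment:
    SECRET_PREFIX: ${self:custom.secrets.prefix}
    RDS_SECRETS_NAME: ${self:custom.secrets.rds}
    # aurora data API credentials: the functions are handed the secret ARN,
    # not the password itself; the Data API resolves the secret on the
    # service side, so no database credential appears in the environment.
    AURORA_SECRET_ARN: !Ref RDSInstanceSecret
    AURORA_CLUSTER_ARN: !Join [':', ["arn:aws:rds:#{AWS::Region}:#{AWS::AccountId}:cluster", !Ref DBCluster]]
    DATABASE_NAME: ${self:custom.db.dbname}
    # comment if connecting to RDS from VPC
    AURORA_DATA_API_ENABLED: 'true'
    # Credential-free URI (empty user/password); the auroradataapi dialect
    # authenticates with AURORA_SECRET_ARN / AURORA_CLUSTER_ARN above.
    SQLALCHEMY_DATABASE_URI: !Join ['/', ["postgresql+auroradataapi://:@", !Ref DBCluster]]
    # uncomment if connecting to RDS from VPC
    # LOAD_RDS_SECRETS: "true"
    STAGE: ${self:provider.stage}
    XRAY: ${self:custom.xray}
    # LOAD_APP_SECRETS: true # enable to load user-defined secrets
    # SQL_ECHO: true # enable to print all SQL queries
  # Execution-role permissions shared by every function in this service.
  iamRoleStatements:
    # Read-only access to secrets under this service/stage prefix. The trailing
    # "*" is required because Secrets Manager appends a random suffix to every
    # secret ARN; it also means any secret created under the prefix is readable.
    - Effect: Allow
      Action: secretsmanager:GetSecretValue
      Resource:
        - "arn:aws:secretsmanager:#{AWS::Region}:#{AWS::AccountId}:secret:${self:custom.secrets.prefix}/*"
        # Already matched by the "/*" pattern above; kept so existing
        # deployments see no policy change.
        - "arn:aws:secretsmanager:#{AWS::Region}:#{AWS::AccountId}:secret:${self:custom.secrets.prefix}/dev-*"
    # RDS Data API access, limited to this stack's own Aurora cluster.
    # NOTE(review): this assumes the DBCluster defined in
    # cloudformation/db/aurora-serverless.yml uses ${self:custom.stackName} as
    # its cluster identifier; if it does not, the statement grants nothing and
    # every Data API call fails with AccessDenied — verify against that file.
    - Effect: Allow
      Action:
        - rds-data:ExecuteStatement
        - rds-data:BatchExecuteStatement
        - rds-data:BeginTransaction
        - rds-data:RollbackTransaction
        - rds-data:CommitTransaction
      Resource: "arn:aws:rds:#{AWS::Region}:#{AWS::AccountId}:cluster:${self:custom.stackName}"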
# Paths kept out of the deployment artifact. instance.cfg is excluded at both
# the repo root and inside the TEMPLATE package — presumably it holds local,
# per-developer configuration that must not ship in the Lambda bundle.
package:
  exclude:
    - node_modules/**
    - venv/**
    - TEMPLATE/instance.cfg
    - instance.cfg
    - doc/**
    - "**/__pycache__/**"
    - "**/__pycache__"
    - ".#*"
    - ".bento/**"
functions:
  app: # main flask entry point
    handler: wsgi_handler.handler
    # NOTE(review): no API Gateway authorizer is configured on these events, so
    # every method on every path is publicly invokable from the internet.
    # Authentication and authorization must therefore be enforced inside the
    # Flask app (app.app) itself; confirm that is the case before deploying.
    events:
      - http: ANY /
      - http: "ANY {proxy+}"
    memorySize: 512
    layers: ${self:custom.layers.default}
    timeout: 10
    vpc: ${self:custom.vpc}
  # The three functions below have no event source; they are only run on demand
  # (e.g. via "serverless invoke") and share the app's execution role and
  # therefore its rds-data / secretsmanager permissions.
  seed:
    handler: TEMPLATE.commands.seed_handler
    layers: ${self:custom.layers.default}
    timeout: 120
    vpc: ${self:custom.vpc}
  initDb:
    handler: TEMPLATE.commands.init_handler
    layers: ${self:custom.layers.default}
    timeout: 300
    vpc: ${self:custom.vpc}
  migrate:
    handler: TEMPLATE.commands.migrate_handler
    timeout: 900
    layers: ${self:custom.layers.default}
    vpc: ${self:custom.vpc}
# CloudFormation fragments merged into the stack. security.yml is expected to
# define LambdaSecurityGroup (referenced by custom.vpc) and
# aurora-serverless.yml to define DBCluster and RDSInstanceSecret (referenced
# by provider.environment) — presumably, since those files are not shown here.
resources:
  - ${file(cloudformation/vpc/core.yml)}
  - ${file(cloudformation/vpc/public.yml)}
  - ${file(cloudformation/vpc/database.yml)}
  - ${file(cloudformation/vpc/security.yml)}
  # uncomment to enable lambda VPC networking
  # (must be enabled together with custom.vpc.subnetIds)
  # - ${file(cloudformation/vpc/lambda.yml)}
  - ${file(cloudformation/db/aurora-serverless.yml)}
  - ${file(cloudformation/bastion.yml)}