serverless.yaml

service: agent-environment

provider:
  name: aws
  region: ${env:region, 'ap-southeast-2'}
  runtime: nodejs12.x
  endpointType: REGIONAL
  stage: ${env:stage, 'dev'}
  logRetentionInDays: 14
  apiGateway:
    shouldStartNameWithService: true

package:
  individually: true

functions:
  capturedata:
    handler: lambda/CaptureData.handler
    name: '${self:provider.stage}-${self:service}-capturedata'
    description: 'Captures agent data and stores it in DynamoDB'
    role: !GetAtt LambdaRole.Arn
    events:
      - http:
          path: agentenvironment/data
          method: post
          cors: true
    package:
      exclude:
        - '**'
      include:
        - 'lambda/CaptureData.js'
        - 'node_modules/**'
    memorySize: 128
    timeout: 29
    environment:
      REGION: '${self:provider.region}'
      STAGE: '${self:provider.stage}'
      API_KEY: '${env:apiKey}'
      ORIGIN: '${env:origin}'
      AGENT_DATA_TABLE: !Ref AgentDataTable

  verifylogin:
    handler: lambda/VerifyLogin.handler
    name: '${self:provider.stage}-${self:service}-verifylogin'
    description: 'Verifies a login'
    role: !GetAtt LambdaRole.Arn
    package:
      exclude:
        - '**'
      include:
        - 'lambda/VerifyLogin.js'
        - 'node_modules/**'
    memorySize: 128
    timeout: 29
    environment:
      REGION: '${self:provider.region}'
      STAGE: '${self:provider.stage}'
      API_KEY: '${env:apiKey}'
      ORIGIN: '${env:origin}'
      UPLOAD_BUCKET: !Ref S3BucketSite
      UPLOAD_KEY: 'test_files/uploaded.test'
    events:
      - http:
          path: agentenvironment/login
          method: get
          cors: true

  processstream:
    handler: lambda/ProcessStream.handler
    name: '${self:provider.stage}-${self:service}-processstream'
    description: 'Processes sream data from DynamoDB'
    role: !GetAtt LambdaRole.Arn
    events:
      - stream:
          type: dynamodb
          arn:
            Fn::GetAtt: [AgentDataTable, StreamArn]
    package:
      exclude:
        - '**'
      include:
        - 'lambda/ProcessStream.js'
        - 'node_modules/**'
    memorySize: 128
    timeout: 60
    environment:
      REGION: '${self:provider.region}'
      STAGE: '${self:provider.stage}'
      AGENT_DATA_TABLE: !Ref AgentDataTable
      S3_BUCKET: !Ref S3BucketData
      S3_PREFIX: '${env:s3Prefix}'

resources:
  Description: 'Amazon Connect Agent Environment'
  Resources:

    LambdaRole:
      Type: 'AWS::IAM::Role'
      Properties:
        RoleName: '${self:provider.stage}-${self:service}-${self:provider.region}-role'
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Principal:
                Service:
                  - 'lambda.amazonaws.com'
              Action:
                - 'sts:AssumeRole'
        ManagedPolicyArns:
          - !Ref LambdaPolicy

    LambdaPolicy:
      Type: 'AWS::IAM::ManagedPolicy'
      Properties:
        ManagedPolicyName: '${self:provider.stage}-${self:service}-${self:provider.region}-policy'
        Description: 'Managed policy for Lambda execution'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:PutObject
              Resource:
                - 'arn:aws:s3:::${self:provider.stage}-${self:service}-data-${self:provider.region}-${env:accountNumber}'
                - 'arn:aws:s3:::${self:provider.stage}-${self:service}-data-${self:provider.region}-${env:accountNumber}/*'
            - Effect: Allow
              Action:
                - dynamodb:PutItem
                - dynamodb:Query
                - dynamodb:GetItem
                - dynamodb:DeleteItem
                - dynamodb:Scan
                - dynamodb:UpdateItem
                - dynamodb:DescribeStream
                - dynamodb:GetRecords
                - dynamodb:GetShardIterator
                - dynamodb:ListStreams
                - dynamodb:ListShards
              Resource:
                - 'arn:aws:dynamodb:${self:provider.region}:${env:accountNumber}:table/${self:provider.stage}-agent-environment-data'
                - 'arn:aws:dynamodb:${self:provider.region}:${env:accountNumber}:table/${self:provider.stage}-agent-environment-data/*'
            - Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource:
                - 'arn:aws:logs:${self:provider.region}:${env:accountNumber}:log-group:/aws/lambda/*:*:*'

    DynamoKMSKey:
      Type: AWS::KMS::Key
      Properties:
        Description: !Sub 'Encrypts DynamoDB table data'
        KeyPolicy:
          Version: '2012-10-17'
          Id: 'dynamo-${self:provider.stage}-${self:service}-key'
          Statement:
            -
              Sid: 'Allow root administration of the key'
              Effect: 'Allow'
              Principal:
                AWS: 'arn:aws:iam::${env:accountNumber}:root'
              Action:
                - 'kms:*'
              Resource: '*'
            -
              Sid: 'Allow root use of the key'
              Effect: 'Allow'
              Principal:
                AWS: 'arn:aws:iam::${env:accountNumber}:root'
              Action:
                - 'kms:Encrypt'
                - 'kms:Decrypt'
                - 'kms:ReEncrypt*'
                - 'kms:GenerateDataKey*'
                - 'kms:DescribeKey'
              Resource: '*'
            -
              Sid: 'Allow DynamoDB to use the key via Lambda'
              Effect: 'Allow'
              Principal:
                AWS: !GetAtt LambdaRole.Arn
              Action:
                - 'kms:Encrypt'
                - 'kms:Decrypt'
                - 'kms:ReEncrypt*'
                - 'kms:GenerateDataKey*'
                - 'kms:DescribeKey'
                - 'kms:CreateGrant'
              Condition:
                StringLike:
                  kms:ViaService:
                    - 'dynamodb.${self:provider.region}.amazonaws.com'
              Resource: '*'

    DynamoKMSAlias:
      Type: AWS::KMS::Alias
      Properties:
        AliasName: 'alias/dynamo-${self:provider.stage}-${self:service}-key'
        TargetKeyId: !Ref DynamoKMSKey

    S3KMSKey:
      Type: AWS::KMS::Key
      Properties:
        Description: !Sub 'Encrypts S3 data'
        KeyPolicy:
          Version: '2012-10-17'
          Id: 's3-${self:provider.stage}-${self:service}-key'
          Statement:
            -
              Sid: 'Allow root administration of the key'
              Effect: 'Allow'
              Principal:
                AWS: 'arn:aws:iam::${env:accountNumber}:root'
              Action:
                - 'kms:*'
              Resource: '*'
            -
              Sid: 'Allow root use of the key'
              Effect: 'Allow'
              Principal:
                AWS: 'arn:aws:iam::${env:accountNumber}:root'
              Action:
                - 'kms:Encrypt'
                - 'kms:Decrypt'
                - 'kms:ReEncrypt*'
                - 'kms:GenerateDataKey*'
                - 'kms:DescribeKey'
              Resource: '*'
            -
              Sid: 'Allow S3 to use the key for encryption via Lambda'
              Effect: 'Allow'
              Principal:
                AWS: !GetAtt LambdaRole.Arn
              Action:
                - 'kms:Encrypt'
                - 'kms:Decrypt'
                - 'kms:ReEncrypt*'
                - 'kms:GenerateDataKey*'
                - 'kms:DescribeKey'
                - 'kms:CreateGrant'
              Condition:
                StringLike:
                  kms:ViaService: 's3.${self:provider.region}.amazonaws.com'
                  kms:CallerAccount: '${env:accountNumber}'
              Resource:
                - '*'

    S3KMSAlias:
      Type: AWS::KMS::Alias
      Properties:
        AliasName: 'alias/s3-${self:provider.stage}-${self:service}-key'
        TargetKeyId: !Ref S3KMSKey

    AgentDataTable:
      Type: 'AWS::DynamoDB::Table'
      Properties:
        TableName: '${self:provider.stage}-${self:service}-data'
        AttributeDefinitions:
          - AttributeName: email
            AttributeType: S
          - AttributeName: captureDate
            AttributeType: S
        KeySchema:
          - AttributeName: email
            KeyType: HASH
          - AttributeName: captureDate
            KeyType: RANGE
        BillingMode: PAY_PER_REQUEST
        StreamSpecification:
          StreamViewType: NEW_AND_OLD_IMAGES
        SSESpecification:
          KMSMasterKeyId: !Ref DynamoKMSKey
          SSEEnabled: true
          SSEType: KMS

    S3BucketSite:
      Type: 'AWS::S3::Bucket'
      Properties:
        BucketName: '${self:provider.stage}-${self:service}-site-${self:provider.region}-${env:accountNumber}'
        CorsConfiguration:
          CorsRules:
            -
              AllowedOrigins:
                - '*'
              AllowedHeaders:
                - '*'
              AllowedMethods:
                - GET
                - PUT
                - POST
                - DELETE
                - HEAD
              MaxAge: 3000

    S3BucketData:
      Type: 'AWS::S3::Bucket'
      Properties:
        BucketName: '${self:provider.stage}-${self:service}-data-${self:provider.region}-${env:accountNumber}'
        CorsConfiguration:
          CorsRules:
            -
              AllowedOrigins:
                - '*'
              AllowedHeaders:
                - '*'
              AllowedMethods:
                - GET
                - PUT
                - POST
                - DELETE
                - HEAD
              MaxAge: 3000
        BucketEncryption:
          ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: 'aws:kms'
                KMSMasterKeyID: !GetAtt S3KMSKey.Arn
              BucketKeyEnabled: true