-
Notifications
You must be signed in to change notification settings - Fork 0
/
template.yaml
182 lines (167 loc) · 6.28 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: CCStar - A CCTray / CCMenu proxy for AWS CodeBuild and CodePipeline
Parameters:
BasicAuthType:
Type: String
Default: 'None'
AllowedValues: [ 'None', 'PlainTextSingleEntry', 'GeneratedSecret' ]
Description: |
How to set users + passwords for API HTTP Basic Auth.
'None' means don't use basic auth
'PlainTextSingleEntry' means use a single user+password within the BasicAuthConfig parameter
'GeneratedSecret' means use a Secrets Manager secret, with a generated password
BasicAuthConfig:
Type: String
Default: 'None'
NoEcho: true
Description:
Config for basic auth, meaning depends on value of BasicAuthType param.
"NoEcho" is set to true for this parameter so that any sensitive data is not logged, however it may still
be stored in Lambda parameters, depending on the BasicAuthType value.
If BasicAuthType is 'None', this parameter is not used
If BasicAuthType is 'PlainTextSingleEntry', this needs to be a colon (':') separated plain text value (e.g. "myUser:myPassword")
If BasicAuthType is 'GeneratedSecret', and this parameter is set to a value other than 'None',
then this parameter is used for the Basic Auth username, otherwise username is CCStar
APILocalCacheTTL:
Type: Number
Default: 0
MinValue: 0
Description: |
If greater than 0, number of seconds to cache generated API responses locally.
This may be useful for high volume installations to reduce costs since it will reduce the number of calls to DynamoDB.
A typically useful value here may be 10.
LogLevel:
Type: String
Default: 'Info'
AllowedValues: [ 'Debug', 'Info', 'Warn', 'Error' ]
Description: |
Log Level to use in Lambda functions.
"Debug" may log possibly secure details, like authorization headers, so use debug with caution.
# Rules is a useful semi-documented feature of CloudFormation
# See https://www.cloudar.be/awsblog/undocumented-feature-using-template-constraint-rules-in-cloudformation/
Rules:
BasicAuthConfigCannotBeNoneIfBasicAuthTypeIsPlainTextSingleEntry:
RuleCondition: !Equals [ !Ref BasicAuthType, PlainTextSingleEntry ]
Assertions:
- Assert: !Not [ !Equals [ !Ref BasicAuthConfig, 'None' ] ]
AssertDescription: If you set BasicAuthType to PlainTextSingleEntry, you must set a BasicAuthConfig value (of form username:password)
Conditions:
GenerateSecret: !Equals [ !Ref BasicAuthType, GeneratedSecret ]
BasicAuthConfigIsNotNone: !Not [ !Equals [ !Ref BasicAuthConfig, 'None' ] ]
Metadata:
AWS::ServerlessRepo::Application:
Name: ccstar
Description: A CCTray / CCMenu proxy for AWS CodeBuild and CodePipeline
Author: Symphonia
SpdxLicenseId: Apache-2.0
LicenseUrl: LICENSE
ReadmeUrl: README.md
Labels: ['ci', 'cd', 'devops', 'monitoring']
HomePageUrl: https://github.com/symphoniacloud/ccstar
SourceCodeUrl: https://github.com/symphoniacloud/ccstar
Outputs:
CCTrayXMLURL:
Value: !Sub "${ServerlessHttpApi.ApiEndpoint}/cctray.xml"
# Only output if a Secrets Manager secret is created for the Basic Auth password
BasicAuthSecretArn:
Condition: GenerateSecret
Value: !Ref BasicAuthSecret
Globals:
Function:
Runtime: nodejs12.x
Timeout: 30
MemorySize: 256
CodeUri: ./target/prod-lambda.zip
Resources:
Projects:
Type: AWS::Serverless::SimpleTable
Properties:
PrimaryKey:
Name: name
Type: String
ApiFunction:
Type: AWS::Serverless::Function
Properties:
Handler: api/lambda.handler
Events:
HttpEvent:
Type: HttpApi
Properties:
Path: /cctray.xml
Method: GET
Environment:
Variables:
PROJECTS_TABLE: !Ref Projects
BASIC_AUTH_TYPE: !If
- GenerateSecret
- PlainTextSingleEntry
- !Ref BasicAuthType
BASIC_AUTH_CONFIG: !If
- GenerateSecret
- !Join
- ':'
-
# This doesn't work if the generated secret details are being *changed* (e.g. new user name)
# Therefore TODO - lookup secret in Lambda function
- !Sub "{{resolve:secretsmanager:${BasicAuthSecret}:SecretString:username}}"
- !Sub "{{resolve:secretsmanager:${BasicAuthSecret}:SecretString:password}}"
- !Ref BasicAuthConfig
LOCAL_CACHE_TTL: !Ref APILocalCacheTTL
LOG_LEVEL: !Ref LogLevel
Policies:
- DynamoDBReadPolicy:
TableName: !Ref Projects
# Only created if Parameter "BasicAuthType" is equal to "GeneratedSecret"
BasicAuthSecret:
Type: AWS::SecretsManager::Secret
Condition: GenerateSecret
Properties:
Name: !Sub "${AWS::StackName}/BasicAuthSecret"
GenerateSecretString:
SecretStringTemplate: !Sub
- '{"username": "${Username}"}'
- Username: !If
- BasicAuthConfigIsNotNone
- !Ref BasicAuthConfig
- 'CCStar'
GenerateStringKey: "password"
PasswordLength: 10
ExcludePunctuation: true
CodeBuildEventProcessor:
Type: AWS::Serverless::Function
Properties:
Handler: eventProcessors/lambda.codeBuildHandler
Environment:
Variables:
PROJECTS_TABLE: !Ref Projects
LOG_LEVEL: !Ref LogLevel
Events:
CodeBuildEvent:
Type: CloudWatchEvent
Properties:
Pattern:
source: [ aws.codebuild ]
detail:
build-status: [ IN_PROGRESS, SUCCEEDED, FAILED, STOPPED ]
Policies:
- DynamoDBCrudPolicy:
TableName: !Ref Projects
CodePipelineEventProcessor:
Type: AWS::Serverless::Function
Properties:
Handler: eventProcessors/lambda.codePipelineHandler
Environment:
Variables:
PROJECTS_TABLE: !Ref Projects
LOG_LEVEL: !Ref LogLevel
Events:
CodePipelineEvent:
Type: CloudWatchEvent
Properties:
Pattern:
source: [ aws.codepipeline ]
detail-type: [ "CodePipeline Pipeline Execution State Change" ]
Policies:
- DynamoDBCrudPolicy:
TableName: !Ref Projects