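# SAM template for a small OAuth token-exchange service (Monzo).
# Three Go Lambda functions behind an implicit API Gateway share one DynamoDB
# table and one customer-managed KMS key.
#
# Date-like scalars (2010-09-09, 2012-10-17) are quoted so YAML 1.1 parsers do
# not turn them into timestamps; booleans are written as true/false rather than
# yes/no for the same reason.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Globals:
  Function:
    # Applies to all three functions below; the per-function Runtime lines the
    # original carried were redundant copies of this value.
    # NOTE(review): go1.x reached end of support on 2023-12-31. Moving to
    # provided.al2/al2023 requires the binaries to be named `bootstrap`, so it is
    # left unchanged here rather than silently breaking the Handler paths.
    Runtime: go1.x
    Timeout: 10
    Tracing: Active
    # Customer-managed key Lambda uses to encrypt these environment variables at
    # rest. See the KeyPolicy on ParameterKey for who may actually use it.
    KmsKeyArn: !GetAtt ParameterKey.Arn
    # Note: most of these environment variables do not need to be shared.
    # Only OAuthClientID and TABLE_NAME need to be shared between functions.
    Environment:
      Variables:
        TABLE_NAME: !Ref Tokens
        # Replace this with your own domain
        RETURN_URL: https://monzo-auth.adamek.io/return
        # Replace this with your own OAuth Client ID
        OAuthClientID: oauthclient_00009TP3eNmTK294KsB7ir
        ## Note: This value was encrypted using `ParameterKey`
        ## You will need to deploy the service, encrypt your OAuth secret, put it here, and then re-deploy
        ## The blob below is KMS ciphertext bound to the author's key, so it cannot
        ## be decrypted by anyone else; a fresh deployment must replace it with a
        ## value encrypted under its own ParameterKey or the function cannot decrypt it.
        OAuthClientSecret: AQICAHg4xpNzGnSULS2b7M474Iq8uk96FmIAXPfwaPSxMJXOIQFrgnbEh7QPtEtSEkG2Is81AAAAtjCBswYJKoZIhvcNAQcGoIGlMIGiAgEAMIGcBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDDbs1zC+HCdF0v1emwIBEIBvFxsoFy4734HuEMhv8LMoCwGW/1iuHNfqDjcsFTTf3yliSNcCGIVHVBQJ2Wd2UK3u2+dN/lcoQIIuLw94x6zxX5jIun6XgdcGv7GhJ1rjars8zq+dgVgtbJ0+BYfTGmg2wnShIPkTQ0SsadHdcopK

Resources:
  # None of the three Api events below sets `Auth`, so the implicit API Gateway
  # stage is publicly invokable with no authorizer. Any access control must live
  # in the handler binaries, which are not visible in this template.
  CreateToken:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ./bin/createToken
      CodeUri: .
      # Least privilege: this function only ever writes new rows.
      Policies:
        Version: "2012-10-17"
        Statement:
          Effect: Allow
          Action:
            - dynamodb:PutItem
          Resource: !GetAtt Tokens.Arn
      Events:
        Api:
          Type: Api
          Properties:
            Path: /new
            Method: get

  Return:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ./bin/return
      CodeUri: .
      # OAuth redirect target (RETURN_URL above); reads and updates an existing row.
      Policies:
        Version: "2012-10-17"
        Statement:
          Effect: Allow
          Action:
            - dynamodb:GetItem
            - dynamodb:UpdateItem
          Resource: !GetAtt Tokens.Arn
      Events:
        Api:
          Type: Api
          Properties:
            Path: /return
            Method: get

  GetToken:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ./bin/getToken
      CodeUri: .
      # Reads a row and then deletes it, i.e. a state-changing GET on /token.
      # NOTE(review): this presumes the handler treats the row id as an
      # unguessable, single-use bearer value — confirm in ./bin/getToken.
      Policies:
        Version: "2012-10-17"
        Statement:
          Effect: Allow
          Action:
            - dynamodb:GetItem
            - dynamodb:DeleteItem
          Resource: !GetAtt Tokens.Arn
      Events:
        Api:
          Type: Api
          Properties:
            Path: /token
            Method: get

  # Token store; the physical table name is generated and passed via TABLE_NAME.
  Tokens:
    Type: AWS::Serverless::SimpleTable
    Properties:
      PrimaryKey:
        Name: id
        Type: String
      ProvisionedThroughput:
        ReadCapacityUnits: 1
        WriteCapacityUnits: 1

  ParameterKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS Key for securing secrets used by Monzo Auth Service
      Enabled: true
      # Annual rotation of the backing key material (CIS AWS benchmark control).
      # Ciphertext produced under earlier material stays decryptable, so turning
      # this on does not invalidate the OAuthClientSecret value above.
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Id: monzo-service-key-policy
        Statement:
          # You'll want to replace these admin principals with your own IAM users.
          # Deployed unchanged, this grants kms:* on YOUR key to two principals in
          # account 280427722663.
          # There is no account-root principal in this policy, so IAM policies in
          # the deploying account cannot grant access to the key, and if both
          # admin users below are deleted the key becomes unmanageable. Consider
          # adding `arn:aws:iam::${AWS::AccountId}:root` as an administrator.
          # Sids must be unique within a policy; the original reused one Sid for
          # both admin statements.
          - Sid: "AllowKeyAdministrationKitsune"
            Effect: "Allow"
            Resource: '*'
            Principal:
              AWS: arn:aws:iam::280427722663:user/kitsune
            Action:
              - "kms:*"
          - Sid: "AllowKeyAdministrationLeoAdamek"
            Effect: "Allow"
            Resource: '*'
            Principal:
              AWS: arn:aws:iam::280427722663:user/leo.adamek
            Action:
              - "kms:*"
          # Only GetToken's SAM-generated execution role (GetTokenRole) may use the
          # key. CreateToken and Return receive the same KmsKeyArn and
          # OAuthClientSecret through Globals but their roles are not granted here.
          # NOTE(review): confirm those two functions never need kms:Decrypt
          # (including for Lambda's own decryption of CMK-encrypted environment
          # variables at invoke time); if they do, add their roles to this statement.
          # NOTE(review): GetToken only reads/deletes rows, so Encrypt, ReEncrypt*
          # and GenerateDataKey* look wider than a decrypt-only caller needs —
          # verify against ./bin/getToken before trimming.
          - Sid: "KeyUseByFunctions"
            Effect: Allow
            Principal:
              AWS: !GetAtt GetTokenRole.Arn
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'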