-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathserverless.yml
118 lines (110 loc) · 3.17 KB
/
serverless.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
service: LdapPasswordRotation
frameworkVersion: "3"
plugins:
- serverless-prune-plugin
package:
individually: true
patterns:
- "!.venv/**"
- "!.github/**"
- "!.pytest_cache/**"
- "!.coverage"
- "!.coveragerc"
- "!node_modules/**"
- "!config/**"
- "!requirements.txt"
- "!requirements-dev.txt"
- "!package.json"
- "!package-lock.json"
- "!Makefile"
- "!Pipfile"
- "!Pipfile.lock"
- "!tests/**"
provider:
name: aws
runtime: python3.13
timeout: 30
logRetentionInDays: 14
stage: ${opt:stage, 'dev'}
region: eu-central-1
environment:
SERVICE: ${self:service}
STAGE: ${self:provider.stage}
VPC_ID: ${self:custom.file.VPC_ID}
SECRETS_MANAGER_KEY_USERNAME: ${self:custom.file.SECRETS_MANAGER_KEY_USERNAME}
SECRETS_MANAGER_KEY_PASSWORD: ${self:custom.file.SECRETS_MANAGER_KEY_PASSWORD}
SECRETS_MANAGER_KEY_DN: ${self:custom.file.SECRETS_MANAGER_KEY_DN}
SECRETS_MANAGER_REGION: ${self:custom.file.SECRETS_MANAGER_REGION}
EXCLUDE_CHARACTERS_USER: ${self:custom.file.EXCLUDE_CHARACTERS_USER}
EXCLUDE_CHARACTERS_PW: ${self:custom.file.EXCLUDE_CHARACTERS_PW}
EXCLUDE_CHARACTERS_NEW_PW: ${self:custom.file.EXCLUDE_CHARACTERS_NEW_PW}
LDAP_SERVER_LIST: ${self:custom.file.LDAP_SERVER_LIST}
LDAP_SERVER_PORT: ${self:custom.file.LDAP_SERVER_PORT}
LDAP_BASE_DN: ${self:custom.file.LDAP_BASE_DN}
LDAP_USER_AUTH_ATTRIBUTE: ${self:custom.file.LDAP_USER_AUTH_ATTRIBUTE}
vpc:
securityGroupIds:
- Ref: LambdaSecurityGroup
subnetIds:
- ${self:custom.file.SUBNET1_ID}
- ${self:custom.file.SUBNET2_ID}
iam:
role:
statements:
- Effect: "Allow"
Resource: "*"
Action:
- "secretsmanager:DescribeSecret"
- "secretsmanager:GetRandomPassword"
- "secretsmanager:GetSecretValue"
- "secretsmanager:PutSecretValue"
- "secretsmanager:UpdateSecretVersionStage"
- Effect: "Allow"
Resource: "*"
Action:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:DescribeKey"
custom:
file: ${file(./config/serverless.${self:provider.stage}.yml)}
prune:
automatic: true
number: 10
layers:
ldappw:
path: layer
compatibleRuntimes:
- python3.8
- python3.9
- python3.10
- python3.11
- python3.12
- python3.13
compatibleArchitectures:
- x86_64
- arm64
functions:
app:
handler: src.lambda_function.lambda_handler
layers:
- Ref: LdappwLambdaLayer
environment:
STAGE: ${self:provider.stage}
resources:
Resources:
LambdaSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Service Lambda function
SecurityGroupEgress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
VpcId: ${self:custom.file.VPC_ID}
SecretsManagerInvokePermission:
Type: AWS::Lambda::Permission
Properties:
FunctionName: { "Fn::GetAtt": ["AppLambdaFunction", "Arn"] }
Action: lambda:InvokeFunction
Principal: secretsmanager.amazonaws.com