serverless.yml

# Welcome to serverless. Read the docs
# https://serverless.com/framework/docs/

# Serverless.yml is the configuration the CLI
# uses to deploy your code to your provider of choice

# The `service` block is the name of the service
service: serverlessAppsyncJestDemoNew

# The `provider` block defines where your service will be deployed
provider:
  name: aws
  runtime: nodejs10.x
  region: eu-west-1
  # profile: default
  environment:
    SERVERLESS_STAGE: ${opt:stage, self:provider.stage}
    SERVERLESS_PROJECT: ${self:service}
    SERVERLESS_REGION: ${opt:region, self:provider.region}
    TABLE_NAME: ${self:service}
    USER_POOL_ID: { Ref: CognitoUserPoolUsers }
    REGION: ${self:provider.region}
    DYNAMODB_ENDPOINT: 'http://localhost:8000'
  iamRoleStatements:
    - Effect: Allow
      Action:
        - "dynamodb:PutItem"
        - "dynamodb:UpdateItem"
        - "dynamodb:GetItem"
        - "dynamodb:Query"
        - "dynamodb:BatchGetItem"
      Resource:
        - { Fn::GetAtt: [ DynamoDBTable, Arn ]}
        - { Fn::Join: [ "/", [{ Fn::GetAtt: [ DynamoDBTable, Arn ]}, "*" ]]}
    - Effect: Allow
      Action:
        - cognito-idp:listUsers
      Resource:
        - {"Fn::Join": ["", ["arn:aws:cognito-idp:", {"Ref":"AWS::Region"}, ":", {"Ref":"AWS::AccountId"}, ":userpool/", "${self:provider.environment.USER_POOL_ID}"]]}
    - Effect: Allow
      Action:
        - cognito-identity:describeIdentity
      Resource:
        # TODO: Describe exact resource
        - "*"

functions:
  GraphQLResolver:
    handler: handler.request

plugins:
  - serverless-webpack
  - serverless-dynamodb-local
  - serverless-appsync-plugin
  - serverless-appsync-offline
  - serverless-appsync-jest-plugin
  - aws-amplify-serverless-plugin
  - serverless-cf-vars
  - serverless-offline

custom:
  appsync-emulator:
    buildPrefix: .webpack/service

  appsync-offline:
    port: 62222
    dynamodb:
      client:
        endpoint: "http://localhost:8000"

  amplify:
    - filename: ../client/src/amplify/aws-exports.js
      type: javascript
      appClient: WebUserPoolClient

  appSyncJest:
    noSchema: true
  appSync:
    name: ${self:service}
    authenticationType: API_KEY
    logConfig:
      loggingRoleArn: { Fn::GetAtt: [ AppSyncLoggingServiceRole, Arn ]}
      level: ALL
    schema: ./schema.graphql
    dataSources:
      - type: AWS_LAMBDA
        name: Lambda
        description: Lambda function for GraphQL queries
        config:
          functionName: GraphQLResolver
    mappingTemplates: ${file(resolvers.yml):mappingTemplates}
    # functionConfigurations: ${file(resolvers/functionConfigurations/*.yml)}

resources:
  Resources:
    CognitoUserPoolUsers:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:service}
        Schema:
          - Name: email
            Required: true
            Mutable: true
        Policies:
          PasswordPolicy:
            MinimumLength: 6
            RequireLowercase: false
            RequireUppercase: false
            RequireNumbers: false
            RequireSymbols: false
        AutoVerifiedAttributes: [ "email" ]
        MfaConfiguration: OFF

    WebUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: ${self:service}-web
        GenerateSecret: false
        UserPoolId: { Ref: CognitoUserPoolUsers }

    AuthRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:service}-auth
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Federated: cognito-identity.amazonaws.com
              Action: sts:AssumeRoleWithWebIdentity
              Condition:
                ForAnyValue:StringLike:
                  "cognito-identity.amazonaws.com:amr": "authenticated"
        Policies:
          - PolicyName: AllowAuthenticatedAppSyncAccess
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Action:
                    - "appsync:GraphQL"
                  Effect: Allow
                  Resource:
                    - { Fn::Join: [ "/", [{ Fn::GetAtt: [ GraphQlApi, Arn ]}, "*" ]]}

    UnauthRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:service}-unauth
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Federated: cognito-identity.amazonaws.com
              Action: sts:AssumeRoleWithWebIdentity
              Condition:
                ForAnyValue:StringLike:
                  "cognito-identity.amazonaws.com:amr": "unauthenticated"
        Policies:
          - PolicyName: AllowUnauthenticatedAppSyncQueries
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Action:
                    - "appsync:GraphQL"
                  Effect: Allow
                  Resource:
                    - { Fn::Join: [ "/", [{ Fn::GetAtt: [ GraphQlApi, Arn ]}, "*" ]]}
                # - Action:
                #     - "appsync:GraphQL"
                #   Effect: Deny
                #   Resource:
                #     - { Fn::Join: [ "/", [{ Fn::GetAtt: [ GraphQlApi, Arn ]}, "types/Mutation/*" ]]}

    IdentityPool:
      Type: AWS::Cognito::IdentityPool
      Properties:
        IdentityPoolName: ${self:service}
        AllowUnauthenticatedIdentities: true
        CognitoIdentityProviders:
          - ClientId: { Ref: WebUserPoolClient }
            ProviderName: { Fn::Sub: [ 'cognito-idp.${self:provider.region}.amazonaws.com/#{client}', { "client": { Ref: CognitoUserPoolUsers }}]}

    IdentityPoolRoleMap:
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId: { Ref: IdentityPool }
        Roles:
          unauthenticated: { Fn::GetAtt: [ UnauthRole, Arn ]}
          authenticated: { Fn::GetAtt: [ AuthRole, Arn ]}

    DynamoDBTable:
      Type: AWS::DynamoDB::Table
      Properties:
        TableName: ${self:provider.environment.TABLE_NAME}
        KeySchema:
          - AttributeName: pk
            KeyType: HASH
          - AttributeName: sk
            KeyType: RANGE
        AttributeDefinitions:
          - AttributeName: pk
            AttributeType: S
          - AttributeName: sk
            AttributeType: S
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        GlobalSecondaryIndexes:
          - IndexName: GSI1
            KeySchema:
              - AttributeName: sk
                KeyType: HASH
              - AttributeName: pk
                KeyType: RANGE
            Projection:
              ProjectionType: ALL
            ProvisionedThroughput:
              ReadCapacityUnits: 1
              WriteCapacityUnits: 1
        StreamSpecification:
          StreamViewType: NEW_AND_OLD_IMAGES
          StreamEnabled: true

    AppSyncLoggingServiceRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:service}-AppSyncLoggingServiceRole
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service: "appsync.amazonaws.com"
              Action: "sts:AssumeRole"
        Policies:
          - PolicyName: CloudWatchLogsAccess
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Action:
                    - "logs:CreateLogGroup"
                    - "logs:CreateLogStream"
                    - "logs:PutLogEvents"
                  Effect: Allow
                  Resource:
                    - "arn:aws:logs:#{AWS::Region}:#{AWS::AccountId}:*"