serverless.template.yml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Description: https://github.com/monken/aws-ecr-public

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label: { default: Configuration }
        Parameters:
          - ValidationDomain
          - DomainName
          - ValidationMethod
          - Authorizer
      - Label: { default: Basic Authentication }
        Parameters:
          - AuthBasicUsername
          - AuthBasicPassword
      - Label: { default: Azure DevOps Authentication }
        Parameters:
          - AuthAzureDevOpsOrg
      - Label: { default: Custom Lambda Authentication }
        Parameters:
          - AuthCustomLambdaArn
    ParameterLabels:
      ValidationDomain: { default: Validation Domain }
      DomainName: { default: Domain Name }
      ValidationMethod: { default: Validation Method }
      AuthBasicUsername: { default: Username }
      AuthBasicPassword: { default: Password }
      AuthAzureDevOpsOrg: { default: DevOps Organization Name }
      AuthCustomLambdaArn: { default: Lambda ARN }


Parameters:
  ValidationDomain:
    Type: String
    Default: ''
    Description: Overwrite default validation domain for ACM certificate.
  DomainName:
    Type: String
    Default: ''
    Description: If provided, an ACM Certificate and API Domain Name will be created.
  ValidationMethod:
    Type: String
    Default: EMAIL
    AllowedValues: [EMAIL, DNS]
    Description: Choose a validation method for the ACM certificate, only relevant if a Domain Name was provided.

  Authorizer:
    Type: String
    Default: NONE
    AllowedValues: [NONE, BASIC, AZURE_DEVOPS, CUSTOM]
    Description: Add an authorizer to your registry. Make sure to provide details below.

  AuthBasicUsername:
    Type: String
    Default: ''

  AuthBasicPassword:
    Type: String
    Default: ''
    NoEcho: true

  AuthAzureDevOpsOrg:
    Type: String
    Default: ''
    Description: Provide the name of the Azure DevOps organization that is allowed to authenticate. The username is ADO, the password is the System.AccessToken or user token.

  AuthCustomLambdaArn:
    Type: String
    Default: ''
    Description: Provide the full ARN to a custom authorizer function. Permissions will be added automatically.

Conditions:
  HasValidationDomain: !Not [ !Equals [ !Ref ValidationDomain, '' ] ]
  HasDomainName: !Not [ !Equals [ !Ref DomainName, '' ] ]
  HasAuthorizer: !Not [ !Equals [ !Ref Authorizer, NONE ] ]
  HasCustomAuthorizer: !Equals [ !Ref Authorizer, CUSTOM ]

Resources:
  CloudWatchRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: apigateway.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs

  ApiGatewayRole:
    Type: AWS::ApiGateway::Account
    DependsOn: Api
    Properties:
      CloudWatchRoleArn: !GetAtt CloudWatchRole.Arn

  ApiAccessLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /${AWS::StackName}/accesslog
      RetentionInDays: 7

  Api:
    Type: AWS::Serverless::Api
    Properties:
      StageName: v2
      DefinitionBody: !Include api.openapi.yml
      EndpointConfiguration: REGIONAL
      MinimumCompressionSize: 0
      TracingEnabled: true
      OpenApiVersion: '3.0.1'
      # trigger a redeployment of the Authorizer changes
      BinaryMediaTypes: [!Ref Authorizer]
      AccessLogSetting:
        DestinationArn: !GetAtt ApiAccessLogGroup.Arn
        Format:
          # https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference
          Fn::Stringify:
            requestId: $context.requestId
            ip: $context.identity.sourceIp
            caller: $context.identity.caller
            userArn: $context.identity.userArn
            requestTimeEpoch: $context.requestTimeEpoch
            httpMethod: $context.httpMethod
            resourcePath: $context.resourcePath
            path: $context.path
            status: $context.status
            protocol: $context.protocol
            responseLength: $context.responseLength
            responseLatency: $context.responseLatency
            integrationLatency: $context.integrationLatency
            error: $context.error

  Certificate:
    Type: AWS::CertificateManager::Certificate
    Condition: HasDomainName
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: !Ref ValidationMethod
      DomainValidationOptions:
        Fn::If:
          - HasValidationDomain
          - - DomainName: !Ref DomainName
              ValidationDomain: !Ref ValidationDomain
          - !Ref AWS::NoValue

  ApiDomainName:
    Type: AWS::ApiGateway::DomainName
    Condition: HasDomainName
    Properties:
      RegionalCertificateArn: !Ref Certificate
      DomainName: !Ref DomainName
      EndpointConfiguration:
        Types: [REGIONAL]

  BasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Condition: HasDomainName
    DependsOn: Apiv2Stage
    Properties:
      BasePath: v2
      DomainName: !Ref ApiDomainName
      RestApiId: !Ref Api
      Stage: v2

  ApiFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs12.x
      InlineCode: !Include { type: string, location: lambda/api.js }
      Timeout: 30
      Events:
        Api:
          Type: Api
          Properties:
            Path: /{proxy+}
            Method: ANY
            RestApiId: !Ref Api
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - ecr:GetDownloadUrlForLayer
                - ecr:BatchGetImage
              Resource: '*'

  AuthorizerFunction:
    Type: AWS::Serverless::Function
    Condition: HasAuthorizer
    Properties:
      Handler: index.handler
      Runtime: nodejs12.x
      InlineCode: !Include { type: string, location: lambda/authorizer.js }
      Timeout: 30
      Environment:
        Variables:
          ADO_ORG: !Ref AuthAzureDevOpsOrg
          BASIC_USER: !Ref AuthBasicUsername
          BASIC_PASSWORD: !Ref AuthBasicPassword
          METHOD: !Ref Authorizer

  AuthorizerPermission:
    Type: AWS::Lambda::Permission
    Condition: HasAuthorizer
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !If [ HasCustomAuthorizer, !Ref AuthCustomLambdaArn, !GetAtt AuthorizerFunction.Arn ]
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${Api}/authorizers/*


Outputs:
  ApiDomainName:
    Value: !Sub ${Api}.execute-api.${AWS::Region}.amazonaws.com
    Export:
      Name: !Sub ${AWS::StackName}:ApiDomainName
  RegionalDomainName:
    Value: !If [ HasDomainName, !GetAtt ApiDomainName.RegionalDomainName, 'null']
    Export:
      Name: !Sub ${AWS::StackName}:RegionalDomainName
  RegionalHostedZoneId:
    Value: !If [ HasDomainName, !GetAtt ApiDomainName.RegionalHostedZoneId, 'null']
    Export:
      Name: !Sub ${AWS::StackName}:RegionalHostedZoneId
  LambdaExecutionRoleName:
    Value: !Ref ApiFunctionRole
    Export:
      Name: !Sub ${AWS::StackName}:LambdaExecutionRoleName