forked from aws-samples/aws-serverless-airline-booking
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathamplify.yml
99 lines (99 loc) · 6.27 KB
/
amplify.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
version: 0.1
backend:
phases:
preBuild:
commands:
- npm install -g @aws-amplify/[email protected] yarn # pinned known working version
- make init # install OS packages and dev tools (awscli, sam-cli, linters, etc.)
- aws configure set cli_follow_urlparam false # fix for parameter store when storing URLs: https://github.com/aws/aws-cli/issues/2507
- export AWS_BRANCH=$(echo ${AWS_BRANCH} | tr "/" "-" | cut -c1-20) # prevent common and long git branch names (feat/something) to create an invalid stack/resource name
build:
commands:
- "# Execute Amplify CLI with the helper script"
- amplifyPush --simple
##
# Extract Environment data
##
- export STACK_NAME=$(jq -r '.providers.awscloudformation.StackName' ./amplify/#current-cloud-backend/amplify-meta.json)
- export DEPLOYMENT_BUCKET_NAME=$(jq -r '.providers.awscloudformation.DeploymentBucketName' ./amplify/#current-cloud-backend/amplify-meta.json)
- export AWS_DEFAULT_REGION=$(jq -r '.providers.awscloudformation.Region' amplify/#current-cloud-backend/amplify-meta.json)
- export GRAPHQL_API_ID=$(jq -r '.api[(.api | keys)[0]].output.GraphQLAPIIdOutput' ./amplify/#current-cloud-backend/amplify-meta.json)
- export APPSYNC_URL=$(jq -r '.api[(.api | keys)[0]].output.GraphQLAPIEndpointOutput' ./amplify/#current-cloud-backend/amplify-meta.json)
- export COGNITO_USER_POOL_ID=$(jq -r '.auth[(.auth | keys)[0]].output.UserPoolId' ./amplify/#current-cloud-backend/amplify-meta.json)
- export COGNITO_USER_POOL_ARN=$(aws cognito-idp describe-user-pool --user-pool-id ${COGNITO_USER_POOL_ID} --query 'UserPool.Arn' --output text)
- export COGNITO_USER_POOL_CLIENT_ID=$(jq -r '.auth[(.auth | keys)[0]].output.AppClientIDWeb' ./amplify/#current-cloud-backend/amplify-meta.json)
- export FLIGHT_TABLE_NAME=$(aws appsync list-data-sources --api-id ${GRAPHQL_API_ID} --query "dataSources[?name=='FlightTable'].dynamodbConfig.tableName" --output text)
- export BOOKING_TABLE_NAME=$(aws appsync list-data-sources --api-id ${GRAPHQL_API_ID} --query "dataSources[?name=='BookingTable'].dynamodbConfig.tableName" --output text)
- export STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY:-UNDEFINED}
- export STRIPE_PUBLIC_KEY=${STRIPE_PUBLIC_KEY:-UNDEFINED}
##
# Export key deployed resources to System Manager Parameter Store
##
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/deployment/stackName" VALUE=${STACK_NAME} &
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/deployment/deploymentBucket" VALUE=${DEPLOYMENT_BUCKET_NAME} &
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/auth/userpool/id" VALUE=${COGNITO_USER_POOL_ID} &
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/auth/userpool/arn" VALUE=${COGNITO_USER_POOL_ARN} &
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/auth/userpool/clientId" VALUE=${COGNITO_USER_POOL_CLIENT_ID} &
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/api/id" VALUE=${GRAPHQL_API_ID} &
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/api/url" VALUE=${APPSYNC_URL} &
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/storage/table/flight" VALUE=${FLIGHT_TABLE_NAME} &
- make export.parameter NAME="/${AWS_BRANCH}/service/amplify/storage/table/booking" VALUE=${BOOKING_TABLE_NAME} &
- make export.parameter NAME="/${AWS_BRANCH}/service/payment/stripe/secretKey" VALUE=${STRIPE_SECRET_KEY} &
- make export.parameter NAME="/${AWS_BRANCH}/service/payment/stripe/publicKey" VALUE=${STRIPE_PUBLIC_KEY} &
- make export.parameter NAME="/${AWS_BRANCH}/service/auth/userpool/url" VALUE=https://cognito-idp.${AWS_DEFAULT_REGION}.amazonaws.com/ &
- make export.parameter NAME="/${AWS_BRANCH}/service/loadtest/usercount" VALUE=5 &
- make export.parameter NAME="/${AWS_BRANCH}/service/loadtest/csv/token" VALUE=user-with-token.csv &
- make export.parameter NAME="/${AWS_BRANCH}/service/loadtest/csv/user" VALUE=user.csv &
- wait
##
# Deploy SAM based back-end
##
- make deploy
frontend:
phases:
preBuild:
commands:
- cd src/frontend
- test -f aws-exports.js && cat aws-exports.js
- yarn
##
# Expose Stripe public key and Payment Charge URL as a VueJS runtime env
##
- >
cat <<-EOF > .prod.env
StripePublicKey=${STRIPE_PUBLIC_KEY:-UNDEFINED}
PaymentChargeUrl=$(aws ssm get-parameter --name /${AWS_BRANCH}/service/payment/api/charge/url --query 'Parameter.Value' --output text)
EOF
build:
commands:
- npm run build
artifacts:
baseDirectory: src/frontend/dist/spa
files:
- "**/*"
cache:
paths:
- node_modules/**/*
customHeaders:
- pattern: "**/*"
headers: # https://infosec.mozilla.org/guidelines/web_security
- key: "Strict-Transport-Security"
value: "max-age=31536000; includeSubDomains"
- key: "X-Content-Type-Options"
value: "nosniff"
- key: "X-XSS-Protection"
value: "1; mode=block"
- key: "X-Frame-Options"
value: "DENY"
- key: "Referrer-Policy"
value: "same-origin"
- key: "Feature-Policy"
value: "microphone 'none'; camera 'none'; notifications 'self'"
# CSP generated using Laboratory: https://github.com/april/laboratory
# Caveats
## Stripe Elements adds inline JS and iFrame (unsafe-eval, frame-src)
## Allows any endpoint hosted on AWS - NOTE: Use custom domains for production
### REST and GraphQL have random identifiers so we allow the sub-domain (connect-src)
### connect-src doesn't parse cognito-idp.*.amazonaws.com used by Amplify Auth - for prod, use region(s) endpoint
- key: "Content-Security-Policy"
value: "'default-src 'none'; connect-src https://*.amazonaws.com; font-src 'self' https://fonts.gstatic.com; frame-src https://js.stripe.com; img-src 'self'; script-src 'self' 'unsafe-eval' https://js.stripe.com/v3/; style-src 'self' https://fonts.googleapis.com/css?family=Raleway 'unsafe-inline' https://fonts.googleapis.com'"