Merge pull request #113 from silinternational/develop

forevermatt · web-flow · commit 09dd72553162 · 2023-05-25T11:09:36.000-04:00
Release 2.4.0
diff --git a/serverless.yml b/serverless.yml
@@ -28,7 +28,7 @@ provider:
         - dynamodb:PutItem
         - dynamodb:UpdateItem
         - dynamodb:DeleteItem
-        Resource: "arn:aws:dynamodb:${aws:region}:*:table/${self:custom.namespace}_*"
+        Resource: "arn:aws:dynamodb:*:*:table/${self:custom.namespace}_*"
 
 custom:
   namespace: ${self:service}_${sls:stage}
@@ -37,6 +37,7 @@ custom:
   u2fTable: ${self:custom.namespace}_u2f
   dev_env: staging
   prod_env: production
+  secondaryRegion: ${env:AWS_REGION_SECONDARY, "us-west-2"}
 
 functions:
   apiKeyActivate:
@@ -192,6 +193,41 @@ functions:
 
 resources:
   Resources:
+    ApiKeyDynamoDbGlobalTable:
+      Type: AWS::DynamoDB::GlobalTable
+      DeletionPolicy: Retain
+      Properties:
+        AttributeDefinitions:
+          - AttributeName: value
+            AttributeType: S
+        KeySchema:
+          - AttributeName: value
+            KeyType: HASH
+        BillingMode: PAY_PER_REQUEST
+        Replicas:
+          - Region: ${aws:region}
+            Tags:
+              - Key: "itse_app_name"
+                Value: ${self:service}
+              - Key: "itse_app_env"
+                Value: ${self:custom.${sls:stage}_env}
+              - Key: "itse_app_customer"
+                Value: "shared"
+              - Key: "managed_by"
+                Value: "serverless"
+          - Region: ${self:custom.secondaryRegion}
+            Tags:
+              - Key: "itse_app_name"
+                Value: ${self:service}
+              - Key: "itse_app_env"
+                Value: ${self:custom.${sls:stage}_env}
+              - Key: "itse_app_customer"
+                Value: "shared"
+              - Key: "managed_by"
+                Value: "serverless"
+        StreamSpecification:
+          StreamViewType: NEW_IMAGE
+        TableName: ${self:custom.apiKeyTable}_global
     ApiKeyDynamoDbTable:
       Type: AWS::DynamoDB::Table
       DeletionPolicy: Retain
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -17,11 +17,51 @@ module "serverless-user" {
           {
             "Effect" : "Allow",
             "Action" : [
-              "dynamodb:DescribeTable"
+              "dynamodb:DescribeGlobalTableSettings",
+              "dynamodb:DescribeGlobalTable"
             ],
-            "Resource" : [
-              "arn:aws:dynamodb:*:*:table/mfa-api_*"
-            ]
+            "Resource" : "arn:aws:dynamodb:*:*:global-table/mfa-api_*"
+          },
+          {
+            "Effect" : "Allow",
+            "Action" : [
+              "dynamodb:BatchWriteItem",
+              "dynamodb:CreateTable",
+              "dynamodb:CreateTableReplica",
+              "dynamodb:DeleteItem",
+              "dynamodb:DescribeContinuousBackups",
+              "dynamodb:DescribeContributorInsights",
+              "dynamodb:DescribeKinesisStreamingDestination",
+              "dynamodb:DescribeTable",
+              "dynamodb:DescribeTimeToLive",
+              "dynamodb:GetItem",
+              "dynamodb:ListTagsOfResource",
+              "dynamodb:PutItem",
+              "dynamodb:Query",
+              "dynamodb:Scan",
+              "dynamodb:TagResource",
+              "dynamodb:UntagResource",
+              "dynamodb:UpdateItem",
+              "dynamodb:UpdateTable"
+            ],
+            "Resource" : "arn:aws:dynamodb:*:*:table/mfa-api_*"
+          },
+          {
+            "Effect" : "Allow",
+            "Action" : [
+              "dynamodb:Scan",
+              "dynamodb:Query"
+            ],
+            "Resource" : "arn:aws:dynamodb:*:*:table/mfa-api_*/index/*"
+          },
+          {
+            "Effect" : "Allow",
+            "Action" : [
+              "iam:CreateServiceLinkedRole",
+              "iam:TagRole",
+              "iam:UntagRole"
+            ],
+            "Resource" : "arn:aws:iam::*:role/*"
           }
         ]
       }
