
@nonbeing
Forked from fideliocc/serverless.yml
Created August 14, 2020 10:50
A serverless project template to deploy Quicksight URL Resolver
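service: quicksight-resolver-service
app: quicksight-resolver-app

# TIP: I prefer to use a secret file for sensitive information as a security
# practice.
# Keep secrets.json out of version control. Values read from it that are
# copied into `environment` blocks are stored in plain text in the deployed
# function configuration, so the file only protects them inside the
# repository.
custom:
  # Per-stage settings; this file looks up REGION, AWS_ACCOUNT_ID and the
  # dashboard ids under a key named after the stage.
  secrets: ${file(./secrets.json)}
  # ARN of the quickSightEmbedRole resource, resolved by CloudFormation at
  # deploy time.
  quickSightEmbedRoleArn:
    Fn::GetAtt: [quickSightEmbedRole, Arn]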
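provider:
  name: aws
  # NOTE(review): AWS Lambda has deprecated the nodejs10.x runtime and it no
  # longer receives security patches. Move to a currently supported Node.js
  # runtime after testing the handler against it.
  runtime: nodejs10.x
  stage: ${opt:stage, 'dev'}
  region: ${self:custom.secrets.${self:provider.stage}.REGION}
  environment:
    REGION: ${self:provider.region}
  # Statements added to the Lambda execution role. The only permission
  # granted is assuming quickSightEmbedRole, which holds the QuickSight
  # actions.
  iamRoleStatements:
    - Effect: Allow
      Action:
        - sts:AssumeRole
      Resource:
        - Fn::GetAtt: [quickSightEmbedRole, Arn]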
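functions:
  getDashboardUrl:
    handler: dashboard/getDashboardUrl.handler
    timeout: 10
    environment:
      QUICKSIGHT_ROLE_ARN: ${self:custom.quickSightEmbedRoleArn}
      # NOTE(review): this reads QUICKSIGHT_MOBILE_DASHBOARD_ID, while the
      # embed policy under `resources` builds its dashboard ARN from
      # QUICKSIGHT_DASHBOARD_ID. If the two secrets differ, the role is not
      # allowed to embed the dashboard the function asks for - confirm.
      QUICKSIGHT_DASHBOARD_ID: ${self:custom.secrets.${self:provider.stage}.QUICKSIGHT_MOBILE_DASHBOARD_ID}
      AWS_ACCOUNT_ID: ${self:custom.secrets.${self:provider.stage}.AWS_ACCOUNT_ID}
    events:
      # NOTE(review): no authorizer is declared on this event, so API
      # Gateway forwards unauthenticated requests and the caller chooses the
      # `email` value. The handler is not shown here; unless it verifies the
      # caller's identity itself, attach an authorizer to this event and
      # take the email from the verified identity rather than from the
      # query string.
      - http:
          path: /dashboard/getDashboardUrl
          method: get
          # `cors: true` uses the framework defaults, which allow any
          # origin; list the expected origins explicitly if they are known.
          cors: true
          request:
            parameters:
              querystrings:
                # true marks the parameter as required.
                email: true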
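resources:
  Resources:
    # Required for successful CORS responses
    # NOTE(review): both gateway responses send wildcard
    # Access-Control-Allow-Origin and Access-Control-Allow-Headers values.
    # Restrict them to the front-end origin and the headers it actually
    # sends if those are known.
    GatewayResponseDefault4XX:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: DEFAULT_4XX
        RestApiId:
          Ref: 'ApiGatewayRestApi'
    GatewayResponseDefault5XX:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: DEFAULT_5XX
        RestApiId:
          Ref: 'ApiGatewayRestApi'
    # Role that shares Quicksight permissions to Serverless Lambda Execution
    # Role
    # CloudFormation syntax
    quickSightEmbedRole:
      Type: AWS::IAM::Role
      Properties:
        Path: /aws/roles/
        # NOTE(review): the role name is fixed. IAM role names are unique
        # per account, so deploying a second stage into the same account
        # will collide on this name.
        RoleName: QuickSightEmbedRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            # NOTE(review): the account-root principal delegates trust to
            # the whole account: any identity in it whose own policy allows
            # sts:AssumeRole on this role can assume it, not only the
            # Lambda execution role. Naming the execution role as the
            # principal is tighter, but that role's policy already
            # references this role's Arn, so check for a circular
            # dependency in the template before changing it.
            - Effect: Allow
              Principal:
                AWS:
                  - arn:aws:iam::${self:custom.secrets.${opt:stage, self:provider.stage}.AWS_ACCOUNT_ID}:root
              Action: sts:AssumeRole
        Policies:
          - PolicyName: QuickSightEmbedPolicy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                # Embed-URL generation is limited to the listed dashboard
                # ARNs. The id comes from the QUICKSIGHT_DASHBOARD_ID
                # secret, whereas the function's environment is filled from
                # QUICKSIGHT_MOBILE_DASHBOARD_ID - confirm both name the
                # same dashboard.
                - Effect: Allow
                  Action:
                    - quicksight:GetDashboardEmbedUrl
                  Resource:
                    - arn:aws:quicksight:${self:provider.region}:${self:custom.secrets.${opt:stage, self:provider.stage}.AWS_ACCOUNT_ID}:dashboard/${self:custom.secrets.${opt:stage, self:provider.stage}.QUICKSIGHT_DASHBOARD_ID}
                    # Add more ARNs...
                # NOTE(review): the next two statements apply to every
                # resource. RegisterUser creates QuickSight users, so
                # combined with a caller-supplied email it should be
                # narrowed to this account's QuickSight user ARNs if the
                # action supports resource-level scoping - confirm against
                # the IAM documentation for QuickSight.
                - Effect: Allow
                  Action:
                    - quicksight:RegisterUser
                  Resource: "*"
                - Effect: Allow
                  Action:
                    - quicksight:GetAuthCode
                  Resource: "*"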