# Stack/service name. Reused below as ${self:service} for the container image
# name, the Aurora DatabaseName and the DBClusterIdentifier.
service: wagtaillwa
# Paths left out of the deployment artifact for every function.
# TODO: package each function individually.
# NOTE(review): newer Serverless Framework releases steer towards
# `package.patterns` (with `!` negations) instead of `exclude`; confirm which
# form the project's framework version accepts before switching.
package:
  exclude:
    - 'node_modules/**'
    - 'db/**'
    - 'media/**'
    - 'Dockerfile'
    - 'Makefile'
    - 'package-lock.json'
    - 'package.json'
    - 'README.rst'
    - 'TODO.rst'
provider:
  name: aws
  region: eu-west-3
  memorySize: 2048  # MB; the framework default is 1024
  timeout: 60  # seconds; the janitor functions raise this to 180 below
  ecr:
    images:
      wagtaillwa:
        path: ./
        platform: linux/amd64  # Apple-silicon hosts build arm64 images by default
  iam:
    role:
      statements:
        # Bucket-level permissions django-storages asks for (see its S3 docs).
        # Scoped to the media bucket ARN only.
        - Effect: Allow
          Action:
            - 's3:ListBucket'
            - 's3:GetBucketLocation'
            - 's3:ListBucketMultipartUploads'  # needed?
            - 's3:ListBucketVersions'  # needed?
          Resource:
            - !Sub '${S3Media.Arn}'  # the bucket itself
        # Object-level permissions, scoped to keys inside the media bucket.
        - Effect: Allow
          Action:
            - 's3:DeleteObject'
            - 's3:GetObject'
            - 's3:GetObjectAcl'
            - 's3:PutObject'
            - 's3:PutObjectAcl'
            - 's3:ListMultipartUploadParts'  # needed?
            - 's3:AbortMultipartUpload'  # needed?
          Resource:
            - !Sub '${S3Media.Arn}/*'  # objects in the bucket
  # Attach every function to the VPC so it can reach the Aurora cluster; the DB
  # security group (SecurityGroupDb in resources) only admits SecurityGroupLambda.
  # Lambda ENIs get no public IP even in these public subnets, so AWS services
  # are reached through VPC endpoints (see S3VpcEndpoint in resources).
  vpc:
    securityGroupIds:
      - !Ref SecurityGroupLambda
    subnetIds:
      - !Ref PublicSubnet1
      - !Ref PublicSubnet2
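# Values shared by several functions, referenced through ${self:custom.*} so
# the connection string is defined once instead of three times.
custom:
  # Connect to the DB Cluster endpoint, not the Instance. The Instance has an
  # undocumented ``DBName`` attribute, but the Cluster does not.
  # NOTE(review): the master password is committed here in plaintext (and again
  # in resources.DBCluster.MasterUserPassword). Rotate it and source it from
  # Secrets Manager / SSM before the stack holds real data.
  databaseUrl: !Sub "postgres://wagtail:ChangeMe@${DBCluster.Endpoint.Address}:${DBCluster.Endpoint.Port}/${DBInstance.DBName}"

functions:
  # For django-storages, set its environment variables.
  s3check:
    environment:
      AWS_STORAGE_BUCKET_NAME: !Ref S3Media  # Bucket name, not DNS
    handler: s3check.handler
    runtime: python3.11
  # The Wagtail site itself, served from the container image.
  wagtail:
    environment:
      DATABASE_URL: ${self:custom.databaseUrl}
      AWS_STORAGE_BUCKET_NAME: !Ref S3Media  # Bucket name, not DNS
    image:
      name: ${self:service}
    # Creates a Lambda Function URL. The framework's `url: true` form configures
    # no authorizer, so this endpoint is reachable by anyone on the internet;
    # the app must do its own authentication.
    url: true
  wagtailjanitor:  # sets flag which start.sh uses to do maintenance
    environment:
      DATABASE_URL: ${self:custom.databaseUrl}
      AWS_STORAGE_BUCKET_NAME: !Ref S3Media
      # It always does createsuperuser, migrate, collectstatic
      WAGTAIL_JANITOR: s3check
    image:
      name: ${self:service}
    timeout: 180  # migration, collectstatic > 30 sec, wake up DB 30-35
    url: false  # run from CLI or web console, not API
  # Presumably destructive (reset_db, then load_data): keep it IAM-only, never
  # give it a Function URL.
  wagtailresetdb:
    environment:
      DATABASE_URL: ${self:custom.databaseUrl}
      AWS_STORAGE_BUCKET_NAME: !Ref S3Media
      WAGTAIL_JANITOR: s3check reset_db load_data
    image:
      name: ${self:service}
    timeout: 180  # migration, collectstatic > 30 sec, wake up DB 30-35
    url: false  # run from CLI or web console, not API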
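# VPC, Aurora Serverless v2 DB, S3 Media
resources:
  Resources:
    VPC:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.192.0.0/16
        EnableDnsSupport: true
        EnableDnsHostnames: true
        Tags:
          - Key: Name
            Value: !Ref AWS::StackName
    InternetGateway:
      Type: AWS::EC2::InternetGateway
      Properties:
        Tags:
          - Key: Name
            Value: !Ref AWS::StackName
    InternetGatewayAttachment:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        InternetGatewayId: !Ref InternetGateway
        VpcId: !Ref VPC
    # Both subnets are public (default route to the IGW below). Lambda ENIs
    # never get a public IP, and the DB instance is pinned to
    # PubliclyAccessible=false, so nothing in them is meant to be reachable
    # from outside the VPC; private subnets would still be the stronger layout.
    PublicSubnet1:
      Type: AWS::EC2::Subnet
      Properties:
        VpcId: !Ref VPC
        AvailabilityZone: !Select [0, !GetAZs '']
        CidrBlock: 10.192.10.0/24
        MapPublicIpOnLaunch: true
        Tags:
          - Key: Name
            Value: !Sub '${AWS::StackName} Public Subnet (AZ1)'
    PublicSubnet2:
      Type: AWS::EC2::Subnet
      Properties:
        VpcId: !Ref VPC
        AvailabilityZone: !Select [1, !GetAZs '']
        CidrBlock: 10.192.11.0/24
        MapPublicIpOnLaunch: true
        Tags:
          - Key: Name
            Value: !Sub '${AWS::StackName} Public Subnet (AZ2)'
    PublicRouteTable:
      Type: AWS::EC2::RouteTable
      Properties:
        VpcId: !Ref VPC
        Tags:
          - Key: Name
            Value: !Sub '${AWS::StackName} Public Routes'
    DefaultPublicRoute:
      Type: AWS::EC2::Route
      DependsOn: InternetGatewayAttachment
      Properties:
        RouteTableId: !Ref PublicRouteTable
        DestinationCidrBlock: 0.0.0.0/0
        GatewayId: !Ref InternetGateway
    PublicSubnet1RouteTableAssociation:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        RouteTableId: !Ref PublicRouteTable
        SubnetId: !Ref PublicSubnet1
    PublicSubnet2RouteTableAssociation:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        RouteTableId: !Ref PublicRouteTable
        SubnetId: !Ref PublicSubnet2
    # Marker group attached to every function (provider.vpc). It has no ingress
    # rules; with no SecurityGroupEgress given, CloudFormation leaves the
    # default allow-all outbound rule in place.
    SecurityGroupLambda:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupName: !Sub "${AWS::StackName}-lambda-sg"
        GroupDescription: "Security group marking the lambda instance"
        VpcId: !Ref VPC
    SecurityGroupDb:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupName: !Sub "${AWS::StackName}-db-sg-2"
        GroupDescription: "Security group on DB allowing lambda access"
        # Only the Lambda security group may reach the cluster, and only on the
        # Postgres port DBCluster.Port is pinned to. There is deliberately no
        # 3306 rule: this is an aurora-postgresql cluster, nothing listens there.
        SecurityGroupIngress:
          - IpProtocol: tcp
            SourceSecurityGroupId: !GetAtt SecurityGroupLambda.GroupId
            FromPort: 5432  # postgres
            ToPort: 5432
        VpcId: !Ref VPC
    DBSubnetGroup:
      Type: AWS::RDS::DBSubnetGroup
      Properties:
        DBSubnetGroupDescription: Subnet for Database
        DBSubnetGroupName: !Sub "${AWS::StackName}-db-subnet-group"
        SubnetIds:
          - !Ref PublicSubnet1
          - !Ref PublicSubnet2
    DBCluster:
      Type: AWS::RDS::DBCluster
      Properties:
        Engine: aurora-postgresql
        EngineMode: provisioned  # Serverless v2 (v1 is deprecated)
        # Quoted so YAML keeps the version a string: an unquoted 16.40 would
        # parse as the float 16.4 and a minor such as 16.10 would become 16.1.
        EngineVersion: "16.4"  # v2 on PG>16.1, AWS default 16.4
        # EngineVersion: "13.16"  # 13.1 used for v1 on PG<16.1, AWS default 13.16
        DatabaseName: ${self:service}
        DBClusterIdentifier: ${self:service}
        DBSubnetGroupName: !Ref DBSubnetGroup
        MasterUsername: wagtail
        # NOTE(review): plaintext master credential committed to VCS; the same
        # value is embedded in the functions' DATABASE_URL. Rotate it and move
        # it to Secrets Manager / SSM once both the cluster and the functions
        # can read the secret from there.
        MasterUserPassword: ChangeMe
        # DANGER: Aurora Serverless v1 defaults to 3306 for MySQL, 5432 for PG.
        # But for v2, it sets Postgres port to 3306, not 5432!
        Port: 5432  # Aurora Serverless v2 default PG DB to 3306 (MySQL!)
        ServerlessV2ScalingConfiguration:  # only for Serverless v2
          MaxCapacity: 2  # will this be enough for Wagtail? 4 seemed fine
          MinCapacity: 0  # MinACU=0 allows v2 to be paused when inactive
          SecondsUntilAutoPause: 300  # default is 300, requires MinCapacity=0
        VpcSecurityGroupIds:
          - !Ref SecurityGroupDb
    DBInstance:  # required for v2
      Type: AWS::RDS::DBInstance
      Properties:
        Engine: aurora-postgresql
        DBInstanceClass: db.serverless
        DBClusterIdentifier: !Ref DBCluster
        # The subnet group holds only public subnets, so without this the
        # instance can be given a public endpoint. Lambda resolves the cluster
        # endpoint to its VPC-internal address regardless.
        PubliclyAccessible: false
    S3Media:
      Type: AWS::S3::Bucket
      Properties:
        # BucketName generated like: wagtaillwa-dev-s3media-12vbehqv6osgh
        CorsConfiguration:
          CorsRules:
            - AllowedHeaders: ['*']
              AllowedMethods: [GET]
              AllowedOrigins: ['*']
              ExposedHeaders: [Date]
              MaxAge: '300'
        # Object ACLs must stay usable so django-storages can set
        # acl=public-read, but public *bucket policies* are not needed for that
        # and stay blocked. Listing only BlockPublicAcls would leave the other
        # three flags off as well.
        PublicAccessBlockConfiguration:
          BlockPublicAcls: false
          IgnorePublicAcls: false
          BlockPublicPolicy: true
          RestrictPublicBuckets: true
        OwnershipControls:  # needed if we want to set acl=public-read
          Rules:
            - ObjectOwnership: ObjectWriter
        # LifecycleConfiguration:
        #   Rules:
        #     - Id: ExpireOldVersions
        #       Status: Enabled
        #       NoncurrentVersionExpirationInDays: 100
        # VersioningConfiguration:
        #   Status: Enabled
    S3VpcEndpoint:
      # Serverless created VPCEndpoint type=Interface: wagtail-dev but
      # we need this VPCE type=Gateway so Lambda in VPC can reach S3.
      # See https://www.alexdebrie.com/posts/aws-lambda-vpc/#set-up-a-vpc-endpoint-for-your-aws-service
      Type: AWS::EC2::VPCEndpoint
      Properties:
        # Gateway is the CloudFormation default; spelled out because an
        # Interface endpoint would not satisfy the note above.
        VpcEndpointType: Gateway
        RouteTableIds:
          - !Ref PublicRouteTable
        ServiceName: com.amazonaws.${self:provider.region}.s3
        VpcId: !Ref VPC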