magic-pocket-cli 0.2.0__py3-none-any.whl

pocket_cli/templates/cloudformation/awscontainer.yaml

@@ -0,0 +1,516 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: lambda configuration for webapp
+
+Resources:
+  LambdaRole:
+    # This role must be created before the lambda function.
+    # https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
+    # When you change Role, you must delete function and role.
+    # https://www.lastweekinaws.com/blog/the-sneaky-weakness-behind-aws-managed-kms-keys/
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+            Action: "sts:AssumeRole"
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+        # {% if vpc %}
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
+        # {% endif %}
+        # {% if use_ses %}
+        - arn:aws:iam::aws:policy/AmazonSESFullAccess
+        # {% endif %}
+        # {% if use_s3 %}
+        - arn:aws:iam::aws:policy/AmazonS3FullAccess
+        # {% endif %}
+        # {% if use_route53 %}
+        - arn:aws:iam::aws:policy/AmazonRoute53FullAccess
+        # {% endif %}
+        # {% if use_sqs %}
+        - arn:aws:iam::aws:policy/AmazonSQSFullAccess
+        # {% endif %}
+        # {% if use_efs %}
+        - arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess
+        # {% endif %}
+        # {% for arn in iam.managed_policy_arns %}
+        - "{{ arn }}"
+        # {% endfor %}
+      Policies:
+        # {% if secrets and secrets.allowed_sm_resources %}
+        - PolicyName: "{{ resource_prefix }}access-secretsmanager"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Action:
+                  - "secretsmanager:GetSecretValue"
+                Resource:
+                  # {% for value in secrets.allowed_sm_resources %}
+                  - Fn::Sub: "{{ value }}"
+                  # {% endfor %}
+              # {% if secrets.require_list_secrets %}
+              - Effect: "Allow"
+                Action:
+                  - "secretsmanager:ListSecrets"
+                Resource:
+                  - "*"
+              # {% endif %}
+        # {% endif %}
+        # {% if secrets and secrets.allowed_ssm_resources %}
+        - PolicyName: "{{ resource_prefix }}access-ssm"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Action:
+                  - "ssm:GetParameter"
+                  - "ssm:GetParameters"
+                  - "ssm:GetParametersByPath"
+                Resource:
+                  # {% for value in secrets.allowed_ssm_resources %}
+                  - Fn::Sub: "{{ value }}"
+                  # {% endfor %}
+        # {% endif %}
+        # {% if rds_secret_arn %}
+        - PolicyName: "{{ resource_prefix }}access-rds-secret"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Action:
+                  - "secretsmanager:GetSecretValue"
+                Resource:
+                  - "{{ rds_secret_arn }}"
+              # {% if rds_kms_key_id %}
+              - Effect: "Allow"
+                Action:
+                  - "kms:Decrypt"
+                Resource:
+                  - "{{ rds_kms_key_id }}"
+              # {% endif %}
+        # {% endif %}
+        # {% if rds_ssm_param_arn %}
+        - PolicyName: "{{ resource_prefix }}access-rds-ssm"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Action:
+                  - "ssm:GetParameter"
+                Resource:
+                  - Fn::Sub: "{{ rds_ssm_param_arn }}"
+        # {% endif %}
+        # {% if use_dsql %}
+        - PolicyName: "{{ resource_prefix }}access-dsql"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Action:
+                  - "dsql:DbConnectAdmin"
+                Resource:
+                  - "{{ dsql_cluster_arn }}"
+        # {% endif %}
+        - PolicyName:
+            Fn::Sub: "{{ resource_prefix }}access-cloudformation"
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Action:
+                  - "cloudformation:DescribeStacks"
+                Resource:
+                  - Fn::Sub: "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{{ slug }}-*"
+        # {% for name, doc in iam.inline_policies.items() %}
+        - PolicyName: "{{ resource_prefix }}{{ name }}"
+          PolicyDocument: {{ doc | tojson }}
+        # {% endfor %}
+      RoleName: "lambda-{{ slug }}-{{ namespace }}"
+      # {% if permissions_boundary %}
+      PermissionsBoundary: "{{ permissions_boundary }}"
+      # {% endif %}
+
+  # {% if vpc %}
+  LambdaSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: "{{ resource_prefix }}lambda"
+      GroupName: "{{ resource_prefix }}lambda"
+      SecurityGroupEgress:
+        - CidrIp: 0.0.0.0/0
+          Description: Allow all outbound traffic by default
+          IpProtocol: "-1"
+      Tags:
+        - Key: Name
+          Value: "{{ resource_prefix }}lambda"
+      VpcId:
+        Fn::ImportValue: "{{ export.vpc_id }}"
+  # {% endif %}
+
+  # {% for handler in handlers.values() %}
+  "{{ handler.key|capitalize }}LambdaFunction":
+    Type: AWS::Lambda::Function
+    Properties:
+      FunctionName: "{{ handler.function_name }}"
+      PackageType: Image
+      MemorySize: "{{ handler.memory_size }}"
+      Timeout: "{{ handler.timeout }}"
+      # {% if handler.reserved_concurrency %}
+      ReservedConcurrentExecutions: "{{ handler.reserved_concurrency }}"
+      # {% endif %}
+      Role:
+        Fn::GetAtt: LambdaRole.Arn
+      Code:
+        ImageUri:
+          Fn::Sub: "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/{{ ecr_name }}:{{ stage }}"
+      ImageConfig:
+        Command:
+          - "{{ handler.command }}"
+      Environment:
+        Variables:
+          "POCKET_STAGE": "{{ stage }}"
+          # {% for env_key, value in envs.items() %}
+          "{{ env_key }}": "{{ value }}"
+          # {% endfor %}
+          # {% for env_key, import_name in signing_key_imports.items() %}
+          "{{ env_key }}":
+            Fn::ImportValue: "{{ import_name }}"
+          # {% endfor %}
+          # {% if rds_secret_arn %}
+          "POCKET_RDS_SECRET_ARN": "{{ rds_secret_arn }}"
+          "POCKET_RDS_ENDPOINT": "{{ rds_endpoint }}"
+          "POCKET_RDS_PORT": "{{ rds_port }}"
+          "POCKET_RDS_DBNAME": "{{ rds_dbname }}"
+          # {% endif %}
+          # {% if rds_ssm_param_name %}
+          "POCKET_RDS_SECRET_STORE": "ssm"
+          "POCKET_RDS_SSM_PARAM": "{{ rds_ssm_param_name }}"
+          "POCKET_RDS_ENDPOINT": "{{ rds_endpoint }}"
+          "POCKET_RDS_PORT": "{{ rds_port }}"
+          "POCKET_RDS_DBNAME": "{{ rds_dbname }}"
+          # {% endif %}
+          # {% if use_dsql %}
+          "POCKET_DSQL_ENDPOINT": "{{ dsql_endpoint }}"
+          "POCKET_DSQL_REGION": "{{ dsql_region }}"
+          # {% endif %}
+      # {% if vpc %}
+      VpcConfig:
+        SecurityGroupIds:
+          - Ref: LambdaSecurityGroup
+        SubnetIds:
+          # {% for zone in vpc.zones %}
+          - Fn::ImportValue: "{{ export.private_subnet_ }}{{ loop.index }}"
+          # {% endfor %}
+      # {% endif %}
+      # {% if use_efs %}
+      FileSystemConfigs:
+        - Arn:
+            Fn::ImportValue: "{{ export.efs_access_point_arn }}"
+          LocalMountPath: "{{ efs_local_mount_path }}"
+      # {% endif %}
+  # {% endfor %}
+
+  # {% for handler in handlers.values() %}
+  # {% if handler.apigateway %}
+  "{{ handler.key|capitalize }}ApigatewayCloudWatchLogsGroup":
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: "{{ slug }}-{{ handler.key }}-apigateway"
+      RetentionInDays: 365
+
+  "{{ handler.key|capitalize }}Api":
+    Type: AWS::ApiGatewayV2::Api
+    Properties:
+      Name: "{{ slug }}-{{ handler.key }}"
+      ProtocolType: HTTP
+      Target:
+        Fn::GetAtt: "{{ handler.key|capitalize }}LambdaFunction.Arn"
+      DisableExecuteApiEndpoint: "{{ handler.apigateway.disable_execute_api_endpoint }}"
+
+  "{{ handler.key|capitalize }}ApiGatewayManagedOverrides":
+    Type: AWS::ApiGatewayV2::ApiGatewayManagedOverrides
+    Properties:
+      ApiId:
+        Ref: "{{ handler.key|capitalize }}Api"
+      Stage:
+        AutoDeploy: true
+        AccessLogSettings:
+          DestinationArn:
+            Fn::GetAtt: "{{ handler.key|capitalize }}ApigatewayCloudWatchLogsGroup.Arn"
+          Format: >-
+            {"requestTime": "$context.requestTime",
+            "requestId": "$context.requestId",
+            "httpMethod": "$context.httpMethod",
+            "path": "$context.path",
+            "routeKey": "$context.routeKey",
+            "status": $context.status,
+            "responseLatency": $context.responseLatency,
+            "integrationRequestId": "$context.integration.requestId",
+            "functionResponseStatus": "$context.integration.status",
+            "integrationLatency": "$context.integration.latency",
+            "integrationServiceStatus": "$context.integration.integrationStatus",
+            "integrationErrorMessage": "$context.integrationErrorMessage",
+            "ip": "$context.identity.sourceIp",
+            "userAgent": "$context.identity.userAgent"}
+
+  "{{ handler.key|capitalize }}Route":
+    Type: AWS::ApiGatewayV2::Route
+    DependsOn:
+      - "{{ handler.key|capitalize }}Integration"
+    Properties:
+      ApiId:
+        Ref: "{{ handler.key|capitalize }}Api"
+      RouteKey: "ANY /{proxy+}"
+      Target:
+        Fn::Join:
+          - /
+          - - integrations
+            - Ref: "{{ handler.key|capitalize }}Integration"
+
+  "{{ handler.key|capitalize }}Integration":
+    Type: AWS::ApiGatewayV2::Integration
+    Properties:
+      ApiId:
+        Ref: "{{ handler.key|capitalize }}Api"
+      IntegrationType: AWS_PROXY
+      IntegrationUri:
+        Fn::Join:
+          - ""
+          - - "arn:"
+            - Ref: "AWS::Partition"
+            - ":apigateway:"
+            - Ref: "AWS::Region"
+            - ":lambda:path/2015-03-31/functions/"
+            - Fn::GetAtt: "{{ handler.key|capitalize }}LambdaFunction.Arn"
+            - /invocations
+      PayloadFormatVersion: "2.0"
+
+  "{{ handler.key|capitalize }}Permission":
+    Type: AWS::Lambda::Permission
+    Properties:
+      FunctionName:
+        Ref: "{{ handler.key|capitalize }}LambdaFunction"
+      Action: lambda:InvokeFunction
+      Principal: apigateway.amazonaws.com
+      SourceArn:
+        Fn::Join:
+          - ""
+          - - "arn:"
+            - Ref: "AWS::Partition"
+            - ":execute-api:"
+            - Ref: "AWS::Region"
+            - ":"
+            - Ref: "AWS::AccountId"
+            - ":"
+            - Ref: "{{ handler.key|capitalize }}Api"
+            - "/*/*"
+  # {% endif %}
+
+  # {% if handler.apigateway.domain %}
+  "{{ handler.cloudformation_cert_ref_name }}":
+    Type: AWS::CertificateManager::Certificate
+    Properties:
+      DomainName: "{{ handler.apigateway.domain }}"
+      # {% if handler.apigateway.create_records %}
+      DomainValidationOptions:
+        - DomainName: "{{ handler.apigateway.domain }}"
+          HostedZoneId: "{{ handler.apigateway.hosted_zone_id }}"
+      # {% endif %}
+      Tags:
+        - Key: Name
+          Value: "{{ slug }}-{{ handler.key }}-cert"
+      ValidationMethod: DNS
+
+  ##### Warning #####
+  # Api Gateway does not support http, so you must use http.
+  # Moreover you can not just redirect http to https.
+  #  - https://stackoverflow.com/a/58683733
+  #  - https://stackoverflow.com/q/47311081
+  ###################
+  "{{ handler.key|capitalize }}ApiGatewayDomainName":
+    Type: AWS::ApiGatewayV2::DomainName
+    Properties:
+      DomainName: "{{ handler.apigateway.domain }}"
+      DomainNameConfigurations:
+        - CertificateArn:
+            Ref: "{{ handler.cloudformation_cert_ref_name }}"
+
+  # {% if handler.apigateway.create_records %}
+  "{{ handler.key|capitalize }}DNSRecord":
+    Type: AWS::Route53::RecordSet
+    Properties:
+      HostedZoneId: "{{ handler.apigateway.hosted_zone_id }}"
+      Name: "{{ handler.apigateway.domain }}"
+      Type: A
+      AliasTarget:
+        HostedZoneId:
+          Fn::GetAtt: "{{ handler.key|capitalize }}ApiGatewayDomainName.RegionalHostedZoneId"
+        DNSName:
+          Fn::GetAtt: "{{ handler.key|capitalize }}ApiGatewayDomainName.RegionalDomainName"
+  # {% endif %}
+
+  "{{ handler.key|capitalize }}ApiGatewayApiMapping":
+    DependsOn:
+      - "{{ handler.key|capitalize }}ApiGatewayDomainName"
+    Type: "AWS::ApiGatewayV2::ApiMapping"
+    Properties:
+      DomainName: "{{ handler.apigateway.domain }}"
+      ApiId:
+        Ref: "{{ handler.key|capitalize }}Api"
+      Stage: "$default"
+  # {% endif %}
+  # {% endfor %}
+
+  # {% for handler in handlers.values() %}
+  # {% if handler.sqs %}
+  "{{ handler.key|capitalize }}SqsQueue":
+    Type: AWS::SQS::Queue
+    Properties:
+      QueueName:
+        Fn::Sub: "{{ handler.sqs.name }}"
+      RedrivePolicy:
+        deadLetterTargetArn:
+          Fn::GetAtt: "{{ handler.key|capitalize }}DeadLetterQueue.Arn"
+        maxReceiveCount: "{{ handler.sqs.dead_letter_max_receive_count }}"
+      VisibilityTimeout: "{{ handler.sqs.visibility_timeout }}"
+      # default 4 days
+      MessageRetentionPeriod: "{{ handler.sqs.message_retention_period }}"
+
+  "{{ handler.key|capitalize }}DeadLetterQueue":
+    Type: AWS::SQS::Queue
+    Properties:
+      QueueName:
+        Fn::Sub: "{{ handler.sqs.name }}-dead-letter"
+      # max 14 days
+      MessageRetentionPeriod: "{{ handler.sqs.dead_letter_message_retention_period }}"
+
+  "{{ handler.key|capitalize }}SqsEventSourceMapping":
+    DependsOn:
+      - "{{ handler.key|capitalize }}SqsQueue"
+      - "{{ handler.key|capitalize }}LambdaFunction"
+    Type: AWS::Lambda::EventSourceMapping
+    Properties:
+      EventSourceArn:
+        Fn::GetAtt: "{{ handler.key|capitalize }}SqsQueue.Arn"
+      FunctionName:
+        Ref: "{{ handler.key|capitalize }}LambdaFunction"
+      BatchSize: "{{ handler.sqs.batch_size }}"
+      ScalingConfig:
+        MaximumConcurrency: "{{ handler.sqs.maximum_concurrency }}"
+      # {% if handler.sqs.report_batch_item_failures %}
+      FunctionResponseTypes:
+        - "ReportBatchItemFailures"
+      # {% endif %}
+  # {% endif %}
+  # {% endfor %}
+
+  # {% if scheduler and scheduler.has_schedules %}
+  SchedulerExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: "{{ scheduler.role_name }}"
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: scheduler.amazonaws.com
+            Action: "sts:AssumeRole"
+      Policies:
+        - PolicyName: invoke-handlers
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "lambda:InvokeFunction"
+                Resource:
+                  # {% for arn in scheduler.invoked_function_arns %}
+                  - Fn::Sub: "{{ arn }}"
+                  # {% endfor %}
+
+  # {% for entry in scheduler.schedules %}
+  "{{ entry.yaml_key }}Schedule":
+    Type: AWS::Scheduler::Schedule
+    DependsOn:
+      - "{{ entry.handler|capitalize }}LambdaFunction"
+      - SchedulerExecutionRole
+    Properties:
+      Name: "{{ entry.name }}"
+      ScheduleExpression: "{{ entry.schedule_expression }}"
+      FlexibleTimeWindow:
+        Mode: "OFF"
+      Target:
+        Arn:
+          Fn::GetAtt: "{{ entry.handler|capitalize }}LambdaFunction.Arn"
+        RoleArn:
+          Fn::GetAtt: SchedulerExecutionRole.Arn
+        Input: {{ entry.input_json|tojson }}
+  # {% endfor %}
+  # {% endif %}
+
+  # {% if use_efs %}
+  LambdaEFSAccess:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId:
+        Fn::ImportValue: "{{ export.efs_security_group }}"
+      SourceSecurityGroupId:
+        Ref: LambdaSecurityGroup
+      IpProtocol: tcp
+      FromPort: 2049
+      ToPort: 2049
+  # {% endif %}
+
+  # {% if use_rds %}
+  LambdaRDSAccess:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: "{{ rds_security_group_id }}"
+      SourceSecurityGroupId:
+        Ref: LambdaSecurityGroup
+      IpProtocol: tcp
+      FromPort: 5432
+      ToPort: 5432
+  # {% endif %}
+
+# {% if handlers %}
+Outputs:
+  # {% for handler in handlers.values() %}
+  "{{ handler.key|capitalize }}LambdaFunction":
+    Value:
+      Fn::GetAtt: "{{ handler.key|capitalize }}LambdaFunction.Arn"
+  # {% if handler.export_api_domain %}
+  "{{ handler.key|capitalize }}ApiDomain":
+    Value:
+      Fn::Sub:
+        - "${ApiId}.execute-api.${AWS::Region}.amazonaws.com"
+        - ApiId:
+            Ref: "{{ handler.key|capitalize }}Api"
+    Export:
+      Name: "{{ handler.export_api_domain }}"
+  # {% endif %}
+  # {% if handler.apigateway %}
+  "{{ handler.key|capitalize }}ApiEndpoint":
+    Value:
+      # {% if handler.apigateway.domain %}
+      Fn::Join:
+        - ""
+        - - "https://{{ handler.apigateway.domain }}/"
+      # {% else %}
+      Fn::GetAtt: "{{ handler.key|capitalize }}Api.ApiEndpoint"
+      # {% endif %}
+  # {% if handler.apigateway.domain %}
+  "{{ handler.key|capitalize }}RegionalDomainName":
+    Value:
+      Fn::GetAtt: "{{ handler.key|capitalize }}ApiGatewayDomainName.RegionalDomainName"
+  "{{ handler.key|capitalize }}RegionalHostedZoneId":
+    Value:
+      Fn::GetAtt: "{{ handler.key|capitalize }}ApiGatewayDomainName.RegionalHostedZoneId"
+  # {% endif %}
+  # {% endif %}
+  # {% endfor %}
+# {% endif %}

pocket_cli/templates/cloudformation/cf_function_api_host.js

@@ -0,0 +1,5 @@
+function handler(event) {
+    var request = event.request;
+    request.headers['x-forwarded-host'] = { value: request.headers.host.value };
+    return request;
+}

pocket_cli/templates/cloudformation/cf_function_spa_auth.js

@@ -0,0 +1,28 @@
+import cf from 'cloudfront';
+var crypto = require('crypto');
+const kvsHandle = cf.kvs('${TokenKvs}');
+async function handler(event) {
+    var request = event.request;
+    var originalUri = request.uri;
+    var lastItem = request.uri.split('/').pop();
+    if (!lastItem.includes('.')) { request.uri = '{{ fallback_uri }}'; }
+    var cookie = request.cookies['pocket-spa-token'];
+    if (!cookie) { return _redirect(originalUri); }
+    var parts = cookie.value.split(':');
+    if (parts.length !== 3) { return _redirect(originalUri); }
+    var expiry = parseInt(parts[1], 10);
+    if (Math.floor(Date.now() / 1000) > expiry) { return _redirect(originalUri); }
+    var secret;
+    try { secret = await kvsHandle.get('token_secret'); }
+    catch (e) { return _redirect(originalUri); }
+    var msg = parts[0] + ':' + parts[1];
+    var hmac = crypto.createHmac('sha256', Buffer.from(secret, 'hex'));
+    var sig = hmac.update(msg).digest('hex');
+    if (sig !== parts[2]) { return _redirect(originalUri); }
+    return request;
+}
+function _redirect(uri) {
+    var next = encodeURIComponent(uri);
+    return { statusCode: 302, statusDescription: 'Found',
+        headers: { location: { value: '{{ login_path }}?next=' + next } } };
+}

pocket_cli/templates/cloudformation/cf_function_spa_fallback.js

@@ -0,0 +1,8 @@
+function handler(event) {
+    var request = event.request;
+    var lastItem = request.uri.split('/').pop();
+    if (!lastItem.includes('.')) {
+        request.uri = '{{ fallback_uri }}';
+    }
+    return request;
+}