---
# Serverless Framework service: Python backend on Lambda plus an S3/CloudFront
# hosted frontend and an RDS PostgreSQL instance.
service: metadocs
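provider:
  name: aws
  runtime: python3.11
  region: eu-west-3
  # Declared explicitly so every `${self:provider.stage}` reference in this file
  # resolves the same way; `--stage <name>` on the CLI overrides the 'dev' default.
  stage: ${opt:stage, 'dev'}
  iamRoleStatements:
    # NOTE(review): rds-data:* is the RDS Data API, which (to my knowledge) is
    # offered for Aurora rather than a plain AWS::RDS::DBInstance, and the
    # `backend` function connects over TCP with RDS_HOSTNAME/RDS_PASSWORD anyway,
    # so this grant looks unused. The ARN also names identifier `<stage>-postgres`
    # while the instance under resources is created as `Postgres` — confirm intent.
    - Effect: Allow
      Action:
        - rds-data:ExecuteStatement
        - rds-data:BatchExecuteStatement
      Resource:
        - arn:aws:rds:${self:provider.region}:*:db:${self:provider.stage}-postgres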
plugins:
  # Builds the Python dependency layer (configured under custom.pythonRequirements).
  - serverless-python-requirements
  # Makes the keys of the .env file available as ${env:...} variables
  # (configured under custom.dotenv).
  - serverless-dotenv-plugin
custom:
  dotenv:
    path: .env
    # NOTE(review): this plugin may export every key found in .env into the
    # function environment, not only the ones referenced with ${env:...} below —
    # check the rendered environment and restrict it if that is not intended.
  pythonRequirements:
    dockerizePip: true
    usePoetry: true
  frontendBucketName: ${self:provider.stage}-metadocs-frontend
  # Hostname used as the CloudFront alias: an explicit entry in domainNames wins,
  # any other stage falls back to <stage>.app.metadocs.co.
  domainName: ${self:custom.domainNames.${self:provider.stage}, '${self:provider.stage}.app.metadocs.co'}
  domainNames:
    prod: app.metadocs.co
  # Distribution IDs consumed by the BucketPolicy AWS:SourceArn condition.
  # The prod entry is still a placeholder and must be filled in before a prod deploy.
  cloudFrontDistributionIds:
    dev: "E3CIV0VN5IVHON"
    prod: "YOUR_PROD_CLOUDFRONT_DISTRIBUTION_ID"
package:
  # Ship only the backend code in the deployment artifact. `.env` is excluded
  # explicitly so the secrets file never ends up inside the uploaded bundle.
  exclude:
    - frontend/**
    - node_modules/**
    - .git/**
    - .vscode/**
    - tests/**
    - README.md
    - .env
  include:
    - backend/**
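functions:
  backend:
    handler: backend/src/main.handler
    # NOTE(review): no `vpc` configuration is given here, while the Postgres
    # instance under resources is PubliclyAccessible: false — as far as I can
    # tell the TCP connection to RDS_HOSTNAME cannot be established without
    # placing the function in the instance's subnets/security group.
    environment:
      JWT_SECRET: ${env:JWT_SECRET}
      BUCKET_NAME: ${self:custom.frontendBucketName}
      # Must reference the instance's logical ID as declared under
      # resources.Resources, which is `Postgres`.
      RDS_HOSTNAME: !GetAtt Postgres.Endpoint.Address
      RDS_PORT: '5432'
      RDS_USERNAME: admin
      # Plain-text credential in the Lambda environment; a Secrets Manager
      # reference would keep it out of the function configuration.
      RDS_PASSWORD: ${env:RDS_PASSWORD}
      # Must match Postgres.DBName — the only database RDS creates on the instance.
      RDS_DB_NAME: db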
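resources:
  Resources:
    # NOTE(review): misnamed — this resource is the Function URL itself, not a
    # permission. AuthType NONE means nothing at the edge authenticates callers,
    # so the handler (JWT_SECRET) is the only authn/authz layer. A public URL
    # additionally needs an AWS::Lambda::Permission granting
    # lambda:InvokeFunctionUrl with FunctionUrlAuthType NONE; none is defined here.
    BackendLambdaPermission:
      Type: AWS::Lambda::Url
      Properties:
        TargetFunctionArn: !GetAtt BackendLambdaFunction.Arn
        AuthType: NONE # No authentication (public URL)

    S3BucketFrontend:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:custom.frontendBucketName}
        BucketEncryption:
          ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: AES256
        # Objects are served only through CloudFront (OAC below), so every form
        # of public or ACL-based access can be blocked at the bucket level.
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true

    CloudFrontOriginAccessControl:
      Type: AWS::CloudFront::OriginAccessControl
      Properties:
        OriginAccessControlConfig:
          Name: "${self:provider.stage}-metadocs-OAC"
          OriginAccessControlOriginType: s3
          SigningBehavior: always
          SigningProtocol: sigv4

    CloudFrontDistribution:
      Type: AWS::CloudFront::Distribution
      Properties:
        DistributionConfig:
          Origins:
            - DomainName: !GetAtt S3BucketFrontend.DomainName
              Id: S3Origin
              OriginAccessControlId: !Ref CloudFrontOriginAccessControl # Correct property for OAC
              S3OriginConfig: {} # Keep this empty when using OAC
          Enabled: true
          DefaultRootObject: index.html
          DefaultCacheBehavior:
            TargetOriginId: S3Origin
            ViewerProtocolPolicy: redirect-to-https
            ForwardedValues:
              QueryString: false
              Cookies:
                Forward: none
          ViewerCertificate:
            # CloudFront requires the certificate in us-east-1; ARN is account-specific.
            AcmCertificateArn: arn:aws:acm:us-east-1:514170698941:certificate/62e81c17-bebd-414e-bc9a-9e88828bd697
            SslSupportMethod: sni-only
            # Refuse viewers below TLS 1.2 (omitting this allows an older minimum).
            MinimumProtocolVersion: TLSv1.2_2021
          Aliases:
            - ${self:custom.domainName}

    # Attach the bucket policy to restrict access to CloudFront only
    BucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref S3BucketFrontend
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service: cloudfront.amazonaws.com
              Action: "s3:GetObject"
              Resource: "arn:aws:s3:::${self:custom.frontendBucketName}/*"
              Condition:
                StringEquals:
                  # Assembled with Fn::Join so the account ID and distribution ID are
                  # substituted at deploy time: `${AWS::AccountId}` inside a plain
                  # string is never expanded (only Fn::Sub does that), leaving a
                  # literal that can never match and denies CloudFront. Referencing
                  # the distribution created above also removes the hard-coded IDs.
                  "AWS:SourceArn": !Join
                    - ""
                    - - "arn:aws:cloudfront::"
                      - !Ref AWS::AccountId
                      - ":distribution/"
                      - !Ref CloudFrontDistribution

    # RDS PostgreSQL Instance
    Postgres:
      Type: AWS::RDS::DBInstance
      # Keep a final snapshot when the stack is deleted or the instance is
      # replaced, so a template change (e.g. DBInstanceIdentifier) cannot lose data.
      DeletionPolicy: Snapshot
      UpdateReplacePolicy: Snapshot
      Properties:
        # NOTE(review): not stage-scoped, so dev and prod in one account/region
        # would collide, and provider.iamRoleStatements targets `<stage>-postgres`
        # instead. Changing it replaces the instance — plan a snapshot/restore.
        DBInstanceIdentifier: Postgres
        # The only database created on the instance; the backend's RDS_DB_NAME must name it.
        DBName: db
        AllocatedStorage: "50"
        DBInstanceClass: db.t4g.small
        Engine: postgres
        EngineVersion: "16.4"
        MasterUsername: admin
        # NOTE(review): this value is rendered in plain text into the CloudFormation
        # template; ManageMasterUserPassword (Secrets Manager) would avoid that.
        MasterUserPassword: ${env:RDS_PASSWORD}
        VPCSecurityGroups:
          - sg-xxxxxxxx # placeholder — replace with the real security group ID
        PubliclyAccessible: false
        BackupRetentionPeriod: 7
        MultiAZ: false
        StorageType: gp2
        # NOTE(review): StorageEncrypted is not set (storage is created unencrypted);
        # it can only be enabled on a new instance, so plan it together with any replacement.

  Outputs:
    S3BucketFrontend:
      Value: !Ref S3BucketFrontend
      Export:
        Name: ${self:service}-${self:provider.stage}-frontend-bucket
    PostgresDBEndpoint:
      # Logical ID of the instance declared above is `Postgres`.
      Value: !GetAtt Postgres.Endpoint.Address
      Export:
        Name: ${self:service}-${self:provider.stage}-postgres-endpoint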