diff --git a/.github/workflows/deploy_sap_model_lambda.yml b/.github/workflows/deploy_sap_model_lambda.yml
index 9e1e7012..fb4b8dde 100644
--- a/.github/workflows/deploy_sap_model_lambda.yml
+++ b/.github/workflows/deploy_sap_model_lambda.yml
@@ -20,7 +20,7 @@ jobs: - name: Install Serverless and plugins run: | npm install -g serverless - # npm install -g serverless-domain-manager + npm install -g serverless-domain-manager - name: AWS credentials for dev if: github.ref == 'refs/heads/dev'
diff --git a/sapmodel.serverless.yml b/sapmodel.serverless.yml
index c88eb952..a1342744 100644
--- a/sapmodel.serverless.yml
+++ b/sapmodel.serverless.yml
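Review bot: The re-enabled `npm install -g serverless-domain-manager`, like the `npm install -g serverless` line just above it, carries no version, so every run of this deploy job pulls whatever is latest on the registry before the job goes on to obtain AWS credentials; a breaking or compromised release of either package would land in the deploy path without review. Pin both to exact versions, e.g. `npm install -g serverless@<PINNED_VERSION> serverless-domain-manager@<PINNED_VERSION>` (placeholders for the versions this project has tested), or install them from a committed lockfile with `npm ci` so upgrades arrive as reviewable diffs. The job and step definitions that enclose this `run:` block start above the hunk.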
@@ -12,63 +12,87 @@ provider: DOMAIN_NAME: ${env:DOMAIN_NAME} ECR_URI: ${env:ECR_URI} GITHUB_SHA: ${env:GITHUB_SHA} + iam: + role: + name: fastapi_backend_${env:PLAN_TRIGGER_BUCKET}_access + statements: + # Allow reading from MODEL_DIRECTORY_BUCKET and DATA_BUCKET + - Effect: Allow + Action: + - s3:GetObject + - s3:ListBucket + Resource: + - arn:aws:s3:::${env:MODEL_DIRECTORY_BUCKET} + - arn:aws:s3:::${env:MODEL_DIRECTORY_BUCKET}/* + - arn:aws:s3:::${env:DATA_BUCKET} + - arn:aws:s3:::${env:DATA_BUCKET}/* + # Allow reading and writing to PREDICTIONS_BUCKET + - Effect: Allow + Action: + - s3:GetObject + - s3:PutObject + - s3:ListBucket + Resource: + - arn:aws:s3:::${env:PREDICTIONS_BUCKET} + - arn:aws:s3:::${env:PREDICTIONS_BUCKET}/* -#plugins: -# - serverless-domain-manager -# -#custom: -# customDomain: -# domainName: api.${self:provider.environment.DOMAIN_NAME} -# basePath: 'sapmodel' -# createRoute53Record: true -# certificateArn: ${ssm:/ssl_certificate_arn} + +plugins: + - serverless-domain-manager + +custom: + customDomain: + domainName: api.${self:provider.environment.DOMAIN_NAME} + basePath: 'sapmodel' + createRoute53Record: true + certificateArn: ${ssm:/ssl_certificate_arn} functions: sap_prediction_lambda: image: uri: ${env:ECR_URI}:${env:GITHUB_SHA} - role: sapPredictionLambdaRole + # role: sapPredictionLambdaRole events: - http: path: /predict method: POST -resources: - Resources: - sapPredictionLambdaRole: - Type: AWS::IAM::Role - Properties: - RoleName: sap-prediction-lambda-role - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: sts:AssumeRole - Policies: - - PolicyName: sapPredictionLambdaS3Access - PolicyDocument: - Version: '2012-10-17' - Statement: - # Allow reading from MODEL_DIRECTORY_BUCKET and DATA_BUCKET - - Effect: Allow - Action: - - s3:GetObject - - s3:ListBucket - Resource: - - arn:aws:s3:::${env:MODEL_DIRECTORY_BUCKET} - - 
arn:aws:s3:::${env:MODEL_DIRECTORY_BUCKET}/* - - arn:aws:s3:::${env:DATA_BUCKET} - - arn:aws:s3:::${env:DATA_BUCKET}/* - # Allow reading and writing to PREDICTIONS_BUCKET - - Effect: Allow - Action: - - s3:GetObject - - s3:PutObject - - s3:ListBucket - Resource: - - arn:aws:s3:::${env:PREDICTIONS_BUCKET} - - arn:aws:s3:::${env:PREDICTIONS_BUCKET}/* +#resources: +# Resources: +# sapPredictionLambdaRole: +# Type: AWS::IAM::Role +# Properties: +# RoleName: sap-prediction-lambda-role +# AssumeRolePolicyDocument: +# Version: '2012-10-17' +# Statement: +# - Effect: Allow +# Principal: +# Service: +# - lambda.amazonaws.com +# Action: sts:AssumeRole +# Policies: +# - PolicyName: sapPredictionLambdaS3Access +# PolicyDocument: +# Version: '2012-10-17' +# Statement: +# # Allow reading from MODEL_DIRECTORY_BUCKET and DATA_BUCKET +# - Effect: Allow +# Action: +# - s3:GetObject +# - s3:ListBucket +# Resource: +# - arn:aws:s3:::${env:MODEL_DIRECTORY_BUCKET} +# - arn:aws:s3:::${env:MODEL_DIRECTORY_BUCKET}/* +# - arn:aws:s3:::${env:DATA_BUCKET} +# - arn:aws:s3:::${env:DATA_BUCKET}/* +# # Allow reading and writing to PREDICTIONS_BUCKET +# - Effect: Allow +# Action: +# - s3:GetObject +# - s3:PutObject +# - s3:ListBucket +# Resource: +# - arn:aws:s3:::${env:PREDICTIONS_BUCKET} +# - arn:aws:s3:::${env:PREDICTIONS_BUCKET}/*
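Review bot: The new `provider.iam.role.name` is `fastapi_backend_${env:PLAN_TRIGGER_BUCKET}_access`, which looks copied from another service: nothing else in this file references PLAN_TRIGGER_BUCKET, and the role it replaces was named `sap-prediction-lambda-role`. IAM role names are account-wide, so if another stack creates a role from the same pattern this deploy would presumably fail on the role resource, and an unset PLAN_TRIGGER_BUCKET would break variable resolution at package time; I would name the role after this service instead, e.g. `name: sap-prediction-lambda-role`, and note in a comment next to it that the S3 statements below are the same least-privilege set the old inline policy granted. Separately, the roughly forty-line commented-out `resources:` block and the commented `# role: sapPredictionLambdaRole` line should be deleted rather than kept as comments, since the old role definition is preserved in history and dead config invites drift. The `provider:` mapping that these `iam` keys belong to starts above the hunk.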