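# Serverless Framework service definition for the SAP prediction API:
# one container-image Lambda behind an API Gateway HTTP endpoint, served on a
# custom domain, with a dedicated IAM execution role.
service: sapmodel

provider:
  name: aws
  region: eu-west-2
  architecture: x86_64
  # Every value below is read from the deploying shell/CI environment and is
  # also exposed to the function at runtime. Keep secrets out of this map.
  environment:
    RUNTIME_ENVIRONMENT: ${env:RUNTIME_ENVIRONMENT}
    MODEL_DIRECTORY_BUCKET: ${env:MODEL_DIRECTORY_BUCKET}
    PREDICTIONS_BUCKET: ${env:PREDICTIONS_BUCKET}
    DOMAIN_NAME: ${env:DOMAIN_NAME}
    ECR_URI: ${env:ECR_URI}
    GITHUB_SHA: ${env:GITHUB_SHA}

plugins:
  - serverless-domain-manager

custom:
  customDomain:
    domainName: api.${self:provider.environment.DOMAIN_NAME}
    basePath: 'sapmodel'
    createRoute53Record: true
    # Certificate ARN is looked up from SSM Parameter Store at deploy time.
    certificateArn: ${ssm:/ssl_certificate_arn}

functions:
  sap_prediction_lambda:
    image:
      # Image is selected by commit-SHA tag. Enabling tag immutability on the
      # ECR repository keeps that tag from being re-pointed after the build.
      uri: ${env:ECR_URI}:${env:GITHUB_SHA}
    # Custom role: the framework does not add its default permissions to it,
    # so everything the function needs must be granted in the role below.
    role: sapPredictionLambdaRole
    events:
      # NOTE(review): no authorizer or API key (`private: true`) is set on
      # this event, so POST /predict is reachable without authentication
      # unless it is enforced elsewhere (e.g. in the handler) - confirm.
      - http:
          path: /predict
          method: POST

resources:
  Resources:
    sapPredictionLambdaRole:
      Type: AWS::IAM::Role
      Properties:
        # NOTE(review): fixed role name. IAM role names are unique per
        # account, so a second stage in the same account would collide.
        RoleName: sap-prediction-lambda-role
        # Only the Lambda service may assume this role.
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: sapPredictionLambdaS3Access
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                # Allow reading from MODEL_DIRECTORY_BUCKET
                # (ListBucket applies to the bucket ARN, GetObject to the
                # object ARN; the model bucket is read-only for the function.)
                - Effect: Allow
                  Action:
                    - s3:GetObject
                    - s3:ListBucket
                  Resource:
                    - arn:aws:s3:::${env:MODEL_DIRECTORY_BUCKET}
                    - arn:aws:s3:::${env:MODEL_DIRECTORY_BUCKET}/*
                # Allow reading and writing to PREDICTIONS_BUCKET
                - Effect: Allow
                  Action:
                    - s3:GetObject
                    - s3:PutObject
                    - s3:ListBucket
                  Resource:
                    - arn:aws:s3:::${env:PREDICTIONS_BUCKET}
                    - arn:aws:s3:::${env:PREDICTIONS_BUCKET}/*
          # Without this policy the custom role carries no CloudWatch Logs
          # permissions and the function's output is silently dropped, leaving
          # no invocation trail for debugging or incident response. Scoped to
          # this service's log groups (/aws/lambda/sapmodel-<stage>-<function>).
          - PolicyName: sapPredictionLambdaLogging
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - Fn::Join:
                        - ':'
                        - - arn:aws:logs
                          - Ref: AWS::Region
                          - Ref: AWS::AccountId
                          - 'log-group:/aws/lambda/sapmodel-*:*'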