template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  AWS

  Sample SAM Template for AWS

Parameters:
  CognitoAuthorizerArn:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Description: Reference to Cognito UserPool for the stage
    Default: CognitoAuthorizerArn
  CognitoUri:
    Type: AWS::SSM::Parameter::Value<String>
    Description: URI to the OAUTH endpoint of the Cognito client
    Default: /NVA/CognitoUri
  ApiDomain:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Description: The Api domain
    Default: /NVA/ApiDomain
  CustomDomain:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Description: Custom API to connect this lambda to
    Default: CustomDomain
  CustomDomainBasePath:
    Type: String
    Description: Base path mapping in CustomDomain
    Default: doi-fetch
  CrossrefPlusApiTokenName:
    Type: String
    Default: CrossRefPlusApiToken
  CrossrefPlusApiTokenKey:
    Type: String
    Default: token
  NvaEventsBucketName:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: '/NVA/Events/EventsBucketName'
  NvaEventsBucketArn:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: '/NVA/Events/EventsBucketArn'
  NvaEventsBusArn:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: '/NVA/Events/EventsBusArn'
  NvaEventsBusName:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: '/NVA/Events/EventsBusName'

Globals:
  Function:
    Timeout: 900
    MemorySize: 1798
    Runtime: java21
    Environment:
      Variables:
        COGNITO_HOST: !Ref CognitoUri
  Api:
    Cors:
      AllowMethods: "'POST,OPTIONS'"
      AllowHeaders: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
      AllowOrigin: "'*'"
Resources:
  ApiAccessLogGroup:
    Type: AWS::Logs::LogGroup

  NvaFetchDoiFunctionApi:
    Type: AWS::Serverless::Api
    Properties:
      AccessLogSetting:
        DestinationArn: !GetAtt ApiAccessLogGroup.Arn
        Format: '{ "apiId": "$context.apiId", "requestId": "$context.requestId", "requestTime": "$context.requestTime", "requestTimeEpoch": "$context.requestTimeEpoch", "httpMethod": "$context.httpMethod", "path": "$context.path", "status": "$context.status",  "error.message": "$context.error.message" }'
      StageName: Prod
      EndpointConfiguration: REGIONAL
      DefinitionBody:
        'Fn::Transform':
          Name: AWS::Include
          Parameters:
            Location: ./docs/openapi.yaml


  NvaFetchDoiFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
            Action: ['sts:AssumeRole']
      Policies:
        - PolicyName: writeLog
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:*'
        - PolicyName: readSecret
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:CrossRefPlusApiToken*'

  ImportDoiFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: publication-from-doi
      Handler: no.unit.nva.doi.fetch.ImportDoiHandler::handleRequest
      AutoPublishAlias: live
      DeploymentPreference:
        Type: AllAtOnce
      ProvisionedConcurrencyConfig:
        ProvisionedConcurrentExecutions: 1
      Role: !GetAtt NvaFetchDoiFunctionRole.Arn
      Environment:
        Variables:
          ALLOWED_ORIGIN: '*'
          PUBLICATION_API_HOST: !Ref ApiDomain
          CROSSREFPLUSAPITOKEN_NAME: !Ref CrossrefPlusApiTokenName
          CROSSREFPLUSAPITOKEN_KEY:  !Ref CrossrefPlusApiTokenKey
          API_HOST: !Ref ApiDomain
          ID_NAMESPACE: !Sub 'https://api.${CustomDomain}/${CustomDomainBasePath}'
      Events:
        NvaDoi:
          Type: Api
          Properties:
            Path: /
            Method: post
            RestApiId: !Ref NvaFetchDoiFunctionApi

  PreviewDoiFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: publication-from-doi
      Handler: no.unit.nva.doi.fetch.PreviewDoiHandler::handleRequest
      AutoPublishAlias: live
      DeploymentPreference:
        Type: AllAtOnce
      ProvisionedConcurrencyConfig:
        ProvisionedConcurrentExecutions: 1
      Role: !GetAtt NvaFetchDoiFunctionRole.Arn
      Environment:
        Variables:
          ALLOWED_ORIGIN: '*'
          PUBLICATION_API_HOST: !Ref ApiDomain
          CROSSREFPLUSAPITOKEN_NAME: !Ref CrossrefPlusApiTokenName
          CROSSREFPLUSAPITOKEN_KEY:  !Ref CrossrefPlusApiTokenKey
          API_HOST: !Ref ApiDomain
          ID_NAMESPACE: !Sub 'https://api.${CustomDomain}/${CustomDomainBasePath}'
      Events:
        NvaDoi:
          Type: Api
          Properties:
            Path: /preview
            Method: post
            RestApiId: !Ref NvaFetchDoiFunctionApi


  NvaFetchDoiFunctionScalableTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      MaxCapacity: 10
      MinCapacity: 1
      ResourceId: !Sub function:${ImportDoiFunction}:live # You need to specify an alias or version here
      RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/lambda.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency
      ScalableDimension: lambda:function:ProvisionedConcurrency
      ServiceNamespace: lambda
    DependsOn: ImportDoiFunctionAliaslive # This is your function logical ID + "Alias" + what you use for AutoPublishAlias

  NvaFetchDoiFunctionScalingPolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: NvaFetchDoiFunctionScalingPolicy
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref NvaFetchDoiFunctionScalableTarget
      TargetTrackingScalingPolicyConfiguration:
        TargetValue: 0.70 # Any value between 0.1 and 0.9 can be used here
        PredefinedMetricSpecification:
          PredefinedMetricType: LambdaProvisionedConcurrencyUtilization


  NvaFetchDoiFunctionBasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      BasePath: !Ref CustomDomainBasePath
      DomainName: !Join [ '.', [ 'api', !Ref CustomDomain ] ]
      RestApiId: !Ref NvaFetchDoiFunctionApi
      Stage: !Ref NvaFetchDoiFunctionApi.Stage


  #============================ Deploy API ============================================================================#
  # This solves the problem described here:
  # https://stackoverflow.com/questions/41423439/cloudformation-doesnt-deploy-to-api-gateway-stages-on-update
  #====================================================================================================================#

  ApiGatewayCreateDeploymentLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: ApiGatewayAdmin
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - apigateway:POST
                Resource: !Sub 'arn:aws:apigateway:${AWS::Region}::/restapis/${NvaFetchDoiFunctionApi}/deployments'

  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-lambda-function-code-cfnresponsemodule.html
  ApiGatewayCreateDeploymentLambda:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.lambda_handler
      MemorySize: 128
      Timeout: 30
      Role: !GetAtt ApiGatewayCreateDeploymentLambdaRole.Arn
      Runtime: python3.13
      Code:
        ZipFile: |
          import json, boto3
          import cfnresponse
          client = boto3.client('apigateway')
          def lambda_handler(event, context):
            responseData = {}
            responseStatus = cfnresponse.SUCCESS
            if event['RequestType'] == 'Update':
              try:
                properties = event['ResourceProperties']
                response = client.create_deployment(
                  restApiId=properties['RestApiId'],
                  stageName=properties['StageName'],
                  description='Deployed from Custom Resource'
                )
              except:
                responseStatus = cfnresponse.FAILED
            cfnresponse.send(event, context, responseStatus, responseData)
  ApiGatewayCreateDeploymentCustomResource:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken: !GetAtt ApiGatewayCreateDeploymentLambda.Arn
      RestApiId: !Ref NvaFetchDoiFunctionApi
      StageName: !Ref NvaFetchDoiFunctionApi.Stage
      Timestamp: '${BUILD_TIMESTAMP}'
      AuthorizerArn: !Ref CognitoAuthorizerArn