def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.provisioning_role = iam.Role(
self, "AwsIotProvisioningRole",
assumed_by=iam.ServicePrincipal("iot.amazonaws.com"),
inline_policies={
"AwsIotProvisioningPolicy":
iam.PolicyDocument(statements=[
iam.PolicyStatement(
actions=[
"iot:AddThingToThingGroup",
"iot:AttachPrincipalPolicy",
"iot:AttachThingPrincipal",
"iot:CreateCertificateFromCsr",
"iot:CreatePolicy",
"iot:CreateThing",
"iot:DescribeCertificate",
"iot:DescribeThing",
"iot:DescribeThingGroup",
"iot:DescribeThingType",
"iot:DetachThingPrincipal",
"iot:GetPolicy",
"iot:ListPolicyPrincipals",
"iot:ListPrincipalPolicies",
"iot:ListPrincipalThings",
"iot:ListThingGroupsForThing",
"iot:ListThingPrincipals",
"iot:RegisterCertificate",
"iot:RegisterThing",
"iot:RemoveThingFromThingGroup",
"iot:UpdateCertificate",
"iot:UpdateThing",
"iot:UpdateThingGroupsForThing",
"iot:AddThingToBillingGroup",
"iot:DescribeBillingGroup",
"iot:RemoveThingFromBillingGroup"
],
resources=["*"],
effect=iam.Effect.ALLOW,
)
])
})
policy_name = "AwsIotProvisioningDataPolictyTest1"
iot.CfnPolicy(scope=self,
id='AWSIotProvisioningDataPlanePolicy',
policy_document=get_data_policy_doc(),
policy_name=policy_name)
template_body = get_template_body(device_type='YoYoMaDeviceType', policy_name=policy_name)
self.provisioning_template = \
iot.CfnProvisioningTemplate(scope=self,
id='AWSIoTProvisioningTemplate',
provisioning_role_arn=self.provisioning_role.role_arn,
template_body=template_body,
enabled=True,
template_name='IotProvisioningTemplateTest1',
pre_provisioning_hook=None)
def setup_iot_policy(self):
"""
Sets up an IoT Policy to be granted to Things that are authenticated during tests. This
policy isn't an IAM policy assigned to normal IAM principals; it's an IoT policy attached
to IoT Things.
An IoT policy cannot be statically named or it will fail during update if there are any
principals attached to it (e.g., certificates). A dynamic string has the benefit of allowing
updates to the policy, but the downsides of a) failing to delete the old policy, which
results in a longer deployment time while the delete retries for several minutes; and b) old
policies cluttering the test account.
We compromise below by naming the policy with the hash of the policy document itself. That
ensures that updates are applied to a newly-named policy, while avoiding the overhead of
updating a policy every time we deploy.
"""
policy_document = {
"Version":
"2012-10-17",
"Statement": [
{
"Effect":
"Allow",
"Action": [
"iot:Connect", "iot:Publish", "iot:Subscribe",
"iot:Receive"
],
"Resource":
f"arn:aws:iot:{self.region}:{self.account}:*",
},
],
}
policy_string = json.dumps(policy_document)
policy_bytes = bytes(policy_string, "utf8")
md5_hash = hashlib.md5(policy_bytes).hexdigest()
policy_name = f"iot_integ_test_policy_{md5_hash}"
aws_iot.CfnPolicy(
self,
"iot_integ_test_policy",
policy_document=policy_document,
policy_name=policy_name,
)
self._parameters_to_save["policy_name"] = policy_name
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# The code that defines your stack goes here
# create iot thing & policy
thing = iot.CfnThing(self, "MyIoTCDKThing", thing_name='myiot-thing')
print("## Thing Name: %s" % thing.thing_name)
thing_policy = iot.CfnPolicy(
self,
"MyIoTCDKThingPolicy",
policy_document=boto3_helper.policyDocument,
policy_name='myiot-policy')
# debug - get policy name
thing_policy_name = thing_policy.policy_name
print("## Policy Name: %s" % thing_policy_name)
# create iot thing certificate
response = boto3_helper.myiot_create_csr(
) # ugh! - gens a new cert for each deployment
print(response)
thing_policy_principal_props = iot.CfnPolicyPrincipalAttachmentProps(
policy_name=thing_policy.policy_name,
principal=response['certificateArn'])
print("## Principal Cert Arn: %s" %
thing_policy_principal_props.principal)
# attach policy to iot certificate
iot.CfnPolicyPrincipalAttachment(
self,
'MyIoTCDKPolicyPrincipalAttachment',
policy_name=thing_policy.policy_name,
principal=thing_policy_principal_props.principal)
# attach certificate to iot thing
iot.CfnThingPrincipalAttachment(
self,
'MyIoTCDKThingPrincipalAttachment',
thing_name=thing.thing_name,
principal=thing_policy_principal_props.principal)
def __init__(self, app: core.App, id: str, key: str, csr: str,
policy: str) -> None:
super().__init__(app, id)
# Create an IoT Thing, Certificate, and Policy
thing = aws_iot.CfnThing(self, "Thing", thing_name=self.stack_name)
cert = aws_iot.CfnCertificate(self,
"ThingCertificate",
certificate_signing_request=csr,
status="ACTIVE")
policy = aws_iot.CfnPolicy(self, "ThingPolicy", policy_document=policy)
# Attach the Certificate to the Thing
aws_iot.CfnThingPrincipalAttachment(self,
"ThingCertificateAttachment",
principal=cert.attr_arn,
thing_name=thing.ref)
# Attach the Policy to the Certificate
aws_iot.CfnPolicyPrincipalAttachment(self,
"ThingPolicyAttachment",
principal=cert.attr_arn,
policy_name=policy.ref)
# Store the certificate CSR and private key in Secrets Manager
secret = aws_secretsmanager.CfnSecret(self,
"PrivateKeySecret",
secret_string=json.dumps({
"certificateId":
cert.ref,
"csr":
csr,
"privateKey":
key
}))
# Define CloudFormation outputs
core.CfnOutput(self, "ThingId", value=thing.ref)
core.CfnOutput(self, "CertificateId", value=cert.ref)
core.CfnOutput(self, "SecretId", value=secret.ref)
def __init__(self, scope: core.Construct, id: str, *, prefix: str, environment: str, configuration, **kwargs):
"""
:param scope: Stack class, used by CDK.
:param id: ID of the construct, used by CDK.
:param prefix: Prefix of the construct, used for naming purposes.
:param environment: Environment of the construct, used for naming purposes.
:param configuration: Configuration of the construct. In this case IOT_ANALYTICS_DATA_WORKFLOW.
:param kwargs: Other parameters that could be used by the construct.
"""
super().__init__(scope, id, **kwargs)
self.prefix = prefix
self.environment_ = environment
self._configuration = configuration
# Validating that the payload passed is correct
validate_configuration(configuration_schema=IOT_POLICY_SCHEMA, configuration_received=self._configuration)
self._iot_policy = iot_.CfnPolicy(
self,
id=self.prefix + "_" + self._configuration["name"] + "_" + self.environment_,
policy_name=self.prefix + "_" + self._configuration["name"] + "_" + self.environment_,
policy_document=self._configuration["policy_document"],
)
def __init__(
self,
scope: core.Construct,
id: str,
host_name,
cert_arn,
zone_id,
admin_user: str,
admin_password: str,
cloud9_instance_size: str,
participant_limit: str,
**kwargs,
) -> None:
super().__init__(scope, id, **kwargs)
stack = core.Stack.of(self)
stack.template_options.description = "Connected Drink Dispenser Workshop"
# Static Website
props: StaticSiteProps = StaticSiteProps(
fqdn=host_name,
hosted_zone_id=zone_id,
certificate_arn=cert_arn,
error_configuration=[
{
"error_code": 403,
"error_caching_min_ttl": 300,
"response_code": 200,
"response_page_path": "/index.html",
},
{
"error_code": 404,
"error_caching_min_ttl": 300,
"response_code": 200,
"response_page_path": "/index.html",
},
],
output_name="CDDWebSite",
)
cdd_site = StaticSiteConstruct(self, "StaticSite", props)
# Custom resource to clean out static website bucket prior to delete
# TODO: Move this to the StaticSiteConstruct as option
props: CustomResourceProps = CustomResourceProps(
name=id + "-CR-S3DeleteObjects",
lambda_directory="./lambda_functions/cr_s3_delete",
handler="index.main",
timeout=30,
runtime=lambda_.Runtime.PYTHON_3_7,
environment={"BUCKET_NAME": cdd_site.bucket_name},
)
s3_delete_cr = CustomResourceConstruct(self, "EmptyCddS3Bucket", props)
# DependsOn the bucket (we need to delete objects before the bucket is deleted)
s3_delete_cr.resource.node.add_dependency(cdd_site.bucket_resource)
policy_statement = iam.PolicyStatement()
policy_statement.add_actions("s3:GetBucket*")
policy_statement.add_actions("s3:GetObject*")
policy_statement.add_actions("s3:DeleteObject*")
policy_statement.add_actions("s3:List*")
policy_statement.add_resources(cdd_site.bucket_resource.bucket_arn)
policy_statement.add_resources(
f"{cdd_site.bucket_resource.bucket_arn}/*")
s3_delete_cr.add_policy_to_role(policy_statement)
# IAM Constructs
user_group = iam.Group(
self,
"UserGroup",
group_name=id + "-CDDUserGroup",
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
"ReadOnlyAccess")
],
)
# DynamoDB tables
user_db = dynamodb.Table(
# UserId as key, user "admin" tracks next available dispenser id
# No access to users, RW to Cognito Lambda
self,
"UserTable",
table_name=id + "-UserTable",
partition_key={
"name": "userName",
"type": dynamodb.AttributeType.STRING
},
billing_mode=dynamodb.BillingMode.PAY_PER_REQUEST,
removal_policy=core.RemovalPolicy.DESTROY,
)
dispenser_db = dynamodb.Table(
# Dispenser ID and credit amount - RO to users, RW to APIs
self,
"DispenserTable",
table_name=id + "-DispenserTable",
partition_key={
"name": "dispenserId",
"type": dynamodb.AttributeType.STRING,
},
billing_mode=dynamodb.BillingMode.PAY_PER_REQUEST,
removal_policy=core.RemovalPolicy.DESTROY,
)
dispenser_events = dynamodb.Table(
# Recorded events from dispenser actions
self,
"DispenserEvents",
table_name=id + "-DispenserEvents",
partition_key={
"name": "dispenserId",
"type": dynamodb.AttributeType.STRING,
},
sort_key={
"name": "timestamp",
"type": dynamodb.AttributeType.STRING
},
billing_mode=dynamodb.BillingMode.PAY_PER_REQUEST,
removal_policy=core.RemovalPolicy.DESTROY,
)
# Cognito Resources
# User pool with phone_number as username
props: CognitoUserPoolProps = CognitoUserPoolProps(
user_pool_name=id + "-users",
client_name=id + "-webclient",
auto_verified_attributes=["phone_number"],
schema=[
{
"name": "group",
"attributeDataType": "String",
"mutable": True,
"required": False,
},
{
"name": "dispenserId",
"attributeDataType": "String",
"mutable": True,
"required": False,
},
],
policies={
"passwordPolicy": {
"minimumLength": 6,
"requireLowercase": True,
"requireNumbers": True,
"requireSymbols": False,
"requireUppercase": False,
}
},
)
user_pool = CognitoUserPoolConstruct(self, "UserPool", props)
# Role and lambda triggers
lambda_cognito_access_role = iam.Role(
# Access to IDP calls (for triggers)
self,
"LambdaCognitoAccessRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
inline_policies=[
iam.PolicyDocument(statements=[
iam.PolicyStatement(
actions=[
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
],
resources=["arn:aws:logs:*:*:*"],
),
iam.PolicyStatement(actions=["cognito-idp:*"],
resources=["*"]),
iam.PolicyStatement(actions=["dynamodb:*"],
resources=["*"]),
])
],
)
# Triggers for UserPool
# Pre-sign-up: triggered when username, password, and phone number submitted
lambda_cognito_trigger_pre_signup = lambda_.Function(
self,
"CogntioTriggerPreSignUp",
function_name=id + "-CogntioTriggerPreSignUp",
code=lambda_.AssetCode("./lambda_functions/cog_pre_signup"),
handler="lambda.handler",
runtime=lambda_.Runtime.PYTHON_3_7,
role=lambda_cognito_access_role,
timeout=core.Duration.seconds(6),
environment={
"USER_TABLE": user_db.table_name,
"PARTICIPANT_LIMIT": participant_limit,
},
)
lambda_cognito_trigger_pre_signup.add_permission(
"AllowCognitoPreSign",
principal=iam.ServicePrincipal("cognito-idp.amazonaws.com"),
source_arn=user_pool.user_pool_arn,
)
# Post confirmation: triggered after validation code provided
lambda_cognito_trigger_post_confirm = lambda_.Function(
self,
"CogntioTriggerPostConfirm",
function_name=id + "-CogntioTriggerPostConfirm",
code=lambda_.AssetCode("./lambda_functions/cog_post_confirm"),
handler="lambda.handler",
runtime=lambda_.Runtime.PYTHON_3_7,
role=lambda_cognito_access_role,
timeout=core.Duration.seconds(6),
environment={
"USER_TABLE": user_db.table_name,
"PARTICIPANT_LIMIT": participant_limit,
},
)
lambda_cognito_trigger_post_confirm.add_permission(
"AllowCognitoPostConfirm",
principal=iam.ServicePrincipal("cognito-idp.amazonaws.com"),
source_arn=user_pool.user_pool_arn,
)
# Attach triggers to pool
user_pool.user_pool.lambda_config = cognito.CfnUserPool.LambdaConfigProperty(
pre_sign_up=lambda_cognito_trigger_pre_signup.function_arn,
post_confirmation=lambda_cognito_trigger_post_confirm.function_arn,
)
cognito.CfnUserPoolGroup(
self,
"UserPoolCDDUser",
group_name="cdd_user",
description="General users of CDD (participants)",
user_pool_id=user_pool.user_pool_id,
)
cognito.CfnUserPoolGroup(
self,
"UserPoolCDDAdmin",
group_name="cdd_admin",
description="CDD administrators",
user_pool_id=user_pool.user_pool_id,
)
identity_pool = cognito.CfnIdentityPool(
self,
"IdentityPool",
identity_pool_name=id.replace("-", "") + "_idpool",
allow_unauthenticated_identities=False,
cognito_identity_providers=[{
"clientId":
user_pool.client_id,
"providerName":
user_pool.provider_name,
}],
)
core.CfnOutput(
self,
"CognitoIdentityPoolId",
export_name="CognitoIdentityPoolId",
value=identity_pool.ref,
)
# Custom resource to create admin user - cannot do via CFn to set password
props: CustomResourceProps = CustomResourceProps(
name=id + "-CR-CreateCognitoAdminUser",
lambda_directory="./lambda_functions/cr_create_admin_user",
handler="index.main",
timeout=30,
runtime=lambda_.Runtime.PYTHON_3_7,
environment={
"COGNITO_USER_POOL_ID": user_pool.user_pool_id,
"COGNITO_CLIENT_ID": user_pool.client_id,
"ADMIN_USERNAME": admin_user,
"ADMIN_PASSWORD": admin_password,
},
)
create_admin_user_cr = CustomResourceConstruct(self, "CreateAdminUser",
props)
# DependsOn the user pool
create_admin_user_cr.resource.node.add_dependency(user_pool)
policy_statement = iam.PolicyStatement()
policy_statement.add_actions("cognito-idp:SignUp")
policy_statement.add_actions("cognito-idp:AdminConfirmSignUp")
policy_statement.add_resources("*")
create_admin_user_cr.add_policy_to_role(policy_statement)
# IAM roles for identity pool auth/unauth
cog_unauth_role = iam.Role(
self,
"cognitoUnauthRole",
role_name=f"Cognito_{identity_pool.identity_pool_name}_Unauth_Role",
assumed_by=iam.FederatedPrincipal(
"cognito-identity.amazonaws.com",
conditions={
"StringEquals": {
"cognito-identity.amazonaws.com:aud": identity_pool.ref
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "unauthenticated"
},
},
assume_role_action="sts:AssumeRoleWithWebIdentity",
),
)
cog_unauth_role.attach_inline_policy(
iam.Policy(
self,
"cognitoUnauth",
policy_name="cognitoUnauth",
statements=[
iam.PolicyStatement(
actions=[
"mobileanalytics:PutEvents", "cognito-sync:*"
],
resources=["*"],
)
],
))
cog_auth_role = iam.Role(
self,
"cognitoAuthRole",
role_name=f"Cognito_{identity_pool.identity_pool_name}_Auth_Role",
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonESCognitoAccess")
],
assumed_by=iam.FederatedPrincipal(
"cognito-identity.amazonaws.com",
conditions={
"StringEquals": {
"cognito-identity.amazonaws.com:aud": identity_pool.ref
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
},
},
assume_role_action="sts:AssumeRoleWithWebIdentity",
),
)
cog_auth_role.attach_inline_policy(
iam.Policy(
self,
"cognitoAuth",
policy_name="cognitoAuth",
statements=[
iam.PolicyStatement(
actions=[
"mobileanalytics:PutEvents",
"cognito-sync:*",
"execute-api:*",
],
resources=["*"],
),
# Provide full access to IoT for the authenticated user
# The AWS IoT policy scopes down the access
iam.PolicyStatement(actions=["iot:*"], resources=["*"]),
],
))
# Finally, attach auth and unauth roles to Identity pool
cognito.CfnIdentityPoolRoleAttachment(
self,
"CDDIdentityPoolRoleAttach",
identity_pool_id=identity_pool.ref,
roles={
"authenticated": cog_auth_role.role_arn,
"unauthenticated": cog_unauth_role.role_arn,
},
)
### Supporting IAM Roles and Policies
lambda_full_access_role = iam.Role(
# Wide open role for Lambda's to access other services
self,
"LambdaFullAccessRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
inline_policies=[
iam.PolicyDocument(statements=[
iam.PolicyStatement(
actions=[
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
],
resources=["arn:aws:logs:*:*:*"],
),
iam.PolicyStatement(actions=["*"], resources=["*"]),
])
],
)
lambda_iot_full_access_role = iam.Role(
# Wide open role for Lambda's to access other services
self,
"LambdaIoTFullAccessRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
inline_policies=[
iam.PolicyDocument(statements=[
iam.PolicyStatement(
actions=[
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
],
resources=["arn:aws:logs:*:*:*"],
),
iam.PolicyStatement(actions=["dynamodb:*", "iot:*"],
resources=["*"]),
])
],
)
lambda_api_app_role = iam.Role(
# Role for APIG Lambda functions - make specific per Lambda/method if needed
self,
"ApiAppRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
inline_policies=[
iam.PolicyDocument(statements=[
iam.PolicyStatement(
actions=[
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
],
resources=["arn:aws:logs:*:*:*"],
),
iam.PolicyStatement(
actions=["dynamodb:*"],
resources=[
f"arn:aws:dynamodb:{stack.region}:{stack.account}:table/{dispenser_db.table_name}",
f"arn:aws:dynamodb:{stack.region}:{stack.account}:table/{dispenser_events.table_name}",
f"arn:aws:dynamodb:{stack.region}:{stack.account}:table/{user_db.table_name}",
],
),
iam.PolicyStatement(actions=["iot:*"], resources=["*"]),
])
],
)
lambda_api_delete_user_role = iam.Role(
# Role for APIG Lambda delete user - specific as this has to delete multiple services
self,
"ApiDeleteUserRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
inline_policies=[
iam.PolicyDocument(statements=[
iam.PolicyStatement(
actions=[
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
],
resources=["arn:aws:logs:*:*:*"],
),
iam.PolicyStatement(
actions=["dynamodb:*"],
resources=[
f"arn:aws:dynamodb:{stack.region}:{stack.account}:table/{dispenser_db.table_name}",
f"arn:aws:dynamodb:{stack.region}:{stack.account}:table/{dispenser_events.table_name}",
f"arn:aws:dynamodb:{stack.region}:{stack.account}:table/{user_db.table_name}",
],
),
iam.PolicyStatement(actions=["cloud9:DeleteEnvironment"],
resources=["*"]),
iam.PolicyStatement(
actions=[
"iam:DeleteLoginProfile",
"iam:ListGroupsForUser",
"iam:RemoveUserFromGroup",
"iam:DeleteUser",
],
resources=["*"],
),
iam.PolicyStatement(
actions=["cognito-idp:AdminDeleteUser"],
resources=["*"]),
iam.PolicyStatement(actions=["iot:*"], resources=["*"]),
])
],
)
lambda_api_dispense_role = iam.Role(
# Role for lambda
self,
"CommandRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
inline_policies=[
iam.PolicyDocument(statements=[
iam.PolicyStatement(
actions=[
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
],
resources=["arn:aws:logs:*:*:*"],
),
iam.PolicyStatement(
actions=["dynamodb:*"],
resources=[
f"arn:aws:dynamodb:{stack.region}:{stack.account}:table/{dispenser_db.table_name}",
f"arn:aws:dynamodb:{stack.region}:{stack.account}:table/{dispenser_events.table_name}",
],
),
iam.PolicyStatement(actions=["iot:*"], resources=["*"]),
])
],
)
# IoT Policies
iot_policy_dispenser_limited = iot.CfnPolicy(
self,
"IoTDispenserLimitedPolicy",
policy_name=id + "-DispenserLimitedAccess",
policy_document={
"Version":
"2012-10-17",
"Statement": [
{
"Effect":
"Allow",
"Action": ["iot:Connect"],
"Resource": [
f"arn:aws:iot:{stack.region}:{stack.account}:client/${{iot:Connection.Thing.ThingName}}"
],
"Condition": {
"Bool": {
"iot:Connection.Thing.IsAttached": [True]
}
},
},
{
"Effect": "Allow",
"Action": ["iot:Receive"],
"Resource": ["*"]
},
{
"Effect":
"Allow",
"Action": ["iot:Subscribe"],
"Resource": [
f"arn:aws:iot:{stack.region}:{stack.account}:topicfilter/$aws/things/${{iot:Certificate.Subject.CommonName}}/shadow/*",
f"arn:aws:iot:{stack.region}:{stack.account}:topicfilter/$aws/things/${{iot:Certificate.Subject.CommonName}}/cmd/${{iot:Certificate.Subject.CommonName}}",
],
},
{
"Effect":
"Allow",
"Action": ["iot:Publish"],
"Resource": [
f"arn:aws:iot:{stack.region}:{stack.account}:topic/$aws/things/${{iot:Certificate.Subject.CommonName}}/shadow/update",
f"arn:aws:iot:{stack.region}:{stack.account}:topic/$aws/things/${{iot:Certificate.Subject.CommonName}}/shadow/get",
f"arn:aws:iot:{stack.region}:{stack.account}:topic/test/${{iot:Certificate.Subject.CommonName}}",
f"arn:aws:iot:{stack.region}:{stack.account}:topic/cmd/${{iot:Certificate.Subject.CommonName}}/response",
],
},
],
},
)
iot_policy_client = iot.CfnPolicy(
self,
"IoTClientPolicy",
policy_name=id + "-IoTClientAccess",
policy_document={
"Version":
"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["iot:Connect", "iot:Receive"],
"Resource": ["*"],
},
{
"Effect":
"Allow",
"Action": ["iot:Subscribe"],
"Resource": [
f"arn:aws:iot:{stack.region}:{stack.account}:topicfilter/events/*",
f"arn:aws:iot:{stack.region}:{stack.account}:topicfilter/$aws/things/*/shadow/update/accepted",
],
},
],
},
)
### Lambda Functions
# General Lambda Functions NOT associated with APIG
lambda_process_events = lambda_.Function(
self,
"ProcessEvents",
function_name=id + "-ProcessEvents",
code=lambda_.AssetCode("./lambda_functions/process_events"),
handler="process_events.handler",
runtime=lambda_.Runtime.PYTHON_3_7,
role=lambda_iot_full_access_role,
timeout=core.Duration.seconds(20),
environment={
"EVENT_TABLE": dispenser_events.table_name,
"STATUS_TABLE": dispenser_db.table_name,
},
)
## API Lambda functions
# Return credit for dispenser
api_credit_dispenser_function = lambda_.Function(
self,
"ApiCreditDispenserFunction",
function_name=id + "-ApiCreditDispenserFunction",
code=lambda_.AssetCode("./lambda_functions/api_credit_dispenser"),
handler="credit_dispenser.handler",
runtime=lambda_.Runtime.PYTHON_3_7,
role=lambda_api_app_role,
timeout=core.Duration.seconds(15),
memory_size=128,
environment={
"DISPENSER_TABLE": dispenser_db.table_name,
"EVENT_TABLE": dispenser_events.table_name,
},
)
# Command
api_command_function = lambda_.Function(
self,
"ApiCommandFunction",
function_name=id + "-ApiCommandFunction",
code=lambda_.AssetCode("./lambda_functions/api_command"),
handler="command.handler",
runtime=lambda_.Runtime.PYTHON_3_7,
role=lambda_api_app_role,
timeout=core.Duration.seconds(15),
memory_size=128,
environment={
"DispenserTable": dispenser_db.table_name,
"EventTable": dispenser_events.table_name,
},
)
# Request dispense operation (set shadow or command to dispense)
api_dispense_function = lambda_.Function(
self,
"ApiDispenseFunction",
function_name=id + "-ApiDispenseFunction",
code=lambda_.AssetCode("./lambda_functions/api_dispense"),
handler="dispense.handler",
runtime=lambda_.Runtime.PYTHON_3_7,
role=lambda_api_dispense_role,
timeout=core.Duration.seconds(15),
memory_size=128,
environment={
"DISPENSER_TABLE": dispenser_db.table_name,
"EVENT_TABLE": dispenser_events.table_name,
},
)
# Request dispense operation (set shadow or command to dispense)
api_dispenser_status_function = lambda_.Function(
self,
"ApiDispenserStatusFunction",
function_name=id + "-ApiDispenserStatusFunction",
code=lambda_.AssetCode("./lambda_functions/api_dispenser_status"),
handler="dispenser_status.handler",
runtime=lambda_.Runtime.PYTHON_3_7,
role=lambda_api_app_role,
timeout=core.Duration.seconds(15),
memory_size=128,
environment={"DISPENSER_TABLE": dispenser_db.table_name},
)
# Request user details from user table, create resources if needed
# NOTE: This uses an overley permissive policy to create the resources needed
api_get_resources_function = lambda_.Function(
self,
"ApiGetResourcesFunction",
function_name=id + "-ApiGetResourcesFunction",
code=lambda_.AssetCode("./lambda_functions/api_get_resources"),
handler="get_resources.handler",
runtime=lambda_.Runtime.PYTHON_3_7,
role=lambda_full_access_role,
# Timeout is for user creation: certain tasks such as Cloud9 may take longer
timeout=core.Duration.seconds(300),
memory_size=128,
environment={
"DISPENSER_TABLE": dispenser_db.table_name,
"EVENT_TABLE": dispenser_events.table_name,
"USER_TABLE": user_db.table_name,
"USER_PERMISSIONS_GROUP": user_group.group_name,
"IOT_POLICY_DISPENSER_LIMITED":
iot_policy_dispenser_limited.policy_name,
"IOT_POLICY_CLIENT": iot_policy_client.policy_name,
"CLOUD9_INSTANCE_SIZE": cloud9_instance_size,
},
)
# Request user details from user table
api_delete_user_function = lambda_.Function(
self,
"ApiDeleteUserFunction",
function_name=id + "-ApiDeleteUserFunction",
code=lambda_.AssetCode("./lambda_functions/api_delete_user"),
handler="delete_user.handler",
runtime=lambda_.Runtime.PYTHON_3_7,
role=lambda_api_delete_user_role,
timeout=core.Duration.seconds(28),
memory_size=256,
environment={
"DISPENSER_TABLE": dispenser_db.table_name,
"EVENT_TABLE": dispenser_events.table_name,
"USER_TABLE": user_db.table_name,
"USER_POOL_ID": user_pool.user_pool_id,
},
)
### API Gateway
api = apigateway.RestApi(
self,
id + "-API",
api_key_source_type=apigateway.ApiKeySourceType.HEADER,
deploy_options=apigateway.StageOptions(stage_name="prod"),
)
core.CfnOutput(
self,
"APIEndpoint",
export_name="APIEndpoint",
value=
f"https://{api.rest_api_id}.execute-api.{stack.region}.amazonaws.com/prod/",
)
# Although / is not used as method, provide OPTIONS for hinting CORS
add_cors_options(api.root)
# Define Cognito authorizer and attach to gateway
cog_authorizer = apigateway.CfnAuthorizer(
self,
"CognitoAuth",
name="CognitoAuthName",
rest_api_id=api.rest_api_id,
type="COGNITO_USER_POOLS",
identity_source="method.request.header.Authorization",
provider_arns=[user_pool.user_pool_arn],
)
# # Resources (paths) and methods (GET, POST, etc.), for the API
api_credit_resource = api.root.add_resource("credit")
add_resource_method(
api_credit_resource,
http_method="GET",
integration=apigateway.LambdaIntegration(
api_credit_dispenser_function),
authorization_type=apigateway.AuthorizationType.COGNITO,
authorizer=cog_authorizer,
)
add_cors_options(api_credit_resource)
# command
api_command_resource = api.root.add_resource("command")
add_resource_method(
api_command_resource,
http_method="GET",
integration=apigateway.LambdaIntegration(api_command_function),
authorization_type=apigateway.AuthorizationType.COGNITO,
authorizer=cog_authorizer,
)
add_cors_options(api_command_resource)
# Actuate dispenser
api_dispense_resource = api.root.add_resource("dispense")
add_resource_method(
api_dispense_resource,
http_method="GET",
integration=apigateway.LambdaIntegration(api_dispense_function),
authorization_type=apigateway.AuthorizationType.COGNITO,
authorizer=cog_authorizer,
)
add_cors_options(api_dispense_resource)
# Return dispenser status (from DynamoDB)
api_dispenser_status_resource = api.root.add_resource("status")
add_resource_method(
api_dispenser_status_resource,
http_method="GET",
integration=apigateway.LambdaIntegration(
api_dispenser_status_function),
authorization_type=apigateway.AuthorizationType.COGNITO,
authorizer=cog_authorizer,
)
add_cors_options(api_dispenser_status_resource)
# Return user details from User Table
api_get_resources_resource = api.root.add_resource("getResources")
add_resource_method(
api_get_resources_resource,
http_method="POST",
integration=apigateway.LambdaIntegration(
api_get_resources_function),
authorization_type=apigateway.AuthorizationType.COGNITO,
authorizer=cog_authorizer,
)
add_cors_options(api_get_resources_resource)
# Create a user based on valid token
api_delete_user_resource = api.root.add_resource("deleteUser")
add_resource_method(
api_delete_user_resource,
http_method="POST",
integration=apigateway.LambdaIntegration(api_delete_user_function),
authorization_type=apigateway.AuthorizationType.COGNITO,
authorizer=cog_authorizer,
)
add_cors_options(api_delete_user_resource)
# Create policy and reference group
iam.Policy(
self,
"UserPermissionsPolicy",
groups=[user_group],
policy_name=id + "-UserPermissions",
statements=[
# Elevated permissions beyond the ReadOnlyUser
# Allow seeing all MQTT messages
iam.PolicyStatement(
actions=["iot:Subscribe", "iot:Connect", "iot:Receive"],
resources=["*"],
),
# Allow search indexing
iam.PolicyStatement(
actions=["iot:SearchIndex"],
resources=[
f"arn:aws:iot:{stack.region}:{stack.account}:index/AWS_Things"
],
),
# Allow changing of security group ingress on EC2 (Cloud9) to support mapping 443 to
iam.PolicyStatement(
actions=[
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
],
resources=[
f"arn:aws:ec2:{stack.region}:{stack.account}:security-group/*"
],
),
# DENY access to credentials table
iam.PolicyStatement(
effect=iam.Effect.DENY,
actions=["dynamodb:*"],
resources=[
f"arn:aws:dynamodb:{stack.region}:{stack.account}:table/{user_db.table_name}"
],
),
# DENY access to S3 overall
iam.PolicyStatement(effect=iam.Effect.DENY,
actions=["s3:*"],
resources=["*"]),
],
)
# IoT Constructs
# Rule to process shadow events and send to logging
iot_rule_log_shadow_events = iot.CfnTopicRule(
self,
"LogShadowEventsRule",
rule_name=id.replace("-", "") + "_LogShadowEvents",
topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
description=
"Based on shadow topic and content, process messages via Lambda",
rule_disabled=False,
aws_iot_sql_version="2016-03-23",
sql=
"select *, topic() AS topic FROM '$aws/things/+/shadow/update/documents'",
actions=[
iot.CfnTopicRule.ActionProperty(
lambda_=iot.CfnTopicRule.LambdaActionProperty(
function_arn=lambda_process_events.function_arn))
],
),
)
# Allow rule to invoke the logging function
lambda_process_events.add_permission(
"AllowIoTRule1",
principal=iam.ServicePrincipal("iot.amazonaws.com"),
source_arn=iot_rule_log_shadow_events.attr_arn,
)
# Rule to process generic events and send to logging
iot_rule_log_generic_events = iot.CfnTopicRule(
self,
"LogGenericEventsRule",
rule_name=id.replace("-", "") + "_LogGenericEvents",
topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
description="Log generic events, enrich, then send to Lambda",
rule_disabled=False,
aws_iot_sql_version="2016-03-23",
sql=
"select *, timestamp() AS ts, topic() AS topic FROM 'events'",
actions=[
iot.CfnTopicRule.ActionProperty(
lambda_=iot.CfnTopicRule.LambdaActionProperty(
function_arn=lambda_process_events.function_arn))
],
),
)
# Allow generic_events rule to Invoke the process_events function
lambda_process_events.add_permission(
"AllowIoTRule2",
principal=iam.ServicePrincipal("iot.amazonaws.com"),
source_arn=iot_rule_log_generic_events.attr_arn,
)
# Rule to process dispenser specific events and send to logging
iot_rule_log_dispenser_events = iot.CfnTopicRule(
self,
"LogDispenserEventsRule",
rule_name=id.replace("-", "") + "_LogDispenserEvents",
topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
description=
"Log specific dispenser events, enrich, then send to Lambda",
rule_disabled=False,
aws_iot_sql_version="2016-03-23",
sql=
"select *, timestamp() AS ts, topic() AS topic FROM 'events/+'",
actions=[
iot.CfnTopicRule.ActionProperty(
lambda_=iot.CfnTopicRule.LambdaActionProperty(
function_arn=lambda_process_events.function_arn))
],
),
)
# Allow log_dispenser_events rule to Invoke the process_events function
lambda_process_events.add_permission(
"AllowIoTRule3",
principal=iam.ServicePrincipal("iot.amazonaws.com"),
source_arn=iot_rule_log_dispenser_events.attr_arn,
)
# Rule to process cmd/NNN/response WHERE "command=dispense"
iot_rule_command_response_dispense = iot.CfnTopicRule(
self,
"DispenseCommandResponseRule",
rule_name=id.replace("-", "") + "_DispenseCommandResponse",
topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
description=
"Invoke Lambda to process dispense commands from dispenser",
rule_disabled=False,
aws_iot_sql_version="2016-03-23",
sql=
"select *, topic() AS topic FROM '$aws/things/+/shadow/update/accepted' WHERE isUndefined(state.reported.response) = False",
actions=[
iot.CfnTopicRule.ActionProperty(
lambda_=iot.CfnTopicRule.LambdaActionProperty(
function_arn=api_dispense_function.function_arn))
],
),
)
# Allow command_response rule to Invoke the dispense function to reconcile outstanding requests
api_dispense_function.add_permission(
"AllowIoTCommandResponseRule",
principal=iam.ServicePrincipal("iot.amazonaws.com"),
source_arn=iot_rule_command_response_dispense.attr_arn,
)
# Custom resource to delete workshop users - run to clean up any lingering ones
# if the admin user didn't clean up. A lot of dependsOn as users are created with bindings
# to other resources
props: CustomResourceProps = CustomResourceProps(
name=id + "-CR-DeleteParticipantUsers",
lambda_directory="./lambda_functions/cr_delete_participant_users",
handler="index.main",
timeout=30,
runtime=lambda_.Runtime.PYTHON_3_7,
environment={
# Read user records from UserTable
"USER_TABLE":
user_db.table_name,
# Invoke the api_delete_user function
"DELETE_USER_LAMBDA_FUNCTION":
api_delete_user_function.function_arn,
},
)
delete_participant_users_cr = CustomResourceConstruct(
self, "DeleteParticpantUsers", props)
# DependsOn the API Delete User Function
delete_participant_users_cr.resource.node.add_dependency(
api_delete_user_function)
# DependsOn the user pool to delete Cognito users
delete_participant_users_cr.resource.node.add_dependency(user_pool)
# DependsOn the DynamoDB UserTable
delete_participant_users_cr.resource.node.add_dependency(user_db)
# DependsOn the IoT dispenser and client policies
delete_participant_users_cr.resource.node.add_dependency(
iot_policy_dispenser_limited)
delete_participant_users_cr.resource.node.add_dependency(
iot_policy_client)
# DependsOn the IoT IAM user group
delete_participant_users_cr.resource.node.add_dependency(user_group)
# Permissions for function to delete users
policy_statement = iam.PolicyStatement()
policy_statement.add_actions("dynamodb:*")
policy_statement.add_resources(
f"arn:aws:dynamodb:{stack.region}:{stack.account}:table/{user_db.table_name}"
)
delete_participant_users_cr.add_policy_to_role(policy_statement)
policy_statement = iam.PolicyStatement()
policy_statement.add_actions("lambda:InvokeFunction")
policy_statement.add_resources(api_delete_user_function.function_arn)
delete_participant_users_cr.add_policy_to_role(policy_statement)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# JITP new device certificate
# https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/
# mosquitto_pub --cafile root.cert --cert deviceCertAndCACert.crt --key deviceCert.key -h <prefix>.iot.us-east-1.amazonaws.com -p 8883 -q 1 -t foo/bar -I xyz --tls-version tlsv1.2 -m "Hello" -d
certArn = 'arn:aws:iot:us-east-1:1234567890:cert/xyz'
region = core.Stack.of(self).region
accountId = core.Stack.of(self).account
print('region: %s' % region)
## IOT THING BEGIN ##
# create iot thing
gg_core = iot.CfnThing(self, 'MyGGGCDKCore', thing_name='myggg-core')
coreArn = 'arn:aws:iot:%s:%s:thing/%s' % (region, accountId,
gg_core.thing_name)
print('## Thing Name: %s' % gg_core.thing_name)
# create iot policy
thing_policy = iot.CfnPolicy(
self,
'MyGGGCDKCorePolicy',
policy_document=boto3_helper.policyDocument,
policy_name='myggg-core-policy')
print('## Policy Name: %s' % thing_policy.policy_name)
# create iot thing certificate
# uncomment boto3_helper.create_csr() if you want to use AWS keys and certs
#certArn = boto3_helper.create_csr() # ugh! - gens a new cert for each deployment
# using a self-signed cacert csr
# cacert_csr=boto3_helper.read_csr()
# iot_cacert = iot.CfnCertificate(self,
# 'MyGGGCDKCACertificate',
# certificate_signing_request=cacert_csr,
# status="ACTIVE"
# )
# certArn=iot_cacert.attr_arn
# print('## Show me Cert ARN: %s' % iot_cacert.attr_arn)
# attach policy to principal cert
thing_policy_principal_props = iot.CfnPolicyPrincipalAttachmentProps(
policy_name=thing_policy.policy_name, principal=certArn)
print('## Principal Cert Arn: %s' %
thing_policy_principal_props.principal)
# attach policy to iot certificate
iot.CfnPolicyPrincipalAttachment(
self,
'MyGGGCDKPolicyPrincipalAttachment',
policy_name=thing_policy.policy_name,
principal=thing_policy_principal_props.principal).add_depends_on(
resource=gg_core)
# attach certificate to iot thing
iot.CfnThingPrincipalAttachment(
self,
'MyGGGCDKThingPrincipalAttachment',
thing_name=gg_core.thing_name,
principal=thing_policy_principal_props.principal).add_depends_on(
resource=gg_core)
## IOT THING END ##
## GREENGRASS BEGIN ##
# Configure Greengrass Group & Associate IoT Thing to Greengrass Core
# core definition version
core_version_details = [{
'id': '1',
'certificateArn': certArn,
'thingArn': coreArn,
'shadowSync': True
}]
gg_core_def = gg.CfnCoreDefinition(
self,
'MyGGGCDKCoreDefinition',
name='Raspberry_Pi_Core',
initial_version={'cores': core_version_details})
gg_core_def.add_depends_on(gg_core)
gg_core_def_version = gg.CfnCoreDefinitionVersion(
self,
'MyGGCDKCoreDefinitionVersion',
core_definition_id=gg_core_def.attr_id,
cores=core_version_details)
# create greengrass group
gg_group = gg.CfnGroup(self,
'MyGGGCDKGroup',
name='myggg-name',
initial_version={
'coreDefinitionVersionArn':
gg_core_def.attr_latest_version_arn
})
gg_group.add_depends_on(gg_core_def)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Create bucket and upload scrips
bucket = s3.Bucket(self, "ScriptBucket")
self.script_bucket = bucket
s3deploy.BucketDeployment(self, "UploadScriptsToBucket",
sources=[s3deploy.Source.asset(os.path.join(dirname, "scripts"))],
destination_bucket=bucket
)
# Greengrass Core Thing policy
greengrass_core_policy = iot.CfnPolicy(self,
'GreenGrassCorePolicy',
policy_name='greengrass-demo-policy',
policy_document={
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Subscribe",
"iot:Connect",
"iot:Receive"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iot:GetThingShadow",
"iot:UpdateThingShadow",
"iot:DeleteThingShadow"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"greengrass:*"
],
"Resource": [
"*"
]
}
]
}
)
self.core_policy_name = greengrass_core_policy.policy_name
# Create a Greengrass group role
greengrass_group_role = iam.Role(self, "GroupRole",
assumed_by=iam.ServicePrincipal("greengrass.amazonaws.com")
)
greengrass_group_role.add_to_policy(iam.PolicyStatement(
resources=["arn:aws:logs:*:*:*"],
actions=[
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
))
greengrass_group_role.add_to_policy(iam.PolicyStatement(
resources=["*"],
actions=["iot:*"]
))
self.greengrass_group_role_arn = greengrass_group_role.role_arn
# A custom resource to verify that there is a service role for greengrass on the account
greengrass_mgmt_function = awslambda.SingletonFunction(
self,
"MgmttHandler",
uuid="58854ea2-0624-4ca5-b600-fa88d4b9164e",
runtime=awslambda.Runtime.PYTHON_3_7,
code=awslambda.Code.asset("custom_resources"),
handler="greengrassmgmt.handler",
)
greengrass_mgmt_function.add_to_role_policy(
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
'greengrass:*',
'iot:*',
'iam:CreateRole',
'iam:AttachRolePolicy',
'iam:PassRole'
],
resources=['*']
)
)
greengrass_mgmt_provider = cust_resource.Provider(self, "MgmtProvider",
on_event_handler=greengrass_mgmt_function
)
core.CustomResource(self, "MgmtCustResource",
service_token=greengrass_mgmt_provider.service_token
)