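AWSTemplateFormatVersion: "2010-09-09"  # quoted: a bare date is parsed as a timestamp by YAML 1.1 loaders
Transform: AWS::Serverless-2016-10-31
Description: Ask Around Me - Realtime messaging

# Learn more:
# - Creating AWS IoT rules with CloudFormation: https://aws.amazon.com/blogs/iot/bites-of-iot-creating-aws-iot-rules-with-aws-cloudformation/
# - IAM in Cognito User Pools: https://docs.aws.amazon.com/cognito/latest/developerguide/resource-permissions.html
# - Pub/Sub policy for unauthenticated clients: https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html
#
# Security model, as declared by this template:
# - Browser clients obtain AWS credentials from a Cognito Identity Pool that
#   allows UNAUTHENTICATED (guest) identities. Guests and signed-in users are
#   mapped to the two IAM roles below. Both roles may connect to AWS IoT as a
#   client named askAroundMe-* and subscribe to / receive messages on topics.
# - Neither role grants iot:Publish, so browser clients are read-only on the
#   message bus; publishing must happen from a trusted backend.
# - The Subscribe/Receive grants are account-wide (every topic in this
#   region/account), for guests as well as users. Narrow them to the
#   application's topic prefix once that prefix is confirmed with the publisher
#   side; see the NOTE(review) comments on the two policies.

Resources:
  ##########################################
  # Resources for realtime messaging       #
  ##########################################

  # IoT Thing the realtime channel is organised around. No attributes are set.
  AskAroundMeRealtime:
    Type: "AWS::IoT::Thing"
    Properties:
      ThingName: "askaroundme-realtime"
      AttributePayload:
        Attributes: {}

  # Cognito User Pool holding sign-in accounts. Email is the only declared
  # attribute: required and immutable after sign-up.
  # MFA is off and no PasswordPolicy / AccountRecoverySetting is declared, so
  # Cognito defaults apply — acceptable for a demo; tighten before real users.
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: askAroundMeUserPool
      MfaConfiguration: "OFF"  # quoted: bare OFF is a boolean to YAML 1.1 loaders
      Schema:
        - Name: email
          AttributeDataType: String
          Mutable: false
          Required: true

  # User Pool app client used by the Identity Pool.
  # GenerateSecret is false on purpose: this client is used from a public
  # (browser) app, where a client secret could not be kept confidential anyway.
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: askAroundMeUserPoolClient
      GenerateSecret: false
      UserPoolId: !Ref UserPool

  # Federated Identity Pool that exchanges User Pool tokens (or nothing, for
  # guests) for temporary AWS credentials.
  # AllowUnauthenticatedIdentities: true is what lets anonymous visitors obtain
  # credentials at all; everything a guest can do is bounded solely by
  # CognitoUnAuthorizedRole below.
  IdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      IdentityPoolName: askAroundMeIdentityPool
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName

  # Role assumed by UNAUTHENTICATED (guest) identities.
  # This is effectively an internet-facing permission set: anyone who loads the
  # app can assume it. Keep it to the minimum the realtime feed needs.
  CognitoUnAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              # aud pins the trust to THIS identity pool; tokens issued for any
              # other pool (including other pools in this account) are rejected.
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              # amr restricts this role to guest sessions only.
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: "CognitoUnauthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Carried over from the AWS Cognito sample. Cognito Sync is a
              # legacy service; remove this statement if the app does not use
              # it — TODO confirm with the client code.
              - Effect: "Allow"
                Action:
                  - "cognito-sync:*"
                Resource: !Sub "arn:aws:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}"
              # MQTT connect is limited to client IDs with the app prefix, so a
              # guest cannot impersonate (and knock offline) other client IDs.
              - Effect: Allow
                Action:
                  - iot:Connect
                Resource: !Sub "arn:aws:iot:${AWS::Region}:${AWS::AccountId}:client/askAroundMe-*"
              # NOTE(review): this is every topic filter in the account — any
              # guest can subscribe to any topic (the original used a bare "*";
              # it is now at least an account/region-scoped ARN, matching the
              # Receive statement). Narrow to the application's topic prefix
              # (topicfilter/<prefix>/*) once that prefix is confirmed.
              - Effect: Allow
                Action:
                  - iot:Subscribe
                Resource: !Sub "arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topicfilter/*"
              # NOTE(review): likewise account-wide; narrow to topic/<prefix>/*
              # together with the Subscribe statement above.
              - Effect: Allow
                Action:
                  - iot:Receive
                Resource: !Sub "arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topic/*"
              # No iot:Publish: guests are read-only on the message bus.

  # Role assumed by AUTHENTICATED (signed-in) identities.
  # The permission set is currently identical to the guest role; if signed-in
  # users are meant to do more (e.g. publish), add it here, not to the guest role.
  # NOTE(review): for authenticated Cognito identities AWS IoT additionally
  # requires an IoT policy attached to the identity ID (iot:AttachPolicy) on top
  # of this IAM policy; this template does not create or attach one — confirm
  # the app does so at sign-in, or signed-in users will fail to connect.
  CognitoAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              # aud pins the trust to THIS identity pool.
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              # amr restricts this role to sessions with a verified login.
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: "CognitoAuthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Carried over from the AWS Cognito sample; remove if Cognito Sync
              # is not used — TODO confirm with the client code.
              - Effect: "Allow"
                Action:
                  - "cognito-sync:*"
                Resource: !Sub "arn:aws:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}"
              # MQTT connect limited to client IDs with the app prefix.
              - Effect: Allow
                Action:
                  - iot:Connect
                Resource: !Sub "arn:aws:iot:${AWS::Region}:${AWS::AccountId}:client/askAroundMe-*"
              # NOTE(review): every topic filter in the account (was a bare
              # "*"); narrow to topicfilter/<prefix>/* once the prefix is confirmed.
              - Effect: Allow
                Action:
                  - iot:Subscribe
                Resource: !Sub "arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topicfilter/*"
              # NOTE(review): account-wide; narrow together with Subscribe above.
              - Effect: Allow
                Action:
                  - iot:Receive
                Resource: !Sub "arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topic/*"
              # No iot:Publish: signed-in users are read-only on the message bus.

  # Binds the two roles to the Identity Pool by authentication state.
  IdentityPoolRoleMapping:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn
        unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn

Outputs:
  # Ref on an AWS::IoT::Thing returns the thing NAME ("askaroundme-realtime"),
  # not the account's IoT data endpoint, despite this output's name. The MQTT
  # endpoint clients must connect to has to be looked up separately
  # (aws iot describe-endpoint --endpoint-type iot:Data-ATS). The output key is
  # kept unchanged so existing consumers of the stack output do not break.
  IotEndpoint:
    Description: "Name of the realtime IoT Thing (not the IoT data endpoint)"
    Value: !Ref AskAroundMeRealtime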