AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: "Sub template"
Parameters:
ResourceTag:
Type: String
Description: Tag applied to all resources
Globals:
Function:
Timeout: 3
Runtime: python3.7
Tags:
Project: !Ref ResourceTag
Environment:
Variables:
ResourceTag: !Ref ResourceTag
Resources:
BootstrapCerts:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
FleetProvisioningFunction:
Type: AWS::Serverless::Function
Properties:
Description: Sets up fleet provisioning
CodeUri: Lambdas/provision_device/
Handler: app.handler
Timeout: 360
MemorySize: 3008
Environment:
Variables:
BootstrapCertsBucket: !Ref BootstrapCerts
Account: !Ref AWS::AccountId
Region: !Ref AWS::Region
RegistrationRoleArn: !Sub ${ThingsRegistrationRole.Arn}
ProdLambdaHookArn: !Sub ${FleetProvisioningHookFunction.Arn}
RotateLambdaHookArn: !Sub ${CertRotationHookFunction.Arn}
Policies:
- AWSLambdaBasicExecutionRole
- AdministratorAccess
FleetProvisioningCustom:
Type: Custom::FleetProvisioning
Properties:
ServiceToken: !GetAtt FleetProvisioningFunction.Arn
ThingsRegistrationRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub ${ResourceTag}-ThingRegistration
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: iot.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSIoTThingsRegistration
FleetProvisioningHookFunction:
Type: AWS::Serverless::Function
Properties:
Description: Lambda hook for provisioning acceptance logic
CodeUri: Lambdas/provision_hook/
Handler: app.handler
Timeout: 10
Policies:
- AWSLambdaBasicExecutionRole
Environment:
Variables:
ENV: dev
FleetProvisioningHookPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
Principal: iot.amazonaws.com
FunctionName: !Ref FleetProvisioningHookFunction
SourceAccount: !Ref AWS::AccountId
CertMonitorFunction:
Type: AWS::Serverless::Function
Properties:
Description: Lambda to monitor expired certs
CodeUri: Lambdas/cert_rotation_monitor/
Handler: app.handler
Timeout: 10
Events:
CheckCertExpiryEvent:
Type: Schedule
Properties:
Schedule: rate(1 minute)
Policies:
- AWSLambdaBasicExecutionRole
- Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- cloudwatch:PutMetricData
- iot:Receive
- logs:CreateLogStream
- logs:CreateLogGroup
- iot:DescribeThing
- iot:SearchIndex
- iot:ListThingsInThingGroup
- iot:ListThingPrincipals
- iot:DescribeCertificate
- iot:UpdateCertificate
- iot:DetachThingPrincipal
- iot:PutLogEvents
- iot:Publish
Resource: "*"
CertRotationHookFunction:
Type: AWS::Serverless::Function
Properties:
Description: Lambda to manage provisioning of rotating certs
CodeUri: Lambdas/cert_rotation_hook/
Handler: app.handler
Timeout: 10
Policies:
- AWSLambdaBasicExecutionRole
- Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- cloudwatch:PutMetricData
- iot:Receive
- logs:CreateLogStream
- logs:CreateLogGroup
- iot:DescribeThing
- iot:SearchIndex
- iot:ListThingsInThingGroup
- iot:ListThingPrincipals
- iot:DescribeCertificate
- iot:UpdateCertificate
- iot:DetachThingPrincipal
- iot:PutLogEvents
- iot:Publish
Resource: "*"
CertRotationHookPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
Principal: iot.amazonaws.com
FunctionName: !Ref CertRotationHookFunction
SourceAccount: !Ref AWS::AccountId
BootstrapGeneratorFunction:
Type: AWS::Serverless::Function
Properties:
Description: Creates bootstraps for each model type presented
CodeUri: Lambdas/bootstrap_generator/
Handler: app.handler
Timeout: 360
MemorySize: 3008
Environment:
Variables:
Region: !Ref AWS::Region
Policies:
- AWSLambdaBasicExecutionRole
- Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- cloudwatch:PutMetricData
- iot:CreateKeysAndCertificate
- iot:AttachPolicy
- logs:CreateLogStream
- logs:CreateLogGroup
- iot:ListThingPrincipals
- iot:DescribeCertificate
- iot:PutLogEvents
Resource: "*"
Outputs:
BootstrapBucket:
Description: 'Bucket with bootstrap certificates'
Value: !Ref BootstrapCerts
Export:
Name: BootstrapBucket