> Workshop Participant > Lab Modules > 7. Review Cloud Architecture

7. Review Cloud Architecture

Objectives

This lab module will walk through how the dispenser, dispenser app, and coupled services interact. It will go into level of detail specific for the workshop. If you would like to review more details, please reference the Setting Up the Workshop documentation for deeper insights.

By then end of this module you will have:

An understanding of the relationship between the dispenser (Thing), your Cognito user, and the DynamoDB database tables that track and log dispenser activity and state.
Seen how the dispenser Thing uses the Device Shadow Service for AWS IoT to get notified of the requested state changes, and how it uses to acknowledge a dispense request with a dispense response.
Tested a dispense operation and monitored what takes place in different scenarios.
Reviewed dispenser activity both in the DynamoDB EventsTable and in the dispenser app logging.
An understanding of how the dispenser app along with the API Lambda functions control how to give credits to others dispensers, as well as ensuring that a dispense event can on;y be initiated when there sufficient credits.

Steps to Complete

Follow each step in order and use the Click to open for detailed step-by-step instructions if required.

1. Understand the AWS IoT Thing, Cognito User, and DynamoDB Table Relationships

As this solution is designed as a software-as-a-service (SaaS) environment, there needs to be a specific relationship between all of the resources to help enforce the security and operational controls of the actions. At a high level this is how the resources are associated with each other:

Relationship services — Figure 1. Relationship between services

Each thing has a unique X.509 client certificate for authentication allowing the dispenser to connect to AWS IoT and publish and subscribe to the MQTT topics specific for that dispenser. This authorization of MQTT topics comes from a common policy attached to the certificate that uses substitution variables that read the Common Name value from the X.509 certificate which contains the dispenser Id. This allows for an easier management of the authorization policies, as a single policy can be used for all dispensers. The relationship between the dispenser and the user is modeled into a Cognito User attribute, custom:dispenserId, that is read for every API call. Finally, your dispenser has an entry in the DynamoDB DispenserTable that tracks the credit balance and any in-flight or stale command operations.

Go to the AWS Console to review the relationships for your dispenser and your own user in the following AWS services:

AWS IoT Core - View your thing, the attached certificate details, and the policy associated with the certificate. Also, view the other security policy that is associated with your Cognito user (used to monitor update events).
Amazon Cognito - From Manage User Pools, select the workshop-users, Users and Groups, then select your username. Note the custom:group and custom:dispenserId attribute values.
Amazon DynamoDB - From the DispenserTable review the credits value for your dispenser via the dispenserId sort key. From the DispenserEvents table, query with the partition key equal to your dispenserId. As others start to create and operate their dispensers, filtering will limit to just your events.

Click to open for detailed step-by-step instructions

From the browser tab opened to the AWS Console, click on the Services menu dropdown (upper left next to AWS logo), and type in iot core, then click on IoT Core when the drop-down populates. This will direct you the the AWS IoT Core service page.
Tip:
During the workshop you will be changing from service to service quite often. When navigating to a different service via the Service→SERVICENAME, right-click on the service name and select "Open in a new tab" (or equivalent). This will have all the services referenced within a single browser window on separate tabs.
Click on Get Started to take you to the main page, then select Manage from the left tab. Click on Skip tour. This will take you to the list of things. Either select your thing (same as dispenserId), or click on Search things, which is helpful for large amounts of items.
From your things page, click on Security. This shows that you have a single X.509 certificate (long hash value) associated with your thing. Click on the certificate which will show details on it. Note that the Subject contains values that are parsed when the certificate is presented, and the value for CN (Common Name) is the dispenserId. This is how we can verify the identity of your device.

To continue viewing the IoT relationships, from the Certificate page, click on Policies. This shows what IoT policies are associated with the certificate, and by relationship, to the thing. Click on the policy to view its content, which is a JSON document.

Notice that all of the resources use the substitution variable ${iot:Certificate.Subject.CommonName} as part of the string. When a dispenser connects to AWS IoT the value in the client certificate CommonName, or CN, is used to replace the variable, making the policy resources unique to each dispenser. This allows for a single policy to used by all the dispensers.

Abbreviated DispenserLimitedAccess Policy

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": [
            "true"
          ]
        }
      },
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:REGION:ACCOUNT:client/${iot:Connection.Thing.ThingName}"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:REGION:ACCOUNT:topicfilter/$aws/things/${iot:Certificate.Subject.CommonName}/shadow/*",
        "arn:aws:iot:REGION:ACCOUNT:topicfilter/$aws/things/${iot:Certificate.Subject.CommonName}/cmd/${iot:Certificate.Subject.CommonName}"
      ],
      "Effect": "Allow"
    }
  ]
}

Next, from the Services menu, select Cognito, click Manage User Pools, and then click on the workshop-users pool. This is the service that manages the user account you created from the dispenser app. Under General Settings select Users and groups to display all of the user accounts. Search for your username and click on it. At the bottom you will notice a couple of custom: attributes. The first, custom:group denotes that your account is a general user account (extra credit, check out the admin user). The second attribute, custom:dispenserId shows your dispenserId value. These fields are passed whenever you make an API call from the dispenser app and used by the Lambda functions to validate what actions you are allowed to take.
From the Services menu navigate to DynamoDB, which contains the database tables. Select Tables from the left menu, select the DispenserTable name, then select Items from the right pane. This table holds a single record for each dispenser. The most important field is credits, and should correspond to the value in the dispenser app ("1" in the table is $1.00 in the dispenser app). This record is modified every time someone gives you credits, or whenever you issue a dispense operation.
Finally, select the DispenserEvents table from the left pane. You will see all the various log entries for all dispensers. To view just your dispenser’s events, click on the Scan dropdown and change to Query, for Partition key enter your dispenser’s value and click on Start Search.

2. Monitor Shadow Changes for a Simple Operation (toggle LED Ring status)

The Device Shadow Service for AWS IoT is a service that can be used by things and applications to set and track the state of device. There are two main sections in the shadow document: the desired state and the reported state. In our solution the desired settings originate from the dispenser app. The dispenser acts upon them and set the correct reported state.

shadow state changes — Figure 2. Shadow state changes

To see this in action, from the AWS Console navigate to your Thing in IoT Core, then select Shadow which will show the current shadow document. Note the led attribute in the desired and reported sections, which should be the same. Also notice the value for version in the metadata. This increments each time the shadow is updated. To see how the shadow is working, use the dispenser app to change the state of the LED by either toggling or setting to the other state. You will see the value for led has changed in the shadow document, in both desired and reported sections, and version has incremented.

To see how the shadow works when the device is in a disconnected state, unplug the microcontroller from your laptop. Now, in the dispenser app change the state of the LED and notice that the desired change to show the new value but that the reported state is still what the dispenser was in before being disconnected. Notice also that a new delta section has appeared in the document, containing just this led field. This is automatically calculated by the Shadow service. Plug the microcontroller back into your laptop. Once it has booted and connected AWS IoT, the LED will change to the desired state value and the dispenser will update the reported state. Since desired and reported states are the same, the delta state for the LED is removed.

Click to open for detailed step-by-step instructions

Navigate to IoT Core→Manage→Things→Your Thing→Shadow and review the shadow document. Note that the desired and reported sections are the same. This indicates that the device and requested state from the dispenser app are in sync. At the bottom of the shadow document review the value for version in the metadata. This increments each time the shadow is updated.
```
"desired": {
  "led": "off",
  "led_ring": {
    "count": 5,
    "color": "#FF8000"
  }
},
"reported": {
  "led": "off",
  "led_ring": {
    "count": 5,
    "color": "#FF8000"
  }
},
...
"version": 100
```
From the dispenser app, toggle or change the state of the LED (in this example from off to on). The dispenser app sets the desired state of the shadow, the dispenser reads this value, turns on the LED, and modifies the reported state to on. You may miss the update in the AWS Console, but check the metadata and notice that the value for version has increased by at least 2 (once for the dispenser app setting the desired state and once when the dispenser updated the reported state).
```
"desired": {
  "led": "on",
  "led_ring": {
    "count": 5,
    "color": "#FF8000"
  }
},
"reported": {
  "led": "on",
  "led_ring": {
    "count": 5,
    "color": "#FF8000"
  }
},
...
"version": 102
```
To see how the shadow works when the device is in a disconnected state, unplug the microcontroller from your laptop, then toggle or set the LED to the alternate state (in this case from on to off). Notice that the desired and reported states are different, and that there is a delta state which show only those differences. This is useful when you only want to focus on the changes between desired and reported states.
```
"desired": {
  "led": "off",
  "led_ring": {
    "count": 5,
    "color": "#FF8000"
  }
},
"delta": {
  "led": "off",
},
"reported": {
  "led": "on",
  "led_ring": {
    "count": 5,
    "color": "#FF8000"
  }
},
...
"version": 103
```
To verify that the dispenser reads the shadow state upon restart, plug the dispenser back into your laptop and watch the shadow document. The dispenser will reconcile the states which will remove the attribute from the delta section (or completely remove it).
```
"desired": {
  "led": "off",
  "led_ring": {
    "count": 5,
    "color": "#FF8000"
  }
},
"reported": {
  "led": "off",
  "led_ring": {
    "count": 5,
    "color": "#FF8000"
  }
},
...
"version": 105
```

3. Monitor Shadow MQTT topics for a Complex Operation (Dispense Drink)

The shadow can also be used for more complex operations. While changing the state of the LED can be tracked via a single attribute, operations such as dispensing a drink are more complex and require multiple states such as request and response. The dispenser app initiates the dispense operation as a request, and when the dispenser completes the operation it, in turn, sets a corresponding response. We use a short, random, requestId value to match the correlate the request and response states.

req res shadow — Figure 3. Tracking request/response using shadow

As we cannot be sure that the dispenser is online, the dispenser app initiates the request and sets the desired state of the shadow with a request object containing the command to execute, a unique requestId, and the timestamp of when the user clicked "Dispense a Drink" in the dispenser app.

To verify, ensure the microcontroller is connected and LED operations take place. Next, use Test from the IoT Core console and subscribe to the topic $aws/things/dispenserId/shadow/# (replace dispenserId with your value) to track all shadow operations. Next, in the dispenser app click the Dispense! button (should still be green) to initiate a dispense operation. From the MQTT Client tab, you should see a few shadow topic messages. Scroll through and review how the first message sets the request object, and after the dispenser completes turning the pump (indicated by the animated LED pattern on the LED Ring) the reported state is updated with a response object that has the same requestId, and finally that the the request and response objects are both deleted from all shadow sections once the response has been reconciliated.

In this situation, we are using the shadow to track the status of a command sent to the dispenser, and the response once it acts upon it.

Click to open for detailed step-by-step instructions

4. Review Logging and Credits

Oops! While testing how the Shadow works We used up all of our credits. Each dispense operation costs $1.00, and has been deducted from our dispenser credit, as shown by the dispenser app. Navigate to the DynamoDB DispenserTable and verify the credits match the dispenser app. Also, review the EventsTable for your dispenser (review the first steps in this lab if needed) to see the various logging entries made while testing the Ring LED and drink dispense test.

We use these tables as the source of truth for the status of our dispenser. While the dispenser code you compiled and installed could be modified, a dispense operation can only be performed if there are sufficient credits in the account (e.g., DynamoDB DispenserTable entry). We use the value of the dispenserId across the dispenser app (user account custom attribute), IoT Core (Thing name, Certificate CN) and DynamoDB DispenserTable (dispenserId key) to enforce the desired controls in the overall SaaS application.

5. Dispenser app Overview

The dispenser app is your main interface for interacting with the dispenser, eg to dispense a drink, and to check its state. As the dispenser app is running inside your local browser, there are two methods that can be used to track what is the current status. We can continuously poll via an API to return the status, or use a callback mechanism to alert the dispenser app when something has changed. In our app we use the callback method, and specifically it does this by subscribing to the MQTT topics for your specific dispenser. This reduces the overall load on the SaaS service and demonstrates how we can use the features of AWS IoT Core to simplify the implementation.

Modern web browsers have the ability to monitor what is running locally. Our dispenser app has additional debug, or console.log() statements to give an indication when something is happening. From your browser, enable the Web Console (name varies based on browser), and select the Console tab. Now change the status of the LED. Every time you make a change, you will see an Received MQTT message with change in LED or credit status message. This is alerted when an incoming MQTT message of interest such as a shadow update occurs.

These messages then trigger the dispenser app to make an API call requesting the complete status of the dispenser (LED status, credits, etc.), which in turn updates the main dispenser page. If there are no changes being made, no MQTT messages are generated, and subsequently, no API calls are made to request an update to the dispenser app.

Click to open for detailed step-by-step instructions

6. Share the Love!

Now that we have shown how you interact with your dispenser via the dispenser app, let’s build our credits up to a sufficient level to complete the rest of the lab. To do this, click on the Share the Love! panel underneath the LED status panel and follow the instructions. First, try giving credit to another dispenser number and monitor the Last credit response message (with or without browser logging). Next, try to give yourself credits and note that the gray button to the right does not change to SEND CREDIT!. This is a constraint built into the dispenser app. However, even if you were to make a direct API call, the backend will also deny the request.

Finally, talk to your neighbors and ask them to start sending you credits. You may also see that as the credits increase, the LED Ring will also start to fill until you have at least $1.00, and after that the colors will changes as your balance goes above $2.00, $3.00, etc.

It is recommended that you have at least $2.00 or $3.00 to perform a couple dispenses with a fully built dispenser unit.

Good work!

Checkpoints

Please ensure the following checkpoints are validated before moving on to the next module.

The dispenser board operates correctly and you can toggle the LED Ring from the dispenser app
A dispense operation enables the LED Ring with an animated pattern indicating the microcontroller activates the pump (motor control)
You have an understanding of how the shadow document and DynamoDB tables are used to track state (LED) and perform command and control (request/response) operations

Outcomes

Why do we use the shadow document for command and control, when it could also be done with regular MQTT messages? While either pattern are good practices, combining all of the operations into a single location makes it easier to follow for the workshop. As long as there is a way to track each request, the mechanism used doesn’t matter.

One thing that we didn’t discuss is the LED Ring. In this case, it is used to give a visual indication of the credit levels. From the dispensers perspective, it is another shadow attribute set to manage. But instead of being set by clicking buttons in the dispenser app, this value is programmatically set by the cloud services whenever there is a change in the credit state of a dispenser. This demonstrates that functionality in not static and can be modified in either device (dispenser) or the application (cloud-side).