--- AWSTemplateFormatVersion: 2010-09-09 Description: > This template deploys resources needed to support Pinpoint's message personalization capabilities Author: James Jory Parameters: ResourceBucket: Type: String ResourceBucketRelativePath: Type: String ProductsServiceDNSName: Type: String OffersServiceDNSName: Type: String RecommendationsServiceDNSName: Type: String PinpointAppId: Type: String Uid: Type: String LambdaVpcSecurityGroup: Type: String LambdaVpcSubnets: Type: String Resources: # Allows Pinpoint to access Personalize solution and campaign PinpointPersonalizeRole: Type: AWS::IAM::Role Properties: RoleName: !Sub ${Uid}-PinptP9e # Referenced by name in messaging notebook Path: / ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: pinpoint.amazonaws.com Policies: - PolicyName: PersonalizeAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - personalize:DescribeSolution - personalize:DescribeCampaign - personalize:GetRecommendations Resource: - !Sub 'arn:aws:personalize:${AWS::Region}:${AWS::AccountId}:solution/retaildemo*' - !Sub 'arn:aws:personalize:${AWS::Region}:${AWS::AccountId}:campaign/retaildemo*' - !Sub 'arn:aws:personalize:${AWS::Region}:${AWS::AccountId}:filter/retaildemo*' CustomizeRecommendationsFunctionRole: Type: AWS::IAM::Role Properties: Path: / ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: lambda.amazonaws.com Policies: - PolicyName: CloudWatchAndPinpoint PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:PutLogEvents - logs:CreateLogStream Resource: "arn:aws:logs:*:*:*" - Effect: Allow Action: - mobiletargeting:GetEndpoint Resource: - !Sub 'arn:aws:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${PinpointAppId}/endpoints/*' CustomizeRecommendationsFunction: Type: AWS::Lambda::Function Properties: Description: 'Retail Demo Store function called by Pinpoint to enrich messages with product information based on recommendations from Amazon Personalize' Handler: pinpoint-recommender.lambda_handler Role: !GetAtt CustomizeRecommendationsFunctionRole.Arn Runtime: python3.8 Code: S3Bucket: !Ref ResourceBucket S3Key: !Sub '${ResourceBucketRelativePath}aws-lambda/pinpoint-recommender.zip' FunctionName: RetailDemoStorePinpointRecommender # Function name used in notebook to lookup ARN VpcConfig: SecurityGroupIds: - !Ref LambdaVpcSecurityGroup SubnetIds: !Split [",", !Ref LambdaVpcSubnets] Environment: Variables: recommendations_service_host: !Ref RecommendationsServiceDNSName CustomizeOffersRecommendationsFunction: Type: AWS::Lambda::Function Properties: Description: 'Retail Demo Store function called by Pinpoint to enrich messages with product/offer information based on recommendations from Amazon Personalize' Handler: pinpoint-offers-recommender.lambda_handler Role: !GetAtt CustomizeRecommendationsFunctionRole.Arn Runtime: python3.8 Code: S3Bucket: !Ref ResourceBucket S3Key: !Sub '${ResourceBucketRelativePath}aws-lambda/pinpoint-offers-recommender.zip' FunctionName: RetailDemoStorePinpointOffersRecommender # Function name used in notebook to lookup ARN VpcConfig: SecurityGroupIds: - !Ref LambdaVpcSecurityGroup SubnetIds: !Split [",", !Ref LambdaVpcSubnets] Environment: Variables: products_service_host: !Ref ProductsServiceDNSName offers_service_host: !Ref OffersServiceDNSName recommendations_service_host: !Ref RecommendationsServiceDNSName PinpointPermission: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: !GetAtt CustomizeRecommendationsFunction.Arn Principal: pinpoint.amazonaws.com SourceArn: !Sub 'arn:aws:mobiletargeting:${AWS::Region}:${AWS::AccountId}:*' ####################### Pinpoint SMS Alerts Lambda ####################### PinpointSMSAlertsLambda: Type: 'AWS::Lambda::Function' Properties: Description: 'Retail Demo Store function that opts in customers to receive sms alerts from Amazon Pinpoint' Handler: pinpoint-sms-alerts.lambda_handler Role: !GetAtt - PinpointSMSAlertsLambdaExecutionRole - Arn Code: S3Bucket: !Ref ResourceBucket S3Key: !Sub '${ResourceBucketRelativePath}aws-lambda/pinpoint-sms-alerts.zip' Runtime: python3.8 Timeout: 900 FunctionName: RetailDemoStorePinpointSMSAlerts Environment: Variables: pinpoint_app_id: !Ref PinpointAppId PinpointSMSAlertsLambdaExecutionRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: root PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - logs:CreateLogGroup Resource: '*' - Effect: Allow Action: - logs:CreateLogStream - logs:PutLogEvents - logs:GetLogEvents Resource: - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/RetailDemoStorePinpointSMSAlerts:log-stream:*' - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/RetailDemoStorePinpointSMSAlerts' - Effect: Allow Action: - ssm:GetParameter Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/retaildemostore*' - Effect: "Allow" Action: - mobiletargeting:* Resource: "*" PinpointSnsTopicKmsKey: Type: 'AWS::KMS::Key' Properties: Description: Symmetric encryption KMS key for Pinpoint SNS Topic EnableKeyRotation: true PendingWindowInDays: 7 KeyPolicy: Version: 2012-10-17 Id: sns-key-policy Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' Action: 'kms:*' Resource: '*' - Sid: Allow Amazon Pinpoint to use this key Effect: Allow Principal: Service: 'sms-voice.amazonaws.com' Action: - kms:GenerateDataKey* - kms:Decrypt Resource: '*' - Sid: Allow Amazon SNS to use this key Effect: Allow Principal: Service: 'sns.amazonaws.com' Action: - kms:GenerateDataKey* - kms:Decrypt Resource: '*' PinpointIncomingTextAlertsSNSTopic: Type: 'AWS::SNS::Topic' Properties: Subscription: - Endpoint: !GetAtt - PinpointSMSAlertsLambda - Arn Protocol: lambda KmsMasterKeyId: !Ref PinpointSnsTopicKmsKey PinpointSMSAlertsLambdaInvokePermission: Type: 'AWS::Lambda::Permission' Properties: Action: lambda:InvokeFunction Principal: sns.amazonaws.com SourceArn: !Ref PinpointIncomingTextAlertsSNSTopic FunctionName: !Ref PinpointSMSAlertsLambda PinpointOffersPermission: Type: AWS::Lambda::Permission Properties: Action: lambda:InvokeFunction FunctionName: !GetAtt CustomizeOffersRecommendationsFunction.Arn Principal: pinpoint.amazonaws.com SourceArn: !Sub 'arn:aws:mobiletargeting:${AWS::Region}:${AWS::AccountId}:*' Outputs: PinpointPersonalizeRoleArn: Value: !GetAtt PinpointPersonalizeRole.Arn CustomizeRecommendationsFunctionArn: Value: !GetAtt CustomizeRecommendationsFunction.Arn CustomizeOffersRecommendationsFunctionArn: Value: !GetAtt CustomizeOffersRecommendationsFunction.Arn