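# AlleyCat base stack: a Kinesis ingest stream, an IoT Thing for realtime
# messaging, a Cognito user pool + federated identity pool with one IAM role
# for guests and one for signed-in users, and an IoT topic rule that forwards
# everything published on the 'alleycat-publish' topic into the stream.
AWSTemplateFormatVersion: "2010-09-09"  # quoted so generic YAML loaders don't read it as a date
Transform: AWS::Serverless-2016-10-31
Description: AlleyCat - Base template for all examples

Resources:
  # Ingest stream. Other resources reference it with !Ref / !GetAtt rather than
  # repeating the literal name, so renaming it here cannot leave them stale.
  KinesisStream:
    Type: AWS::Kinesis::Stream
    Properties:
      Name: "alleycat"
      RetentionPeriodHours: 24
      ShardCount: 1

  ##########################################
  # Resources for realtime messaging       #
  ##########################################
  AlleyCatRealtime:
    Type: AWS::IoT::Thing
    Properties:
      ThingName: "alleycat-realtime"
      AttributePayload:
        Attributes: {}

  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: AlleyCatUserPool
      MfaConfiguration: "OPTIONAL"  # MFA offered to users, not enforced
      Schema:
        - Name: email
          AttributeDataType: String
          Mutable: false
          Required: true

  # Creates a User Pool Client to be used by the identity pool
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: AlleyCatUserPoolClient
      GenerateSecret: false  # public (browser/mobile) client; a secret could not be kept confidential there
      UserPoolId: !Ref UserPool

  # Creates a federated Identity pool
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: AlleyCatIdentityPool
      # Any caller can obtain a guest identity and thereby assume
      # CognitoUnAuthorizedRole below, so that role must stay minimal.
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName

  # Create a role for unauthorized (guest) access to AWS resources.
  CognitoUnAuthorizedRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only identities issued by *this* identity pool, and only
      # those carrying the "unauthenticated" amr claim, may assume the role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: "CognitoUnauthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): cognito-sync:* is broader than a sample app needs;
              # drop this statement if Cognito Sync is not actually used.
              - Effect: "Allow"
                Action:
                  - "cognito-sync:*"
                Resource: !Sub "arn:aws:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}"
              # Guests may only connect with a client id prefixed "alleycat-".
              - Effect: Allow
                Action:
                  - iot:Connect
                Resource: !Sub "arn:aws:iot:${AWS::Region}:${AWS::AccountId}:client/alleycat-*"
              # NOTE(review): Resource "*" lets any guest publish to and subscribe
              # on every topic in this account. Scope Publish to the application's
              # topic ARN(s) and Subscribe to the matching topicfilter ARN(s) once
              # the topic layout is fixed.
              - Effect: Allow
                Action:
                  - iot:Subscribe
                  - iot:Publish
                Resource: "*"
              - Effect: Allow
                Action:
                  - iot:Receive
                Resource: !Sub "arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topic/*"

  # Create a role for authorized (signed-in) access to AWS resources.
  CognitoAuthorizedRole:
    Type: AWS::IAM::Role
    Properties:
      # Same trust shape as the guest role, but requires the "authenticated" amr claim.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: "CognitoAuthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): see the guest role; cognito-sync:* is likely wider than needed.
              - Effect: "Allow"
                Action:
                  - "cognito-sync:*"
                Resource: !Sub "arn:aws:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}"
              - Effect: Allow
                Action:
                  - iot:Connect
                Resource: !Sub "arn:aws:iot:${AWS::Region}:${AWS::AccountId}:client/alleycat-*"
              # Signed-in users can subscribe anywhere but, unlike guests, are not
              # granted iot:Publish here. Subscribe on "*" is equivalent to
              # topicfilter/*; narrow it to the application's filters when known.
              - Effect: Allow
                Action:
                  - iot:Subscribe
                Resource: "*"
              - Effect: Allow
                Action:
                  - iot:Receive
                Resource: !Sub "arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topic/*"

  # Assigns the roles to the Identity Pool
  IdentityPoolRoleMapping:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn
        unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn

  ###################################################################
  # IoT topic rule to publish from IoT to Kinesis Stream/CloudWatch #
  ###################################################################
  IotTopicRule:
    Type: AWS::IoT::TopicRule
    Properties:
      RuleName: 'alleycatIngest'
      TopicRulePayload:
        RuleDisabled: false  # real boolean; the property is typed Boolean
        # Every message on 'alleycat-publish' is forwarded unfiltered; any
        # principal allowed to publish there can therefore write to the stream.
        Sql: "SELECT * FROM 'alleycat-publish'"
        Actions:
          - Kinesis:
              StreamName: !Ref KinesisStream  # Ref yields the stream name; stays in sync with the resource above
              PartitionKey: "${timestamp()}"
              RoleArn: !GetAtt IoTKinesisRole.Arn

  # Role assumed by the IoT rules engine to write into the stream.
  IoTKinesisRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - iot.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            # Confused-deputy guard: only rules in this account may assume the role.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Path: /
      Policies:
        - PolicyName: IoTKinesisPutPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: a single write action on the single stream.
              - Effect: Allow
                Action: 'kinesis:PutRecord'
                Resource: !GetAtt KinesisStream.Arn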