AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: > iot-lambda-client Sample SAM Template for iot-lambda-client # More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst Globals: Function: Timeout: 60 Parameters: AccountID: Type: String Description: The account ID where the IoT Core relies Region: Type: String Description: The region where the IoT Core relies IoTCoreEndpoint: Type: String Description: The IoT Core endpoint where the AWS Lambda function will conntect to ClientIDPrefix: Type: String Description: The AWS Lambda function's IoT Client's ID Prefix LambdaName: Type: String Description: The name of your AWS Lambda function Resources: APIGWCloudWatchRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - apigateway.amazonaws.com Action: 'sts:AssumeRole' Path: / ManagedPolicyArns: - >- arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs ApiGWAccount: Type: 'AWS::ApiGateway::Account' Properties: CloudWatchRoleArn: !GetAtt APIGWCloudWatchRole.Arn ApiGatewayEndpoint: Type: 'AWS::Serverless::Api' Properties: StageName: Prod Auth: DefaultAuthorizer: AWS_IAM MethodSettings: - LoggingLevel: INFO ResourcePath: '/*' # allows for logging on any resource HttpMethod: '*' # allows for logging on any method Models: Request: $schema: "http://json-schema.org/draft-04/schema#" properties: method: type: string request: type: string target: type: string timeout: type: string required: - method - request - target - timeout title: Request type: object DependsOn: - ApiGWAccount IoTLambdaClientFunction: Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction Metadata: cfn_nag: rules_to_suppress: - id: W89 reason: This is a sample API implementation meant for dev stage. Lambda deployment strategy not in scope of solution - id: W92 reason: This is a sample API implementation meant for dev stage. No usage quotas are prescribed - id: W68 reason: Bug in cfn-nag, the API Deployment is associated with a UsagePlan but warning is thrown anyway - id: W64 reason: Bug in cfn-nag, the API Deployment is associated with a UsagePlan but warning is thrown anyway - id: W69 reason: This is a sample API implementation meant for dev stage. Access logging is not in scope Properties: CodeUri: endpoint/ Handler: app.handler Runtime: python3.9 FunctionName: !Ref LambdaName Architectures: - x86_64 MemorySize: 256 Environment: Variables: WSS_ENDPOINT: !Ref IoTCoreEndpoint CLIENT_ID_PREFIX: !Ref ClientIDPrefix Policies: - Version: "2012-10-17" Statement: - Effect: Allow Action: - 'iot:Connect' Resource: - !Sub - 'arn:aws:iot:${Region}:${AccountID}:client/${ClientIDPrefix}*' - Region: !Ref Region AccountID: !Ref AccountID ClientIDPrefix: !Ref ClientIDPrefix - Effect: Allow Action: - 'iot:Publish' Resource: - !Sub - 'arn:aws:iot:${ParamRegion}:${ParamAccountID}:topic/*/*/${ClientIDPrefix}/*' - ParamRegion: !Ref Region ParamAccountID: !Ref AccountID ClientIDPrefix: !Ref ClientIDPrefix - Effect: Allow Action: - 'iot:Subscribe' Resource: - !Sub - 'arn:aws:iot:${ParamRegion}:${ParamAccountID}:topicfilter/${ClientIDPrefix}/*' - ParamRegion: !Ref Region ParamAccountID: !Ref AccountID ClientIDPrefix: !Ref ClientIDPrefix - Effect: Allow Action: - 'iot:Receive' Resource: - !Sub - 'arn:aws:iot:${ParamRegion}:${ParamAccountID}:topic/${ClientIDPrefix}/*' - ParamRegion: !Ref Region ParamAccountID: !Ref AccountID ClientIDPrefix: !Ref ClientIDPrefix Events: Invoke: Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api Properties: RestApiId: Ref: ApiGatewayEndpoint Path: /invoke Method: get RequestModel: Model: Request ValidateBody: false ValidateParameters: true RequestParameters: - method.request.querystring.method: Required: true - method.request.querystring.request: Required: true - method.request.querystring.target: Required: true - method.request.querystring.timeout: Required: true Outputs: # ServerlessRestApi is an implicit API created out of Events key under Serverless::Function # Find out more about other implicit resources you can reference within SAM # https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api InvokeApi: Description: "API Gateway endpoint URL for Prod stage for function" Value: !Sub "https://${ApiGatewayEndpoint}.execute-api.${AWS::Region}.amazonaws.com/Prod/invoke/" IoTLambdaClientFunction: Description: "Lambda Function ARN" Value: !GetAtt IoTLambdaClientFunction.Arn IoTLambdaClientIamRole: Description: "Implicit IAM Role created for function" Value: !GetAtt IoTLambdaClientFunction.Arn