AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Test IoT Thing

  This template creates an IoT Thing, its policy and attaches the policy with certificate and the thing itself

Parameters:
  AccountID:
    Type: String
    Description: The account ID where the IoT Core relies
  Region:
    Type: String
    Description: The region where the IoT Core relies
  ClientIDPrefix:
    Type: String
    Description: The AWS Lambda function's IoT Client's ID Prefix
  TestingIoTThingCertificateARN:
    Type: String
    Description: The certificate ARN to be associated to the testing IoT Thing

Resources:
  TestingIoTThing:
    Type: AWS::IoT::Thing # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      ThingName: test-iot-thing
      
  TestingIoTThingPolicy:
    Type: AWS::IoT::Policy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iot:Publish'
            Resource:
              - !Sub 
                - 'arn:aws:iot:${Region}:${AccountID}:topic/${ClientIDPrefix}/*'
                - Region: !Ref Region
                  AccountID: !Ref AccountID
                  ClientIDPrefix: !Ref ClientIDPrefix
          - Effect: Allow
            Action:
              - 'iot:Receive'
            Resource:
              - !Sub 
                - 'arn:aws:iot:${Region}:${AccountID}:topic/${!iot:ClientId}/*/${ClientIDPrefix}/*'
                - Region: !Ref Region
                  AccountID: !Ref AccountID
                  ClientIDPrefix: !Ref ClientIDPrefix
          - Effect: Allow
            Action:
              - 'iot:Subscribe'
            Resource:
              - !Sub 
                - 'arn:aws:iot:${Region}:${AccountID}:topicfilter/${!iot:ClientId}/*'
                - Region: !Ref Region
                  AccountID: !Ref AccountID
                  ClientIDPrefix: !Ref ClientIDPrefix
          - Effect: Allow
            Action:
              - 'iot:Connect'
            Resource:
              - !Sub 
                - 'arn:aws:iot:${Region}:${AccountID}:client/${!iot:ClientId}'
                - Region: !Ref Region
                  AccountID: !Ref AccountID
      PolicyName: TestingIoTThingPolicy

  TestingIoTThingPolicyCertificateAttachment:
    Type: AWS::IoT::PolicyPrincipalAttachment
    Properties: 
      PolicyName: !Ref TestingIoTThingPolicy
      Principal: !Ref TestingIoTThingCertificateARN

  TestingIoTThingThingCertificateAttachment:
    Type: AWS::IoT::ThingPrincipalAttachment
    Properties: 
      Principal: !Ref TestingIoTThingCertificateARN
      ThingName: !Ref TestingIoTThing