ExternalVendorCode/sondehub-infra
1
0
Fork 0
mirror of https://github.com/projecthorus/sondehub-infra.git synced 2024-12-18 20:57:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

initial

Browse Source
This commit is contained in:
Michaela 2021-01-30 21:07:34 +10:00
commit e9f9ba7084
3 changed files with 748 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
README.md Normal file
View File

@ -0,0 +1,14 @@
WIP
==
todo
--
- Most of this was generated using former2, so it's very rough, need to rename things to make sense
- lambda layers should be scripted so we can deploy them again (or at the least documented), or move to packaging them into the deployable
- all the sondehub v1 stuff needs migrating, rebuilding
- web interface
- basic APIs
- build out APIs for sondehub ui replacement
- we don't have rate limiting ? do we need it
- cognito needs to be setup to allow private access
- replace profile defination with env variables since not all admins will have that profile
-

630
main.tf Normal file
View File

@ -0,0 +1,630 @@
terraform {
backend "s3" {
bucket = "sondehub-terraform"
key = "sondehub-main"
region = "us-east-1"
profile = "sondes"
}
}
provider "aws" {
region = "us-east-1"
profile = "sondes"
}
locals {
domain_name = "v2.sondehub.org"
}
data "aws_caller_identity" "current" {}
resource "aws_iam_role" "IAMRole" {
path = "/"
name = "Cognito_sondesAuth_Role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.CognitoIdentityPool.id}"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}]
}
EOF
max_session_duration = 3600
}
resource "aws_iam_role" "IAMRole2" {
path = "/"
name = "Cognito_sondesUnauth_Role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.CognitoIdentityPool.id}"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "unauthenticated"
}
}
}]
}
EOF
max_session_duration = 3600
}
resource "aws_iam_role" "IAMRole3" {
path = "/service-role/"
name = "CognitoAccessForAmazonES"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "es.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
max_session_duration = 3600
}
resource "aws_iam_role" "IAMRole4" {
path = "/service-role/"
name = "iot-es"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "iot.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
max_session_duration = 3600
}
resource "aws_iam_role" "IAMRole5" {
path = "/service-role/"
name = "sonde-api-to-iot-core-role-z9zes3f5"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
max_session_duration = 3600
}
resource "aws_iam_service_linked_role" "IAMServiceLinkedRole" {
aws_service_name = "es.amazonaws.com"
}
resource "aws_iam_service_linked_role" "IAMServiceLinkedRole3" {
aws_service_name = "ops.apigateway.amazonaws.com"
description = "The Service Linked Role is used by Amazon API Gateway."
}
resource "aws_iam_policy" "IAMManagedPolicy" {
name = "AWSLambdaBasicExecutionRole-01b38736-6769-4407-9515-93d653f4db5f"
path = "/service-role/"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/sonde-api-to-iot-core:*"
]
}
]
}
EOF
}
resource "aws_iam_policy" "IAMManagedPolicy2" {
name = "aws-iot-role-es_795847808"
path = "/service-role/"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "es:ESHttpPut",
"Resource": [
"arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2/*"
]
}
}
EOF
}
resource "aws_iam_policy" "IAMManagedPolicy4" {
name = "AWSLambdaTracerAccessExecutionRole-56cd4e03-902a-4a40-9cd9-c9449709d80d"
path = "/service-role/"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords"
],
"Resource": [
"*"
]
}
}
EOF
}
resource "aws_iam_role_policy" "IAMPolicy" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "es:ESHttp*",
"Resource": "*"
}
]
}
EOF
role = aws_iam_role.IAMRole.name
}
resource "aws_iam_role_policy" "IAMPolicy2" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": [
"*"
]
}
]
}
EOF
role = aws_iam_role.IAMRole2.name
}
resource "aws_iam_role_policy" "IAMPolicy3" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*",
"cognito-identity:*"
],
"Resource": [
"*"
]
}
]
}
EOF
role = aws_iam_role.IAMRole.name
}
resource "aws_iam_role_policy" "IAMPolicy4" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iot:*",
"Resource": "*"
}
]
}
EOF
role = aws_iam_role.IAMRole5.name
}
resource "aws_route53_zone" "Route53HostedZone" {
name = "${local.domain_name}."
}
resource "aws_route53_record" "Route53RecordSet" {
name = ""
type = "A"
ttl = 300
records = [
"127.0.0.1"
]
zone_id = aws_route53_zone.Route53HostedZone.zone_id
}
resource "aws_route53_record" "cert_validation" {
for_each = {
for dvo in aws_acm_certificate.CertificateManagerCertificate.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
allow_overwrite = true
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = aws_route53_zone.Route53HostedZone.zone_id
}
resource "aws_acm_certificate_validation" "CertificateManagerCertificate" {
certificate_arn = aws_acm_certificate.CertificateManagerCertificate.arn
validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}
resource "aws_route53_record" "Route53RecordSet5" {
name = "api"
type = "CNAME"
ttl = 60
records = [
"${aws_apigatewayv2_domain_name.ApiGatewayV2DomainName.domain_name_configuration.0.target_domain_name}."
]
zone_id = aws_route53_zone.Route53HostedZone.zone_id
}
resource "aws_cognito_user_pool_domain" "main" {
domain = "auth.${local.domain_name}"
user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
certificate_arn = aws_acm_certificate_validation.CertificateManagerCertificate.certificate_arn
}
resource "aws_route53_record" "Route53RecordSet6" {
name = "auth"
type = "A"
alias {
name = "${aws_cognito_user_pool_domain.main.cloudfront_distribution_arn}."
zone_id = "Z2FDTNDATAQYW2"
evaluate_target_health = false
}
zone_id = aws_route53_zone.Route53HostedZone.zone_id
}
resource "aws_route53_record" "Route53RecordSet7" {
name = "es"
type = "CNAME"
ttl = 300
records = [
aws_elasticsearch_domain.ElasticsearchDomain.endpoint
]
zone_id = aws_route53_zone.Route53HostedZone.zone_id
}
data "archive_file" "api_to_iot" {
type = "zip"
source_file = "sonde-api-to-iot-core/lambda_function.py"
output_path = "${path.module}/build/sonde-api-to-iot-core.zip"
}
resource "aws_lambda_function" "LambdaFunction" {
function_name = "sonde-api-to-iot-core"
handler = "lambda_function.lambda_handler"
filename = "${path.module}/build/sonde-api-to-iot-core.zip"
source_code_hash = data.archive_file.api_to_iot.output_base64sha256
publish = true
memory_size = 256
role = aws_iam_role.IAMRole5.arn
runtime = "python3.7"
timeout = 10
tracing_config {
mode = "Active"
}
layers = [
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:xray-python:1",
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:iot:3"
]
}
resource "aws_lambda_permission" "LambdaPermission2" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.LambdaFunction.arn
principal = "apigateway.amazonaws.com"
source_arn = "arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:r03szwwq41/*/*/sondes/telemetry"
}
resource "aws_lambda_layer_version" "LambdaLayerVersion2" {
compatible_runtimes = [
"python3.8"
]
layer_name = "iot"
s3_bucket = "sondehub-lambda-layers"
s3_key = "iot.zip"
source_code_hash = "sHyE9vXk+BzFphPe8evfiL79fcxsSEYVfpbTVi2IwH0="
}
resource "aws_lambda_layer_version" "LambdaLayerVersion4" {
compatible_runtimes = [
"python3.8"
]
layer_name = "xray-python"
s3_bucket = "sondehub-lambda-layers"
s3_key = "xray-python.zip"
source_code_hash = "ta4o2brS2ZRAeWhZjqrm6MhOc3RlYNgkOuD4dxSonEc="
}
resource "aws_s3_bucket" "S3Bucket" {
bucket = "sondehub-lambda-layers"
}
resource "aws_cloudwatch_log_group" "LogsLogGroup" {
name = "/aws/lambda/sonde-api-to-iot-core"
}
resource "aws_apigatewayv2_api" "ApiGatewayV2Api" {
name = "sondehub-v2"
disable_execute_api_endpoint = true
api_key_selection_expression = "$request.header.x-api-key"
protocol_type = "HTTP"
route_selection_expression = "$request.method $request.path"
}
resource "aws_apigatewayv2_stage" "ApiGatewayV2Stage" {
name = "$default"
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
deployment_id = aws_apigatewayv2_deployment.ApiGatewayV2Deployment3.id
default_route_settings {
detailed_metrics_enabled = false
}
auto_deploy = true
}
resource "aws_apigatewayv2_stage" "ApiGatewayV2Stage2" {
name = "prod"
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
deployment_id = aws_apigatewayv2_deployment.ApiGatewayV2Deployment4.id
default_route_settings {
detailed_metrics_enabled = false
}
}
resource "aws_apigatewayv2_deployment" "ApiGatewayV2Deployment3" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
}
resource "aws_apigatewayv2_deployment" "ApiGatewayV2Deployment4" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
}
resource "aws_apigatewayv2_route" "ApiGatewayV2Route" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
api_key_required = false
authorization_type = "NONE"
route_key = "PUT /sondes/telemetry"
target = "integrations/${aws_apigatewayv2_integration.ApiGatewayV2Integration.id}"
}
resource "aws_apigatewayv2_integration" "ApiGatewayV2Integration" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
connection_type = "INTERNET"
integration_method = "POST"
integration_type = "AWS_PROXY"
integration_uri = aws_lambda_function.LambdaFunction.arn
timeout_milliseconds = 30000
payload_format_version = "2.0"
}
resource "aws_apigatewayv2_api_mapping" "ApiGatewayV2ApiMapping" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
domain_name = aws_apigatewayv2_domain_name.ApiGatewayV2DomainName.id
stage = "$default"
api_mapping_key = ""
}
resource "aws_apigatewayv2_domain_name" "ApiGatewayV2DomainName" {
domain_name = "api.${local.domain_name}"
domain_name_configuration {
certificate_arn = aws_acm_certificate_validation.CertificateManagerCertificate.certificate_arn
endpoint_type = "REGIONAL"
security_policy = "TLS_1_2"
}
}
resource "aws_acm_certificate" "CertificateManagerCertificate" {
domain_name = local.domain_name
subject_alternative_names = [
"*.${local.domain_name}"
]
validation_method = "DNS"
}
resource "aws_elasticsearch_domain" "ElasticsearchDomain" {
domain_name = "sondes-v2"
elasticsearch_version = "7.9"
cluster_config {
dedicated_master_count = 3
dedicated_master_enabled = true
dedicated_master_type = "t3.small.elasticsearch"
instance_count = 2
instance_type = "t3.small.elasticsearch"
zone_awareness_enabled = true
}
cognito_options {
enabled = true
identity_pool_id = aws_cognito_identity_pool.CognitoIdentityPool.id
role_arn = aws_iam_role.IAMRole3.arn
user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
}
access_policies = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/OrganizationAccountAccessRole"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2/*"
}
]
}
EOF
encrypt_at_rest {
enabled = true
kms_key_id = data.aws_kms_key.es.arn
}
node_to_node_encryption {
enabled = true
}
advanced_options = {
"rest.action.multi.allow_explicit_index" = "true"
}
ebs_options {
ebs_enabled = true
volume_type = "gp2"
volume_size = 10
}
}
data "aws_kms_key" "es" {
key_id = "alias/aws/es"
}
resource "aws_cognito_identity_pool" "CognitoIdentityPool" {
identity_pool_name = "sondes"
allow_unauthenticated_identities = false
cognito_identity_providers {
client_id = aws_cognito_user_pool_client.CognitoUserPoolClient.id
provider_name = aws_cognito_user_pool.CognitoUserPool.endpoint
server_side_token_check = true
}
}
resource "aws_cognito_identity_pool_roles_attachment" "CognitoIdentityPoolRoleAttachment" {
identity_pool_id = aws_cognito_identity_pool.CognitoIdentityPool.id
roles = {
authenticated = aws_iam_role.IAMRole.arn
unauthenticated = aws_iam_role.IAMRole2.arn
}
}
resource "aws_cognito_user_pool" "CognitoUserPool" {
name = "sondes"
password_policy {
temporary_password_validity_days = 7
minimum_length = 8
require_lowercase = true
require_numbers = true
require_symbols = true
require_uppercase = true
}
schema {
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
name = "email"
string_attribute_constraints {
max_length = "2048"
min_length = "0"
}
required = true
}
username_configuration {
case_sensitive = false
}
auto_verified_attributes = [
"email"
]
alias_attributes = [
"email",
"preferred_username"
]
sms_verification_message = "Your verification code is {####}. "
email_verification_message = "Your verification code is {####}. "
email_verification_subject = "Your verification code"
sms_authentication_message = "Your authentication code is {####}. "
mfa_configuration = "OFF"
device_configuration {
challenge_required_on_new_device = false
device_only_remembered_on_user_prompt = false
}
email_configuration {
}
admin_create_user_config {
allow_admin_create_user_only = true
invite_message_template {
email_message = "Your username is {username} and temporary password is {####}. "
email_subject = "Your temporary password"
sms_message = "Your username is {username} and temporary password is {####}. "
}
}
account_recovery_setting {
recovery_mechanism {
name = "admin_only"
priority = 1
}
}
}
resource "aws_cognito_user_pool_client" "CognitoUserPoolClient" {
user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
name = "AWSElasticsearch-sondes-v2-us-east-1-hiwdpmnjbuckpbwfhhx65mweee"
refresh_token_validity = 30
allowed_oauth_flows = [ "code" ]
allowed_oauth_flows_user_pool_client = true
allowed_oauth_scopes = ["email", "openid", "phone", "profile"]
callback_urls = ["https://es.${local.domain_name}/_plugin/kibana/app/kibana"]
logout_urls = ["https://es.${local.domain_name}/_plugin/kibana/app/kibana"]
supported_identity_providers = ["COGNITO"]
}

104
sonde-api-to-iot-core/lambda_function.py Normal file
View File

@ -0,0 +1,104 @@
import json
import boto3
import zlib
import base64
import datetime
import functools
from aws_xray_sdk.core import xray_recorder
from aws_xray_sdk.core import patch_all
from awscrt import io, mqtt, auth, http
from awsiot import mqtt_connection_builder
import uuid
import threading
# this needs a bunch of refactor but the general approach is
# connect to mqtt via websockets during init
# if we detect that we are disconnected then reconnect
# this is to make the lambda function nice and quick when during
# peak load
# todo
# we should add some value checking
# we typically perform version banning here based on user agent
# xray doesn't know about mqtt, we should teach it
# we should probably get sondehub v1 stuff in here as well
# error handling - at the moment we bail on a single failure
# report to the user what's happened
# probably turn down logging since cloudwatch costs $$$
# env variable some of this
# work out how to have a dev env
patch_all()
event_loop_group = io.EventLoopGroup(1)
host_resolver = io.DefaultHostResolver(event_loop_group)
client_bootstrap = io.ClientBootstrap(event_loop_group, host_resolver)
credentials_provider = auth.AwsCredentialsProvider.new_default_chain(client_bootstrap)
io.init_logging(io.LogLevel.Info, 'stderr')
session = boto3.session.Session()
mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
endpoint="a2sgq5szfqum7p-ats.iot.us-east-1.amazonaws.com",
client_bootstrap=client_bootstrap,
region="us-east-1",
credentials_provider=credentials_provider,
client_id=str(uuid.uuid4()),
clean_session=False,
keep_alive_secs=6)
connect_future = mqtt_connection.connect()
def lambda_handler(event, context):
global connect_future, mqtt_connection
# Future.result() waits until a result is available
connect_future.result()
print(json.dumps(event))
if "isBase64Encoded" in event and event["isBase64Encoded"] == True:
event["body"] = base64.b64decode(event["body"])
if "content-encoding" in event["headers"] and event["headers"]["content-encoding"] == "gzip":
event["body"] = zlib.decompress(event["body"], 16+zlib.MAX_WBITS)
payloads = json.loads(event["body"])
tasks = []
first = False
for payload in payloads:
if "user-agent" in event["headers"]:
event["time_server"] = datetime.datetime.now().isoformat()
payload["user-agent"] = event["headers"]["user-agent"]
payload["position"] = f'{payload["lat"]},{payload["lon"]}'
(msg, x) = mqtt_connection.publish(
topic=f'sondes/{payload["serial"]}',
payload=json.dumps(payload),
qos=mqtt.QoS.AT_MOST_ONCE)
try:
msg.result()
except RuntimeError:
mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
endpoint="a2sgq5szfqum7p-ats.iot.us-east-1.amazonaws.com",
client_bootstrap=client_bootstrap,
region="us-east-1",
credentials_provider=credentials_provider,
client_id=str(uuid.uuid4()),
clean_session=False,
keep_alive_secs=6)
connect_future = mqtt_connection.connect()
connect_future.result()
(msg, x) = mqtt_connection.publish(
topic=f'sondes/{payload["serial"]}',
payload=json.dumps(payload),
qos=mqtt.QoS.AT_MOST_ONCE)
msg.result()
return {
'statusCode': 200,
'body': "^v^ telm logged"
}