commit e9f9ba7084f0f716fbd7166f00e5090dfd8d378a
Author: Michaela <git@michaela.lgbt>
Date:   Sat Jan 30 21:07:34 2021 +1000

    initial

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4c3a85c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,14 @@
+WIP
+==
+todo
+--
+ - Most of this was generated using former2, so it's very rough, need to rename things to make sense
+ - lambda layers should be scripted so we can deploy them again (or at the least documented), or move to packaging them into the deployable
+ - all the sondehub v1 stuff needs migrating, rebuilding
+   - web interface
+   - basic APIs
+ - build out APIs for sondehub ui replacement
+ - we don't have rate limiting ? do we need it
+ - cognito needs to be setup to allow private access
+ - replace profile defination with env variables since not all admins will have that profile
+ - 
\ No newline at end of file
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..3458297
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,630 @@
+terraform {
+  backend "s3" {
+    bucket = "sondehub-terraform"
+    key    = "sondehub-main"
+    region = "us-east-1"
+    profile = "sondes"
+  }
+}
+provider "aws" {
+    region = "us-east-1"
+    profile = "sondes"
+}
+
+locals {
+    domain_name = "v2.sondehub.org"
+}
+data "aws_caller_identity" "current" {}
+
+
+resource "aws_iam_role" "IAMRole" {
+    path = "/"
+    name = "Cognito_sondesAuth_Role"
+    assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [{
+        "Effect": "Allow",
+        "Principal": {
+            "Federated": "cognito-identity.amazonaws.com"
+        },
+        "Action": "sts:AssumeRoleWithWebIdentity",
+        "Condition": {
+            "StringEquals": {
+                "cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.CognitoIdentityPool.id}"
+            },
+            "ForAnyValue:StringLike": {
+                "cognito-identity.amazonaws.com:amr": "authenticated"
+            }
+        }
+    }]
+}
+EOF
+    max_session_duration = 3600
+}
+
+resource "aws_iam_role" "IAMRole2" {
+    path = "/"
+    name = "Cognito_sondesUnauth_Role"
+    assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [{
+        "Effect": "Allow",
+        "Principal": {
+            "Federated": "cognito-identity.amazonaws.com"
+        },
+        "Action": "sts:AssumeRoleWithWebIdentity",
+        "Condition": {
+            "StringEquals": {
+                "cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.CognitoIdentityPool.id}"
+            },
+            "ForAnyValue:StringLike": {
+                "cognito-identity.amazonaws.com:amr": "unauthenticated"
+            }
+        }
+    }]
+}
+EOF
+    max_session_duration = 3600
+}
+
+resource "aws_iam_role" "IAMRole3" {
+    path = "/service-role/"
+    name = "CognitoAccessForAmazonES"
+    assume_role_policy = <<EOF
+    {
+    "Version": "2012-10-17",
+    "Statement": [{
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "es.amazonaws.com"
+        },
+        "Action": "sts:AssumeRole"
+    }]
+}
+EOF
+    max_session_duration = 3600
+}
+
+resource "aws_iam_role" "IAMRole4" {
+    path = "/service-role/"
+    name = "iot-es"
+    assume_role_policy = <<EOF
+    {
+    "Version": "2012-10-17",
+    "Statement": [{
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "iot.amazonaws.com"
+        },
+        "Action": "sts:AssumeRole"
+    }]
+}
+EOF
+    max_session_duration = 3600
+}
+
+resource "aws_iam_role" "IAMRole5" {
+    path = "/service-role/"
+    name = "sonde-api-to-iot-core-role-z9zes3f5"
+    assume_role_policy = <<EOF
+    {
+    "Version": "2012-10-17",
+    "Statement": [{
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "lambda.amazonaws.com"
+        },
+        "Action": "sts:AssumeRole"
+    }]
+}
+EOF
+    max_session_duration = 3600
+}
+
+resource "aws_iam_service_linked_role" "IAMServiceLinkedRole" {
+    aws_service_name = "es.amazonaws.com"
+}
+
+resource "aws_iam_service_linked_role" "IAMServiceLinkedRole3" {
+    aws_service_name = "ops.apigateway.amazonaws.com"
+    description = "The Service Linked Role is used by Amazon API Gateway."
+}
+
+resource "aws_iam_policy" "IAMManagedPolicy" {
+    name = "AWSLambdaBasicExecutionRole-01b38736-6769-4407-9515-93d653f4db5f"
+    path = "/service-role/"
+    policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "logs:CreateLogGroup",
+            "Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": [
+                "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/sonde-api-to-iot-core:*"
+            ]
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "IAMManagedPolicy2" {
+    name = "aws-iot-role-es_795847808"
+    path = "/service-role/"
+    policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Action": "es:ESHttpPut",
+        "Resource": [
+            "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2/*"
+        ]
+    }
+}
+EOF
+}
+
+resource "aws_iam_policy" "IAMManagedPolicy4" {
+    name = "AWSLambdaTracerAccessExecutionRole-56cd4e03-902a-4a40-9cd9-c9449709d80d"
+    path = "/service-role/"
+    policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Action": [
+            "xray:PutTraceSegments",
+            "xray:PutTelemetryRecords"
+        ],
+        "Resource": [
+            "*"
+        ]
+    }
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "IAMPolicy" {
+    policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+       
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": "es:ESHttp*",
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+    role = aws_iam_role.IAMRole.name
+}
+
+resource "aws_iam_role_policy" "IAMPolicy2" {
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "mobileanalytics:PutEvents",
+        "cognito-sync:*"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
+EOF
+    role = aws_iam_role.IAMRole2.name
+}
+
+resource "aws_iam_role_policy" "IAMPolicy3" {
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "mobileanalytics:PutEvents",
+        "cognito-sync:*",
+        "cognito-identity:*"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
+EOF
+    role = aws_iam_role.IAMRole.name
+}
+
+resource "aws_iam_role_policy" "IAMPolicy4" {
+    policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": "iot:*",
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+    role = aws_iam_role.IAMRole5.name
+}
+
+resource "aws_route53_zone" "Route53HostedZone" {
+    name = "${local.domain_name}."
+}
+
+resource "aws_route53_record" "Route53RecordSet" {
+    name = ""
+    type = "A"
+    ttl = 300
+    records = [
+        "127.0.0.1"
+    ]
+    zone_id = aws_route53_zone.Route53HostedZone.zone_id
+}
+
+resource "aws_route53_record" "cert_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.CertificateManagerCertificate.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = aws_route53_zone.Route53HostedZone.zone_id
+}
+resource "aws_acm_certificate_validation" "CertificateManagerCertificate" {
+  certificate_arn         = aws_acm_certificate.CertificateManagerCertificate.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
+}
+
+resource "aws_route53_record" "Route53RecordSet5" {
+    name = "api"
+    type = "CNAME"
+    ttl = 60
+    records = [
+        "${aws_apigatewayv2_domain_name.ApiGatewayV2DomainName.domain_name_configuration.0.target_domain_name}."
+    ]
+    zone_id = aws_route53_zone.Route53HostedZone.zone_id
+}
+
+resource "aws_cognito_user_pool_domain" "main" {
+  domain       = "auth.${local.domain_name}"
+  user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
+  certificate_arn = aws_acm_certificate_validation.CertificateManagerCertificate.certificate_arn
+}
+
+resource "aws_route53_record" "Route53RecordSet6" {
+    name = "auth"
+    type = "A"
+    alias {
+        name = "${aws_cognito_user_pool_domain.main.cloudfront_distribution_arn}."
+        zone_id = "Z2FDTNDATAQYW2"
+        evaluate_target_health = false
+    }
+    zone_id = aws_route53_zone.Route53HostedZone.zone_id
+}
+
+resource "aws_route53_record" "Route53RecordSet7" {
+    name = "es"
+    type = "CNAME"
+    ttl = 300
+    records = [
+        aws_elasticsearch_domain.ElasticsearchDomain.endpoint
+    ]
+    zone_id = aws_route53_zone.Route53HostedZone.zone_id
+}
+
+data "archive_file" "api_to_iot" {
+  type        = "zip"
+  source_file = "sonde-api-to-iot-core/lambda_function.py"
+  output_path = "${path.module}/build/sonde-api-to-iot-core.zip"
+}
+
+resource "aws_lambda_function" "LambdaFunction" {
+    function_name = "sonde-api-to-iot-core"
+    handler = "lambda_function.lambda_handler"
+    filename      = "${path.module}/build/sonde-api-to-iot-core.zip"
+    source_code_hash = data.archive_file.api_to_iot.output_base64sha256
+    publish = true
+    memory_size = 256
+    role = aws_iam_role.IAMRole5.arn
+    runtime = "python3.7"
+    timeout = 10
+    tracing_config {
+        mode = "Active"
+    }
+    layers = [
+        "arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:xray-python:1",
+        "arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:iot:3"
+    ]
+}
+
+resource "aws_lambda_permission" "LambdaPermission2" {
+    action = "lambda:InvokeFunction"
+    function_name = aws_lambda_function.LambdaFunction.arn
+    principal = "apigateway.amazonaws.com"
+    source_arn = "arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:r03szwwq41/*/*/sondes/telemetry"
+}
+
+resource "aws_lambda_layer_version" "LambdaLayerVersion2" {
+    compatible_runtimes = [
+        "python3.8"
+    ]
+    layer_name = "iot"
+    s3_bucket = "sondehub-lambda-layers"
+    s3_key = "iot.zip"
+    source_code_hash = "sHyE9vXk+BzFphPe8evfiL79fcxsSEYVfpbTVi2IwH0="
+}
+
+
+resource "aws_lambda_layer_version" "LambdaLayerVersion4" {
+    compatible_runtimes = [
+        "python3.8"
+    ]
+    layer_name = "xray-python"
+    s3_bucket = "sondehub-lambda-layers"
+    s3_key = "xray-python.zip"
+    source_code_hash = "ta4o2brS2ZRAeWhZjqrm6MhOc3RlYNgkOuD4dxSonEc="
+}
+
+resource "aws_s3_bucket" "S3Bucket" {
+    bucket = "sondehub-lambda-layers"
+}
+
+resource "aws_cloudwatch_log_group" "LogsLogGroup" {
+    name = "/aws/lambda/sonde-api-to-iot-core"
+}
+
+resource "aws_apigatewayv2_api" "ApiGatewayV2Api" {
+    name = "sondehub-v2"
+    disable_execute_api_endpoint = true
+    api_key_selection_expression = "$request.header.x-api-key"
+    protocol_type = "HTTP"
+    route_selection_expression = "$request.method $request.path"
+}
+
+resource "aws_apigatewayv2_stage" "ApiGatewayV2Stage" {
+    name = "$default"
+    api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
+    deployment_id = aws_apigatewayv2_deployment.ApiGatewayV2Deployment3.id
+    default_route_settings {
+        detailed_metrics_enabled = false
+    }
+    auto_deploy = true
+}
+
+resource "aws_apigatewayv2_stage" "ApiGatewayV2Stage2" {
+    name = "prod"
+    api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
+    deployment_id = aws_apigatewayv2_deployment.ApiGatewayV2Deployment4.id
+    default_route_settings {
+        detailed_metrics_enabled = false
+    }
+}
+
+resource "aws_apigatewayv2_deployment" "ApiGatewayV2Deployment3" {
+    api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
+}
+
+resource "aws_apigatewayv2_deployment" "ApiGatewayV2Deployment4" {
+    api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
+}
+
+resource "aws_apigatewayv2_route" "ApiGatewayV2Route" {
+    api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
+    api_key_required = false
+    authorization_type = "NONE"
+    route_key = "PUT /sondes/telemetry"
+    target = "integrations/${aws_apigatewayv2_integration.ApiGatewayV2Integration.id}"
+}
+
+resource "aws_apigatewayv2_integration" "ApiGatewayV2Integration" {
+    api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
+    connection_type = "INTERNET"
+    integration_method = "POST"
+    integration_type = "AWS_PROXY"
+    integration_uri = aws_lambda_function.LambdaFunction.arn
+    timeout_milliseconds = 30000
+    payload_format_version = "2.0"
+}
+
+resource "aws_apigatewayv2_api_mapping" "ApiGatewayV2ApiMapping" {
+    api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
+    domain_name = aws_apigatewayv2_domain_name.ApiGatewayV2DomainName.id
+    stage = "$default"
+    api_mapping_key = ""
+}
+
+resource "aws_apigatewayv2_domain_name" "ApiGatewayV2DomainName" {
+    domain_name = "api.${local.domain_name}"
+    domain_name_configuration {
+        certificate_arn = aws_acm_certificate_validation.CertificateManagerCertificate.certificate_arn
+        endpoint_type = "REGIONAL"
+        security_policy = "TLS_1_2"
+    }
+}
+
+resource "aws_acm_certificate" "CertificateManagerCertificate" {
+    domain_name = local.domain_name
+    subject_alternative_names = [
+        "*.${local.domain_name}"
+    ]
+    validation_method = "DNS"
+}
+
+resource "aws_elasticsearch_domain" "ElasticsearchDomain" {
+    domain_name = "sondes-v2"
+    elasticsearch_version = "7.9"
+    cluster_config {
+        dedicated_master_count = 3
+        dedicated_master_enabled = true
+        dedicated_master_type = "t3.small.elasticsearch"
+        instance_count = 2
+        instance_type = "t3.small.elasticsearch"
+        zone_awareness_enabled = true
+    }
+    cognito_options {
+          enabled          = true
+          identity_pool_id = aws_cognito_identity_pool.CognitoIdentityPool.id
+          role_arn         = aws_iam_role.IAMRole3.arn
+          user_pool_id     = aws_cognito_user_pool.CognitoUserPool.id
+    }
+
+    access_policies  = <<EOF
+    {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/OrganizationAccountAccessRole"
+            },
+            "Action": "es:*",
+            "Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2/*"
+        }
+    ]
+}
+EOF
+    encrypt_at_rest {
+        enabled = true
+        kms_key_id = data.aws_kms_key.es.arn
+    }
+    node_to_node_encryption {
+        enabled = true
+    }
+    advanced_options = {
+        "rest.action.multi.allow_explicit_index" = "true"
+    }
+    ebs_options {
+        ebs_enabled = true
+        volume_type = "gp2"
+        volume_size = 10
+    }
+}
+data "aws_kms_key" "es" {
+  key_id = "alias/aws/es"
+}
+
+resource "aws_cognito_identity_pool" "CognitoIdentityPool" {
+    identity_pool_name = "sondes"
+    allow_unauthenticated_identities = false
+
+    cognito_identity_providers {
+        client_id = aws_cognito_user_pool_client.CognitoUserPoolClient.id
+        provider_name = aws_cognito_user_pool.CognitoUserPool.endpoint
+        server_side_token_check = true
+    }
+}
+
+resource "aws_cognito_identity_pool_roles_attachment" "CognitoIdentityPoolRoleAttachment" {
+    identity_pool_id = aws_cognito_identity_pool.CognitoIdentityPool.id
+    roles = {
+        authenticated = aws_iam_role.IAMRole.arn
+        unauthenticated = aws_iam_role.IAMRole2.arn
+    }
+}
+
+resource "aws_cognito_user_pool" "CognitoUserPool" {
+    name = "sondes"
+    password_policy {
+        temporary_password_validity_days = 7
+        minimum_length = 8
+        require_lowercase = true
+        require_numbers = true
+        require_symbols = true
+        require_uppercase = true
+    }
+  
+    schema {
+        attribute_data_type = "String"
+        developer_only_attribute = false
+        mutable = true
+        name = "email"
+        string_attribute_constraints {
+            max_length = "2048"
+            min_length = "0"
+        }
+        required = true
+    }
+    username_configuration {
+        case_sensitive = false
+    }
+  
+    auto_verified_attributes = [
+        "email"
+    ]
+    alias_attributes = [
+        "email",
+        "preferred_username"
+    ]
+    sms_verification_message = "Your verification code is {####}. "
+    email_verification_message = "Your verification code is {####}. "
+    email_verification_subject = "Your verification code"
+    sms_authentication_message = "Your authentication code is {####}. "
+    mfa_configuration = "OFF"
+    device_configuration {
+        challenge_required_on_new_device = false
+        device_only_remembered_on_user_prompt = false
+    }
+    email_configuration {
+        
+    }
+    admin_create_user_config {
+        allow_admin_create_user_only = true
+        invite_message_template {
+            email_message = "Your username is {username} and temporary password is {####}. "
+            email_subject = "Your temporary password"
+            sms_message = "Your username is {username} and temporary password is {####}. "
+        }
+    }
+    account_recovery_setting {
+        recovery_mechanism {
+            name     = "admin_only"
+            priority = 1
+        }
+    }
+}
+
+resource "aws_cognito_user_pool_client" "CognitoUserPoolClient" {
+    user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
+    name = "AWSElasticsearch-sondes-v2-us-east-1-hiwdpmnjbuckpbwfhhx65mweee"
+    refresh_token_validity = 30
+    allowed_oauth_flows                  = [ "code" ]
+    allowed_oauth_flows_user_pool_client = true
+    allowed_oauth_scopes = ["email", "openid", "phone", "profile"]
+    callback_urls = ["https://es.${local.domain_name}/_plugin/kibana/app/kibana"]
+    logout_urls = ["https://es.${local.domain_name}/_plugin/kibana/app/kibana"]
+    supported_identity_providers = ["COGNITO"]
+}
\ No newline at end of file
diff --git a/sonde-api-to-iot-core/lambda_function.py b/sonde-api-to-iot-core/lambda_function.py
new file mode 100644
index 0000000..0e9d4c0
--- /dev/null
+++ b/sonde-api-to-iot-core/lambda_function.py
@@ -0,0 +1,104 @@
+import json
+import boto3
+import zlib
+import base64
+import datetime
+import functools
+from aws_xray_sdk.core import xray_recorder
+from aws_xray_sdk.core import patch_all
+from awscrt import io, mqtt, auth, http
+from awsiot import mqtt_connection_builder
+import uuid
+import threading
+
+
+# this needs a bunch of refactor but the general approach is
+# connect to mqtt via websockets during init
+# if we detect that we are disconnected then reconnect
+# this is to make the lambda function nice and quick when during
+# peak load
+
+# todo
+# we should add some value checking
+# we typically perform version banning here based on user agent
+# xray doesn't know about mqtt, we should teach it
+# we should probably get sondehub v1 stuff in here as well
+# error handling - at the moment we bail on a single failure
+# report to the user what's happened
+# probably turn down logging since cloudwatch costs $$$
+# env variable some of this
+# work out how to have a dev env
+
+
+patch_all()
+
+
+event_loop_group = io.EventLoopGroup(1)
+host_resolver = io.DefaultHostResolver(event_loop_group)
+client_bootstrap = io.ClientBootstrap(event_loop_group, host_resolver)
+credentials_provider = auth.AwsCredentialsProvider.new_default_chain(client_bootstrap)
+
+io.init_logging(io.LogLevel.Info, 'stderr')
+
+session = boto3.session.Session()
+mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
+endpoint="a2sgq5szfqum7p-ats.iot.us-east-1.amazonaws.com",
+client_bootstrap=client_bootstrap,
+region="us-east-1",
+credentials_provider=credentials_provider,
+client_id=str(uuid.uuid4()),
+clean_session=False,
+keep_alive_secs=6)
+connect_future = mqtt_connection.connect()
+
+def lambda_handler(event, context):
+    global connect_future, mqtt_connection
+
+    # Future.result() waits until a result is available
+    connect_future.result()
+
+    print(json.dumps(event))
+    if "isBase64Encoded" in event and event["isBase64Encoded"] == True:
+        event["body"] = base64.b64decode(event["body"])
+    if "content-encoding" in event["headers"] and event["headers"]["content-encoding"] == "gzip":
+        event["body"] = zlib.decompress(event["body"], 16+zlib.MAX_WBITS)
+        
+    payloads = json.loads(event["body"])
+    
+    tasks = []
+    first = False
+    for payload in payloads:
+        if "user-agent" in event["headers"]:
+            event["time_server"] = datetime.datetime.now().isoformat()
+            payload["user-agent"] = event["headers"]["user-agent"]
+        payload["position"] = f'{payload["lat"]},{payload["lon"]}'
+    
+        (msg, x) = mqtt_connection.publish(
+            topic=f'sondes/{payload["serial"]}',
+            payload=json.dumps(payload),
+            qos=mqtt.QoS.AT_MOST_ONCE)
+        try:
+            msg.result()
+        except RuntimeError:
+            mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
+            endpoint="a2sgq5szfqum7p-ats.iot.us-east-1.amazonaws.com",
+            client_bootstrap=client_bootstrap,
+            region="us-east-1",
+            credentials_provider=credentials_provider,
+            client_id=str(uuid.uuid4()),
+            clean_session=False,
+            keep_alive_secs=6)
+            connect_future = mqtt_connection.connect()
+            connect_future.result()
+            (msg, x) = mqtt_connection.publish(
+            topic=f'sondes/{payload["serial"]}',
+            payload=json.dumps(payload),
+            qos=mqtt.QoS.AT_MOST_ONCE)
+            msg.result()
+    
+
+    return {
+        'statusCode': 200,
+        'body': "^v^ telm logged"
+    }
+