ExternalVendorCode/sondehub-infra
1
0
Fork 0
mirror of https://github.com/projecthorus/sondehub-infra.git synced 2025-02-20 17:12:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add a signed websocket url generator

Browse Source
This commit is contained in:
Michaela 2021-02-01 16:08:59 +10:00
parent 5ad39c38cd
commit f4c92f6599
3 changed files with 548 additions and 311 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

670
main.tf
View File

@ -1,27 +1,28 @@
# add sns / sqs
terraform {
backend "s3" {
bucket = "sondehub-terraform"
key = "sondehub-main"
region = "us-east-1"
bucket = "sondehub-terraform"
key = "sondehub-main"
region = "us-east-1"
profile = "sondes"
}
}
provider "aws" {
region = "us-east-1"
profile = "sondes"
region = "us-east-1"
profile = "sondes"
}
locals {
domain_name = "v2.sondehub.org"
domain_name = "v2.sondehub.org"
}
data "aws_caller_identity" "current" {}
data "aws_iot_endpoint" "endpoint" {}
resource "aws_iam_role" "IAMRole" {
path = "/"
name = "Cognito_sondesAuth_Role"
assume_role_policy = <<EOF
path = "/"
name = "Cognito_sondesAuth_Role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
@ -41,13 +42,13 @@ resource "aws_iam_role" "IAMRole" {
}]
}
EOF
max_session_duration = 3600
max_session_duration = 3600
}
resource "aws_iam_role" "IAMRole2" {
path = "/"
name = "Cognito_sondesUnauth_Role"
assume_role_policy = <<EOF
path = "/"
name = "Cognito_sondesUnauth_Role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
@ -67,14 +68,14 @@ resource "aws_iam_role" "IAMRole2" {
}]
}
EOF
max_session_duration = 3600
max_session_duration = 3600
}
resource "aws_iam_role" "IAMRole3" {
path = "/service-role/"
name = "CognitoAccessForAmazonES"
assume_role_policy = <<EOF
{
path = "/service-role/"
name = "CognitoAccessForAmazonES"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
@ -85,14 +86,14 @@ resource "aws_iam_role" "IAMRole3" {
}]
}
EOF
max_session_duration = 3600
max_session_duration = 3600
}
resource "aws_iam_role" "IAMRole4" {
path = "/service-role/"
name = "iot-es"
assume_role_policy = <<EOF
{
path = "/service-role/"
name = "iot-es"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
@ -103,14 +104,14 @@ resource "aws_iam_role" "IAMRole4" {
}]
}
EOF
max_session_duration = 3600
max_session_duration = 3600
}
resource "aws_iam_role" "IAMRole5" {
path = "/service-role/"
name = "sonde-api-to-iot-core-role-z9zes3f5"
assume_role_policy = <<EOF
{
path = "/service-role/"
name = "sonde-api-to-iot-core-role-z9zes3f5"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
@ -121,22 +122,39 @@ resource "aws_iam_role" "IAMRole5" {
}]
}
EOF
max_session_duration = 3600
max_session_duration = 3600
}
resource "aws_iam_role" "sign_socket" {
name = "sign_socket"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
max_session_duration = 3600
}
resource "aws_iam_service_linked_role" "IAMServiceLinkedRole" {
aws_service_name = "es.amazonaws.com"
aws_service_name = "es.amazonaws.com"
}
resource "aws_iam_service_linked_role" "IAMServiceLinkedRole3" {
aws_service_name = "ops.apigateway.amazonaws.com"
description = "The Service Linked Role is used by Amazon API Gateway."
aws_service_name = "ops.apigateway.amazonaws.com"
description = "The Service Linked Role is used by Amazon API Gateway."
}
resource "aws_iam_policy" "IAMManagedPolicy" {
name = "AWSLambdaBasicExecutionRole-01b38736-6769-4407-9515-93d653f4db5f"
path = "/service-role/"
policy = <<EOF
name = "AWSLambdaBasicExecutionRole-01b38736-6769-4407-9515-93d653f4db5f"
path = "/service-role/"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
@ -161,9 +179,9 @@ EOF
}
resource "aws_iam_policy" "IAMManagedPolicy2" {
name = "aws-iot-role-es_795847808"
path = "/service-role/"
policy = <<EOF
name = "aws-iot-role-es_795847808"
path = "/service-role/"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": {
@ -178,9 +196,9 @@ EOF
}
resource "aws_iam_policy" "IAMManagedPolicy4" {
name = "AWSLambdaTracerAccessExecutionRole-56cd4e03-902a-4a40-9cd9-c9449709d80d"
path = "/service-role/"
policy = <<EOF
name = "AWSLambdaTracerAccessExecutionRole-56cd4e03-902a-4a40-9cd9-c9449709d80d"
path = "/service-role/"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": {
@ -198,28 +216,28 @@ EOF
}
resource "aws_iam_role_policy" "IAMPolicy" {
policy = <<EOF
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:143841941773:domain/sondes-v2"
"Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2"
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:143841941773:domain/sondes-v2/*"
"Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2/*"
}
]
}
EOF
role = aws_iam_role.IAMRole.name
role = aws_iam_role.IAMRole.name
}
resource "aws_iam_role_policy" "IAMPolicy2" {
policy = <<EOF
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
@ -236,11 +254,11 @@ resource "aws_iam_role_policy" "IAMPolicy2" {
]
}
EOF
role = aws_iam_role.IAMRole2.name
role = aws_iam_role.IAMRole2.name
}
resource "aws_iam_role_policy" "IAMPolicy3" {
policy = <<EOF
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
@ -258,11 +276,11 @@ resource "aws_iam_role_policy" "IAMPolicy3" {
]
}
EOF
role = aws_iam_role.IAMRole.name
role = aws_iam_role.IAMRole.name
}
resource "aws_iam_role_policy" "IAMPolicy4" {
policy = <<EOF
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
@ -275,21 +293,47 @@ resource "aws_iam_role_policy" "IAMPolicy4" {
]
}
EOF
role = aws_iam_role.IAMRole5.name
role = aws_iam_role.IAMRole5.name
}
resource "aws_iam_role_policy" "sign_socket" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:aws:iot:us-east-1:${data.aws_caller_identity.current.account_id}:topicfilter/sondes/*"
},
{
"Effect": "Allow",
"Action": "iot:Receive",
"Resource": "arn:aws:iot:us-east-1:${data.aws_caller_identity.current.account_id}:topic/sondes/*"
}
]
}
EOF
role = aws_iam_role.sign_socket.name
}
resource "aws_route53_zone" "Route53HostedZone" {
name = "${local.domain_name}."
name = "${local.domain_name}."
}
resource "aws_route53_record" "Route53RecordSet" {
name = ""
type = "A"
ttl = 300
records = [
"127.0.0.1"
]
zone_id = aws_route53_zone.Route53HostedZone.zone_id
name = ""
type = "A"
ttl = 300
records = [
"127.0.0.1"
]
zone_id = aws_route53_zone.Route53HostedZone.zone_id
}
resource "aws_route53_record" "cert_validation" {
@ -314,40 +358,40 @@ resource "aws_acm_certificate_validation" "CertificateManagerCertificate" {
}
resource "aws_route53_record" "Route53RecordSet5" {
name = "api"
type = "CNAME"
ttl = 60
records = [
"${aws_apigatewayv2_domain_name.ApiGatewayV2DomainName.domain_name_configuration.0.target_domain_name}."
]
zone_id = aws_route53_zone.Route53HostedZone.zone_id
name = "api"
type = "CNAME"
ttl = 60
records = [
"${aws_apigatewayv2_domain_name.ApiGatewayV2DomainName.domain_name_configuration.0.target_domain_name}."
]
zone_id = aws_route53_zone.Route53HostedZone.zone_id
}
resource "aws_cognito_user_pool_domain" "main" {
domain = "auth.${local.domain_name}"
user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
domain = "auth.${local.domain_name}"
user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
certificate_arn = aws_acm_certificate_validation.CertificateManagerCertificate.certificate_arn
}
resource "aws_route53_record" "Route53RecordSet6" {
name = "auth"
type = "A"
alias {
name = "${aws_cognito_user_pool_domain.main.cloudfront_distribution_arn}."
zone_id = "Z2FDTNDATAQYW2"
evaluate_target_health = false
}
zone_id = aws_route53_zone.Route53HostedZone.zone_id
name = "auth"
type = "A"
alias {
name = "${aws_cognito_user_pool_domain.main.cloudfront_distribution_arn}."
zone_id = "Z2FDTNDATAQYW2"
evaluate_target_health = false
}
zone_id = aws_route53_zone.Route53HostedZone.zone_id
}
resource "aws_route53_record" "Route53RecordSet7" {
name = "es"
type = "CNAME"
ttl = 300
records = [
aws_elasticsearch_domain.ElasticsearchDomain.endpoint
]
zone_id = aws_route53_zone.Route53HostedZone.zone_id
name = "es"
type = "CNAME"
ttl = 300
records = [
aws_elasticsearch_domain.ElasticsearchDomain.endpoint
]
zone_id = aws_route53_zone.Route53HostedZone.zone_id
}
data "archive_file" "api_to_iot" {
@ -356,157 +400,219 @@ data "archive_file" "api_to_iot" {
output_path = "${path.module}/build/sonde-api-to-iot-core.zip"
}
data "archive_file" "sign_socket" {
type = "zip"
source_file = "sign-websocket/lambda_function.py"
output_path = "${path.module}/build/sign_socket.zip"
}
resource "aws_lambda_function" "LambdaFunction" {
function_name = "sonde-api-to-iot-core"
handler = "lambda_function.lambda_handler"
filename = "${path.module}/build/sonde-api-to-iot-core.zip"
source_code_hash = data.archive_file.api_to_iot.output_base64sha256
publish = true
memory_size = 256
role = aws_iam_role.IAMRole5.arn
runtime = "python3.7"
timeout = 10
tracing_config {
mode = "Active"
function_name = "sonde-api-to-iot-core"
handler = "lambda_function.lambda_handler"
filename = "${path.module}/build/sonde-api-to-iot-core.zip"
source_code_hash = data.archive_file.api_to_iot.output_base64sha256
publish = true
memory_size = 256
role = aws_iam_role.IAMRole5.arn
runtime = "python3.7"
timeout = 10
tracing_config {
mode = "Active"
}
environment {
variables = {
"IOT_ENDPOINT" = data.aws_iot_endpoint.endpoint.endpoint_address
}
layers = [
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:xray-python:1",
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:iot:3"
]
}
layers = [
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:xray-python:1",
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:iot:3"
]
}
resource "aws_lambda_function" "sign_socket" {
function_name = "sign-websocket"
handler = "lambda_function.lambda_handler"
filename = "${path.module}/build/sign_socket.zip"
source_code_hash = data.archive_file.sign_socket.output_base64sha256
publish = true
memory_size = 128
role = aws_iam_role.sign_socket.arn
runtime = "python3.7"
timeout = 10
tracing_config {
mode = "Active"
}
environment {
variables = {
"IOT_ENDPOINT" = data.aws_iot_endpoint.endpoint.endpoint_address
}
}
layers = [
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:xray-python:1",
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:iot:3"
]
}
resource "aws_lambda_permission" "sign_socket" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.sign_socket.arn
principal = "apigateway.amazonaws.com"
source_arn = "arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:r03szwwq41/*/*/sondes/websocket"
}
resource "aws_lambda_permission" "LambdaPermission2" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.LambdaFunction.arn
principal = "apigateway.amazonaws.com"
source_arn = "arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:r03szwwq41/*/*/sondes/telemetry"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.LambdaFunction.arn
principal = "apigateway.amazonaws.com"
source_arn = "arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:r03szwwq41/*/*/sondes/telemetry"
}
resource "aws_lambda_layer_version" "LambdaLayerVersion2" {
compatible_runtimes = [
"python3.8"
]
layer_name = "iot"
s3_bucket = "sondehub-lambda-layers"
s3_key = "iot.zip"
source_code_hash = "sHyE9vXk+BzFphPe8evfiL79fcxsSEYVfpbTVi2IwH0="
compatible_runtimes = [
"python3.8"
]
layer_name = "iot"
s3_bucket = "sondehub-lambda-layers"
s3_key = "iot.zip"
source_code_hash = "sHyE9vXk+BzFphPe8evfiL79fcxsSEYVfpbTVi2IwH0="
}
resource "aws_lambda_layer_version" "LambdaLayerVersion4" {
compatible_runtimes = [
"python3.8"
]
layer_name = "xray-python"
s3_bucket = "sondehub-lambda-layers"
s3_key = "xray-python.zip"
source_code_hash = "ta4o2brS2ZRAeWhZjqrm6MhOc3RlYNgkOuD4dxSonEc="
compatible_runtimes = [
"python3.8"
]
layer_name = "xray-python"
s3_bucket = "sondehub-lambda-layers"
s3_key = "xray-python.zip"
source_code_hash = "ta4o2brS2ZRAeWhZjqrm6MhOc3RlYNgkOuD4dxSonEc="
}
resource "aws_s3_bucket" "S3Bucket" {
bucket = "sondehub-lambda-layers"
bucket = "sondehub-lambda-layers"
}
resource "aws_cloudwatch_log_group" "LogsLogGroup" {
name = "/aws/lambda/sonde-api-to-iot-core"
name = "/aws/lambda/sonde-api-to-iot-core"
}
resource "aws_apigatewayv2_api" "ApiGatewayV2Api" {
name = "sondehub-v2"
disable_execute_api_endpoint = true
api_key_selection_expression = "$request.header.x-api-key"
protocol_type = "HTTP"
route_selection_expression = "$request.method $request.path"
name = "sondehub-v2"
disable_execute_api_endpoint = true
api_key_selection_expression = "$request.header.x-api-key"
protocol_type = "HTTP"
route_selection_expression = "$request.method $request.path"
}
resource "aws_apigatewayv2_stage" "ApiGatewayV2Stage" {
name = "$default"
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
deployment_id = aws_apigatewayv2_deployment.ApiGatewayV2Deployment3.id
default_route_settings {
detailed_metrics_enabled = false
}
auto_deploy = true
name = "$default"
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
default_route_settings {
detailed_metrics_enabled = false
}
auto_deploy = true
lifecycle {
ignore_changes = ["deployment_id"]
}
}
resource "aws_apigatewayv2_stage" "ApiGatewayV2Stage2" {
name = "prod"
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
deployment_id = aws_apigatewayv2_deployment.ApiGatewayV2Deployment4.id
default_route_settings {
detailed_metrics_enabled = false
}
name = "prod"
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
deployment_id = aws_apigatewayv2_deployment.ApiGatewayV2Deployment4.id
default_route_settings {
detailed_metrics_enabled = false
}
}
resource "aws_apigatewayv2_deployment" "ApiGatewayV2Deployment3" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
}
resource "aws_apigatewayv2_deployment" "ApiGatewayV2Deployment4" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
}
resource "aws_apigatewayv2_route" "ApiGatewayV2Route" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
api_key_required = false
authorization_type = "NONE"
route_key = "PUT /sondes/telemetry"
target = "integrations/${aws_apigatewayv2_integration.ApiGatewayV2Integration.id}"
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
api_key_required = false
authorization_type = "NONE"
route_key = "PUT /sondes/telemetry"
target = "integrations/${aws_apigatewayv2_integration.ApiGatewayV2Integration.id}"
}
resource "aws_apigatewayv2_route" "sign_socket" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
api_key_required = false
authorization_type = "NONE"
route_key = "GET /sondes/websocket"
target = "integrations/${aws_apigatewayv2_integration.sign_socket.id}"
}
resource "aws_apigatewayv2_integration" "sign_socket" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
connection_type = "INTERNET"
integration_method = "POST"
integration_type = "AWS_PROXY"
integration_uri = aws_lambda_function.sign_socket.arn
timeout_milliseconds = 30000
payload_format_version = "2.0"
}
resource "aws_apigatewayv2_integration" "ApiGatewayV2Integration" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
connection_type = "INTERNET"
integration_method = "POST"
integration_type = "AWS_PROXY"
integration_uri = aws_lambda_function.LambdaFunction.arn
timeout_milliseconds = 30000
payload_format_version = "2.0"
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
connection_type = "INTERNET"
integration_method = "POST"
integration_type = "AWS_PROXY"
integration_uri = aws_lambda_function.LambdaFunction.arn
timeout_milliseconds = 30000
payload_format_version = "2.0"
}
resource "aws_apigatewayv2_api_mapping" "ApiGatewayV2ApiMapping" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
domain_name = aws_apigatewayv2_domain_name.ApiGatewayV2DomainName.id
stage = "$default"
api_mapping_key = ""
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
domain_name = aws_apigatewayv2_domain_name.ApiGatewayV2DomainName.id
stage = "$default"
api_mapping_key = ""
}
resource "aws_apigatewayv2_domain_name" "ApiGatewayV2DomainName" {
domain_name = "api.${local.domain_name}"
domain_name_configuration {
certificate_arn = aws_acm_certificate_validation.CertificateManagerCertificate.certificate_arn
endpoint_type = "REGIONAL"
security_policy = "TLS_1_2"
}
domain_name = "api.${local.domain_name}"
domain_name_configuration {
certificate_arn = aws_acm_certificate_validation.CertificateManagerCertificate.certificate_arn
endpoint_type = "REGIONAL"
security_policy = "TLS_1_2"
}
}
resource "aws_acm_certificate" "CertificateManagerCertificate" {
domain_name = local.domain_name
subject_alternative_names = [
"*.${local.domain_name}"
]
validation_method = "DNS"
domain_name = local.domain_name
subject_alternative_names = [
"*.${local.domain_name}"
]
validation_method = "DNS"
}
resource "aws_elasticsearch_domain" "ElasticsearchDomain" {
domain_name = "sondes-v2"
elasticsearch_version = "7.9"
cluster_config {
dedicated_master_count = 3
dedicated_master_enabled = false
dedicated_master_type = "t3.small.elasticsearch"
instance_count = 2
instance_type = "m5.large.elasticsearch"
zone_awareness_enabled = true
}
cognito_options {
enabled = true
identity_pool_id = aws_cognito_identity_pool.CognitoIdentityPool.id
role_arn = aws_iam_role.IAMRole3.arn
user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
}
domain_name = "sondes-v2"
elasticsearch_version = "7.9"
cluster_config {
dedicated_master_count = 3
dedicated_master_enabled = false
dedicated_master_type = "t3.small.elasticsearch"
instance_count = 2
instance_type = "m5.large.elasticsearch"
zone_awareness_enabled = true
}
cognito_options {
enabled = true
identity_pool_id = aws_cognito_identity_pool.CognitoIdentityPool.id
role_arn = aws_iam_role.IAMRole3.arn
user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
}
access_policies = <<EOF
access_policies = <<EOF
{
"Version": "2012-10-17",
"Statement": [
@ -521,122 +627,122 @@ resource "aws_elasticsearch_domain" "ElasticsearchDomain" {
]
}
EOF
encrypt_at_rest {
enabled = true
kms_key_id = data.aws_kms_key.es.arn
}
node_to_node_encryption {
enabled = true
}
advanced_options = {
"rest.action.multi.allow_explicit_index" = "true"
}
ebs_options {
ebs_enabled = true
volume_type = "gp2"
volume_size = 10
}
encrypt_at_rest {
enabled = true
kms_key_id = data.aws_kms_key.es.arn
}
node_to_node_encryption {
enabled = true
}
advanced_options = {
"rest.action.multi.allow_explicit_index" = "true"
}
ebs_options {
ebs_enabled = true
volume_type = "gp2"
volume_size = 10
}
}
data "aws_kms_key" "es" {
key_id = "alias/aws/es"
}
resource "aws_cognito_identity_pool" "CognitoIdentityPool" {
identity_pool_name = "sondes"
allow_unauthenticated_identities = true
supported_login_providers = {
"accounts.google.com" = "575970424139-vkk7scicbdd1igj04riqjh2bbs0oa6vj.apps.googleusercontent.com"
}
cognito_identity_providers {
client_id = aws_cognito_user_pool_client.CognitoUserPoolClient.id
provider_name = aws_cognito_user_pool.CognitoUserPool.endpoint
server_side_token_check = false
}
identity_pool_name = "sondes"
allow_unauthenticated_identities = true
supported_login_providers = {
"accounts.google.com" = "575970424139-vkk7scicbdd1igj04riqjh2bbs0oa6vj.apps.googleusercontent.com"
}
cognito_identity_providers {
client_id = aws_cognito_user_pool_client.CognitoUserPoolClient.id
provider_name = aws_cognito_user_pool.CognitoUserPool.endpoint
server_side_token_check = false
}
}
resource "aws_cognito_identity_pool_roles_attachment" "CognitoIdentityPoolRoleAttachment" {
identity_pool_id = aws_cognito_identity_pool.CognitoIdentityPool.id
roles = {
authenticated = aws_iam_role.IAMRole.arn
unauthenticated = aws_iam_role.IAMRole2.arn
}
role_mapping {
ambiguous_role_resolution = "AuthenticatedRole"
identity_provider = "cognito-idp.us-east-1.amazonaws.com/us-east-1_G4H7NMniM:5sngha3l291nb4784iid5hli48"
type = "Token"
}
identity_pool_id = aws_cognito_identity_pool.CognitoIdentityPool.id
roles = {
authenticated = aws_iam_role.IAMRole.arn
unauthenticated = aws_iam_role.IAMRole2.arn
}
role_mapping {
ambiguous_role_resolution = "AuthenticatedRole"
identity_provider = "cognito-idp.us-east-1.amazonaws.com/us-east-1_G4H7NMniM:5sngha3l291nb4784iid5hli48"
type = "Token"
}
}
resource "aws_cognito_user_pool" "CognitoUserPool" {
name = "sondes"
password_policy {
temporary_password_validity_days = 7
minimum_length = 8
require_lowercase = true
require_numbers = true
require_symbols = true
require_uppercase = true
name = "sondes"
password_policy {
temporary_password_validity_days = 7
minimum_length = 8
require_lowercase = true
require_numbers = true
require_symbols = true
require_uppercase = true
}
schema {
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
name = "email"
string_attribute_constraints {
max_length = "2048"
min_length = "0"
}
schema {
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
name = "email"
string_attribute_constraints {
max_length = "2048"
min_length = "0"
}
required = true
required = true
}
username_configuration {
case_sensitive = false
}
auto_verified_attributes = [
"email"
]
alias_attributes = [
"email",
"preferred_username"
]
sms_verification_message = "Your verification code is {####}. "
email_verification_message = "Your verification code is {####}. "
email_verification_subject = "Your verification code"
sms_authentication_message = "Your authentication code is {####}. "
mfa_configuration = "OFF"
device_configuration {
challenge_required_on_new_device = false
device_only_remembered_on_user_prompt = false
}
email_configuration {
}
admin_create_user_config {
allow_admin_create_user_only = false
invite_message_template {
email_message = "Your username is {username} and temporary password is {####}. "
email_subject = "Your temporary password"
sms_message = "Your username is {username} and temporary password is {####}. "
}
username_configuration {
case_sensitive = false
}
auto_verified_attributes = [
"email"
]
alias_attributes = [
"email",
"preferred_username"
]
sms_verification_message = "Your verification code is {####}. "
email_verification_message = "Your verification code is {####}. "
email_verification_subject = "Your verification code"
sms_authentication_message = "Your authentication code is {####}. "
mfa_configuration = "OFF"
device_configuration {
challenge_required_on_new_device = false
device_only_remembered_on_user_prompt = false
}
email_configuration {
}
admin_create_user_config {
allow_admin_create_user_only = false
invite_message_template {
email_message = "Your username is {username} and temporary password is {####}. "
email_subject = "Your temporary password"
sms_message = "Your username is {username} and temporary password is {####}. "
}
}
account_recovery_setting {
recovery_mechanism {
name = "verified_email"
priority = 1
}
}
account_recovery_setting {
recovery_mechanism {
name = "verified_email"
priority = 1
}
}
}
resource "aws_cognito_user_pool_client" "CognitoUserPoolClient" {
user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
name = "AWSElasticsearch-sondes-v2-us-east-1-hiwdpmnjbuckpbwfhhx65mweee"
refresh_token_validity = 30
allowed_oauth_flows = [ "code" ]
allowed_oauth_flows_user_pool_client = true
allowed_oauth_scopes = ["email", "openid", "phone", "profile"]
callback_urls = ["https://es.${local.domain_name}/_plugin/kibana/app/kibana"]
logout_urls = ["https://es.${local.domain_name}/_plugin/kibana/app/kibana"]
supported_identity_providers = ["COGNITO", "Google"]
explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"]
user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
name = "AWSElasticsearch-sondes-v2-us-east-1-hiwdpmnjbuckpbwfhhx65mweee"
refresh_token_validity = 30
allowed_oauth_flows = ["code"]
allowed_oauth_flows_user_pool_client = true
allowed_oauth_scopes = ["email", "openid", "phone", "profile"]
callback_urls = ["https://es.${local.domain_name}/_plugin/kibana/app/kibana"]
logout_urls = ["https://es.${local.domain_name}/_plugin/kibana/app/kibana"]
supported_identity_providers = ["COGNITO", "Google"]
explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"]
}

118
sign-websocket/lambda_function.py Normal file
View File

@ -0,0 +1,118 @@
import boto3
import time
import uuid
import urllib.parse
import hmac, datetime, hashlib
import os
#todo this will need an iam role that has iot connection privs
def aws_sign(key, msg):
return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
def aws_getSignatureKey(key, dateStamp, regionName, serviceName):
kDate = aws_sign(("AWS4" + key).encode("utf-8"), dateStamp)
kRegion = aws_sign(kDate, regionName)
kService = aws_sign(kRegion, serviceName)
kSigning = aws_sign(kService, "aws4_request")
return kSigning
def aws_presign(
access_key=None,
secret_key=None,
session_token=None,
host=None,
region=None,
method=None,
protocol=None,
uri=None,
service=None,
expires=3600,
payload_hash=None,
):
# method=GET, protocol=wss, uri=/mqtt service=iotdevicegateway
assert 604800 >= expires >= 1, "Invalid expire time 604800 >= %s >= 1" % expires
# Date stuff, first is datetime, second is just date.
t = datetime.datetime.utcnow()
date_time = t.strftime("%Y%m%dT%H%M%SZ")
date = t.strftime("%Y%m%d")
# Signing algorithm used
algorithm = "AWS4-HMAC-SHA256"
# Scope of credentials, date + region (eu-west-1) + service (iot gateway hostname) + signature version
credential_scope = date + "/" + region + "/" + service + "/" + "aws4_request"
# Start building the query-string
canonical_querystring = "X-Amz-Algorithm=" + algorithm
canonical_querystring += "&X-Amz-Credential=" + urllib.parse.quote_plus(
access_key + "/" + credential_scope
)
canonical_querystring += "&X-Amz-Date=" + date_time
canonical_querystring += "&X-Amz-Expires=" + str(expires)
canonical_querystring += "&X-Amz-SignedHeaders=host"
if payload_hash is None:
if service == "iotdevicegateway":
payload_hash = hashlib.sha256(b"").hexdigest()
else:
payload_hash = "UNSIGNED-PAYLOAD"
canonical_headers = "host:" + host + "\n"
canonical_request = (
method
+ "\n"
+ uri
+ "\n"
+ canonical_querystring
+ "\n"
+ canonical_headers
+ "\nhost\n"
+ payload_hash
)
string_to_sign = (
algorithm
+ "\n"
+ date_time
+ "\n"
+ credential_scope
+ "\n"
+ hashlib.sha256(canonical_request.encode()).hexdigest()
)
signing_key = aws_getSignatureKey(secret_key, date, region, service)
signature = hmac.new(
signing_key, string_to_sign.encode("utf-8"), hashlib.sha256
).hexdigest()
canonical_querystring += "&X-Amz-Signature=" + signature
if session_token:
canonical_querystring += "&X-Amz-Security-Token=" + urllib.parse.quote(
session_token
)
return protocol + "://" + host + uri + "?" + canonical_querystring
def lambda_handler(event, context):
#get aws creds
session = boto3.Session()
credentials = session.get_credentials()
current_credentials = credentials.get_frozen_credentials()
url = aws_presign(
access_key=current_credentials.access_key,
secret_key=current_credentials.secret_key,
session_token=current_credentials.token,
method="GET",
protocol="wss",
uri="/mqtt",
service="iotdevicegateway",
host=os.getenv("IOT_ENDPOINT"),
region=session.region_name,
)
return {"statusCode": 200, "body": url}
if __name__ == "__main__":
print(lambda_handler({}, {}))

71
sonde-api-to-iot-core/lambda_function.py
View File

@ -12,6 +12,7 @@ from awsiot import mqtt_connection_builder
import uuid
import threading
from email.utils import parsedate
import os
# this needs a bunch of refactor but the general approach is
# connect to mqtt via websockets during init
@ -38,29 +39,33 @@ event_loop_group = io.EventLoopGroup(1)
host_resolver = io.DefaultHostResolver(event_loop_group)
io.init_logging(io.LogLevel.Error, 'stderr')
io.init_logging(io.LogLevel.Error, "stderr")
def connect():
global connect_future, mqtt_connection
session = boto3.session.Session()
client_bootstrap = io.ClientBootstrap(event_loop_group, host_resolver)
credentials_provider = auth.AwsCredentialsProvider.new_default_chain(client_bootstrap)
credentials_provider = auth.AwsCredentialsProvider.new_default_chain(
client_bootstrap
)
mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
endpoint="a2sgq5szfqum7p-ats.iot.us-east-1.amazonaws.com",
client_bootstrap=client_bootstrap,
region="us-east-1",
credentials_provider=credentials_provider,
client_id=str(uuid.uuid4()),
clean_session=False,
keep_alive_secs=6)
endpoint=os.getenv("IOT_ENDPOINT"),
client_bootstrap=client_bootstrap,
region="us-east-1",
credentials_provider=credentials_provider,
client_id=str(uuid.uuid4()),
clean_session=False,
keep_alive_secs=6,
)
connect_future = mqtt_connection.connect()
connect_future.result()
connect()
def lambda_handler(event, context):
# Future.result() waits until a result is available
try:
@ -71,17 +76,23 @@ def lambda_handler(event, context):
print(json.dumps(event))
if "isBase64Encoded" in event and event["isBase64Encoded"] == True:
event["body"] = base64.b64decode(event["body"])
if "content-encoding" in event["headers"] and event["headers"]["content-encoding"] == "gzip":
event["body"] = zlib.decompress(event["body"], 16+zlib.MAX_WBITS)
if (
"content-encoding" in event["headers"]
and event["headers"]["content-encoding"] == "gzip"
):
event["body"] = zlib.decompress(event["body"], 16 + zlib.MAX_WBITS)
time_delta = None
if "date" in event["headers"]:
try:
time_delta_header = event["headers"]["date"]
time_delta = (datetime.datetime(*parsedate(time_delta_header)[:7]) - datetime.datetime.utcnow()).total_seconds()
time_delta = (
datetime.datetime(*parsedate(time_delta_header)[:7])
- datetime.datetime.utcnow()
).total_seconds()
except:
pass
payloads = json.loads(event["body"])
tasks = []
first = False
for payload in payloads:
@ -95,26 +106,28 @@ def lambda_handler(event, context):
if not payload["uploader_position"]:
payload.pop("uploader_position")
else:
(payload["uploader_alt"], payload["uploader_position"]) = payload["uploader_position"][2], f"{payload['uploader_position'][0]},{payload['uploader_position'][1]}"
(payload["uploader_alt"], payload["uploader_position"]) = (
payload["uploader_position"][2],
f"{payload['uploader_position'][0]},{payload['uploader_position'][1]}",
)
(msg, x) = mqtt_connection.publish(
topic=f'sondes/{payload["serial"]}',
payload=json.dumps(payload),
qos=mqtt.QoS.AT_MOST_ONCE)
qos=mqtt.QoS.AT_MOST_ONCE,
)
try:
msg.result()
except (RuntimeError, AwsCrtError):
connect()
(msg, x) = mqtt_connection.publish(
topic=f'sondes/{payload["serial"]}',
payload=json.dumps(payload),
qos=mqtt.QoS.AT_MOST_ONCE)
topic=f'sondes/{payload["serial"]}',
payload=json.dumps(payload),
qos=mqtt.QoS.AT_MOST_ONCE,
)
msg.result()
return {
'statusCode': 200,
'body': "^v^ telm logged"
}
return {"statusCode": 200, "body": "^v^ telm logged"}
if __name__ == "__main__":
payload = {
@ -134,7 +147,7 @@ if __name__ == "__main__":
"x-forwarded-for": "103.107.130.22",
"x-forwarded-port": "443",
"x-forwarded-proto": "https",
"date": "Sun, 31 Jan 2021 00:21:45 GMT"
"date": "Sun, 31 Jan 2021 00:21:45 GMT",
},
"requestContext": {
"accountId": "143841941773",
@ -146,15 +159,15 @@ if __name__ == "__main__":
"path": "/sondes/telemetry",
"protocol": "HTTP/1.1",
"sourceIp": "103.107.130.22",
"userAgent": "autorx-1.4.1-beta4"
"userAgent": "autorx-1.4.1-beta4",
},
"requestId": "Z_NJvh0RoAMEJaw=",
"routeKey": "PUT /sondes/telemetry",
"stage": "$default",
"time": "31/Jan/2021:00:10:25 +0000",
"timeEpoch": 1612051825409
"timeEpoch": 1612051825409,
},
"body": "H4sIAHD1FWAC/8WbX2/byBXFv0rg5/Vg7v87eduHYh8LJNui2KIwlFjZGHDsVJbTLop+996hszVHXpECKI7hJ1GURiR/vnPOmTt//8/Fw+OH/W9ftxdv31y8e89w+f6nix/eXOy3X77GoUvDVOLll83d46fNx/3jbrurZ/51c/Owud3UMx+2u5vNbT34HpAyKNSjt5t9/ThxMs/OceTTbvOljsLKVj92V78IOEG8+La9vfpW30uGkOvZ15v9dn8zfOACM8JlhkuCn3N+C/lt5pQz5Jx/qUN92OzrWJiGr73/tP/XZre9unsa7WK3ub65f7i/u95ebR7391e7f18MP2b7z8ft3cff6qAZkuT6Mz5v4+S7X+OYSyoqWr/x8+OXm+ubfT3Tk8aBzW0dDoyLpWwu/v0CPtejORURpTj0+PX2fnO93V193NzePtz8eld/zY/v/vTT1Y9/+fnPV+/+Nty8zf4hjtdxbu/rGUAlgZfSXMu37e7hZnj7AlLcscsP2/2Gh2t/3D3sr+qNqndTRUjqwxs9z+FhxvtXu+3H7c237fXLO5rLW/YU912h/HLx3x/e9IGCWij8GBSe4lYjzUIhq0OhiXPJ5RAKG0EhmVKxLDSGAhI+XcACJkoeBu7JRIwKQCKvx0R5ZsIbJiiRGJRZJvQPmfCzMuGifIiENEiU5BnxsE4UEF3KBEJfJiQHE04Mr8aE5GNMlFQgyvEsE7Z2nSg5sRr4JBQQaAoUaKFwRFgMBVFnKKK+ocSTOhUKOzsU8AwFDpP071BgEmHzWSi8AxQU8/oLKHgMBWIoipg9DiaPbAWXQsHSGQpMQKgsrwcFHlMUFrzSvMosqzMR0xiY6SET1DBR65UXbpmIp4plKRPSWWUK1d+tjKcyoWdngsZMeKMoOP79ZlVm1Oj1oWBGmYaCIGRHztbOHiI2TCiLoNDOMlPiW9lyplOhkHP7UeFnKKSBIlwgC8/KzPh/XFlmFklmBodMQMNESFF4AmesKNSGB7OICe+MhCQQRuSOSEiLhDwjYYlGSGgq7jw7eYQMWR8JRi0vIgocM8FRccPClXbyIAspspSJQZL0hEJTPDgi6AiFtlDoMSh4SE9wFgpaffIIaUMmk3WCPVm2gzIhmGFpQvGU3PVEwgIJx9ONxxmQ8BaJUZQZhq5JrbyIzk8dq0eZpcY4eRDDx5moFRcdxqlVSTEx0lI5AdDbd8SVGZeipzLBy5koLRM+ZmLsO6BO4jTPxOpJZgm7W1ym64TmhOrSMmEU9WUpE6idmQgn52Deceo4QKIcQ8KTepbZ0Ap0bSQgjqH44IAmmAgdKiZj3xGFjtmWhlZAPZmo7j4ncA+c+9WJQTE9Q6F5bDu08aI59O+8xrS1NSbkkLEiRSdFpoX9CbVeGiiIoggvhaJraFWhgBhVXE42HrQcijagUBhXCm6MB0fN1lkofP1KkWveizpZKSy8s/FBpYjJAxdXCuHOUGCKY+X0NY8zQNG6UcVjUIQADmDnK8X6UWZMayAEk6mVx5AAhg0TJX4WL2VCqTMT4atzMT959sjLmWjNqDZJprZNFApoc0xg7mBGTc18sk547TxQ54YJycSLJw/DzkzEt4LF32lMwBlWPA6ZOBpkhsOnImU2oUBYHYowNwh0sGJuw0Lx/6GIk0ifnNJIZpaSly6DgfeGYjDWRfVUKHA5FNZCIcegqKtPJc8qCsQOTDDyYaGwpttK43PsTZJZEokPfUOLkCi9kYipkjTu/KlIwHIk2tRKdYwEtamVUpnVE0irp9tcF7helokWiZA/XA4SiuIOS5nA3JuJeiXop/bf5TP01ZQ2otBRkknJ2haKKGHzZWL9JJMTm2WbZAJiyLCs2qZWhrqYCeitMb3Szcqvx4SP60RpzGgIt+HxTDMhHZhwwMPU6pAJC+/s1K540BmSTMTeXjRGFYWOTEBLxHOQGf5Bm6XyzEizjVaoHZwomTEcEjHu0tU6gRk5tkjE1crSBQ+kzplV/O6wv9mlHxK5hcLycSiETWebatA6lImiXnAaijCe8tT0P4Iii+JS24HcOd2uHWKWKXesE7lNtw2OLXmEbOenNbNpKHx1jQmpEM9AQcGwFm71BIdxWqwnunbfPbWkQAihUxut1mACjzFBdY8HzxeK9XPMuPmWdVpPMIToKGgNE8IkSzsoUHszEfNg+KxTV8vXYOJoR2ZJITfybGRFq+eYbuGKRWGaCU+Y2ds6kUNRL22+Q/POTISRK3El8npMNDmmNF7098bnaSagwwZBA+LpyEpqwiYibYyZwRYz4b3rhATdYJxPZcLPLjLl2NxhQ2Y1iwR2QCKTwAs5IQ0SlgpIaZc7yCkvXRbF0hsJDSQcvfRDogVCjwGBCUV4tqeGqMPmwO+txMeB0BjRm7gqSgQuXxJ9IqonD3UtmuPjp/JgZ+bBjvEQr7DML4gSr85DlKqC05m2Wt035QdLX7WRcikQ0BsIj/sO+fWA8GObAuu/peNsok3SQVkWIPBJB2pUUxRop4zamLnUgRL2jqpiVDSR0o2Iw0TbyniVg5uuCTHKs/klaQcHGhdSaJqJUnMpxdZt+FOn3iImeseXmKPexaj8SlXC89h/SuM/UVFn1zjIOiTaHFcCUy0TUQ/CWZC0mYTL8u3k1LsJE7/vbj3Zf+q5vYbDMSbqLlHP89LSO+wSrcvUNslEwbpaxN7mVLp4PyBJZymBcSGs2TtKiUMkms3kuSkTwjq/m5xKhzUOLPzSbrRIeG21Odjno8ulhPYmIvgXLIAdi0QbUjkdKxKYxGG+KZdzByKgiL3Y0pFHRFhtW6TcJBIlFV7uN6xzIIHxrSGA2AKJf/wPWvB/4NlMAAA=",
"isBase64Encoded": True
"isBase64Encoded": True,
}
lambda_handler(payload, {})
lambda_handler(payload, {})