in deployment/custom-deployment/lib/smart-product-jitr.ts [33:153]
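/**
 * Wires up the Just-In-Time-Registration (JITR) microservice: a Lambda invoked by an
 * IoT topic rule whenever a certificate is registered, plus the execution role it runs
 * under and the permissions that role needs.
 *
 * @param parent - enclosing CDK scope
 * @param name   - construct id; also seeds the Lambda function name
 * @param props  - solution-wide settings (MQTT topics, registration table, version, telemetry flags)
 */
constructor(parent: cdk.Construct, name: string, props: SmartProductJITRProps) {
  super(parent, name);

  //=============================================================================================
  // Resources
  //=============================================================================================
  // Execution role. No managed policy is attached; every permission is granted explicitly
  // below so the role holds nothing beyond what the handler needs.
  const jitrServiceRole = new iam.Role(this, 'ServiceRole', {
    assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
  });

  const jitrService = new lambda.CfnFunction(this, 'Service', {
    functionName: generateName(`${name}-Service`, 64),
    description: "Smart Product Solution Just-In-Time-Registration microservice",
    code: {
      // Read at synth time; if BUILD_OUTPUT_BUCKET is unset the template carries no bucket.
      s3Bucket: process.env.BUILD_OUTPUT_BUCKET,
      s3Key: `smart-product-solution/${props.solutionVersion}/smart-product-jitr-service.zip`
    },
    handler: 'index.handler',
    // NOTE(review): nodejs12.x is an end-of-life Lambda runtime. Upgrading requires the
    // bundled handler (not visible here) to be validated against the newer runtime first.
    runtime: 'nodejs12.x',
    role: jitrServiceRole.roleArn,
    timeout: 60,
    memorySize: 256,
    environment: {
      variables: {
        TELEMETRY_TOPIC: props.spTelemetryTopic,
        EVENT_TOPIC: props.spEventTopic,
        REGISTRATION_TBL: props.registrationTable.tableName,
        LOGGING_LEVEL: '2',
        solutionId: props.solutionId,
        solutionUuid: props.solutionUuid,
        anonymousData: props.anonymousData
      }
    }
  });

  // Topic rule that forwards every certificate-registered lifecycle event to the handler.
  // The rule name is a fixed literal, so only one instance of this construct can exist per
  // account/region. NOTE(review): these events are only published when IoT event messages
  // for certificates are enabled on the account — confirm that is configured elsewhere.
  const jitrRule = new iot.CfnTopicRule(this, 'Rule', {
    ruleName: "SmartProductJitrRule",
    topicRulePayload: {
      actions: [{
        lambda: {
          functionArn: jitrService.attrArn
        }
      }],
      description: 'Just in time registration (JITR) for Smart Product Solution.',
      ruleDisabled: false,
      sql: `SELECT * FROM '$aws/events/certificates/registered/#'`,
    }
  });

  //=============================================================================================
  // Permissions and Policies
  //=============================================================================================
  // JITR Log Policy: write access limited to this function's own log group.
  const jitrLogPolicy = new iam.Policy(this, 'jitrLogPolicy', {
    statements: [new iam.PolicyStatement({
      actions: [
        'logs:CreateLogGroup',
        'logs:CreateLogStream',
        'logs:PutLogEvents'
      ],
      resources: [
        `arn:${cdk.Aws.PARTITION}:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:log-group:/aws/lambda/${jitrService.functionName}:*`
      ]
    })]
  });
  const jitrLogPolicyResource = jitrLogPolicy.node.findChild('Resource') as iam.CfnPolicy;
  jitrLogPolicyResource.cfnOptions.metadata = {
    cfn_nag: {
      rules_to_suppress: [{
        id: 'W12',
        reason: `The * resource allows ${jitrServiceRole.roleName} to access its own logs.`
      }]
    }
  };
  jitrLogPolicy.attachToRole(jitrServiceRole);

  // Notification Dynamo Policy: read/update of the registration table and its deviceId index.
  const notificationDynamoPolicy = new iam.Policy(this, 'notificationDynamoPolicy', {
    statements: [new iam.PolicyStatement({
      actions: [
        'dynamodb:Query',
        'dynamodb:UpdateItem'
      ],
      resources: [
        `${props.registrationTable.tableArn}`,
        `${props.registrationTable.tableArn}/index/deviceId-index`
      ]
    })]
  });
  notificationDynamoPolicy.attachToRole(jitrServiceRole);

  // JITR IoT Policy: the handler activates the newly registered certificate and binds a
  // policy and a thing to it. Certificate, policy and thing ARNs are only known at
  // registration time, so a wildcard is unavoidable — but it is scoped to IoT resources in
  // this account and region (all five actions support resource-level ARNs of that form)
  // rather than a bare `*`, consistent with the log policy above.
  // NOTE(review): iot:AttachPrincipalPolicy is the legacy API superseded by iot:AttachPolicy;
  // keep this action list in step with whatever the bundled handler actually calls.
  const jitrIotPolicy = new iam.Policy(this, 'jitrIotPolicy', {
    statements: [new iam.PolicyStatement({
      actions: [
        'iot:UpdateCertificate',
        'iot:CreatePolicy',
        'iot:AttachPrincipalPolicy',
        'iot:DescribeCertificate',
        'iot:AttachThingPrincipal'
      ],
      resources: [`arn:${cdk.Aws.PARTITION}:iot:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:*`]
    })]
  });
  const jitrIotPolicyResource = jitrIotPolicy.node.findChild('Resource') as iam.CfnPolicy;
  jitrIotPolicyResource.cfnOptions.metadata = {
    cfn_nag: {
      rules_to_suppress: [{
        id: 'W12',
        reason: `The wildcard is scoped to IoT resources in this account and region; certificate, policy and thing ARNs are only known when a device registers, so ${jitrServiceRole.roleName} cannot be limited further at deploy time.`
      }]
    }
  };
  jitrIotPolicy.attachToRole(jitrServiceRole);

  // Allow only this topic rule (sourceArn) in this account (sourceAccount) to invoke the
  // function; both conditions together guard against confused-deputy invocations.
  new lambda.CfnPermission(this, 'LambdaInvokeJitrPermission', {
    functionName: `${jitrService.functionName}`,
    action: 'lambda:InvokeFunction',
    principal: 'iot.amazonaws.com',
    sourceArn: `${jitrRule.attrArn}`,
    sourceAccount: cdk.Aws.ACCOUNT_ID
  });
}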