The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
An L3 CDK construct to create and associate a singular AWS IoT Thing, Certificate, and IoT Policy. The construct also retrieves and returns AWS IoT account specific details such as the AWS IoT data endpoint and the AWS IoT Credential provider endpoint.
The certificate and its private key are stored as AWS Systems Manager Parameter Store parameters that can be retrieved via the AWS Console or programmatically via construct members.
npm install @cdklabs/cdk-aws-iot-thing-certificate-policypip install cdklabs.cdk-aws-iot-thing-certificate-policy// add this to your pom.xml
<dependency>
<groupId>io.github.cdklabs</groupId>
<artifactId>cdk-aws-iot-thing-certificate-policy</artifactId>
<version>0.0.0</version> // replace with version
</dependency>dotnet add package Cdklabs.CdkAwsIotThingCertificatePolicy --version X.X.X
// Add this
import "github.com/cdklabs/cdk-aws-iot-thing-certificate-policy-go/cdklabscdkawsiotthingcertificatepolicy"import * as cdk from "aws-cdk-lib";
import { IotThingCertificatePolicy } from "@cdklabs/cdk-aws-iot-thing-certificate-policy";
/**
* A minimum IoT Policy template using substitution variables for actual
* policy to be deployed for "region", "account", and "thingname". Allows
* the thing to publish and subscribe on any topics under "thing/*" topic
* namespace. Normal IoT Policy conventions such as "*", apply.
*/
const minimalIotPolicy = `{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["iot:Connect"],
"Resource": "arn:aws:iot:{{region}}:{{account}}:client/{{thingname}}"
},
{
"Effect": "Allow",
"Action": ["iot:Publish"],
"Resource": [
"arn:aws:iot:{{region}}:{{account}}:topic/{{thingname}}/*"
]
},
{
"Effect": "Allow",
"Action": ["iot:Subscribe"],
"Resource": [
"arn:aws:iot:{{region}}:{{account}}:topicfilter/{{thingname}}/*"
]
},
{
"Effect": "Allow",
"Action": ["iot:Receive"],
"Resource": [
"arn:aws:iot:{{region}}:{{account}}:topic/{{thingname}}/*"
]
}
]
}`;
const app = new cdk.App()
/**
* Create the thing, certificate, and policy, then associate the
* certificate to both the thing and the policy and fully activate.
*/
const fooThing = new IotThingCertificatePolicy(app, "MyFooThing", {
thingName: "foo-thing", // Name to assign to AWS IoT thing, and value for {{thingname}} in policy template
iotPolicyName: "foo-iot-policy", // Name to assign to AWS IoT policy
iotPolicy: minimalIotPolicy, // Policy with or without substitution parameters from above
encryptionAlgorithm: "ECC", // Algorithm to use to private key (RSA or ECC)
policyParameterMapping: [
// substitution names and values for AWS IoT policy template, e.g., {{region}} and {{account}}
{
name: "region",
value: cdk.Fn.ref("AWS::Region"),
},
{
name: "account",
value: cdk.Fn.ref("AWS::AccountId"),
},
],
// Optional: if the X.509 Subject is not provided, a set of default values will be used and the
// common name (CN) will be set from the thingName parameter.
x509Subject:
"CN=foo-thing,OU=Information Security,O=ACME Inc.,L=Detroit,ST=Michigan,C=US",
});
// The AWS IoT Thing Arn as a stack output
new cdk.CfnOutput(app, "ThingArn", {
value: fooThing.thingArn,
});
// The AWS account unique endpoint for the MQTT data connection
// See API for other available public values that can be referenced
new cdk.CfnOutput(app, "IotEndpoint", {
value: fooThing.dataAtsEndpointAddress,
});
