Add support for AWS::IoT::AccountAuditConfiguration (#17)

* Add support for AWS::IoT::AccountAuditConfiguration

* Address PR comments

* Fix additionalProperties placement

* Use real resources in contract test inputs

* Use ProgressEvents instead of Cfn exceptions

aws-iot-accountauditconfiguration/.gitignore

@@ -0,0 +1,23 @@
+# macOS
+.DS_Store
+._*
+
+# Maven outputs
+.classpath
+
+# IntelliJ
+*.iml
+.idea
+out.java
+out/
+.settings
+.project
+
+# auto-generated files
+target/
+
+# our logs
+rpdk.log
+
+# contains credentials
+sam-tests/

aws-iot-accountauditconfiguration/.rpdk-config

@@ -0,0 +1,17 @@
+{
+    "typeName": "AWS::IoT::AccountAuditConfiguration",
+    "language": "java",
+    "runtime": "java8",
+    "entrypoint": "com.amazonaws.iot.accountauditconfiguration.HandlerWrapper::handleRequest",
+    "testEntrypoint": "com.amazonaws.iot.accountauditconfiguration.HandlerWrapper::testEntrypoint",
+    "settings": {
+        "namespace": [
+            "com",
+            "amazonaws",
+            "iot",
+            "accountauditconfiguration"
+        ],
+        "codegen_template_path": "default",
+        "protocolVersion": "2.0.0"
+    }
+}

aws-iot-accountauditconfiguration/README.md

@@ -0,0 +1,26 @@
+# AWS::IoT::AccountAuditConfiguration
+
+## Running Contract Tests
+
+You can execute the following commands to run the tests.
+You will need to have docker installed and running.
+
+```bash
+# Create a CloudFormation stack with contract test dependencies (an IAM Role)
+aws cloudformation deploy  \
+--stack-name cfn-contract-test-dependencies-account-audit-configuration \
+--template-file packaging_additional_published_artifacts/contract_test_dependencies.yml \
+--capabilities CAPABILITY_IAM \
+--region us-east-1
+
+# Package the code with Maven
+mvn package
+# Start SAM which will execute lambdas in Docker
+sam local start-lambda
+
+# In a separate terminal, run the contract tests
+cfn test --enforce-timeout 240
+
+# Execute a single test
+cfn test --enforce-timeout 240 -- -k <testname>
+```

aws-iot-accountauditconfiguration/aws-iot-accountauditconfiguration.json

@@ -0,0 +1,117 @@
+{
+  "typeName": "AWS::IoT::AccountAuditConfiguration",
+  "description": "Configures the Device Defender audit settings for this account. Settings include how audit notifications are sent and which audit checks are enabled or disabled.",
+  "sourceUrl": "https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-iot.git",
+  "definitions": {
+    "AuditCheckConfiguration": {
+      "description": "The configuration for a specific audit check.",
+      "type": "object",
+      "properties": {
+        "Enabled": {
+          "description": "True if the check is enabled.",
+          "type": "boolean"
+        }
+      },
+      "additionalProperties": false
+    },
+    "AuditNotificationTarget": {
+      "type": "object",
+      "properties": {
+        "TargetArn": {
+          "description": "The ARN of the target (SNS topic) to which audit notifications are sent.",
+          "type": "string",
+          "maxLength": 2048
+        },
+        "RoleArn": {
+          "description": "The ARN of the role that grants permission to send notifications to the target.",
+          "type": "string",
+          "minLength": 20,
+          "maxLength": 2048
+        },
+        "Enabled": {
+          "description": "True if notifications to the target are enabled.",
+          "type": "boolean"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  "properties": {
+    "AccountId": {
+      "description": "Your 12-digit account ID (used as the primary identifier for the CloudFormation resource).",
+      "type": "string",
+      "minLength": 12,
+      "maxLength": 12
+    },
+    "AuditCheckConfigurations": {
+      "description": "Specifies which audit checks are enabled and disabled for this account.",
+      "type": "object",
+      "patternProperties": {
+        "[A-Z_]+": {
+          "$ref": "#/definitions/AuditCheckConfiguration"
+        }
+      },
+      "additionalProperties": false
+    },
+    "AuditNotificationTargetConfigurations": {
+      "description": "Information about the targets to which audit notifications are sent.",
+      "type": "object",
+      "patternProperties": {
+        "[a-zA-Z0-9:_-]+": {
+          "$ref": "#/definitions/AuditNotificationTarget"
+        }
+      },
+      "additionalProperties": false
+    },
+    "RoleArn": {
+      "description": "The ARN of the role that grants permission to AWS IoT to access information about your devices, policies, certificates and other items as required when performing an audit.",
+      "type": "string",
+      "minLength": 20,
+      "maxLength": 2048
+    }
+  },
+  "additionalProperties": false,
+  "primaryIdentifier": [
+    "/properties/AccountId"
+  ],
+  "required": [
+    "AccountId",
+    "AuditCheckConfigurations",
+    "RoleArn"
+  ],
+  "createOnlyProperties": [
+    "/properties/AccountId"
+  ],
+  "handlers": {
+    "create": {
+      "permissions": [
+        "iot:UpdateAccountAuditConfiguration",
+        "iot:DescribeAccountAuditConfiguration",
+        "iam:PassRole"
+      ]
+    },
+    "read": {
+      "permissions": [
+        "iot:DescribeAccountAuditConfiguration"
+      ]
+    },
+    "update": {
+      "permissions": [
+        "iot:UpdateAccountAuditConfiguration",
+        "iot:DescribeAccountAuditConfiguration",
+        "iam:PassRole"
+      ]
+    },
+    "delete": {
+      "permissions": [
+        "iot:DescribeAccountAuditConfiguration",
+        "iot:DeleteAccountAuditConfiguration"
+      ]
+    },
+    "list": {
+      "permissions": [
+        "iot:DescribeAccountAuditConfiguration"
+      ]
+    }
+  }
+}

aws-iot-accountauditconfiguration/inputs/inputs_1_create.json

@@ -0,0 +1,12 @@
+{
+  "AccountId": "{{AccountId}}",
+  "AuditCheckConfigurations": {
+    "LOGGING_DISABLED_CHECK": {
+      "Enabled": true
+    },
+    "CA_CERTIFICATE_EXPIRING_CHECK": {
+      "Enabled": true
+    }
+  },
+  "RoleArn": "{{RoleForDeviceDefenderAuditArn}}"
+}

aws-iot-accountauditconfiguration/inputs/inputs_1_invalid.json

@@ -0,0 +1,12 @@
+{
+  "AccountId": "{{AccountId}}",
+  "AuditCheckConfigurations": {
+    "NON_EXISTENT_CHECK": {
+      "Enabled": true
+    },
+    "CA_CERTIFICATE_EXPIRING_CHECK": {
+      "Enabled": true
+    }
+  },
+  "RoleArn": "{{RoleForDeviceDefenderAuditArn}}"
+}

aws-iot-accountauditconfiguration/inputs/inputs_1_update.json

@@ -0,0 +1,15 @@
+{
+  "AccountId": "{{AccountId}}",
+  "AuditCheckConfigurations": {
+    "LOGGING_DISABLED_CHECK": {
+      "Enabled": true
+    },
+    "CA_CERTIFICATE_EXPIRING_CHECK": {
+      "Enabled": true
+    },
+    "DEVICE_CERTIFICATE_EXPIRING_CHECK": {
+      "Enabled": true
+    }
+  },
+  "RoleArn": "{{RoleForDeviceDefenderAuditArn}}"
+}

aws-iot-accountauditconfiguration/lombok.config

@@ -0,0 +1 @@
+lombok.addLombokGeneratedAnnotation = true

aws-iot-accountauditconfiguration/packaging_additional_published_artifacts/contract_test_dependencies.yml

@@ -0,0 +1,28 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: 'Resources for running the AccountAuditConfiguration contract tests'
+Resources:
+  RoleForDeviceDefenderAudit:
+    Type: "AWS::IAM::Role"
+    Properties:
+      Path: "/"
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              Service:
+                - "iot.amazonaws.com"
+            Action:
+              - "sts:AssumeRole"
+
+Outputs:
+  RoleForDeviceDefenderAuditOutput:
+    Value:
+      Fn::GetAtt: [RoleForDeviceDefenderAudit, Arn]
+    Export:
+      Name: RoleForDeviceDefenderAuditArn
+  AccountIdOutput:
+    Value:
+      Fn::Sub: "${AWS::AccountId}"
+    Export:
+      Name: AccountId