_This issue was originally opened by @vrcsix as hashicorp/terraform#6138. It was migrated here as part of the provider split. The original body of the issue is below._
Edit by Ninir: TODOs
Thing
Represents a thing in the thing registry.
```hcl
resource "aws_iot_thing" "device3" {
  name       = "MyDevice3"
  principals = ["${aws_iot_certificate.cert.arn}"]

  attributes {
    Manufacturer = "Amazon"
    Type         = "IoT Device A"
    SerialNumber = "10293847562912"
  }
}
```
```go
// Pseudocode for the aws_iot_thing CRUD operations.
func Create(t Thing) {
	iot.CreateThing(t)
	for _, p := range t.principals {
		iot.AttachThingPrincipal(t, p)
	}
}

func Read(t Thing) {
	update(t, iot.DescribeThing(t))
}

func Update(t Thing) {
	// Diff the configured principals against the ones currently attached.
	toBeDetached, toBeAttached := principalAttachmentChanges(t)
	for _, p := range toBeDetached {
		iot.DetachThingPrincipal(t, p)
	}
	for _, p := range toBeAttached {
		iot.AttachThingPrincipal(t, p)
	}
	iot.UpdateThing(t)
}

func Delete(t Thing) {
	// A thing cannot be deleted while principals are still attached.
	for _, p := range t.principals {
		iot.DetachThingPrincipal(t, p)
	}
	iot.DeleteThing(t)
}
```
Certificate
Represents an X.509 certificate for use with IoT.
```hcl
resource "aws_iot_certificate" "cert" {
  csr    = "${file("/my/csr.pem")}"
  active = true
}
```
```go
// Pseudocode for the aws_iot_certificate CRUD operations.
func Create(c Certificate) {
	iot.CreateCertificateFromCsr(c)
}

func Read(c Certificate) {
	update(c, iot.DescribeCertificate(c))
}

func Update(c Certificate) {
	if hasChanged(c.csr) {
		// A new CSR means a new certificate; only the status can be updated in place.
		forceNewResource(c)
	} else {
		iot.UpdateCertificate(c)
	}
}

func Delete(c Certificate) {
	// An active certificate cannot be deleted; deactivate it first.
	iot.UpdateCertificate(c, Input{NewStatus: "INACTIVE"})
	iot.DeleteCertificate(c)
}
```
Policy
Represents permissions for IoT clients.
```hcl
resource "aws_iot_policy" "pubsub" {
  name   = "PubSubToAnyTopic"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iot:*"],
    "Resource": ["*"]
  }]
}
EOF
}
```
```go
// Pseudocode for the aws_iot_policy CRUD operations.
func Create(p Policy) {
	iot.CreatePolicy(p)
}

func Read(p Policy) {
	update(p, iot.GetPolicy(p))
}

func Update(p Policy) {
	prunePolicyVersions(p) // ensure no more than 4 versions exist (DeletePolicyVersion)
	iot.CreatePolicyVersion(p, Input{SetAsDefault: true})
}

func Delete(p Policy) {
	deletePolicyVersions(p) // delete all non-default policy versions (DeletePolicyVersion)
	iot.DeletePolicy(p)
}
```
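The `prunePolicyVersions` step above has to pick which versions to delete before a new one can be created. The following is an added example of one way to do that, not code from the issue or the provider; `policyVersion`, `maxPolicyVersions` and `versionsToPrune` are names assumed for this illustration.

```go
package main

import (
	"sort"
	"time"
)

// policyVersion carries the ListPolicyVersions fields that matter for pruning
// (a constructed type for this example, not the AWS SDK's).
type policyVersion struct {
	ID        string
	IsDefault bool
	Created   time.Time
}

// AWS IoT keeps at most five versions per policy, so Update must make room first.
const maxPolicyVersions = 5

// versionsToPrune is a hypothetical body for prunePolicyVersions: it returns the
// IDs of the oldest non-default versions to delete so that at most
// maxPolicyVersions-1 remain. The default version is never selected, since
// DeletePolicyVersion rejects it and removing it would strip every attached
// principal of its effective policy.
func versionsToPrune(versions []policyVersion) []string {
	excess := len(versions) - (maxPolicyVersions - 1)
	if excess <= 0 {
		return nil
	}
	var candidates []policyVersion
	for _, v := range versions {
		if !v.IsDefault {
			candidates = append(candidates, v)
		}
	}
	sort.Slice(candidates, func(i, j int) bool {
		return candidates[i].Created.Before(candidates[j].Created)
	})
	if excess > len(candidates) {
		excess = len(candidates)
	}
	ids := make([]string, 0, excess)
	for _, v := range candidates[:excess] {
		ids = append(ids, v.ID)
	}
	return ids
}
```

With five versions where version 3 is the default, the oldest non-default version (1) is the only deletion candidate; with four or fewer versions nothing is deleted.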
Policy attachment
Represents the attachment of one or more IoT policies to a principal (certificate, Cognito ID or IAM entity).
```hcl
resource "aws_iot_policy_attachment" "cert_policies" {
  principal = "${aws_iot_certificate.cert.arn}"
  policies  = ["${aws_iot_policy.pubsub.name}"]
}
```
```go
// Pseudocode for the aws_iot_policy_attachment CRUD operations.
func Create(a PolicyAttachment) {
	for _, p := range a.policies {
		iot.AttachPrincipalPolicy(a.principal, p)
	}
}

func Read(a PolicyAttachment) {
	update(a, iot.ListPrincipalPolicies(a.principal))
}

func Update(a PolicyAttachment) {
	// Diff the configured policies against the ones currently attached.
	toBeDetached, toBeAttached := policyAttachmentChanges(a)
	for _, p := range toBeDetached {
		iot.DetachPrincipalPolicy(a.principal, p)
	}
	for _, p := range toBeAttached {
		iot.AttachPrincipalPolicy(a.principal, p)
	}
}

func Delete(a PolicyAttachment) {
	for _, p := range a.policies {
		iot.DetachPrincipalPolicy(a.principal, p)
	}
}
```
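Both the thing and the policy attachment `Update` sketches rely on a helper that diffs the attached set against the configured one. The following is an added example of such a helper, not code from the issue or the provider; `attachmentChanges` and the sample policy names are assumed for this illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// attachmentChanges is a hypothetical body for the principalAttachmentChanges
// and policyAttachmentChanges helpers sketched above: given what AWS currently
// reports attached and what the configuration wants, it returns the sets to
// detach and attach. Update applies the detach set before the attach set, as
// in the sketch, which also keeps the principal under the per-principal limit.
func attachmentChanges(current, desired []string) (toDetach, toAttach []string) {
	cur := make(map[string]struct{}, len(current))
	for _, p := range current {
		cur[p] = struct{}{}
	}
	want := make(map[string]struct{}, len(desired))
	for _, p := range desired {
		want[p] = struct{}{}
	}
	for p := range cur {
		if _, ok := want[p]; !ok {
			toDetach = append(toDetach, p)
		}
	}
	for p := range want {
		if _, ok := cur[p]; !ok {
			toAttach = append(toAttach, p)
		}
	}
	// Map iteration order is random; sort so the plan output is deterministic.
	sort.Strings(toDetach)
	sort.Strings(toAttach)
	return toDetach, toAttach
}

func main() {
	// Constructed sample: one policy is kept, one removed, one added.
	d, a := attachmentChanges(
		[]string{"PubSubToAnyTopic", "LegacyPolicy"},
		[]string{"PubSubToAnyTopic", "TelemetryOnly"})
	fmt.Println("detach:", d, "attach:", a) // detach: [LegacyPolicy] attach: [TelemetryOnly]
}
```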
Topic rule
Represents a rule for processing messages to an MQTT topic.
```hcl
resource "aws_iot_topic_rule" "rule" {
  name        = "MyRule"
  description = "Example rule"
  enabled     = true
  sql         = "SELECT * FROM 'topic/test'"

  cloudwatch_alarm {
    alarm_name   = ""
    role_arn     = ""
    state_reason = ""
    state_value  = ""
  }

  cloudwatch_metric {
    metric_name      = ""
    metric_namespace = ""
    metric_timestamp = ""
    metric_unit      = ""
    metric_value     = ""
    role_arn         = ""
  }

  dynamodb {
    hash_key_field  = ""
    hash_key_value  = ""
    payload_field   = ""
    range_key_field = ""
    range_key_value = ""
    role_arn        = ""
    table_name      = ""
  }

  elasticsearch {
    endpoint = ""
    id       = ""
    index    = ""
    role_arn = ""
    type     = ""
  }

  firehose {
    delivery_stream_name = ""
    role_arn             = ""
  }

  kinesis {
    partition_key = ""
    role_arn      = ""
    stream_name   = ""
  }

  lambda {
    function_arn = ""
  }

  republish {
    role_arn = ""
    topic    = ""
  }

  s3 {
    bucket_name = ""
    key         = ""
    role_arn    = ""
  }

  sns {
    message_format = ""
    role_arn       = ""
    target_arn     = ""
  }

  sqs {
    queue_url  = ""
    role_arn   = ""
    use_base64 = false
  }
}
```
```go
// Pseudocode for the aws_iot_topic_rule CRUD operations.
func Create(r TopicRule) {
	iot.CreateTopicRule(r)
}

func Read(r TopicRule) {
	update(r, iot.GetTopicRule(r))
}

func Update(r TopicRule) {
	// Topic rules have no partial update API; the whole rule is replaced.
	iot.ReplaceTopicRule(r)
}

func Delete(r TopicRule) {
	iot.DeleteTopicRule(r)
}
```
Am I right in thinking that AWS IoT support for Terraform which was in progress over at https://github.com/hashicorp/terraform/pull/6961 needs to be migrated over to this repo?
It's not clear that the aforementioned PR is still active, and I'm prepared to put some effort in to bring that work over if nobody else is on it.
The original author of hashicorp/terraform#6961 has made it clear he doesn't have capacity to continue with the work and has given the blessing of others to build directly on his work. I humbly suggest a good way to proceed is piecemeal, one AWS IoT provider at a time, to avoid massive pull requests, and to be in accordance with the Terraform contribution guidelines.
@rob-smallshire I would also like to help contribute, and I agree with your plan
@AlexMabry Thanks for picking up this work! I've been on vacation since I last visited.
Is anyone currently working on this? I'd love to not have to manually attach policies to my certificates.
@abferm I don't know of anyone working on Policy Attachment. If you haven't seen it already, there is relevant code in https://github.com/hashicorp/terraform/pull/6961. The process of extracting resource providers from that old PR and resubmitting individually in this repo seems to be slowly succeeding.
@abferm IoT Thing type just got merged and should be in starting from TF AWS Provider 1.10.
Will work on other ones right after!
aws_iot_thing PRed here: https://github.com/terraform-providers/terraform-provider-aws/pull/3521
Hey Guys,
I was wondering if you plan to support AWS::IoT::ThingPrincipalAttachment as well in order to easily attach a certificate to the IoT thing. Here's a CF documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-thingprincipalattachment.html
Hi, any update on @rafaljanicki 's request? Is there any plan for adding a resource for certificate attachment in iot_thing?
@srjithsn FYI, for now I'm using the following workaround:
```hcl
resource "null_resource" "attach_thing_to_certificate" {
  triggers {
    certificate_arn = "<certificate_arn>"
  }

  provisioner "local-exec" {
    command = "aws iot attach-thing-principal --thing-name <thing_name> --principal <certificate_arn> --region <region>"
  }
}
```
There are two open PRs for additional IoT resources:
aws_iot_policy_attachment: #5864
aws_iot_thing_principal_attachment: #5868
Both are waiting on the original author to implement feedback at the moment.
The above two new resources have been merged and will release with version 1.42.0 of the AWS provider, likely by Wednesday.
I think we are reaching a point where the "definition of done" for a generic IoT support issue becomes hard -- so if there is other specific feature requests you are looking for, please feel free to create new issues. Thanks!
Can the Thing Group functionality be added? There are a lot of advantages to using groups within IoT to manage Thing settings, including certificates and policies.
Thanks!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!