feat(client-iot): This release adds support to register a CA certific…

…ate without having to provide a verification certificate. This also allows multiple AWS accounts to register the same CA in the same region.
aws · Jul 7, 2022 · 3e13ee1 · 3e13ee1
1 parent 5ff951f
commit 3e13ee1
Show file tree

Hide file tree

Showing 8 changed files with 110 additions and 36 deletions.
diff --git a/clients/client-iot/src/IoT.ts b/clients/client-iot/src/IoT.ts
@@ -7494,12 +7494,9 @@ export class IoT extends IoTClient {
   }
 
   /**
-   * <p>Registers a CA certificate with IoT. This CA certificate can then be used to sign
-   *          device certificates, which can be then registered with IoT. You can register up to 10
-   *          CA certificates per Amazon Web Services account that have the same subject field. This enables you to have
-   *          up to 10 certificate authorities sign your device certificates. If you have more than one
-   *          CA certificate registered, make sure you pass the CA certificate when you register your
-   *          device certificates with the <a>RegisterCertificate</a> action.</p>
+   * <p>Registers a CA certificate with Amazon Web Services IoT Core. There is no limit to the number of CA
+   *          certificates you can register in your Amazon Web Services account. You can register up to 10 CA
+   *          certificates with the same <code>CA subject field</code> per Amazon Web Services account.</p>
    *          <p>Requires permission to access the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions">RegisterCACertificate</a> action.</p>
    */
   public registerCACertificate(
@@ -7532,9 +7529,9 @@ export class IoT extends IoTClient {
   }
 
   /**
-   * <p>Registers a device certificate with IoT. If you have more than one CA certificate
-   *          that has the same subject field, you must specify the CA certificate that was used to sign
-   *          the device certificate being registered.</p>
+   * <p>Registers a device certificate with IoT in the same <a href="https://docs.aws.amazon.com/iot/latest/apireference/API_CertificateDescription.html#iot-Type-CertificateDescription-certificateMode">certificate mode</a> as the signing CA. If you have more than one CA certificate that has the same subject field, you must
+   *          specify the CA certificate that was used to sign the device certificate being
+   *          registered.</p>
    *          <p>Requires permission to access the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions">RegisterCertificate</a> action.</p>
    */
   public registerCertificate(

diff --git a/clients/client-iot/src/commands/RegisterCACertificateCommand.ts b/clients/client-iot/src/commands/RegisterCACertificateCommand.ts
@@ -23,12 +23,9 @@ export interface RegisterCACertificateCommandInput extends RegisterCACertificate
 export interface RegisterCACertificateCommandOutput extends RegisterCACertificateResponse, __MetadataBearer {}
 
 /**
- * <p>Registers a CA certificate with IoT. This CA certificate can then be used to sign
- *          device certificates, which can be then registered with IoT. You can register up to 10
- *          CA certificates per Amazon Web Services account that have the same subject field. This enables you to have
- *          up to 10 certificate authorities sign your device certificates. If you have more than one
- *          CA certificate registered, make sure you pass the CA certificate when you register your
- *          device certificates with the <a>RegisterCertificate</a> action.</p>
+ * <p>Registers a CA certificate with Amazon Web Services IoT Core. There is no limit to the number of CA
+ *          certificates you can register in your Amazon Web Services account. You can register up to 10 CA
+ *          certificates with the same <code>CA subject field</code> per Amazon Web Services account.</p>
  *          <p>Requires permission to access the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions">RegisterCACertificate</a> action.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.

diff --git a/clients/client-iot/src/commands/RegisterCertificateCommand.ts b/clients/client-iot/src/commands/RegisterCertificateCommand.ts
@@ -23,9 +23,9 @@ export interface RegisterCertificateCommandInput extends RegisterCertificateRequ
 export interface RegisterCertificateCommandOutput extends RegisterCertificateResponse, __MetadataBearer {}
 
 /**
- * <p>Registers a device certificate with IoT. If you have more than one CA certificate
- *          that has the same subject field, you must specify the CA certificate that was used to sign
- *          the device certificate being registered.</p>
+ * <p>Registers a device certificate with IoT in the same <a href="https://docs.aws.amazon.com/iot/latest/apireference/API_CertificateDescription.html#iot-Type-CertificateDescription-certificateMode">certificate mode</a> as the signing CA. If you have more than one CA certificate that has the same subject field, you must
+ *          specify the CA certificate that was used to sign the device certificate being
+ *          registered.</p>
  *          <p>Requires permission to access the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions">RegisterCertificate</a> action.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.

diff --git a/clients/client-iot/src/models/models_0.ts b/clients/client-iot/src/models/models_0.ts
@@ -4650,6 +4650,10 @@ export interface PresignedUrlConfig {
   /**
    * <p>The ARN of an IAM role that grants grants permission to download files from the S3 bucket where the job
    *             data/updates are stored. The role must also grant permission for IoT to download the files.</p>
+   *         <important>
+   *             <p>For information about addressing the confused deputy problem, see <a href="https://docs.aws.amazon.com/iot/latest/developerguide/cross-service-confused-deputy-prevention.html">cross-service
+   *                 confused deputy prevention</a> in the <i>Amazon Web Services IoT Core developer guide</i>.</p>
+   *         </important>
    */
   roleArn?: string;
 

diff --git a/clients/client-iot/src/models/models_1.ts b/clients/client-iot/src/models/models_1.ts
@@ -843,6 +843,11 @@ export namespace DescribeCACertificateRequest {
   });
 }
 
+export enum CertificateMode {
+  DEFAULT = "DEFAULT",
+  SNI_ONLY = "SNI_ONLY",
+}
+
 export enum CACertificateStatus {
   ACTIVE = "ACTIVE",
   INACTIVE = "INACTIVE",
@@ -931,6 +936,13 @@ export interface CACertificateDescription {
    * <p>When the CA certificate is valid.</p>
    */
   validity?: CertificateValidity;
+
+  /**
+   * <p>The mode of the CA. </p>
+   *          <p>All the device certificates that are registered using this CA will be registered
+   *          in the same mode as the CA. For more information about certificate mode for device certificates, see <a href="https://docs.aws.amazon.com/iot/latest/apireference/API_CertificateDescription.html#iot-Type-CertificateDescription-certificateMode">certificate mode</a>.</p>
+   */
+  certificateMode?: CertificateMode | string;
 }
 
 export namespace CACertificateDescription {
@@ -1010,11 +1022,6 @@ export namespace DescribeCertificateRequest {
   });
 }
 
-export enum CertificateMode {
-  DEFAULT = "DEFAULT",
-  SNI_ONLY = "SNI_ONLY",
-}
-
 export enum CertificateStatus {
   ACTIVE = "ACTIVE",
   INACTIVE = "INACTIVE",
@@ -1134,6 +1141,17 @@ export interface CertificateDescription {
 
   /**
    * <p>The mode of the certificate.</p>
+   *          <p>
+   *             <code>DEFAULT</code>: A certificate in <code>DEFAULT</code> mode is either generated by
+   *          Amazon Web Services IoT Core or registered with an issuer certificate authority (CA) in <code>DEFAULT</code> mode. Devices with
+   *          certificates in <code>DEFAULT</code> mode aren't required to send the Server Name
+   *          Indication (SNI) extension when connecting to Amazon Web Services IoT Core. However, to use features such as
+   *          custom domains and VPC endpoints, we recommend that you use the SNI extension when
+   *          connecting to Amazon Web Services IoT Core.</p>
+   *          <p>
+   *             <code>SNI_ONLY</code>: A certificate in <code>SNI_ONLY</code> mode is registered without an issuer CA. Devices with certificates
+   *          in <code>SNI_ONLY</code> mode must send the SNI extension when connecting to Amazon Web Services IoT Core. </p>
+   *          <p>For more information about the value for SNI extension, see <a href="https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html">Transport security in IoT</a>.</p>
    */
   certificateMode?: CertificateMode | string;
 }
@@ -2196,6 +2214,11 @@ export interface Job {
    */
   documentParameters?: Record<string, string>;
 
+  /**
+   * <p>Indicates whether a job is concurrent. Will be true when a job is
+   *             rolling out new job executions or canceling previously created executions,
+   *             otherwise false.</p>
+   */
   isConcurrent?: boolean;
 }
 
@@ -5770,6 +5793,16 @@ export interface Certificate {
 
   /**
    * <p>The mode of the certificate.</p>
+   *          <p>
+   *             <code>DEFAULT</code>: A certificate in <code>DEFAULT</code> mode is either generated by
+   *          Amazon Web Services IoT Core or registered with an issuer certificate authority (CA) in <code>DEFAULT</code> mode. Devices with
+   *          certificates in <code>DEFAULT</code> mode aren't required to send the Server Name
+   *          Indication (SNI) extension when connecting to Amazon Web Services IoT Core. However, to use features such as
+   *          custom domains and VPC endpoints, we recommend that you use the SNI extension when
+   *          connecting to Amazon Web Services IoT Core.</p>
+   *          <p>
+   *             <code>SNI_ONLY</code>: A certificate in <code>SNI_ONLY</code> mode is registered without an issuer CA. Devices with certificates
+   *          in <code>SNI_ONLY</code> mode must send the SNI extension when connecting to Amazon Web Services IoT Core. </p>
    */
   certificateMode?: CertificateMode | string;
 
@@ -6736,6 +6769,11 @@ export interface JobSummary {
    */
   completedAt?: Date;
 
+  /**
+   * <p>Indicates whether a job is concurrent. Will be true when a job is
+   *             rolling out new job executions or canceling previously created executions,
+   *             otherwise false.</p>
+   */
   isConcurrent?: boolean;
 }
 

diff --git a/clients/client-iot/src/models/models_2.ts b/clients/client-iot/src/models/models_2.ts
@@ -44,6 +44,7 @@ import {
 import {
   BehaviorCriteriaType,
   CACertificateStatus,
+  CertificateMode,
   CertificateStatus,
   Configuration,
   DetectMitigationActionsTaskTarget,
@@ -1111,9 +1112,12 @@ export interface RegisterCACertificateRequest {
   caCertificate: string | undefined;
 
   /**
-   * <p>The private key verification certificate.</p>
+   * <p>The private key verification certificate. If <code>certificateMode</code> is
+   *             <code>SNI_ONLY</code>, the <code>verificationCertificate</code> field must be empty. If
+   *             <code>certificateMode</code> is <code>DEFAULT</code> or not provided, the
+   *             <code>verificationCertificate</code> field must not be empty. </p>
    */
-  verificationCertificate: string | undefined;
+  verificationCertificate?: string;
 
   /**
    * <p>A boolean value that specifies if the CA certificate is set to active.</p>
@@ -1144,6 +1148,19 @@ export interface RegisterCACertificateRequest {
    *          </note>
    */
   tags?: Tag[];
+
+  /**
+   * <p>Describes the certificate mode in which the Certificate Authority (CA) will be
+   *          registered. If the <code>verificationCertificate</code> field is not provided, set <code>certificateMode</code> to be <code>SNI_ONLY</code>.
+   *          If the <code>verificationCertificate</code> field is provided, set <code>certificateMode</code> to be <code>DEFAULT</code>.
+   *          When <code>certificateMode</code> is not provided, it defaults to <code>DEFAULT</code>.
+   *          All the device certificates that are registered using this CA will be registered in the same certificate mode as the CA.
+   *          For more information about certificate mode for device certificates, see
+   *          <a href="https://docs.aws.amazon.com/iot/latest/apireference/API_CertificateDescription.html#iot-Type-CertificateDescription-certificateMode">
+   *             certificate mode</a>.
+   *       </p>
+   */
+  certificateMode?: CertificateMode | string;
 }
 
 export namespace RegisterCACertificateRequest {
@@ -1526,7 +1543,8 @@ export interface SearchIndexRequest {
   indexName?: string;
 
   /**
-   * <p>The search query string.</p>
+   * <p>The search query string. For more information about the search query syntax, see <a href="https://docs.aws.amazon.com/iot/latest/developerguide/query-syntax.html">Query
+   *       syntax</a>.</p>
    */
   queryString: string | undefined;
 

diff --git a/clients/client-iot/src/protocols/Aws_restJson1.ts b/clients/client-iot/src/protocols/Aws_restJson1.ts
@@ -6845,6 +6845,8 @@ export const serializeAws_restJson1RegisterCACertificateCommand = async (
   let body: any;
   body = JSON.stringify({
     ...(input.caCertificate !== undefined && input.caCertificate !== null && { caCertificate: input.caCertificate }),
+    ...(input.certificateMode !== undefined &&
+      input.certificateMode !== null && { certificateMode: input.certificateMode }),
     ...(input.registrationConfig !== undefined &&
       input.registrationConfig !== null && {
         registrationConfig: serializeAws_restJson1RegistrationConfig(input.registrationConfig, context),
@@ -26546,6 +26548,7 @@ const deserializeAws_restJson1CACertificateDescription = (
     autoRegistrationStatus: __expectString(output.autoRegistrationStatus),
     certificateArn: __expectString(output.certificateArn),
     certificateId: __expectString(output.certificateId),
+    certificateMode: __expectString(output.certificateMode),
     certificatePem: __expectString(output.certificatePem),
     creationDate:
       output.creationDate !== undefined && output.creationDate !== null