AWS IoT support #143

Closed
4 of 7 tasks
hashibot opened this issue Jun 13, 2017 · 15 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. new-resource Introduces a new resource. service/iot Issues and PRs that pertain to the iot service.

Comments

@hashibot

hashibot commented Jun 13, 2017

This issue was originally opened by @vrcsix as hashicorp/terraform#6138. It was migrated here as part of the provider split. The original body of the issue is below.


Edit by Ninir: TODOs

  • Thing
  • Thing Type
  • Thing Group
  • Certificate
  • Policy
  • Policy Attachment
  • Topic

Opening this to spec out Terraform support for [AWS IoT](https://aws.amazon.com/iot/).

Thing
Represents a thing in the thing registry.

```hcl
resource "aws_iot_thing" "device3" {
  name = "MyDevice3"
  principals = ["${aws_iot_certificate.cert.arn}"]

  attributes {
    Manufacturer = "Amazon"
    Type = "IoT Device A"
    SerialNumber = "10293847562912"
  }
}
```

```go
func Create(t Thing) {
  iot.CreateThing(t)
  for _, p := range t.principals {
    iot.AttachThingPrincipal(t, p)
  }
}

func Read(t Thing) {
  update(t, iot.DescribeThing(t))
}

func Update(t Thing) {
  toBeDetached, toBeAttached := principalAttachmentChanges(t)

  for _, p := range toBeDetached {
    iot.DetachThingPrincipal(t, p)
  }

  for _, p := range toBeAttached {
    iot.AttachThingPrincipal(t, p)
  }

  iot.UpdateThing(t)
}

func Delete(t Thing) {
  for _, p := range t.principals {
    iot.DetachThingPrincipal(t, p)
  }

  iot.DeleteThing(t)
}
```

Certificate
Represents an X.509 certificate for use with IoT.

```hcl
resource "aws_iot_certificate" "cert" {
  csr = "${file("/my/csr.pem")}"
  active = true
}
```

```go
func Create(c Certificate) {
  iot.CreateCertificateFromCsr(c)
}

func Read(c Certificate) {
  update(c, iot.DescribeCertificate(c))
}

func Update(c Certificate) {
  if hasChanged(c.csr) {
    forceNewResource(c)
  } else {
    iot.UpdateCertificate(c)
  }
}

func Delete(c Certificate) {
  // A certificate must be INACTIVE before IoT will delete it.
  iot.UpdateCertificate(c, Input{NewStatus: "INACTIVE"})
  iot.DeleteCertificate(c)
}
```

Policy
Represents permissions for IoT clients.

```hcl
resource "aws_iot_policy" "pubsub" {
  name = "PubSubToAnyTopic"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iot:*"],
    "Resource": ["*"]
  }]
}
EOF
}
```

```go
func Create(p Policy) {
  iot.CreatePolicy(p)
}

func Read(p Policy) {
  update(p, iot.GetPolicy(p))
}

func Update(p Policy) {
  prunePolicyVersions(p) // ensure no more than 4 versions exist (DeletePolicyVersion)
  iot.CreatePolicyVersion(p, Input{SetAsDefault: true})
}

func Delete(p Policy) {
  deletePolicyVersions(p) // delete all non-default policy versions (DeletePolicyVersion)
  iot.DeletePolicy(p)
}
```

Policy attachment
Represents the attachment of one or more IoT policies to a principal (certificate, Cognito ID or IAM entity).

```hcl
resource "aws_iot_policy_attachment" "cert_policies" {
  principal = "${aws_iot_certificate.cert.arn}"
  policies = ["${aws_iot_policy.pubsub.name}"]
}
```

```go
func Create(a PolicyAttachment) {
  for _, p := range a.policies {
    iot.AttachPrincipalPolicy(a.principal, p)
  }
}

func Read(a PolicyAttachment) {
  update(a, iot.ListPrincipalPolicies(a.principal))
}

func Update(a PolicyAttachment) {
  toBeDetached, toBeAttached := policyAttachmentChanges(a)

  for _, p := range toBeDetached {
    iot.DetachPrincipalPolicy(a.principal, p)
  }

  for _, p := range toBeAttached {
    iot.AttachPrincipalPolicy(a.principal, p)
  }
}

func Delete(a PolicyAttachment) {
  for _, p := range a.policies {
    iot.DetachPrincipalPolicy(a.principal, p)
  }
}
```

Topic rule
Represents a rule for processing messages to an MQTT topic.

```hcl
resource "aws_iot_topic_rule" "rule" {
  name = "MyRule"
  description = "Example rule"
  enabled = true
  sql = "SELECT * FROM 'topic/test'"

  cloudwatch_alarm {
    alarm_name = ""
    role_arn = ""
    state_reason = ""
    state_value = ""
  }

  cloudwatch_metric {
    metric_name = ""
    metric_namespace = ""
    metric_timestamp = ""
    metric_unit = ""
    metric_value = ""
    role_arn = ""
  }

  dynamodb {
    hash_key_field = ""
    hash_key_value = ""
    payload_field = ""
    range_key_field = ""
    range_key_value = ""
    role_arn = ""
    table_name = ""
  }

  elasticsearch {
    endpoint = ""
    id = ""
    index = ""
    role_arn = ""
    type = ""
  }

  firehose {
    delivery_stream_name = ""
    role_arn = ""
  }

  kinesis {
    partition_key = ""
    role_arn = ""
    stream_name = ""
  }

  lambda {
    function_arn = ""
  }

  republish {
    role_arn = ""
    topic = ""
  }

  s3 {
    bucket_name = ""
    key = ""
    role_arn = ""
  }

  sns {
    message_format = ""
    role_arn = ""
    target_arn = ""
  }

  sqs {
    queue_url = ""
    role_arn = ""
    use_base64 = false
  }
}
```

```go
func Create(r TopicRule) {
  iot.CreateTopicRule(r)
}

func Read(r TopicRule) {
  update(r, iot.GetTopicRule(r))
}

func Update(r TopicRule) {
  iot.ReplaceTopicRule(r)
}

func Delete(r TopicRule) {
  iot.DeleteTopicRule(r)
}
```
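The spec above leaves prunePolicyVersions, principalAttachmentChanges and policyAttachmentChanges undefined. The following is an added example (not code from the issue or the provider) of the pure logic behind them: AWS IoT allows at most five versions per policy, so Update has to delete the oldest non-default versions before it can create a new default one, and both attachment updates reduce to two set differences. Function names and the version-ID inputs are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// AWS IoT keeps at most 5 versions per policy, so the spec's Update prunes
// to 4 before CreatePolicyVersion (the prunePolicyVersions step).
const maxPolicyVersions = 5

// PolicyVersionsToDelete lists the version IDs to pass to DeletePolicyVersion,
// oldest first, until fewer than maxPolicyVersions remain. defaultID is the
// current default version, which IoT refuses to delete, so it is skipped.
func PolicyVersionsToDelete(ids []int, defaultID int) []int {
	sorted := append([]int(nil), ids...)
	sort.Ints(sorted)
	var del []int
	for left, i := len(sorted), 0; i < len(sorted) && left >= maxPolicyVersions; i++ {
		if sorted[i] != defaultID {
			del = append(del, sorted[i])
			left--
		}
	}
	return del
}

// missing returns the elements of a that are absent from b, in a's order.
func missing(a, b []string) []string {
	seen := make(map[string]bool, len(b))
	for _, p := range b {
		seen[p] = true
	}
	var out []string
	for _, p := range a {
		if !seen[p] {
			out = append(out, p)
		}
	}
	return out
}

// AttachmentChanges is the set difference behind principalAttachmentChanges and
// policyAttachmentChanges: detach what is no longer desired, attach what is new.
func AttachmentChanges(current, desired []string) (toDetach, toAttach []string) {
	return missing(current, desired), missing(desired, current)
}

func main() {
	fmt.Println(PolicyVersionsToDelete([]int{5, 3, 1, 4, 2}, 1)) // [2]
	fmt.Println(AttachmentChanges([]string{"certA", "certB"}, []string{"certB", "certC"}))
}
```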
@hashibot hashibot added enhancement Requests to existing resources that expand the functionality or scope. new-resource Introduces a new resource. labels Jun 13, 2017
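The aws_iot_policy example in the spec grants iot:* on every resource. As an added example (not from the issue or the provider), the check below parses a policy document and reports Allow statements of that shape, so a reviewer can catch the pattern before it lands in a module; it is run against the spec's document and against a constructed thing-scoped policy that uses the iot:Connection.Thing.ThingName policy variable, which only resolves when the certificate is attached to the thing, as the Thing resource's principals list arranges. Function and constant names, the region and the account ID are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// policyDoc mirrors the issue's aws_iot_policy document (Action/Resource as lists).
type policyDoc struct {
	Statement []struct {
		Effect   string
		Action   []string
		Resource []string
	}
}

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// WildcardAllows returns the indexes of Allow statements that grant every
// iot action on every resource, the shape of the PubSubToAnyTopic example.
func WildcardAllows(doc string) ([]int, error) {
	var p policyDoc
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var hits []int
	for i, s := range p.Statement {
		if s.Effect == "Allow" && (has(s.Action, "*") || has(s.Action, "iot:*")) && has(s.Resource, "*") {
			hits = append(hits, i)
		}
	}
	return hits, nil
}

// Constructed inputs: the issue's document and a thing-scoped alternative.
const broadPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iot:*"],"Resource":["*"]}]}`
const scopedPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iot:Connect"],` +
	`"Resource":["arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"]}]}`

func main() {
	fmt.Println(WildcardAllows(broadPolicy))  // [0] <nil>
	fmt.Println(WildcardAllows(scopedPolicy)) // [] <nil>
}
```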
@rob-smallshire

Am I right in thinking that AWS IoT support for Terraform which was in progress over at hashicorp/terraform#6961 needs to be migrated over to this repo?

It's not clear that the aforementioned PR is still active, and I'm prepared to put some effort in to bring that work over if nobody else is on it.

@rob-smallshire

The original author of hashicorp/terraform#6961 has made it clear he doesn't have capacity to continue with the work and has given the blessing of others to build directly on his work. I humbly suggest a good way to proceed is piecemeal, one AWS IoT provider at a time, to avoid massive pull requests, and to be in accordance with the Terraform contribution guidelines.

@AlexMabry
Contributor

@rob-smallshire I would also like to help contribute, and I agree with your plan

AlexMabry pushed a commit to AlexMabry/terraform-provider-aws that referenced this issue Jun 28, 2017
AlexMabry pushed a commit to AlexMabry/terraform-provider-aws that referenced this issue Jul 19, 2017
radeksimko added a commit that referenced this issue Jul 19, 2017
Issue #143 - Add aws_iot_policy resource based on work from @jhedev
@rob-smallshire

@AlexMabry Thanks for picking up this work! I've been on vacation since I last visited.

@abferm

abferm commented Feb 15, 2018

Is anyone currently working on this? I'd love to not have to manually attach policies to my certificates.

@rob-smallshire

rob-smallshire commented Feb 16, 2018

@abferm I don't know of anyone working on Policy Attachment. If you haven't seen it already, there is relevant code in hashicorp/terraform#6961. The process of extracting resource providers from that old PR and resubmitting individually in this repo seems to be slowly succeeding.

@Ninir
Contributor

Ninir commented Feb 20, 2018

@abferm IoT Thing type just got merged and should be in starting from TF AWS Provider 1.10.
Will work on other ones right after!

@radeksimko
Member

aws_iot_thing PRed here: #3521

@rafaljanicki

Hey Guys,

I was wondering if you plan to support AWS::IoT::ThingPrincipalAttachment as well in order to easily attach a certificate to the IoT thing. Here's a CF documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-thingprincipalattachment.html

@srjithsn

Hi, any update on @rafaljanicki's request? Is there any plan for adding a resource for certificate attachment in iot_thing?

@rafaljanicki

rafaljanicki commented Oct 15, 2018

@srjithsn FYI, for now I'm using the following workaround:

```hcl
resource "null_resource" "attach_thing_to_certificate" {
  triggers {
    certificate_arn = "<certificate_arn>"
  }

  provisioner "local-exec" {
    command = "aws iot attach-thing-principal --thing-name <thing_name> --principal <certificate_arn> --region <region>"
  }
}
```

@bflad
Contributor

bflad commented Oct 15, 2018

There are two open PRs for additional IoT resources:

Both are waiting on the original author to implement feedback at the moment.

@bflad
Contributor

bflad commented Oct 29, 2018

The above two new resources have been merged and will release with version 1.42.0 of the AWS provider, likely by Wednesday.

I think we are reaching a point where the "definition of done" for a generic IoT support issue becomes hard -- so if there are other specific feature requests you are looking for, please feel free to create new issues. Thanks!

@bflad bflad closed this as completed Oct 29, 2018
@rpstreef

rpstreef commented May 4, 2019

Can the Thing Group functionality be added? There are a lot of advantages to using groups within IoT to manage the Thing settings, including certificates and policies.

Thanks!

@ghost

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020