
AWS IoT support #6138

Closed
Flygsand opened this issue Apr 12, 2016 · 5 comments

@Flygsand

Opening this to spec out Terraform support for AWS IoT.

Thing
Represents a thing in the thing registry.

# Registers a thing named "MyDevice3" in the thing registry and attaches one principal to it.
# Attaching a principal does not by itself grant permissions; those come from the
# IoT policies attached to that principal (see aws_iot_policy_attachment).
resource "aws_iot_thing" "device3" {
  name = "MyDevice3"
  # Principals attached to the thing; here the ARN exported by aws_iot_certificate.cert.
  principals = ["${aws_iot_certificate.cert.arn}"]

  # Key/value attributes stored with the thing.
  attributes {
    Manufacturer = "Amazon"
    Type = "IoT Device A"
    SerialNumber = "10293847562912"
  }
}
// Create registers the thing and then attaches each configured principal to it.
// The results of the iot calls are not inspected in this sketch.
// NOTE(review): if an attach fails after CreateThing succeeded, the thing exists
// with only some of its principals; a real implementation should surface the
// error so the partial state is recorded — confirm against provider conventions.
func Create(t Thing) {
  iot.CreateThing(t)
  // NOTE(review): assumes a one-variable range over t.principals yields the
  // principal itself; over a slice it would yield the index — confirm the type.
  for p := range t.principals {
    iot.AttachThingPrincipal(t, p)
  }
}

// Read refreshes t by passing the DescribeThing result to update.
// NOTE(review): DescribeThing is the only call visible here. If its result does
// not include attached principals, a principal attached outside Terraform would
// not show up as drift; ListThingPrincipals may be needed — confirm.
func Read(t Thing) {
  update(t, iot.DescribeThing(t))
}

// Update reconciles the thing's principals with the configuration and then
// pushes the remaining changes with UpdateThing.
// principalAttachmentChanges supplies the two sets: principals to detach and
// principals to attach.
func Update(t Thing) {
  toBeDetached, toBeAttached := principalAttachmentChanges(t)

  // Detach first: principals removed from the configuration lose their
  // association before any new principal is added.
  for p := range toBeDetached {
    iot.DetachThingPrincipal(t, p)
  }

  // NOTE(review): between the two loops the thing may have no principal
  // attached; results of the calls are not checked in this sketch.
  for p := range toBeAttached {
    iot.AttachThingPrincipal(t, p)
  }

  iot.UpdateThing(t)
}

// Delete detaches every configured principal from the thing and then deletes
// the thing itself.
// NOTE(review): only t.principals is walked; a principal attached outside
// Terraform would stay attached when DeleteThing is called — confirm whether
// the live attachment list should be used instead.
func Delete(t Thing) {
  for p := range t.principals {
    iot.DetachThingPrincipal(t, p)
  }

  iot.DeleteThing(t)  
}

Certificate
Represents an X.509 certificate for use with IoT.

# Issues an IoT certificate from a certificate signing request.
# Only the CSR is read here; the matching private key is not part of this
# configuration, so it does not need to be handed to Terraform.
resource "aws_iot_certificate" "cert" {
  csr = "${file("/my/csr.pem")}"
  # NOTE(review): presumably maps to the certificate status (Delete below sets
  # NewStatus "INACTIVE"); setting this to false would be the way to disable a
  # certificate without destroying it — confirm.
  active = true 
}
// Create issues the certificate by passing c to CreateCertificateFromCsr.
// NOTE(review): the call takes the whole resource; how csr and active are
// mapped onto the request is not shown in this sketch.
func Create(c Certificate) {
  iot.CreateCertificateFromCsr(c)
}

// Read refreshes c by passing the DescribeCertificate result to update.
// NOTE(review): if the status is read back here, a certificate deactivated or
// revoked outside Terraform would surface as drift on `active` — confirm that
// update stores the status.
func Read(c Certificate) {
  update(c, iot.DescribeCertificate(c))
}

// Update applies a configuration change to the certificate.
// A changed CSR is handed to forceNewResource (presumably replacement of the
// certificate — confirm); every other change goes through UpdateCertificate.
func Update(c Certificate) {
  // CSR changed: do not touch the existing certificate in place.
  if hasChanged(c.csr) {
    forceNewResource(c)
    return
  }

  // CSR unchanged: push the remaining changes to the existing certificate.
  iot.UpdateCertificate(c)
}

// Delete first sets the certificate status to "INACTIVE" and then deletes it.
// NOTE(review): DeleteCertificate is documented to reject certificates that
// still have policies or things attached. Those detach steps live in other
// resources (aws_iot_policy_attachment, the principals of aws_iot_thing), so
// destroy ordering matters — confirm the dependency graph guarantees it.
// NOTE(review): the result of the deactivation is not checked; the delete is
// attempted either way in this sketch.
func Delete(c Certificate) {
  iot.UpdateCertificate(c, Input{NewStatus: "INACTIVE"})
  iot.DeleteCertificate(c)
}

Policy
Represents permissions for IoT clients.

# Example IoT policy named "PubSubToAnyTopic".
# NOTE(review): "iot:*" on "*" allows every IoT action on every resource for any
# principal the policy is attached to, which is far more than publish/subscribe.
# It is suitable for a demo only; real policies should list the specific actions
# (iot:Connect, iot:Publish, iot:Subscribe, iot:Receive) and the client and
# topic ARNs a device actually needs.
resource "aws_iot_policy" "pubsub" {
  name = "PubSubToAnyTopic"
  # Policy document as a JSON heredoc.
  policy = <<EOF
{
  "Version": "2012-10-17", 
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iot:*"],
    "Resource": ["*"]
  }]
}
EOF
}
// Create creates the policy by passing p to CreatePolicy.
// The result of the call is not inspected in this sketch.
func Create(p Policy) {
  iot.CreatePolicy(p)
}

// Read refreshes p by passing the GetPolicy result to update.
// NOTE(review): presumably this returns the default version's document, so a
// policy widened outside Terraform would surface as drift — confirm.
func Read(p Policy) {
  update(p, iot.GetPolicy(p))
}

// Update publishes the changed document as a new policy version and makes it
// the default. Older versions are pruned first to leave room for the new one.
func Update(p Policy) {
  // Ensure no more than 4 versions exist before adding one (via DeletePolicyVersion).
  // NOTE(review): the default version cannot be deleted, so pruning has to skip
  // it and remove non-default versions only — confirm in prunePolicyVersions.
  prunePolicyVersions(p)
  // SetAsDefault makes the new document take effect for attached principals.
  iot.CreatePolicyVersion(p, Input{SetAsDefault: true})
}

// Delete removes every non-default version of the policy and then deletes the
// policy itself.
// NOTE(review): DeletePolicy is documented to fail while the policy is still
// attached to a principal; the detach happens in aws_iot_policy_attachment, so
// destroy ordering matters — confirm.
func Delete(p Policy) {
  deletePolicyVersions(p) // delete all non-default policy versions (DeletePolicyVersion)
  iot.DeletePolicy(p)
}

Policy attachment
Represents the attachment of one or more IoT policies to a principal (certificate, Cognito ID or IAM entity).

# Attaches the listed IoT policies to one principal. This is the step that
# actually grants the certificate its permissions.
resource "aws_iot_policy_attachment" "cert_policies" {
  # The principal receiving the policies; here the certificate's ARN.
  principal = "${aws_iot_certificate.cert.arn}"
  # Policies are referenced by name, not ARN.
  policies = ["${aws_iot_policy.pubsub.name}"]
}
// Create attaches each configured policy to a.principal, one call per policy.
// NOTE(review): results are not checked; a failure part-way leaves the
// principal with only some of the intended policies.
func Create(a PolicyAttachment) {
  for p := range a.policies {
    iot.AttachPrincipalPolicy(a.principal, p)
  }
}

// Read refreshes a by passing the ListPrincipalPolicies result for a.principal
// to update.
// NOTE(review): if update stores the full list, a policy attached to the
// principal outside Terraform would surface as drift — confirm, and confirm
// that paginated results are handled.
func Read(a PolicyAttachment) {
  update(a, iot.ListPrincipalPolicies(a.principal))
}

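// Update reconciles the policies attached to a.principal with the configuration.
// policyAttachmentChanges supplies the policies to detach and the policies to
// attach. Detaches run before attaches, so permissions removed from the
// configuration are revoked before new ones are granted.
// The results of the iot calls are not inspected in this sketch.
func Update(a PolicyAttachment) {
  toBeDetached, toBeAttached := policyAttachmentChanges(a)

  // NOTE(review): assumes a one-variable range yields the policy name itself;
  // over a slice it would yield the index — confirm the returned types.
  for p := range toBeDetached {
    iot.DetachPrincipalPolicy(a.principal, p)
  }

  for p := range toBeAttached {
    // Principal and policy are separate arguments, as in Create and Delete;
    // the original "a.principal. p" read as a field selector and dropped the policy.
    iot.AttachPrincipalPolicy(a.principal, p)
  }
}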

// Delete detaches each configured policy from a.principal.
// NOTE(review): only a.policies is walked; policies attached to the principal
// outside Terraform remain attached after this resource is destroyed.
func Delete(a PolicyAttachment) {
  for p := range a.policies {
    iot.DetachPrincipalPolicy(a.principal, p)
  }
}

Topic rule
Represents a rule for processing messages to an MQTT topic.

# Proposed schema for a topic rule: a SQL statement selecting messages from an
# MQTT topic plus one block per supported action. The empty strings below are
# placeholders that show the available fields, not working values.
# NOTE(review): every action except lambda takes a role_arn. Each role should be
# limited to the single target the action writes to (one table, stream, bucket,
# queue or topic), and its trust policy limited to the IoT service — confirm
# when writing the resource documentation.
resource "aws_iot_topic_rule" "rule" {
  name = "MyRule"
  description = "Example rule"
  enabled = true
  # SELECT * forwards the whole message payload to every configured action.
  # NOTE(review): the trailing ';' after the string is probably not valid HCL — confirm.
  sql = "SELECT * FROM 'topic/test'";

  cloudwatch_alarm {
    alarm_name = ""
    role_arn = ""
    state_reason = ""
    state_value = ""
  }

  cloudwatch_metric {
    metric_name = ""
    metric_namespace = ""
    metric_timestamp = ""
    metric_unit = ""
    metric_value = ""
    role_arn = ""
  }

  dynamodb {
    hash_key_field = ""
    hash_key_value = ""
    payload_field = ""
    range_key_field = ""
    range_key_value = ""
    role_arn = ""
    table_name = ""
  }

  elasticsearch {
    endpoint = ""
    id = ""
    index = ""
    role_arn = ""
    type = ""
  }

  firehose {
    delivery_stream_name = ""
    role_arn = ""
  }

  kinesis {
    partition_key = ""
    role_arn = ""
    stream_name = ""
  }

  # No role_arn here: only the function ARN is configured for this action.
  lambda {
    function_arn = ""
  }

  republish {
    role_arn = ""
    topic = ""
  }

  s3 {
    bucket_name = ""
    key = ""
    role_arn = ""
  }

  sns {
    message_format = ""
    role_arn = ""
    target_arn = ""
  }

  sqs {
    queue_url = ""
    role_arn = ""
    use_base64 = false
  }
}
// Create creates the rule by passing r to CreateTopicRule.
// The result of the call is not inspected in this sketch.
func Create(r TopicRule) {
  iot.CreateTopicRule(r)
}

// Read refreshes r by passing the GetTopicRule result to update.
// NOTE(review): if update stores the actions and their role ARNs, a rule
// redirected to another target outside Terraform would surface as drift — confirm.
func Read(r TopicRule) {
  update(r, iot.GetTopicRule(r))
}

// Update replaces the stored rule with r through ReplaceTopicRule.
// NOTE(review): this is a whole-rule replacement rather than a field-level
// patch, so r has to carry every action that should remain — confirm.
func Update(r TopicRule) {
  iot.ReplaceTopicRule(r)
}

// Delete removes the rule by passing r to DeleteTopicRule.
// NOTE(review): the IAM roles referenced by the rule's actions are separate
// resources and are not touched here.
func Delete(r TopicRule) {
  iot.DeleteTopicRule(r)
}
@gavinheavyside

@protomouse We're really interested in IoT support in Terraform, and we don't want to duplicate any effort if there is work in progress. What is your status, and is there anything we can do to help?

@Flygsand
Author

@gavinheavyside No further work has been done on this, and I'm afraid there are currently no internal needs that enable us to drive implementation forward in the foreseeable future.

@jhedev

jhedev commented May 17, 2016

I started working on it. So far I can already create IoT things; other than that it's mostly just schema descriptions.

As soon as more resources are working I'll open a PR for feedback.

@apparentlymart apparentlymart changed the title IoT support AWS IoT support May 17, 2016
@jhedev

jhedev commented Jun 28, 2016

My implementation proposed in #6961 is basically working. I guess, it just requires some tests etc.

Any help with testing is appreciated :)

@ghost

ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 11, 2020