hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

AWS IoT Certificate Authority Registration #15840

Closed KyleKotowick closed 10 months ago

KyleKotowick commented 3 years ago


Description

AWS IoT supports importing certificate authority certificates (documentation). There is currently no corresponding resource for this. This feature request is for adding such a resource, as well as a data source for retrieving the required "registration code".

New or Affected Resource(s)

Potential Terraform Configuration

# Proposed data source: the account/region registration code that the
# verification certificate's CN must carry.
data "aws_iot_registration_code" "code" {}

# Proposed resource: register a customer CA with AWS IoT.
resource "aws_iot_certificate_authority" "CA" {
  ca_certificate_body           = "PEM-encoded cert here"
  verification_certificate_body = "PEM-encoded cert here"
  auto_registration             = true
  enabled                       = true
}

References

dvidben commented 2 years ago

This feature will be a great addition to Terraform.

Currently, one way to accomplish this is using an external data block and a few Terraform local-exec provisioners using AWS CLI commands: https://docs.aws.amazon.com/cli/latest/reference/iot/register-ca-certificate.html

The un-registration process requires similar commands to first inactivate the CA cert: https://docs.aws.amazon.com/cli/latest/reference/iot/update-ca-certificate.html

And a final CA delete command for a full account clean-up: https://docs.aws.amazon.com/cli/latest/reference/iot/delete-ca-certificate.html

The last 2 parts would need to be provided to local-exec provisioners when the destroy happens. As you can see, this custom solution is a little overwhelming, and the components proposed above will provide a cleaner solution.

galsilb commented 1 year ago

JITP is now the recommended way by AWS for provisioning multiple "things". There is also another issue with the iot_provisioning_template: we can't change the type from "FLEET_PROVISIONING" to "JITP" (create-provisioning-template).

I'm sharing my code for adding a new provisioning template and registering a CA to it. It works for both adding and removing.


# Assumes aws_iot_policy.device_policy, aws_iam_role.iot_fleet_provisioning and
# var.iot_custom_ca (the CA certificate, PEM-encoded) are defined elsewhere in the module.
resource "null_resource" "aws_iot_provisioning_template" {

  # Any change to the template body replaces the resource: the destroy-time
  # provisioner deletes the old template, then the create-time one recreates it.
  triggers = {
    template_body = jsonencode(
      {
        "Parameters": {
          "AWS::IoT::Certificate::CommonName": {
            "Type": "String"
          },
          "AWS::IoT::Certificate::Id": {
            "Type": "String"
          }
        },
        "Resources": {
          "policy": {
            "Type": "AWS::IoT::Policy",
            "Properties": {
              "PolicyName": aws_iot_policy.device_policy.name
            }
          },
          "certificate": {
            "Type": "AWS::IoT::Certificate",
            "Properties": {
              "CertificateId": {
                "Ref": "AWS::IoT::Certificate::Id"
              },
              "Status": "Active"
            }
          },
          "thing": {
            "Type": "AWS::IoT::Thing",
            "OverrideSettings": {
              "AttributePayload": "MERGE",
              "ThingGroups": "DO_NOTHING",
              "ThingTypeName": "REPLACE"
            },
            "Properties": {
              "AttributePayload": {},
              "ThingGroups": [],
              # The device certificate's CN becomes the thing name.
              "ThingName": {
                "Ref": "AWS::IoT::Certificate::CommonName"
              }
            }
          }
        }
      }
    )
  }

  # Create the JITP template. `set -e` makes a failed CLI call fail the apply
  # instead of leaving a half-created resource in state.
  provisioner "local-exec" {
    command = <<EOF
      set -e
      echo '${self.triggers.template_body}' > template.json
      aws iot create-provisioning-template --template-name FleetTemplate \
        --template-body file://template.json \
        --enabled \
        --provisioning-role-arn ${aws_iam_role.iot_fleet_provisioning.arn} \
        --type JITP
    EOF
  }

  provisioner "local-exec" {
    when    = destroy
    command = <<EOF
      aws iot delete-provisioning-template --template-name FleetTemplate
    EOF
  }
}

resource "null_resource" "aws_iot_ca" {
  # Replacing the CA PEM replaces the registration (destroy first, then register).
  triggers = {
    iot_custom_ca = var.iot_custom_ca
  }

  # The template must exist before a CA can reference it, and must outlive it.
  depends_on = [
    null_resource.aws_iot_provisioning_template
  ]

  # SNI_ONLY mode needs no verification certificate, so no registration code is
  # fetched here; DEFAULT mode would additionally require --verification-certificate.
  provisioner "local-exec" {
    command = <<EOF
      set -e
      aws iot register-ca-certificate \
        --ca-certificate "${self.triggers.iot_custom_ca}" \
        --registration-config templateName=FleetTemplate \
        --certificate-mode SNI_ONLY \
        --set-as-active --allow-auto-registration \
        --query certificateId --output text
    EOF
  }

  # A CA must be INACTIVE before it can be deleted. `--output text` returns the
  # IDs whitespace-separated, so no jq dependency is needed; the JMESPath
  # expression is quoted so the shell cannot glob-expand `[*]`.
  provisioner "local-exec" {
    when    = destroy
    command = <<EOF
      set -e
      CA_LIST=$(aws iot list-ca-certificates --template-name FleetTemplate \
        --query 'certificates[*].certificateId' --output text)
      for i in $CA_LIST
      do
          aws iot update-ca-certificate --certificate-id $i --new-status INACTIVE
          aws iot delete-ca-certificate --certificate-id $i
      done
    EOF
  }
}

jug-smile commented 1 year ago

Hi, any news about this feature @KyleKotowick?

It will be really useful to us.

Thanks

github-actions[bot] commented 10 months ago

This functionality has been released in v5.26.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
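As an added example (not code from the issue, from any commenter, or from the provider's own documentation), the flow the original request asked for, written against the resources that shipped: the registration code is read from the data source, a short-lived verification certificate whose CN is that code is issued under the customer CA with the hashicorp/tls provider, and the CA is registered in DEFAULT certificate mode and bound to a JITP template. Assumptions: `var.ca_cert_pem` and `var.ca_private_key_pem` hold the CA material, and a provisioning template named `FleetTemplate` already exists (for example via the CLI approach above).

```hcl
# Registration code is fixed per account and region; AWS requires it as the CN
# of a certificate signed by the CA being registered (proof of key possession).
data "aws_iot_registration_code" "this" {}

# Throwaway key for the verification certificate; it is never used by a device.
resource "tls_private_key" "verification" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_cert_request" "verification" {
  private_key_pem = tls_private_key.verification.private_key_pem

  subject {
    common_name = data.aws_iot_registration_code.this.registration_code
  }
}

# Sign the CSR with the customer CA. Assumption: the CA key is supplied as a
# sensitive variable; it (and the issued cert) will be written to state.
resource "tls_locally_signed_cert" "verification" {
  cert_request_pem   = tls_cert_request.verification.cert_request_pem
  ca_private_key_pem = var.ca_private_key_pem
  ca_cert_pem        = var.ca_cert_pem

  validity_period_hours = 24        # only needs to be valid at registration time
  allowed_uses          = ["digital_signature"]
}

resource "aws_iot_ca_certificate" "this" {
  active                  = true
  allow_auto_registration = true
  certificate_mode        = "DEFAULT"

  ca_certificate_pem           = var.ca_cert_pem
  verification_certificate_pem = tls_locally_signed_cert.verification.cert_pem

  # Assumption: "FleetTemplate" is a JITP provisioning template created elsewhere.
  registration_config {
    template_name = "FleetTemplate"
  }
}

variable "ca_cert_pem" {
  type = string
}

variable "ca_private_key_pem" {
  type      = string
  sensitive = true
}
```

Destroying `aws_iot_ca_certificate` handles the deactivate-then-delete ordering that the CLI workaround had to script by hand. The trade-off to weigh is that signing the verification certificate inside Terraform puts the CA private key into the plan and state; if that is unacceptable, issue the verification certificate out of band (a CSR with `CN=<registration code>` signed by the offline CA) and pass only its PEM to `verification_certificate_pem`.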

github-actions[bot] commented 9 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.