Using Terraform to create AWS IoT Things
In this post you will learn how to use Terraform to create AWS IoT Certificates, a Policy attached to those Certificates, and AWS IoT Things with the Certificates attached.
Atul Chaudhari
Amazon Employee
Published Jun 24, 2024
Terraform is a widely used Infrastructure as Code tool for managing cloud infrastructure. This post introduces using Terraform as an Infrastructure-as-Code (IaC) tool to create 1/ an IoT Policy, 2/ a new Certificate with the IoT Policy attached to it, and 3/ an IoT Thing with the Certificate attached.
The Terraform code shared in this GitHub repository creates a unique Certificate for each IoT Thing defined in the configuration file. A template of the IoT Policy it creates is shown in the code block. The Policy restricts devices to publishing and subscribing to the topic defined in the code, as shown in the code block, and to connecting with the Thing name used when the IoT Thing was created.
IoT devices connect to AWS IoT Core using these Certificates, hence we create a unique Certificate for each device. The Policy defined in the code improves security: it only allows an IoT device to connect to AWS IoT Core using an MQTT ClientID equal to its Thing name, and it only allows Publish and Subscribe on the topic defined in the Resource section of the Statement in the code block.
Note: Certificates and their private keys are stored as sensitive data in the Terraform state file; the terraform output command can be used to retrieve them.
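The three-step build described above, as an added example that is not the code from the post's repository: one least-privilege IoT Policy, then a unique Certificate per Thing name attached to that Policy and to its Thing. The variable names, resource labels, data sources and the thing_pvtkey output shape are assumptions.

```hcl
variable "thing_names" { type = list(string) }   # assumed, e.g. ["thing01", "thing02"]
variable "policy_name" { type = string }         # assumed, e.g. "demoterraformpolicy"
variable "mqtt_topic"  { type = string }         # assumed, e.g. "demoterraformtopic"

data "aws_caller_identity" "me" {}
data "aws_region" "here" {}
locals {
  iot_arn = "arn:aws:iot:${data.aws_region.here.name}:${data.aws_caller_identity.me.account_id}"
}

# Least privilege: a device may only connect with its own Thing name as the MQTT
# client ID ($${...} keeps the IoT policy variable literal), and may only publish,
# receive and subscribe on the single configured topic.
resource "aws_iot_policy" "device" {
  name = var.policy_name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = ["iot:Connect"],
        Resource = "${local.iot_arn}:client/$${iot:Connection.Thing.ThingName}" },
      { Effect = "Allow", Action = ["iot:Publish", "iot:Receive"],
        Resource = "${local.iot_arn}:topic/${var.mqtt_topic}" },
      { Effect = "Allow", Action = ["iot:Subscribe"],
        Resource = "${local.iot_arn}:topicfilter/${var.mqtt_topic}" }
    ]
  })
}

resource "aws_iot_certificate" "device" {
  for_each = toset(var.thing_names)   # one key pair and certificate per Thing
  active   = true
}
resource "aws_iot_policy_attachment" "device" {
  for_each = aws_iot_certificate.device
  policy   = aws_iot_policy.device.name
  target   = each.value.arn
}

resource "aws_iot_thing" "device" {
  for_each = toset(var.thing_names)
  name     = each.key
}
# Attaching the certificate to the Thing is what lets iot:Connection.Thing.ThingName resolve.
resource "aws_iot_thing_principal_attachment" "device" {
  for_each  = aws_iot_thing.device
  thing     = each.value.name
  principal = aws_iot_certificate.device[each.key].arn
}

# Private keys exist only in the Terraform state and this sensitive output.
output "thing_pvtkey" {
  value     = { for k, c in aws_iot_certificate.device : k => c.private_key }
  sensitive = true
}
```

Because the Connect statement is keyed on iot:Connection.Thing.ThingName, a certificate that is not attached to a Thing cannot connect at all, which is the intended fail-closed behaviour.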
- An active AWS account.
- AWS Command Line Interface (AWS CLI) configured.
- Set the AWS environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN` and `AWS_DEFAULT_REGION`.
- Use this link to learn more about setting environment variables.
- git and Terraform installed.
To use this code in a production environment, all Terraform state files should be stored in Amazon Simple Storage Service (Amazon S3) buckets, a Git repository or other secure storage, since the state holds the device Certificates and private keys. Enable versioning when using S3 buckets.
- Verify the AWS environment variables are set and check the assumed role.
- Create a tfvars file as shown below with the AWS account number and the AWS region where the AWS IoT Things and Certificates need to be created. Set the name of the AWS IoT Policy that should be created and attached to the AWS IoT X.509 Certificates that will be created. Set the AWS IoT MQTT topic to which the IoT Things can publish and subscribe using the Certificate and the Policy.
In this example.tfvars file, 3 IoT Things are requested with the Policy name "demoterraformpolicy" and the MQTT topic "demoterraformtopic".
- Next run
ls -lh
to confirm the terraform files and the tfvars file are in the current working directory.
- Run
terraform init
to initialize the working directory and download the required provider packages. Your terminal output should look as shown below:
- You can run
terraform plan -var-file=example.tfvars
to review the resources that will be created before creating these resources.
- Finally create the AWS IoT Things using Terraform with
terraform apply -var-file=example.tfvars -auto-approve
- Let's verify them in the AWS Console: log in to the AWS Console, search for AWS IoT Core, and set the region to US-WEST-2. Expand the All devices menu in the left sidebar and click on Things. You should see the newly created Things listed in the example.tfvars file.
- Click on thing01 to review the Thing created and the Certificate attached. Next click on the certificate id as shown in the screenshot below:
- The Certificate page shows the AWS IoT Policy created as defined in the Terraform scripts, and that the Certificate is attached to the AWS IoT Thing thing01.
- The new Policy shows the permissions as defined in the data.tf Terraform file: Connect, Receive, Publish and Subscribe.
- Next, the Root CA1 and the AWS IoT Thing Certificates can be extracted from the Terraform output using these commands:
terraform output -json | jq -r '.AmazonRootCA1_response.value'
to show the Amazon Root CA1;
terraform output -json | jq -r '.thing_cert.value[]'
to show the list of X.509 certificates;
terraform output -json | jq -r '.thing_pvtkey.value[]'
to show the list of private keys.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.