Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Serverless IoT with Greengrass, Ansible and AWS CDK

20d0ddc61e80bce04a63680da0160756?s=47 Aletheia
September 30, 2020

Serverless IoT with Greengrass, Ansible and AWS CDK

Discover how AWS CDK and Lambda can be used to automatize IoT

20d0ddc61e80bce04a63680da0160756?s=128

Aletheia

September 30, 2020
Tweet

Transcript

  1. www.neosperience.com | blog.neosperience.com | info@neosperience.com Neosperience Empathy in Technology Serverless

    IoT with Greengrass, Ansible and AWS CDK September, 30th 2020
  2. Luca Bianchi Who am I? github.com/aletheia https://it.linkedin.com/in/lucabianchipavia https://speakerdeck.com/aletheia Chief Technology

    Officer @ Neosperience Chief Technology Officer @ WizKey Serverless Meetup and ServerlessDays Italy co-organizer www.bianchiluca.com @bianchiluca
  3. Air quality means life quality About HVAC systems Alisea is

    an Italian based company with 20+ years expertise in providing the best and safest solutions for heating, ventilation and air conditioning (HVAC) system worldwide. It’s a NADCA certified company pioneering this industry with innovative techniques. Neosperience Enterprise is the B2B focused branch of Neosperience group, supporting companies to innovate their market through smart product strategies leveraging Artificial Intelligence, IoT, cloud, and blockchain. Remotair is the smart product leveraging Neosperience technology and Alisea expertise to disrupt HVAC systems cleaning market.
  4. why is it relevant?

  5. Remotair system architecture

  6. A smart core sensor built on RaspberryPi CM3 supporting remote

    and local sensors A look into Remotair IoT Ad hoc sensor board: - wired sensors directly connected to I2C bus - wireless sensors connected OTA - acts as an edge gateway - collects and forwards data to the cloud - receives OTA software logic updates Requirements: - a single customer can have many plants with many Remotair devices - cloud native application deployed into customers’ AWS accounts - new device provisioning can be customized - receives OTA software logic updates
  7. Extend cloud services seamlessy to the edge AWS Greengrass Allows

    Lambda Functions and docker containers to be defined in cloud and deployed to an edge device (named a greengrass core) to process data flowing from devices and issue control commands. Supports a variety of connectors to AWS services, and provides local MQTT channels to handle communication.
  8. Let’s consider a reduced version of this architecture IoT architecture

    (simplified) To simplify the overall architecture, we consider a simple version of Remotair deployment, with - a sensor device - a Remotair board - a local business logic - an IoT topic - an AWS Greengrass core - a cloud Lambda function acting as a proxy to cloud services - no connectors
  9. AWS Greengrass resources

  10. provisioning a new device

  11. Provisioning a new Remotair Device 1. Device thing creation 2.

    Roles creation 3. Core and Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup IoT Thing Provisioning: performs actions in cloud to create IoT Shadow, Policies, and certificates AWS Greengrass setup: creates all the required resources in cloud to handle local Greengrass group setup and configures all the resources needed by the config.json of the GG runtime Device configuration: is the initial step to configure device operative system and install AWS IoT libraries and AWS Greengrass daemon
  12. Ansible allows to setup from a fresh OS install Setting

    up a new device Device operative system should be provided on a bootable storage. Raspberry CM3 boards require a Raspberry Pi OS version, on an SD card. On startup a systemd routine checks for Wi-Fi and if not available switches the board into access point. An external application can setup Wi-Fi credentials. Through Ansible is possible to start from a bare image, then add libraries and configurations. Greengrass can be installed with its dependencies and started as process daemon. Suitable also for testing environments and to ensure deployments immutability. 1. Device thing creation 2. Roles creation 3. Core and Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup 0. Device setup
  13. IoT thing certificates

  14. Every thing needs to be provisioned and configured Creating an

    IoT Core Thing 1. Device thing creation 2. Roles creation 3. Core and Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup Creating a new Greengrass Core means setting up its thing before providing a valid configuration file to GG daemon. Setting up a new thing is a classical “chicken and egg” problem: devices need credentials to access AWS resources and obtain a certificate which, in turn, enables them to access AWS resources different approaches: - installing certificates on IoT devices before they are delivered - provisioning by trusted users - provisioning by claim - certificate token vending machine
  15. Provision new certificates when the device attempt to connect Just-in-time

    provisioning (JITP) - a registered certificate authority (CA) issues a certificate which is used to attempt a connection to AWS IoT - the payload of the request contains a template to craft a request for a new IoT certificate - a thing and its policy can be created using the template - the policy is attached to the certificate - the certificate is attached to the thing 1. Device thing creation 2. Roles creation 3. Core and Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup Evaluation ✓ unattended setup is possible ✓ no external app required ✗ device is in full control of the credentials ✗ security could be an issue ✗ configuration is hard (JITP are difficult to write)
  16. Create a workflow with an authenticated app Provisioning by trusted

    users 1. Device thing creation 2. Roles creation 3. Core and Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup 1. Call CreateProvisioningTemplate to create a provisioning template and return its templateArn and templateName. 2. Create an IAM role that is used by a trusted user to initiate the provisioning process. 3. Give the AWS IoT service permission to create or update IoT resources 4. Provide an user access to the app and obtain IAM role associated to the login (with permissions) 5. The mobile app or web application uses the IAM role and calls CreateProvisioningClaim to obtain a temporary provisioning claim certificate from AWS IoT. 6. Supply the temporary certificate to the device that connects to IoT and claims a certificate Evaluation ✓ security is enforced ✓ device needs to perform handshaking ✓ configuration is easy ✗ requires an external app ✗ requires user explicit approval
  17. A device-only certificate claim Self provisioning certificate 1. Device thing

    creation 2. Roles creation 3. Core and Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup 1. Call CreateProvisioningTemplate to create a provisioning template 2. Create certificates and associated private keys to be stored securely on device 3. Assign to created certificate a restricted set of permissions 4. Define a policy that allows AWS IoT to manage things 5. Embed certificate securely on the device 6. The device calls AWS IoT (or publishes a request on an MQTT topic) then claims an effective certificate Evaluation ✓ security is enforced (only with encryption of certificates) ✓ no external app required ✓ configuration is easy ✗ unattended provisioning
  18. A service managing certificate requests, powered by CDK AWS IoT

    Vending Machine 1. Device thing creation 2. Roles creation 3. Core and Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup 1. A Thing device issues a request for a certificate, to an APIGateway endpoint with a websocket. 2. Request contains a token / serial number 3. Lambda processes the request and looks into a DynamoDB Table for a match of the provided token 4. If no match is returned, the new token is added to the DDB Table and admins get notified, to enable the new device 5. When a match is found, Lambda invokes AWS IoT to issue a certificate and create a corresponding thing 6. Certificate is sent back to device Evaluation ✓ security is enforced (devices contain public data) ✓ device needs to perform handshaking ✓ external app is not required (cloud handles certs) ✓ configuration is easy ✓ user explicit approval is not mandatory ✓ provisioning can be a two-phase process ✓ devices could be pre-authorized
  19. Greengrass

  20. Setting up Greengrass 1. Device thing creation 2. Roles creation

    3. Core and Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup A simple shell rule (for a Linux environment) runs CDK to create: - a Greengrass core and its version - at least one Greengrass role for each resource to execute code and access cloud - log groups and log definitions - eventual group resources - group connectors to industrial services Using CloudFormation instead of AWS IoT APIs provides rollback and resource deletion capabilities, just deleting the corresponding stack AWS CDK allows to release this stack as a component to be integrated and extended for customization CDK is run from the device / Ansible to provision cloud resources
  21. Setting up Greengrass Greengrass Core Group Core Logger Resource Connector

    version Core Version Logger Version Resource Version Connector Version 1. Device thing creation 2. Roles creation 3. Core and Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup CDK is run from the device / Ansible to provision cloud resources
  22. CDK is run from the device / Ansible to provision

    cloud resources Setting up Greengrass A single Greengrass Core Group has one or more version of a set of resources that provide local services to local deployment. A Core must be related to an IoT Core that qualifies a device as an IoT thing. Instantiating a new Greengrass Core requires having a thing correctly provisioned into our cloud environment. 1. Device thing creation 2. Roles creation 3. Core and Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup
  23. 1. Device thing creation 2. Roles creation 3. Core and

    Core Version creation 4. Logger, resources and connector creation 5. Greengrass group definition and resource linking to versions 0. Device setup Setting up Greengrass CDK is run from the device / Ansible to provision cloud resources
  24. putting all together

  25. Remotair system architecture

  26. Remotair system architecture

  27. Remotair system architecture

  28. Remotair system architecture

  29. Ideas about device provisioning Wrap up - AWS IoT provisioning

    is an open task - Ansible could be an enabling technology (i.e. for a master controller) - Getting a certificate for a device could be achieved by a certificate vending machine - Greengrass provisioning could be done either from a controller or the device itself - Greengrass is a game changer (cloud Lambda and container deployments, OTA updates) - consider starting with docker on bare OS and configure through Ansible
  30. Links Resources AWS IoT device provisioning https://docs.aws.amazon.com/iot/latest/developerguide/iot-provision.html AWS greener grass

    https://github.com/t04glovern/aws-greener-grass AWS IoT certificate vending machine https://github.com/awslabs/aws-iot-certificate-vending-machine AWS Greengrass the missing manual https://read.acloud.guru/aws-greengrass-the-missing-manual-2ac8df2fbdf4
  31. Thank you.

  32. bit.ly/cdkday-20200930

  33. Empathy in Technology

  34. www.neosperience.com | blog.neosperience.com | info@neosperience.com