DevOps
Terraform for FreeRTOS IoT Cloud on AWS IoT Core
Provision AWS IoT Core for FreeRTOS devices with Terraform: thing types, policies, certificates, jobs for OTA, and Greengrass core devices.
1 min read
DevOps
Terraform for Zephyr RTOS Cloud and OTA Pipelines
Provision cloud backends for Zephyr RTOS devices with Terraform: MCUboot signing, mcumgr OTA delivery, AWS IoT or Memfault integration.
LLuca Berton1 min read
Zephyr RTOS is the Linux Foundation's open-source RTOS, broadly adopted across Nordic, NXP, STMicro, Espressif, and Intel boards. Zephyr OTA flows through MCUboot-signed images; the cloud side is whatever you choose — AWS IoT, Azure IoT Hub, or specialized services like Memfault. Terraform stages the artifact bucket, OTA jobs, and observability.
Signed Firmware Bucket
#resource "aws_s3_bucket" "zephyr_fw" {
bucket = "zephyr-fw-${var.env}"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "zephyr_fw" {
bucket = aws_s3_bucket.zephyr_fw.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.fw.arn
}
}
}
resource "aws_s3_object" "fw_image" {
bucket = aws_s3_bucket.zephyr_fw.id
key = "v${var.fw_version}/app.signed.bin"
source = var.signed_image_path
etag = filemd5(var.signed_image_path)
}MCUboot Public Key in Parameter Store
#resource "aws_ssm_parameter" "mcuboot_pub" {
name = "/zephyr/mcuboot/pub"
type = "SecureString"
value = file(var.mcuboot_public_pem)
}OTA via IoT Job (mcumgr-Compatible Manifest)
#resource "aws_iot_job" "zephyr_ota" {
job_id = "zephyr-${var.fw_version}"
targets = [aws_iot_thing_group.zephyr.arn]
document = jsonencode({
image_url = "https://${aws_s3_bucket.zephyr_fw.bucket_regional_domain_name}/v${var.fw_version}/app.signed.bin"
image_sha = var.fw_sha256
slot = "secondary"
confirm = false
})
presigned_url_config {
role_arn = aws_iam_role.iot_jobs.arn
expires_in_sec = 3600
}
}Best Practices
#- Sign every image — Zephyr boots refuse unsigned images by default with MCUboot.
- Two-slot upgrade (active/standby) is the only safe pattern — never overwrite the running slot.
- Confirm-on-success — mark image good after device runs N hours, not on first boot.
- Per-board build matrices — Zephyr cares about target HW; ship OTAs gated by board name.
Related
##Terraform#Zephyr#RTOS#MCUboot#OTA
Related articles
DevOps
Terraform for ThreadX and Azure RTOS Devices on Azure IoT Hub
Provision Azure IoT Hub for ThreadX / Azure RTOS (now Eclipse ThreadX) devices with Terraform: IoT Hub, DPS, Device Update for IoT Hub.
1 min read
DevOps
Terraform for Android Automotive OS: Connected-Car Backends
Provision Android Automotive OS connected-car backends with Terraform: vehicle telemetry, OTA updates, maps APIs, and secure ingestion pipelines.
1 min read
DevOps
Terraform for QNX Connected-Car Cloud Backends
Provision QNX-vehicle cloud backends with Terraform: telemetry ingestion, OTA, BlackBerry IVY data services, and AWS / Azure Connected Vehicle stacks.
1 min read