refactor: enforce single thing type per thing (AWS IoT limitation)

AWS IoT Core allows only one thing type per thing. Refactored codebase
to remove plural thing type support and enforce singular thing type.

Changes:
- Removed IoTThingTypes parameter and THING_TYPE_NAMES env var
- Updated product_verifier to only handle THING_TYPE_NAME (singular)
- Simplified bulk_importer to process single thing type
- Updated E2E test framework for singular thing type validation
- Fixed unit test isolation issues (env var cleanup in tearDown)
- Updated all documentation (MULTI_ATTACHMENT_GUIDE.md and vendor docs)

Breaking change: IoTThingTypes parameter removed. Use IoTThingType instead.

All unit tests passing (160 passed, 1 xpassed)

Author: rpcme

docs/MULTI_ATTACHMENT_GUIDE.md

@@ -2,7 +2,7 @@
 
 ## Overview
 
-Thingpress now supports attaching multiple policies, thing groups, and thing types to each certificate/thing. This enables enterprise IoT deployment patterns with hierarchical organization.
+Thingpress supports attaching multiple policies and thing groups to each certificate/thing. **Note: AWS IoT Core allows only one thing type per thing.**
 
 ## Parameter Syntax
 
@@ -14,7 +14,7 @@ Use comma-delimited lists for multiple values:
 sam deploy --parameter-overrides \
   IoTPolicies=policy1,policy2,policy3 \
   IoTThingGroups=dept-eng,location-seattle,product-sensor \
-  IoTThingTypes=temp-sensor,humidity-sensor
+  IoTThingType=temp-sensor
 ```
 
 ### Legacy Single-Value Parameters (Still Supported)
@@ -28,6 +28,8 @@ sam deploy --parameter-overrides \
   IoTThingType=my-type
 ```
 
+**Note:** Thing type is always singular - AWS IoT Core allows only one thing type per thing.
+
 ## Common Use Cases
 
 ### 1. Organizational Hierarchy
@@ -53,10 +55,10 @@ Applies multiple policies:
 ### 3. Device Categorization
 
 ```bash
-IoTThingTypes=hardware-esp32,firmware-v2.1,capability-temperature
+IoTThingType=hardware-esp32
 ```
 
-Multiple classifications:
+Single classification per device (AWS IoT limitation):
 - Hardware model
 - Firmware version
 - Device capabilities
@@ -104,16 +106,20 @@ IoTThingGroups=acme-corp,manufacturing,quality-control,seattle-plant,sensor-netw
 
 ### Thing Type Strategy
 
-Use for device characteristics:
+**AWS IoT Limitation:** Each thing can have only one thing type.
+
+Use thing types to categorize device characteristics:
 ```bash
-IoTThingTypes=hardware-esp32,sensor-temperature,protocol-mqtt
+IoTThingType=sensor-temperature
+# OR
+IoTThingType=hardware-esp32
 ```
 
 ## Recommended Limits
 
 - **Policies**: Maximum 5 per certificate
 - **Thing Groups**: Maximum 10 per thing
-- **Thing Types**: Maximum 3 per thing
+- **Thing Type**: Exactly 1 per thing (AWS IoT limitation)
 
 Exceeding these limits may impact performance.
 
@@ -199,23 +205,23 @@ sam deploy --parameter-overrides \
 ```bash
 IoTPolicies=base-mqtt,manufacturing-floor,quality-control
 IoTThingGroups=factory-seattle,line-assembly-1,zone-welding
-IoTThingTypes=plc-controller,sensor-vibration
+IoTThingType=plc-controller
 ```
 
 ### Smart Buildings
 
 ```bash
 IoTPolicies=base-connectivity,building-automation,hvac-control
 IoTThingGroups=building-hq,floor-3,zone-west-wing
-IoTThingTypes=thermostat,occupancy-sensor
+IoTThingType=thermostat
 ```
 
 ### Fleet Management
 
 ```bash
 IoTPolicies=base-telemetry,fleet-tracking,geofence-enabled
 IoTThingGroups=fleet-delivery,region-west,vehicle-type-van
-IoTThingTypes=gps-tracker,obd-reader
+IoTThingType=gps-tracker
 ```
 
 ## API Reference
@@ -260,5 +266,6 @@ For issues or questions:
 
 ## Version History
 
-- **v1.0.1**: Added multiple policies, thing groups, and thing types support
+- **v1.1.0**: Removed IoTThingTypes parameter (AWS IoT allows only one thing type per thing)
+- **v1.0.1**: Added multiple policies and thing groups support
 - **v1.0.0**: Initial release with single-value parameters

docs/vendors/espressif.md

@@ -92,7 +92,7 @@ $ sam deploy \
    --parameter-overrides \
      IoTPolicies=base-connectivity,sensor-telemetry,admin-access \
      IoTThingGroups=dept-engineering,location-seattle,product-sensor \
-     IoTThingTypes=esp32-s3 \
+     IoTThingType=esp32-s3 \
    --capabilities CAPABILITY_NAMED_IAM
 ```
 

docs/vendors/generated.md

@@ -90,7 +90,7 @@ $ sam deploy \
    --parameter-overrides \
      IoTPolicies=base-connectivity,sensor-telemetry,admin-access \
      IoTThingGroups=dept-engineering,location-seattle,product-sensor \
-     IoTThingTypes=custom-device \
+     IoTThingType=custom-device \
    --capabilities CAPABILITY_NAMED_IAM
 ```
 

docs/vendors/infineon.md

@@ -95,7 +95,7 @@ $ sam deploy \
    --parameter-overrides \
      IoTPolicies=base-connectivity,sensor-telemetry,admin-access \
      IoTThingGroups=dept-engineering,location-seattle,product-sensor \
-     IoTThingTypes=optiga-trust-m \
+     IoTThingType=optiga-trust-m \
    --capabilities CAPABILITY_NAMED_IAM
 ```
 

docs/vendors/microchip.md

@@ -83,7 +83,7 @@ $ sam deploy \
    --parameter-overrides \
      IoTPolicies=base-connectivity,sensor-telemetry,admin-access \
      IoTThingGroups=dept-engineering,location-seattle,product-sensor \
-     IoTThingTypes=atecc608b \
+     IoTThingType=atecc608b \
    --capabilities CAPABILITY_NAMED_IAM
 ```
 

src/bulk_importer/bulk_importer/main.py

@@ -148,20 +148,12 @@ def process_sqs(config, session: Session=default_session):
                                thing_arn=thing_arn,
                                session=session)
 
-    # Process multiple thing types (backward compatible)
-    thing_types = config.get('thing_types', [])
-    if thing_types:
-        for thing_type_name in thing_types:
-            process_thing_type(thing_name=config.get(ImporterMessageKey.THING_NAME.value),
-                              thing_type_name=thing_type_name,
-                              session=session)
-    else:
-        # Legacy single thing type support
-        thing_type_name = config.get(ImporterMessageKey.THING_TYPE_NAME.value)
-        if thing_type_name:
-            process_thing_type(thing_name=config.get(ImporterMessageKey.THING_NAME.value),
-                              thing_type_name=thing_type_name,
-                              session=session)
+    # Process thing type (singular - AWS IoT allows only one thing type per thing)
+    thing_type_name = config.get(ImporterMessageKey.THING_TYPE_NAME.value)
+    if thing_type_name:
+        process_thing_type(thing_name=config.get(ImporterMessageKey.THING_NAME.value),
+                          thing_type_name=thing_type_name,
+                          session=session)
 
     return {
         "certificate_id": certificate_id,

src/product_verifier/main.py

@@ -62,23 +62,24 @@ def lambda_handler(event,
     QUEUE_TARGET_ESPRESSIF, QUEUE_TARGET_INFINEON, QUEUE_TARGET_MICROCHIP, QUEUE_TARGET_GENERATED
     
     Supports both new multi-value and legacy single-value parameters:
-    New: POLICY_NAMES, THING_GROUP_NAMES, THING_TYPE_NAMES (comma-delimited)
-    Legacy: POLICY_NAME, THING_GROUP_NAME, THING_TYPE_NAME (single values)
+    New: POLICY_NAMES, THING_GROUP_NAMES (comma-delimited)
+    Legacy: POLICY_NAME, THING_GROUP_NAME (single values)
+    Thing Type: THING_TYPE_NAME (always singular - AWS IoT limitation)
     """
     config = {}
 
     # Try new multi-value parameters first, fall back to legacy
     e_policies = os.environ.get('POLICY_NAMES', '')
     e_thing_groups = os.environ.get('THING_GROUP_NAMES', '')
-    e_thing_types = os.environ.get('THING_TYPE_NAMES', '')
 
     # Backward compatibility: if new params empty, try legacy
     if not e_policies:
         e_policies = os.environ.get('POLICY_NAME', '')
     if not e_thing_groups:
         e_thing_groups = os.environ.get('THING_GROUP_NAME', '')
-    if not e_thing_types:
-        e_thing_types = os.environ.get('THING_TYPE_NAME', '')
+    
+    # Thing type is always singular (AWS IoT limitation: one thing type per thing)
+    e_thing_type = os.environ.get('THING_TYPE_NAME', '')
 
     # Handle both raw dict and S3Event object formats
     if hasattr(event, 'records'):
@@ -116,16 +117,10 @@ def lambda_handler(event,
         if thing_groups:
             config['thing_groups'] = thing_groups
 
-    # Parse and validate thing types
-    thing_type_names = parse_comma_delimited_list(e_thing_types)
-    if thing_type_names:
-        thing_types = []
-        for thing_type_name in thing_type_names:
-            if check_cfn_prop_valid(thing_type_name):
-                get_thing_type_arn(thing_type_name, default_session)
-                thing_types.append(thing_type_name)
-        if thing_types:
-            config['thing_types'] = thing_types
+    # Parse and validate thing type (singular - AWS IoT allows only one thing type per thing)
+    if e_thing_type and check_cfn_prop_valid(e_thing_type):
+        get_thing_type_arn(e_thing_type, default_session)
+        config['thing_type_name'] = e_thing_type
 
     try:
         queue_url = get_provider_queue(config['bucket'])

template.yaml

@@ -59,13 +59,7 @@ Parameters:
   IoTThingType:
     Default: None
     Type: String
-    Description: (DEPRECATED - Use IoTThingTypes) Single Thing Type for backward compatibility.
-
-  IoTThingTypes:
-    Default: None
-    Type: CommaDelimitedList
-    Description: Comma-separated list of AWS IoT Thing Types.
-      Use 'None' for no thing types. Example sensor-temp,sensor-humidity
+    Description: AWS IoT Thing Type to apply to things. Use 'None' for no thing type.
 
   InfineonCertBundleType:
     Default: E0E0
@@ -394,7 +388,6 @@ Resources:
           QUEUE_TARGET_GENERATED: !Ref ThingpressGeneratedProviderQueue
           POLICY_NAMES: !Join [',', !Ref IoTPolicies]
           THING_GROUP_NAMES: !Join [',', !Ref IoTThingGroups]
-          THING_TYPE_NAMES: !Join [',', !Ref IoTThingTypes]
           POLICY_NAME: !Ref IoTPolicy
           THING_GROUP_NAME: !Ref IoTThingGroup
           THING_TYPE_NAME: !Ref IoTThingType

test/integration/end_to_end/e2e_test_framework.py

@@ -526,8 +526,8 @@ def _add_validation_summary(self):
                 'exact_match_count': validation_details.get('summary', {}).get('correct_thing_groups', 0),
                 'count_mismatch_count': validation_details.get('summary', {}).get('thing_group_count_mismatches', 0)
             },
-            'thing_types': {
-                'expected': self.expected_config.get('thing_types', []),
+            'thing_type': {
+                'expected': self.expected_config.get('thing_type'),
                 'correct_count': validation_details.get('summary', {}).get('correct_thing_types', 0),
                 'incorrect_count': len(validation_details.get('summary', {}).get('incorrect_thing_types', []))
             }
@@ -564,12 +564,12 @@ def _log_validation_summary(self):
         if groups['count_mismatch_count'] > 0:
             self.logger.warning(f"  ⚠️  Count Mismatches: {groups['count_mismatch_count']}")
 
-        # Thing Types
-        types = summary['thing_types']
-        self.logger.info(f"Thing Types (Expected: {types['expected']})")
-        self.logger.info(f"  Correct: {types['correct_count']}/{summary['total_things']}")
-        if types['incorrect_count'] > 0:
-            self.logger.warning(f"  ⚠️  Incorrect: {types['incorrect_count']}")
+        # Thing Type (singular)
+        thing_type = summary['thing_type']
+        self.logger.info(f"Thing Type (Expected: {thing_type['expected']})")
+        self.logger.info(f"  Correct: {thing_type['correct_count']}/{summary['total_things']}")
+        if thing_type['incorrect_count'] > 0:
+            self.logger.warning(f"  ⚠️  Incorrect: {thing_type['incorrect_count']}")
 
         self.logger.info("=" * 60)
 
@@ -605,7 +605,7 @@ def _get_expected_config_from_stack(self) -> dict:
             expected_config = {
                 'policies': [],
                 'thing_groups': [],
-                'thing_types': []
+                'thing_type': None  # Singular - AWS IoT allows only one thing type per thing
             }
 
             # Extract configuration from stack parameters
@@ -634,23 +634,17 @@ def _get_expected_config_from_stack(self) -> dict:
                     if not expected_config['thing_groups']:
                         expected_config['thing_groups'] = [param_value]
 
-                # Handle thing types
-                elif param_key == 'IoTThingTypes' and param_value and param_value != 'None':
-                    expected_config['thing_types'] = [
-                        t.strip() for t in param_value.split(',')
-                        if t.strip() and t.strip() != 'None'
-                    ]
+                # Handle thing type (singular - AWS IoT allows only one thing type per thing)
                 elif param_key == 'IoTThingType' and param_value and param_value != 'None':
-                    if not expected_config['thing_types']:
-                        expected_config['thing_types'] = [param_value]
+                    expected_config['thing_type'] = param_value
 
             self.logger.info(f"Expected config from stack: {expected_config}")
             return expected_config
 
         except Exception as e:
             self.logger.error(f"Failed to get expected config from stack: {e}")
             # Return empty config rather than failing
-            return {'policies': [], 'thing_groups': [], 'thing_types': []}
+            return {'policies': [], 'thing_groups': [], 'thing_type': None}
 
     def run_test(self, timeout_minutes: int = 10) -> dict:
         """Run the complete end-to-end test for this provider"""
@@ -723,7 +717,7 @@ def _validate_iot_things(self, iot_things: list[dict]) -> dict:
 
         expected_policies = set(self.expected_config.get('policies', []))
         expected_groups = set(self.expected_config.get('thing_groups', []))
-        expected_types = self.expected_config.get('thing_types', [])
+        expected_type = self.expected_config.get('thing_type')  # Singular
 
         validation_results = {
             'valid': True,
@@ -766,8 +760,8 @@ def _validate_iot_things(self, iot_things: list[dict]) -> dict:
             extra_groups = thing_groups - expected_groups
             group_count_match = len(thing_groups) == len(expected_groups)
 
-            # EXACT MATCH: Check thing type applied to thing
-            type_match = thing_type in expected_types if expected_types else True
+            # EXACT MATCH: Check thing type applied to thing (singular)
+            type_match = thing_type == expected_type if expected_type else (thing_type is None)
 
             thing_validation = {
                 'thing_name': thing['thingName'],
@@ -792,7 +786,7 @@ def _validate_iot_things(self, iot_things: list[dict]) -> dict:
                     'extra': list(extra_groups)
                 },
                 'thing_type': {
-                    'expected': expected_types,
+                    'expected': expected_type,
                     'actual': thing_type,
                     'match': type_match
                 },

test/unit/test_bulk_importer.py

@@ -343,13 +343,12 @@ def test_process_sqs_empty_lists(self):
         """Test processing with empty policies and thing groups lists"""
         from bulk_importer.main import process_sqs
 
-        # Config with empty lists
+        # Config with empty lists and no thing type
         config = {
             'certificate': self.local_cert_loaded,
             'thing': 'test-thing-no-attachments',
             'policies': [],
-            'thing_groups': [],
-            'thing_types': []
+            'thing_groups': []
         }
 
         # Execute