himari-aws 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eb42481e34029c9e1ae8c3594dd64995f423a53818cbc867a0fd2c65c64c3ff1
-  data.tar.gz: 55e743a182643484f59544428a9384661a161d4a5657895bd9bed70714c19024
+  metadata.gz: 2cc2ae7b20fd4a41872281249587bacae7170a411651458cfab901afc08a9bfe
+  data.tar.gz: dc2cd99bad600b636b817c1534b5ea8c17e59bb49a9bf667b4ee7f0d41f17acd
 SHA512:
-  metadata.gz: fc863a5752789f4b83b030c5bb44fc6de47d52acdc44225baf74d97e04f4c2de6ff3b3e1a4fb03bde80b377c956bd70137c8dc0d2cdb2c2e33238d107644c4c1
-  data.tar.gz: d5093ed3e72bae790f76b9709443b37bf97be5686b53b676cb35fc1d01568685c93d228a1c9825157480328439d6c638e8846afb746a522f9a24320fe61239d8
+  metadata.gz: 5f0fdb41114958bf5330173fd12de1db680f77ef8719d84e0fc1724ea9bb0311c8d7d63363111ec9490ee4a39227d91acff8224f601a5ae055e1199a239a7f64
+  data.tar.gz: 2ee76e5b556d477ee37d51a92a5a4fb03d8c751c5e877d295c46970bb073cfb6bf6b7f4a70611b4ade5890caec4e15f42a98a6d94fb81a02553df6cf2815a8ff

data/README.md

@@ -1,24 +1,137 @@
-# Himari::Aws
+# himari-aws: AWS related plugins for Himari
 
-TODO: Delete this and the text below, and describe your gem
+- DynamoDB storage backend
+- Secrets Manager automatic rotation Lambda function for signing keys
+- Secrets Manager signing key provider
+- Lambda container image to host Himari itself (TODO)
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/himari/aws`. To experiment with that code, run `bin/console` for an interactive prompt.
+## Deploy on Lambda with Terraform
 
-## Installation
-
-TODO: Replace `UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG` with your gem name right after releasing it to RubyGems.org. Please do not do it earlier due to security reasons. Alternatively, replace this section with instructions to install your gem from git if you don't plan to release to RubyGems.org.
-
-Install the gem and add to the application's Gemfile by executing:
+- See [./lambda/terraform/](./lambda/terraform/) for quick deployment using Terraform modules.
 
-    $ bundle add UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG
-
-If bundler is not being used to manage dependencies, install the gem by executing:
+## Installation
 
-    $ gem install UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG
+```ruby
+gem 'himari'
+gem 'himari-aws'
+gem 'nokogiri'
+```
+
+### IAM policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "dynamodb:DeleteItem",
+        "dynamodb:Query",
+        "dynamodb:UpdateItem"
+      ],
+      "Resource": "arn:aws:dynamodb:[REGION]:[ACCOUNTID]:table/himari_*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:PutSecretValue",
+        "secretsmanager:UpdateSecretVersionStage"
+      ],
+      "Resource": "arn:aws:secretsmanager:[REGION]:[ACCOUNTID]:secret:himari_*"
+    }
+  ]
+}
+```
 
 ## Usage
 
-TODO: Write usage instructions here
+### Secrets Manager Rotation Handler
+
+1. Deploy [./lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb]() as a Lambda function. This file works standalone.
+
+   - Refer to the [./lambda](./lambda) for prebuilt container image
+
+2. Grant secrets manager a `lambda:InvokeFunction` to the function.
+3. Create a secrets manager secret and set up rotation.
+
+You can tag a secret with `HimariKey` key and the following value to customize key types:
+
+- RSA 2048-bit: `kty=rsa,len=2048`
+- RSA 4096-bit: `kty=rsa,len=4096`
+- EC P-256: `kty=ec,len=256`
+
+_you may also specify in base64'd json_
+
+### config.ru
+
+```ruby
+# config.ru
+require 'himari'
+require 'himari/aws'
+require 'json'
+require 'omniauth'
+require 'open-uri'
+require 'rack/session/cookie'
+
+use(Rack::Session::Cookie,
+  path: '/',
+  expire_after: 3600,
+  secure: true,
+  secret: ENV.fetch('SECRET_KEY_BASE'),
+)
+
+use OmniAuth::Builder do
+  provider :developer, fields: %i(login), uid_field: :login
+end
+
+use(Himari::Middlewares::Config,
+  issuer: 'https://idp.example.net',
+  providers: [
+    { name: :github, button: 'Log in with GitHub' },
+  ],
+  storage: Himari::Aws::DynamodbStorage.new(table_name: 'himari'),
+)
+
+# Signing key from Secrets Manager. For rotation deployment, read 
+use(Himari::Aws::SecretsmanagerSigningKeyProvider, 
+  secret_id: 'arn:aws:secretsmanager:ap-northeast-1:...:secret:himari-xxx',
+  group: nil,
+  kid_prefix: 'asm1',
+)
+
+# Add clients as many as you need
+use(Himari::Middlewares::Client,
+  name: 'awsalb',
+  id: '...',
+  secret_hash: '...', # sha384 hexdigest of secret
+  # secret: '...' # or in cleartext
+  redirect_uris: %w(https://app.example.net/oauth2/idpresponse),
+)
+
+use(Himari::Middlewares::ClaimsRule, name: 'developer-initialize') do |context, decision|
+  next decision.skip!("provider not in scope") unless context.provider == 'developer'
+  decision.initialize_claims!(
+    sub: "dev_#{Digest::SHA256.hexdigest(context.auth[:uid])}",
+    name: context.auth[:info][:login],
+    preferred_username: context.auth[:info][:login],
+  )
+  decision.continue!
+end
+
+use(Himari::Middlewares::AuthenticationRule, name: 'always-allow') do |context, decision|
+  next decision.skip!("provider not in scope") unless context.provider == 'developer'
+  decision.allow!
+end
+
+use(Himari::Middlewares::AuthorizationRule, name: 'always-allow') do |context, decision|
+  decision.allow! 
+end
+
+run Himari::App
+```
 
 ## Development
 
@@ -28,7 +141,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/himari-aws.
+Bug reports and pull requests are welcome on GitHub at https://github.com/sorah/himari.
 
 ## License
 

data/Rakefile

@@ -5,4 +5,6 @@ require "rspec/core/rake_task"
 
 RSpec::Core::RakeTask.new(:spec)
 
+Bundler::GemHelper.tag_prefix = "himari-aws/"
+
 task default: :spec

data/lambda/Dockerfile

@@ -0,0 +1,33 @@
+# context must be repository root
+FROM public.ecr.aws/lambda/ruby:2.7 as builder
+RUN yum install -y gcc gcc-c++ make pkg-config git
+
+COPY ./himari/himari.gemspec ${LAMBDA_TASK_ROOT}/app/himari/himari.gemspec
+COPY ./himari/lib/himari/version.rb ${LAMBDA_TASK_ROOT}/app/himari/lib/himari/version.rb
+COPY ./himari-aws/himari-aws.gemspec ${LAMBDA_TASK_ROOT}/app/himari-aws/himari-aws.gemspec
+COPY ./himari-aws/lib/himari/aws/version.rb ${LAMBDA_TASK_ROOT}/app/himari-aws/lib/himari/aws/version.rb
+COPY ./himari-aws/lambda/Gemfile* ${LAMBDA_TASK_ROOT}/app/himari-aws/lambda/
+WORKDIR ${LAMBDA_TASK_ROOT}/app
+
+ENV BUNDLE_GEMFILE ${LAMBDA_TASK_ROOT}/app/himari-aws/lambda/Gemfile
+ENV BUNDLE_PATH ${LAMBDA_TASK_ROOT}/vendor/bundle
+ENV BUNDLE_DEPLOYMENT 1
+ENV BUNDLE_JOBS 16
+ENV HIMARI_LAMBDA_IMAGE 1
+RUN bundle install
+
+COPY . ${LAMBDA_TASK_ROOT}/app
+
+FROM public.ecr.aws/lambda/ruby:2.7
+
+COPY --from=builder ${LAMBDA_TASK_ROOT}/vendor ${LAMBDA_TASK_ROOT}/vendor
+COPY . ${LAMBDA_TASK_ROOT}/app
+
+COPY ./himari-aws/lambda/entrypoint.rb ${LAMBDA_TASK_ROOT}/himari_lambda_entrypoint.rb
+
+WORKDIR ${LAMBDA_TASK_ROOT}/app
+ENV BUNDLE_GEMFILE ${LAMBDA_TASK_ROOT}/app/himari-aws/lambda/Gemfile
+ENV BUNDLE_PATH ${LAMBDA_TASK_ROOT}/vendor/bundle
+ENV BUNDLE_DEPLOYMENT 1
+ENV HIMARI_LAMBDA_IMAGE 1
+CMD [ "himari_lambda_entrypoint.Himari::Aws::LambdaHandler.rack_handler" ]

data/lambda/Gemfile

@@ -0,0 +1,24 @@
+source 'https://rubygems.org'
+
+root = File.join('..', '..')
+
+gem 'himari', path: File.join(root, 'himari')
+gem 'himari-aws', path: File.join(root, 'himari-aws')
+gem 'nokogiri'
+#gem 'apigatewayv2_rack', git: 'https://github.com/sorah/apigatewayv2_rack'
+gem 'apigatewayv2_rack', '>= 0.1.3'
+
+# contribs
+gem 'omniauth-oauth2'
+gem 'omniauth-saml'
+#gem 'omniauth-twitter'
+gem 'omniauth-github'
+gem 'omniauth-auth0'
+#gem 'omniauth-shibboleth'
+gem 'omniauth-gitlab'
+#gem 'omniauth-kerberos'
+gem 'omniauth-google-oauth2'
+gem 'omniauth-discord'
+gem 'omniauth-apple'
+# gem 'omniauth-ldap' # omniauth < 2
+#gem 'omniauth-slack'# omniauth-oauth2 version constraints does not match with omniauth-github

data/{Gemfile.lock → lambda/Gemfile.lock}

@@ -1,7 +1,7 @@
 PATH
-  remote: ../himari
+  remote: ../../himari
   specs:
-    himari (0.1.0)
+    himari (0.2.0)
       addressable
       omniauth (>= 2.0)
       openid_connect
@@ -10,9 +10,10 @@ PATH
       sinatra (>= 3.0)
 
 PATH
-  remote: .
+  remote: ..
   specs:
-    himari-aws (0.1.0)
+    himari-aws (0.2.0)
+      apigatewayv2_rack
       aws-sdk-dynamodb
       aws-sdk-secretsmanager
       himari
@@ -30,9 +31,11 @@ GEM
     addressable (2.8.1)
       public_suffix (>= 2.0.2, < 6.0)
     aes_key_wrap (1.1.0)
+    apigatewayv2_rack (0.1.3)
+      rack
     attr_required (1.0.1)
     aws-eventstream (1.2.0)
-    aws-partitions (1.730.0)
+    aws-partitions (1.732.0)
     aws-sdk-core (3.170.1)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.651.0)
@@ -49,7 +52,6 @@ GEM
     bindata (2.4.15)
     concurrent-ruby (1.2.2)
     date (3.3.3)
-    diff-lcs (1.5.0)
     faraday (2.7.4)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
@@ -66,6 +68,7 @@ GEM
       bindata
       faraday (~> 2.0)
       faraday-follow_redirects
+    jwt (2.7.0)
     mail (2.8.1)
       mini_mime (>= 0.1.1)
       net-imap
@@ -74,6 +77,7 @@ GEM
     mini_mime (1.1.2)
     mini_portile2 (2.8.1)
     minitest (5.18.0)
+    multi_xml (0.6.0)
     mustermann (3.0.0)
       ruby2_keywords (~> 0.0.1)
     net-imap (0.3.4)
@@ -88,10 +92,43 @@ GEM
     nokogiri (1.14.2)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
+    oauth2 (2.0.9)
+      faraday (>= 0.17.3, < 3.0)
+      jwt (>= 1.0, < 3.0)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 4)
+      snaky_hash (~> 2.0)
+      version_gem (~> 1.1)
     omniauth (2.1.1)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
       rack-protection
+    omniauth-apple (1.3.0)
+      json-jwt
+      omniauth-oauth2
+    omniauth-auth0 (3.1.0)
+      omniauth (~> 2)
+      omniauth-oauth2 (~> 1)
+    omniauth-discord (1.0.0)
+      omniauth
+      omniauth-oauth2
+    omniauth-github (2.0.1)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.8)
+    omniauth-gitlab (4.1.0)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.8.0)
+    omniauth-google-oauth2 (1.1.1)
+      jwt (>= 2.0)
+      oauth2 (~> 2.0.6)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.8.0)
+    omniauth-oauth2 (1.8.0)
+      oauth2 (>= 1.4, < 3)
+      omniauth (~> 2.0)
+    omniauth-saml (2.1.0)
+      omniauth (~> 2.0)
+      ruby-saml (~> 1.12)
     openid_connect (2.2.0)
       activemodel
       attr_required (>= 1.0.0)
@@ -117,26 +154,19 @@ GEM
       rack (>= 2.1.0)
     rack-protection (3.0.5)
       rack
-    rake (13.0.6)
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.1)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.2)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.4)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-support (3.12.0)
+    rexml (3.2.5)
+    ruby-saml (1.15.0)
+      nokogiri (>= 1.13.10)
+      rexml
     ruby2_keywords (0.0.5)
     sinatra (3.0.5)
       mustermann (~> 3.0)
       rack (~> 2.2, >= 2.2.4)
       rack-protection (= 3.0.5)
       tilt (~> 2.0)
+    snaky_hash (2.0.1)
+      hashie
+      version_gem (~> 1.1, >= 1.1.1)
     swd (2.0.2)
       activesupport (>= 3)
       attr_required (>= 0.0.5)
@@ -152,6 +182,7 @@ GEM
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
+    version_gem (1.1.2)
     webfinger (2.1.2)
       activesupport
       faraday (~> 2.0)
@@ -161,11 +192,18 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  apigatewayv2_rack (>= 0.1.3)
   himari!
   himari-aws!
   nokogiri
-  rake (~> 13.0)
-  rspec (~> 3.0)
+  omniauth-apple
+  omniauth-auth0
+  omniauth-discord
+  omniauth-github
+  omniauth-gitlab
+  omniauth-google-oauth2
+  omniauth-oauth2
+  omniauth-saml
 
 BUNDLED WITH
-   2.4.8
+   2.3.21

data/lambda/README.md

@@ -0,0 +1,42 @@
+# Himari Lambda Container Image
+
+## Deploy
+
+- See [./terraform/](./terraform/) for quick deployment using Terraform modules.
+
+## Image
+
+### Prebuilt image
+
+- https://gallery.ecr.aws/sorah/himari-lambda
+- `public.ecr.aws/sorah/himari-lambda`
+
+Images are tagged with commit SHA.
+
+### Build an image
+
+Run the following at the repository root:
+
+```
+docker build -f himari-aws/lambda/Dockerfile .
+```
+
+### Usage
+
+The same container image supports multiple handlers:
+
+#### Rack app for API Gateway v2, Function URL, ALB target
+
+- Handler: `himari_lambda_entrypoint.Himari::Aws::LambdaHandler.rack_handler`
+
+Served through [apigatewayv2_rack](https://github.com/sorah/apigatewayv2_rack).
+
+This handler reads `config.ru` from:
+
+- `${LAMBDA_TASK_ROOT}/config.ru` in a container image
+- DynamoDB Table item (pk=`rack`, sk=`rack:${HIMARI_RACK_DIGEST}`, file=config.ru content) on table `$HIMARI_RACK_DYNAMODB_TABLE`
+  - where HIMARI_RACK_DIGEST must be [base64'd sha256 hash](https://developer.hashicorp.com/terraform/language/functions/base64sha256) of `file` attribute
+
+#### Secrets Manager automatic rotation handler
+
+- Handler: `himari_lambda_entrypoint.Himari::Aws::LambdaHandler.secrets_rotation_handler`

data/lambda/entrypoint.rb

@@ -0,0 +1,3 @@
+# BUNDLE_GEMFILE is defined at Dockerfile
+require 'bundler/setup'
+require 'himari/aws/lambda_handler'

data/lambda/terraform/README.md

@@ -0,0 +1,89 @@
+# Himari Terraform modules for AWS Lambda
+
+himari-aws/lambda/terraform provides the following modules:
+
+- **iam:** to establish IAM role
+- **image:** to copy prebuilt container image for Lambda from ECR Public
+- **functions:** to deploy Lambda function
+- **signing_key:** to create a secret with auto rotation enabled on Secrets Manager
+
+## iam
+
+Provisions IAM role for Lambda functions.
+
+```terraform
+module "himari_iam" {
+  source = "github.com/sorah/himari//himari-aws/lambda/terraform/iam"
+
+  role_name = "HimariRole"
+
+  # for policy hardening
+  secrets_rotation_function_arn = module.himari_functions.secrets_rotation_function_arn
+
+  # Add grants
+  dynamodb_table_arn  = module.himari_functions.dynamodb_table_arn
+  secret_arns         = toset([module.himari_signing_key.secret_arn])
+}
+```
+
+## image
+
+Create ECR private repository then mirror specified image tag from https://gallery.ecr.aws/sorah/himari-lambda
+
+```terraform
+module "himari_image" {
+  source = "github.com/sorah/himari//himari-aws/lambda/terraform/image"
+
+  repository_name  = "himari-lambda"
+  source_image_tag = "" # Replace with image tag
+}
+```
+
+- Uses null_resource with `docker` command to perform pull, retag and push to ECR private locally
+- Prebuilt image tag is based on git commit SHA: https://github.com/sorah/himari/commits/main
+
+## functions
+
+Deploy lambda functions and DynamoDB table
+
+```terraform
+module "himari_functions" {
+  source = "github.com/sorah/himari//himari-aws/lambda/terraform/functions"
+
+  iam_role_arn = module.himari_iam.role_arn
+  image_url    = module.himari_image.image.url
+
+  dynamodb_table_name  = "himari"
+  function_name_prefix = "himari"
+
+  config_ru = file("${path.module}/config.ru")
+
+  environment = {
+    HIMARI_SIGNING_KEY_ARN   = module.himari_signing_key.secret_arn
+    HIMARI_SECRET_PARAMS_ARN = aws_secretsmanager_secret.params.arn
+  }
+}
+```
+
+## signing_key
+
+```terraform
+module "himari_signing_key" {
+  source = "github.com/sorah/himari//himari-aws/lambda/terraform/signing_key"
+
+  secret_name = "himari-prd-signing-key"
+
+  rotation_function_arn           = module.himari_functions.secrets_rotation_function_arn
+  rotate_automatically_after_days = 20
+}
+```
+
+## misc (not modules)
+
+Use secrets manager to store additional secrets like upstream client secrets and SECRET_KEY_BASE...
+
+```terraform
+resource "aws_secretsmanager_secret" "params" {
+  name = "himari-secret-params"
+}
+```

data/lambda/terraform/functions/aws.tf

@@ -0,0 +1,2 @@
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}

data/lambda/terraform/functions/dynamodb.tf

@@ -0,0 +1,18 @@
+resource "aws_dynamodb_table" "table" {
+  count = var.create_dynamodb_table ? 1 : 0
+
+  name         = var.dynamodb_table_name
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "pk"
+  range_key    = "sk"
+
+  attribute {
+    name = "pk"
+    type = "S"
+  }
+
+  attribute {
+    name = "sk"
+    type = "S"
+  }
+}

data/lambda/terraform/functions/lambda_rack.tf

@@ -0,0 +1,66 @@
+resource "aws_lambda_function" "rack" {
+  count = var.deploy_rack ? 1 : 0
+
+  function_name = "${var.function_name_prefix}-rack"
+
+  package_type  = "Image"
+  image_uri     = var.image_url
+  architectures = var.architectures
+
+  image_config {
+    command = ["himari_lambda_entrypoint.Himari::Aws::LambdaHandler.rack_handler"]
+  }
+
+  role = var.iam_role_arn
+
+  memory_size = var.rack_memory_size
+  timeout     = 20
+
+  environment {
+    variables = merge({
+      HIMARI_RACK_DYNAMODB_TABLE = var.dynamodb_table_name
+      HIMARI_DYNAMODB_TABLE      = var.dynamodb_table_name
+
+      # dependency trick. see below
+      HIMARI_RACK_DIGEST = nonsensitive(jsondecode(aws_dynamodb_table_item.config_ru[local.config_ru_dgst].item)["dgst"]["S"])
+
+      RACK_ENV = "production"
+    }, var.environment)
+  }
+
+  depends_on = [aws_dynamodb_table_item.config_ru]
+}
+
+resource "aws_lambda_function_url" "rack" {
+  count              = (var.deploy_rack && var.enable_function_url) ? 1 : 0
+  function_name      = aws_lambda_function.rack[0].function_name
+  authorization_type = "NONE"
+}
+
+resource "aws_dynamodb_table_item" "config_ru" {
+  # Employing dependency trick to make sure a previous config_ru item removed after the function environment value update.
+  # By using for_each every updates will be a new resource and is referred by aws_lambda_function as a dependency, old item will be removed after updating the function completes.
+  for_each = { "${local.config_ru_dgst}" = var.config_ru }
+
+  table_name = var.dynamodb_table_name
+  hash_key   = "pk"
+  range_key  = "sk"
+
+  # using sensitive to supress unwanted diff, and diff is useful as we use for_each here
+  item = sensitive(jsonencode({
+    "pk"   = { "S" = "rack" },
+    "sk"   = { "S" = "rack:${each.key}" },
+    "dgst" = { "S" = each.key },
+    "file" = { "S" = each.value },
+  }))
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [aws_dynamodb_table.table]
+}
+
+locals {
+  config_ru_dgst = base64sha256(var.config_ru)
+}

data/lambda/terraform/functions/lambda_secrets_rotation.tf

@@ -0,0 +1,33 @@
+resource "aws_lambda_function" "secrets_rotation" {
+  count = var.deploy_secrets_rotation ? 1 : 0
+
+  function_name = "${var.function_name_prefix}-secrets-rotation"
+
+  package_type  = "Image"
+  image_uri     = var.image_url
+  architectures = var.architectures
+
+  image_config {
+    command = ["himari_lambda_entrypoint.Himari::Aws::LambdaHandler.secrets_rotation_handler"]
+  }
+
+  role = var.iam_role_arn
+
+  memory_size = 128
+  timeout     = 20
+
+  environment {
+    variables = merge({
+    }, var.environment)
+  }
+}
+
+resource "aws_lambda_permission" "secrets_rotation_secretsmanager" {
+  count = var.deploy_secrets_rotation ? 1 : 0
+
+  statement_id   = "secretsmanager"
+  action         = "lambda:InvokeFunction"
+  function_name  = aws_lambda_function.secrets_rotation[0].function_name
+  principal      = "secretsmanager.amazonaws.com"
+  source_account = data.aws_caller_identity.current.account_id
+}

data/lambda/terraform/functions/outputs.tf

@@ -0,0 +1,19 @@
+output "dynamodb_table_name" {
+  value = var.dynamodb_table_name
+}
+
+output "dynamodb_table_arn" {
+  value = var.create_dynamodb_table ? aws_dynamodb_table.table[0].arn : null
+}
+
+output "function_url" {
+  value = (var.deploy_rack && var.enable_function_url) ? aws_lambda_function_url.rack[0].function_url : null
+}
+
+output "rack_function_arn" {
+  value = var.deploy_rack ? aws_lambda_function.rack[0].arn : null
+}
+
+output "secrets_rotation_function_arn" {
+  value = var.deploy_secrets_rotation ? aws_lambda_function.secrets_rotation[0].arn : null
+}

data/lambda/terraform/functions/variables.tf

@@ -0,0 +1,65 @@
+variable "iam_role_arn" {
+  type        = string
+  description = "IAM role arn for functions"
+}
+
+variable "image_url" {
+  type        = string
+  description = "Image url for deploy"
+}
+
+variable "dynamodb_table_name" {
+  type        = string
+  description = "dynamodb table name to use"
+}
+
+variable "create_dynamodb_table" {
+  type        = bool
+  description = "Create dynamodb table"
+  default     = true
+}
+
+variable "function_name_prefix" {
+  type        = string
+  description = "function name prefix"
+}
+
+variable "deploy_rack" {
+  type        = bool
+  description = "Deploy rack function"
+  default     = true
+}
+
+variable "rack_memory_size" {
+  type    = number
+  default = 256
+}
+
+variable "deploy_secrets_rotation" {
+  type        = bool
+  description = "Deploy secrets rotation function"
+  default     = true
+}
+
+variable "enable_function_url" {
+  type        = bool
+  description = "Enable function URL"
+  default     = true
+}
+
+variable "config_ru" {
+  type        = string
+  description = "File content of config.ru"
+  default     = "raise 'empty config_ru'\n"
+}
+
+variable "environment" {
+  type        = map(any)
+  description = "Additional environment variables"
+  default     = {}
+}
+
+variable "architectures" {
+  type    = list(string)
+  default = ["x86_64"]
+}

data/lambda/terraform/functions/versions.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}

data/lambda/terraform/iam/aws.tf

@@ -0,0 +1,2 @@
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}

data/lambda/terraform/iam/outputs.tf

@@ -0,0 +1,3 @@
+output "role_arn" {
+  value = aws_iam_role.role.arn
+}

data/lambda/terraform/iam/role.tf

@@ -0,0 +1,77 @@
+resource "aws_iam_role" "role" {
+  name                 = var.role_name
+  description          = var.role_description
+  assume_role_policy   = data.aws_iam_policy_document.role-trust.json
+  permissions_boundary = var.role_permissions_boundary
+}
+
+data "aws_iam_policy_document" "role-trust" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "Service"
+      identifiers = [
+        "lambda.amazonaws.com"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "role-AWSLambdaBasicExecutionRole" {
+  role       = aws_iam_role.role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy" "role-dynamodb" {
+  count  = local.dynamodb_table_arn != null ? 1 : 0
+  role   = aws_iam_role.role.name
+  policy = data.aws_iam_policy_document.role-dynamodb.json
+}
+
+data "aws_iam_policy_document" "role-dynamodb" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:DeleteItem",
+      "dynamodb:Query",
+      "dynamodb:UpdateItem",
+    ]
+    resources = [local.dynamodb_table_arn]
+  }
+}
+
+resource "aws_iam_role_policy" "role-secretsmanager" {
+  count  = length(var.secret_arns) > 0 ? 1 : 0
+  role   = aws_iam_role.role.name
+  policy = data.aws_iam_policy_document.role-secretsmanager.json
+}
+
+data "aws_iam_policy_document" "role-secretsmanager" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:GetSecretValue",
+
+    ]
+    resources = toset(var.secret_arns)
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:PutSecretValue",
+      "secretsmanager:UpdateSecretVersionStage",
+    ]
+    dynamic "condition" {
+      for_each = var.secrets_rotation_function_arn != null ? { hardening = true } : {}
+      content {
+        test     = "StringEquals"
+        variable = "lambda:SourceFunctionArn"
+        values   = [var.secrets_rotation_function_arn]
+      }
+    }
+    resources = toset(var.secret_arns)
+  }
+
+}

data/lambda/terraform/iam/variables.tf

@@ -0,0 +1,44 @@
+variable "role_name" {
+  type        = string
+  description = "IAM Role name to create"
+}
+
+variable "role_description" {
+  type        = string
+  description = "IAM Role description to specify"
+  default     = "sorah/himari lambda function role"
+}
+
+variable "role_permissions_boundary" {
+  type        = string
+  description = "IAM Role permissions boundary to specify"
+  default     = null
+}
+
+variable "dynamodb_table_arn" {
+  type        = string
+  description = "DynamoDB Table ARN"
+  default     = null
+}
+
+variable "dynamodb_table_name" {
+  type        = string
+  description = "DynamoDB Table name"
+  default     = null
+}
+
+variable "secret_arns" {
+  type        = set(string)
+  description = "Secrets Manager secret ARNs"
+  default     = null
+}
+
+variable "secrets_rotation_function_arn" {
+  type        = string
+  description = "ARN of rotation function. If set, it will be used to harden the write action policy"
+  default     = null
+}
+
+locals {
+  dynamodb_table_arn = coalesce(var.dynamodb_table_arn, var.dynamodb_table_name != null ? "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${var.dynamodb_table_name}" : null)
+}

data/lambda/terraform/iam/versions.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}

data/lambda/terraform/image/aws.tf

@@ -0,0 +1 @@
+data "aws_region" "current" {}

data/lambda/terraform/image/copy.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -xe
+aws ecr get-login-password | docker login --username AWS --password-stdin "${REPOSITORY_URL}"
+docker pull "public.ecr.aws/sorah/himari-lambda:${SOURCE_IMAGE_TAG}"
+docker tag "public.ecr.aws/sorah/himari-lambda:${SOURCE_IMAGE_TAG}" "${REPOSITORY_URL}:${SOURCE_IMAGE_TAG}"
+docker push "${REPOSITORY_URL}:${SOURCE_IMAGE_TAG}"

data/lambda/terraform/image/copy.tf

@@ -0,0 +1,17 @@
+resource "null_resource" "copy-image" {
+  triggers = {
+    region           = data.aws_region.current.name
+    repository_url   = aws_ecr_repository.repo.repository_url
+    source_image_tag = var.source_image_tag
+  }
+  provisioner "local-exec" {
+    command = "cd ${path.module} && ./copy.sh"
+    environment = {
+      AWS_REGION         = data.aws_region.current.name
+      AWS_DEFAULT_REGION = data.aws_region.current.name
+
+      REPOSITORY_URL   = aws_ecr_repository.repo.repository_url
+      SOURCE_IMAGE_TAG = var.source_image_tag
+    }
+  }
+}

data/lambda/terraform/image/ecr.tf

@@ -0,0 +1,42 @@
+resource "aws_ecr_repository" "repo" {
+  name = var.repository_name
+}
+
+resource "aws_ecr_repository_policy" "repo-lambda" {
+  repository = aws_ecr_repository.repo.name
+  policy     = data.aws_iam_policy_document.repo-lambda.json
+}
+
+data "aws_iam_policy_document" "repo-lambda" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+    actions = [
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer"
+    ]
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "repo" {
+  repository = aws_ecr_repository.repo.name
+  policy = jsonencode({
+    rules = [
+      {
+        rulePriority = 10
+        description  = "expire old images"
+        selection = {
+          tagStatus   = "any"
+          countType   = "imageCountMoreThan"
+          countNumber = 10
+        }
+        action = {
+          type = "expire"
+        }
+      }
+    ]
+  })
+}

data/lambda/terraform/image/outputs.tf

@@ -0,0 +1,9 @@
+output "image" {
+  value = {
+    url = "${aws_ecr_repository.repo.repository_url}:${var.source_image_tag}"
+
+    repository_url = aws_ecr_repository.repo.repository_url
+    repository_arn = aws_ecr_repository.repo.arn
+  }
+  depends_on = [null_resource.copy-image]
+}

data/lambda/terraform/image/variables.tf

@@ -0,0 +1,9 @@
+variable "repository_name" {
+  type        = string
+  description = "Repository name to create on your AWS account"
+}
+
+variable "source_image_tag" {
+  type        = string
+  description = "Image tag for public.ecr.aws/sorah/himari-lambda. You can use Git commit hash on https://github.com/sorah/himari"
+}

data/lambda/terraform/image/versions.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}

data/lambda/terraform/signing_key/aws.tf

@@ -0,0 +1 @@
+data "aws_region" "current" {}

data/lambda/terraform/signing_key/outputs.tf

@@ -0,0 +1,3 @@
+output "secret_arn" {
+  value = aws_secretsmanager_secret.signing_key.arn
+}

data/lambda/terraform/signing_key/secret.tf

@@ -0,0 +1,18 @@
+resource "aws_secretsmanager_secret" "signing_key" {
+  name = var.secret_name
+
+  tags = {
+    HimariKey = base64encode(jsonencode(var.keygen_params))
+  }
+}
+
+resource "aws_secretsmanager_secret_rotation" "signing_key" {
+  secret_id           = aws_secretsmanager_secret.signing_key.id
+  rotation_lambda_arn = var.rotation_function_arn
+
+  # XXX: https://github.com/hashicorp/terraform-provider-aws/issues/22969
+  rotation_rules {
+    automatically_after_days = 16
+  }
+
+}

data/lambda/terraform/signing_key/variables.tf

@@ -0,0 +1,24 @@
+variable "secret_name" {
+  type        = string
+  description = "Secret name to create"
+}
+
+variable "rotation_function_arn" {
+  type        = string
+  description = "Lambda function ARN to handle secret rotation"
+}
+
+variable "rotate_automatically_after_days" {
+  type        = number
+  description = "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation#automatically_after_days"
+  default     = 16
+}
+
+variable "keygen_params" {
+  type        = object({ kty = string, len = string })
+  description = "keygen params"
+  default = {
+    "kty" = "rsa"
+    "len" = 2048
+  }
+}

data/lambda/terraform/signing_key/versions.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}

data/lib/himari/aws/lambda_handler.rb

@@ -0,0 +1,72 @@
+require 'himari'
+require 'himari/aws/secretsmanager_signing_key_rotation_handler'
+
+require 'digest/sha2'
+require 'aws-sdk-dynamodb'
+require 'apigatewayv2_rack'
+
+$stdout.sync = true
+
+module Himari
+  module Aws
+    module LambdaHandler
+      def self.app
+        @app ||= make_app()
+      end
+
+      def self.config_ru
+        a = Time.now
+        retval = config_ru_from_task_root || config_ru_from_dynamodb
+        b = Time.now
+        $stdout.puts(JSON.generate(config_ru: {ts: b, elapsed_time: b-a}))
+        retval
+      end
+
+      def self.config_ru_from_task_root
+        return nil unless ENV['LAMBDA_TASK_ROOT']
+        File.read(File.join(ENV['LAMBDA_TASK_ROOT'], 'config.ru'))
+      rescue Errno::ENOENT, Errno::EPERM
+        nil
+      end
+
+      def self.config_ru_from_dynamodb
+        dgst = ENV.fetch('HIMARI_RACK_DIGEST')
+        table_name = ENV.fetch('HIMARI_RACK_DYNAMODB_TABLE')
+        pk, sk = "rack", "rack:#{dgst}"
+
+        ddb = ::Aws::DynamoDB::Client.new()
+        item = ddb.query(
+          table_name: table_name,
+          select: 'ALL_ATTRIBUTES',
+          limit: 1,
+          key_condition_expression: 'pk = :pk AND sk = :sk',
+          expression_attribute_values: {":pk" => pk, ":sk" => sk},
+        ).items.first
+
+        unless item
+          raise "item not found (pk=#{pk.inspect}, sk=#{sk.inspect}) on dynamodb table #{table_name} for config.ru"
+        end
+
+        content = item.fetch('file')
+        content_dgst = Digest::SHA256.digest(content)
+        raise "config.ru item content digest mismatch" if content_dgst != Base64.decode64(dgst)
+
+        content
+      end
+
+      def self.make_app
+        require 'rack'
+        require 'rack/builder'
+        Rack::Builder.new_from_string(config_ru)
+      end
+
+      def self.rack_handler(event:, context:)
+        Apigatewayv2Rack.handle_request(event: event, context: context, app: app)
+      end
+
+      def self.secrets_rotation_handler(event:, context:)
+        Himari::Aws::SecretsmanagerSigningKeyRotationHandler.handler(event: event, context: context)
+      end
+    end
+  end
+end

data/lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb

@@ -71,7 +71,8 @@ module Himari
       end
 
       def self.generate_secret(req, _current)
-        param = JSON.parse(req.secret.tags.find { |t| t.name == ENV.fetch('HIMARI_KEYGEN_PARAM_TAG_KEY', 'HimariKey') }&.value || ENV.fetch('HIMARI_KEYGEN_PARAM_DEFAULT', '{"kty": "rsa", "len": 2048}'), symbolize_names: true)
+        param_raw = req.secret.tags&.find { |t| t.key == ENV.fetch('HIMARI_KEYGEN_PARAM_TAG_KEY', 'HimariKey') }&.value || ENV.fetch('HIMARI_KEYGEN_PARAM_DEFAULT', '{"kty": "rsa", "len": 2048}')
+        param = parse_keygen_param(param_raw)
         puts "createSecret: generate_secret with #{param.inspect}"
 
         case param.fetch(:kty, 'rsa').downcase
@@ -93,6 +94,27 @@ module Himari
         end
       end
 
+      # Scan k=v,k2=v2
+      def self.parse_keygen_param(str)
+        begin
+          ary = str.scan(/(.+?)=(.+?)(?:,|$)/)
+          unless ary.empty?
+            return ary.to_h.transform_keys(&:to_sym)
+          end
+        end
+
+        if str.start_with?('eyJ')
+          return JSON.parse(Base64.decode64(str), symbolize_names: true)
+        end
+
+        begin
+          return JSON.parse(str, symbolize_names: true)
+        rescue JSON::ParserError
+        end
+
+        raise "cannot parse keygen param #{str.inspect}"
+      end
+
       def self.set_secret(req)
         _check = @secretsmanager.get_secret_value(secret_id: req.id, version_id: req.token, version_stage: 'AWSPENDING')
         puts "setSecret: do nothing for #{req.token} @ #{req.id}"

data/lib/himari/aws/version.rb

@@ -2,6 +2,6 @@
 
 module Himari
   module Aws
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: himari-aws
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Sorah Fukumori
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-03-20 00:00:00.000000000 Z
+date: 2023-03-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: himari
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: apigatewayv2_rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description:
 email:
 - her@sorah.jp
@@ -60,14 +74,43 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".rspec"
-- Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
+- lambda/Dockerfile
+- lambda/Gemfile
+- lambda/Gemfile.lock
+- lambda/README.md
+- lambda/entrypoint.rb
+- lambda/terraform/README.md
+- lambda/terraform/functions/aws.tf
+- lambda/terraform/functions/dynamodb.tf
+- lambda/terraform/functions/lambda_rack.tf
+- lambda/terraform/functions/lambda_secrets_rotation.tf
+- lambda/terraform/functions/outputs.tf
+- lambda/terraform/functions/variables.tf
+- lambda/terraform/functions/versions.tf
+- lambda/terraform/iam/aws.tf
+- lambda/terraform/iam/outputs.tf
+- lambda/terraform/iam/role.tf
+- lambda/terraform/iam/variables.tf
+- lambda/terraform/iam/versions.tf
+- lambda/terraform/image/aws.tf
+- lambda/terraform/image/copy.sh
+- lambda/terraform/image/copy.tf
+- lambda/terraform/image/ecr.tf
+- lambda/terraform/image/outputs.tf
+- lambda/terraform/image/variables.tf
+- lambda/terraform/image/versions.tf
+- lambda/terraform/signing_key/aws.tf
+- lambda/terraform/signing_key/outputs.tf
+- lambda/terraform/signing_key/secret.tf
+- lambda/terraform/signing_key/variables.tf
+- lambda/terraform/signing_key/versions.tf
 - lib/himari-aws.rb
 - lib/himari/aws.rb
 - lib/himari/aws/dynamodb_storage.rb
+- lib/himari/aws/lambda_handler.rb
 - lib/himari/aws/secretsmanager_signing_key_provider.rb
 - lib/himari/aws/secretsmanager_signing_key_rotation_handler.rb
 - lib/himari/aws/version.rb
@@ -93,7 +136,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.0.dev
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: AWS related plugins for Himari

data/Gemfile

@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-
-source "https://rubygems.org"
-
-gemspec path: '../himari'
-# Specify your gem's dependencies in himari-aws.gemspec
-gemspec
-
-gem 'nokogiri'
-
-gem "rake", "~> 13.0"
-gem "rspec", "~> 3.0"