terrafying-components 1.13.6 → 1.14.0

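--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 46403f4974ddbcadf18a638bf1158233231a0aac1f9f7949c2c7dfc321f7498d
- data.tar.gz: 623d3e5b6d4e61a5630b3f84483110fab7e93400bef7b3e425250618318bb390
+ metadata.gz: 027ba420f40c64ea39dabaa69b9f6b63feaafd7e43b7cb016e735aeb4a46fb5b
+ data.tar.gz: dbbc8f0bb1a659c33a3a47b39dabda6a512d4b83288a6c0d2559c127eca6304c
  SHA512:
- metadata.gz: e8da71a9c4d253c5ee45458f972ee45ca612a9cf3c71b4ca5f52efd369b764796a7f584f47665901e3b83c8eba39a7cc1856df541c95767ff0d2223ff822432e
- data.tar.gz: ffcde3793996efb7ddd1bd3d18b4cb2cf184329fba989e2e53e22c84c8933386cfc5db612bd71483fbf19af211bff8f7cfaa8445549fca69dd3488d080a6a482
+ metadata.gz: 302656e4916d511bde944f6ebf9c240c16dd815bebf4a8486699825522a869611292fff9b885de6cd32f0c4dbcd095ffb49ffe3440d18508d284b9cd6fe074c8
+ data.tar.gz: 86d7be5a5a00bf6a60ac90cdd878c1696efd3e1b58ad6f03f1a7934e7a1c7b503b864df9b5feed50aacb4e84f77844e1cf035c3d108868f7fa6c4b850fce383c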
@@ -16,6 +16,9 @@ module Terrafying
16
16
  def self.find(name, bucket, options = {})
17
17
  LetsEncrypt.new.find name, bucket, options
18
18
  end
19
+ def self.renew(name, bucket, options = {})
20
+ LetsEncrypt.new.renew name, bucket, options
21
+ end
19
22
 
20
23
  def initialize
21
24
  super
@@ -25,10 +28,12 @@ module Terrafying
25
28
  def setup_providers
26
29
  {
27
30
  staging: {
31
+ url: 'https://acme-staging-v02.api.letsencrypt.org/directory',
28
32
  ref: provider(:acme, alias: :staging, server_url: 'https://acme-staging-v02.api.letsencrypt.org/directory'),
29
33
  ca_cert: 'https://letsencrypt.org/certs/fakeleintermediatex1.pem'
30
34
  },
31
35
  live: {
36
+ url: 'https://acme-v02.api.letsencrypt.org/directory',
32
37
  ref: provider(:acme, alias: :live, server_url: 'https://acme-v02.api.letsencrypt.org/directory'),
33
38
  ca_cert: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'
34
39
  }
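Review bot: The ACME directory URL now appears twice per environment, once as `url:` and again inside `server_url:` (new lines 31/32 and 36/37), which invites the two drifting apart when one of them is edited. Hoist each into a frozen constant, e.g. `STAGING_URL = 'https://acme-staging-v02.api.letsencrypt.org/directory'.freeze`, and use it for both `url:` and `server_url:`. `setup_providers` continues past the end of the hunk.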
@@ -54,8 +59,8 @@ module Terrafying
54
59
  provider :tls, {}
55
60
 
56
61
  resource :tls_private_key, "#{@name}-account",
57
- algorithm: 'ECDSA',
58
- ecdsa_curve: options[:curve]
62
+ algorithm: "ECDSA",
63
+ ecdsa_curve: options[:curve]
59
64
 
60
65
  resource :acme_registration, "#{@name}-reg",
61
66
  provider: @acme_provider[:ref],
@@ -69,6 +74,16 @@ module Terrafying
69
74
  key: File.join('', @prefix, @name, 'account.key'),
70
75
  content: @account_key
71
76
 
77
+ resource :aws_s3_bucket_object, "#{@name}-config", {
78
+ bucket: @bucket,
79
+ key: File.join('', @prefix, @name, "config.json"),
80
+ content: {
81
+ id: output_of(:acme_registration, "#{@name}-reg", "id"),
82
+ url: @acme_provider[:url],
83
+ email_address: options[:email_address],
84
+ }.to_json,
85
+ }
86
+
72
87
  @ca_cert_acl = options[:public_certificate] ? 'public-read' : 'private'
73
88
 
74
89
  open(@acme_provider[:ca_cert], 'rb') do |cert|
@@ -126,17 +141,10 @@ module Terrafying
126
141
  def create_keypair_in(ctx, name, options = {})
127
142
  options = {
128
143
  common_name: name,
129
- organization: 'uSwitch Limited',
130
- validity_in_hours: 24 * 365,
131
- allowed_uses: %w[
132
- nonRepudiation
133
- digitalSignature
134
- keyEncipherment
135
- ],
144
+ organization: "uSwitch Limited",
136
145
  dns_names: [],
137
146
  ip_addresses: [],
138
- min_days_remaining: 21,
139
- curve: 'P384'
147
+ curve: "P384",
140
148
  }.merge(options)
141
149
 
142
150
  key_ident = "#{@name}-#{tf_safe(name)}"
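Review bot: `min_days_remaining` is dropped from the defaults hash here (old line 138) while the `acme_certificate` resource in the next hunk now hard-codes `min_days_remaining: 21`, so a caller who still passes `min_days_remaining:` into `create_keypair_in` has it merged into `options` and silently ignored. If callers are no longer meant to override it, say so on the hard-coded value with `# fixed renewal window; not overridable by callers`; otherwise keep `min_days_remaining: 21,` in the defaults and read `options[:min_days_remaining]` in the resource as before. `validity_in_hours` and `allowed_uses` are removed from the defaults as well; if anything between these hunks (outside my view) still reads them it now gets nil. The method continues past the hunk.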
@@ -161,7 +169,7 @@ module Terrafying
161
169
  ctx.resource :acme_certificate, key_ident, {
162
170
  provider: @acme_provider[:ref],
163
171
  account_key_pem: @account_key,
164
- min_days_remaining: options[:min_days_remaining],
172
+ min_days_remaining: 21,
165
173
  dns_challenge: {
166
174
  provider: 'route53'
167
175
  },
@@ -169,27 +177,88 @@ module Terrafying
169
177
  }.merge(cert_options)
170
178
 
171
179
  key_version = "${sha256(tls_private_key.#{key_ident}.private_key_pem)}"
180
+
172
181
  ctx.resource :aws_s3_bucket_object, "#{key_ident}-key",
173
182
  bucket: @bucket,
174
183
  key: object_key(name, :key, key_version),
175
184
  content: output_of(:tls_private_key, key_ident, :private_key_pem)
185
+
176
186
  ctx.resource :aws_s3_bucket_object, "#{key_ident}-key-latest",
177
187
  bucket: @bucket,
178
188
  key: object_key(name, :key, 'latest'),
179
189
  content: key_version
180
190
 
181
- cert_version = "${sha256(acme_certificate.#{key_ident}.certificate_pem)}"
182
- ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert",
183
- bucket: @bucket,
184
- key: object_key(name, :cert, cert_version),
185
- content: output_of(:acme_certificate, key_ident, :certificate_pem).to_s + @ca_cert
186
- ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert-latest",
187
- bucket: @bucket,
188
- key: object_key(name, :cert, 'latest'),
189
- content: cert_version
191
+ cert_version = "${sha256(acme_certificate.#{key_ident}.certificate_pem)}"
192
+
193
+ ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert",
194
+ bucket: @bucket,
195
+ key: object_key(name, :cert, cert_version),
196
+ content: output_of(:acme_certificate, key_ident, :certificate_pem).to_s + @ca_cert,
197
+ lifecycle: { ignore_changes: [ "content" ] } # the lambda will be updating it
198
+
199
+ ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert-latest",
200
+ bucket: @bucket,
201
+ key: object_key(name, :cert, 'latest'),
202
+ content: cert_version
190
203
 
191
- reference_keypair(ctx, name, key_version: key_version, cert_version: cert_version)
204
+ reference_keypair(ctx, name, key_version: key_version, cert_version: cert_version)
192
205
  end
206
+
207
+ def renew(name, bucket, options={})
208
+ options = {
209
+ prefix: "",
210
+ provider: :staging,
211
+ }.merge(options)
212
+
213
+ @name = name
214
+ @bucket = bucket
215
+ @prefix = options[:prefix]
216
+
217
+ resource :aws_lambda_function, "#{@name}_lambda", {
218
+ function_name: "#{@name}_lambda",
219
+ s3_bucket: "uswitch-certbot-lambda",
220
+ s3_key: "certbot-lambda.zip",
221
+ handler: "main.handler",
222
+ runtime: "python3.7",
223
+ role: "${aws_iam_role.#{@name}_lambda_execution.arn}",
224
+ environment:{
225
+ variables: {
226
+ CA_BUCKET: @bucket,
227
+ CA_PREFIX: @prefix,
228
+ }
229
+ }
230
+ }
231
+ # Lambda execution role
232
+ resource :aws_iam_role, "#{@name}_lambda_execution", {
233
+ name: "#{@name}_lambda_execution",
234
+ assume_role_policy: JSON.pretty_generate(
235
+ {
236
+ Version: "2012-10-17",
237
+ Statement: [
238
+ {
239
+ Action: "sts:AssumeRole",
240
+ Principal: {
241
+ Service: "lambda.amazonaws.com"
242
+ },
243
+ Effect: "Allow",
244
+ Sid: ""
245
+ },
246
+ {
247
+ Action: [
248
+ "s3:Put*",
249
+ "s3:Get*",
250
+ "s3:DeleteObject"
251
+ ],
252
+ Resource: ["arn:aws:s3:::#{@bucket}/#{@prefix}"],
253
+ Effect: "Allow"
254
+ }
255
+ ]
256
+ }
257
+ )
258
+ }
259
+ self
260
+ end
261
+
193
262
  end
194
263
  end
195
264
  end
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Terrafying
4
4
  module Components
5
- VERSION = '1.13.6'
5
+ VERSION = '1.14.0'
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: terrafying-components
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.13.6
4
+ version: 1.14.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - uSwitch Limited
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-11-01 00:00:00.000000000 Z
11
+ date: 2019-12-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake