terrafying-components 1.13.6 → 1.14.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/terrafying/components/letsencrypt.rb +91 -22
- data/lib/terrafying/components/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 027ba420f40c64ea39dabaa69b9f6b63feaafd7e43b7cb016e735aeb4a46fb5b
|
|
4
|
+
data.tar.gz: dbbc8f0bb1a659c33a3a47b39dabda6a512d4b83288a6c0d2559c127eca6304c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 302656e4916d511bde944f6ebf9c240c16dd815bebf4a8486699825522a869611292fff9b885de6cd32f0c4dbcd095ffb49ffe3440d18508d284b9cd6fe074c8
|
|
7
|
+
data.tar.gz: 86d7be5a5a00bf6a60ac90cdd878c1696efd3e1b58ad6f03f1a7934e7a1c7b503b864df9b5feed50aacb4e84f77844e1cf035c3d108868f7fa6c4b850fce383c
|
|
@@ -16,6 +16,9 @@ module Terrafying
|
|
|
16
16
|
def self.find(name, bucket, options = {})
|
|
17
17
|
LetsEncrypt.new.find name, bucket, options
|
|
18
18
|
end
|
|
19
|
+
def self.renew(name, bucket, options = {})
|
|
20
|
+
LetsEncrypt.new.renew name, bucket, options
|
|
21
|
+
end
|
|
19
22
|
|
|
20
23
|
def initialize
|
|
21
24
|
super
|
|
@@ -25,10 +28,12 @@ module Terrafying
|
|
|
25
28
|
def setup_providers
|
|
26
29
|
{
|
|
27
30
|
staging: {
|
|
31
|
+
url: 'https://acme-staging-v02.api.letsencrypt.org/directory',
|
|
28
32
|
ref: provider(:acme, alias: :staging, server_url: 'https://acme-staging-v02.api.letsencrypt.org/directory'),
|
|
29
33
|
ca_cert: 'https://letsencrypt.org/certs/fakeleintermediatex1.pem'
|
|
30
34
|
},
|
|
31
35
|
live: {
|
|
36
|
+
url: 'https://acme-v02.api.letsencrypt.org/directory',
|
|
32
37
|
ref: provider(:acme, alias: :live, server_url: 'https://acme-v02.api.letsencrypt.org/directory'),
|
|
33
38
|
ca_cert: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'
|
|
34
39
|
}
|
|
@@ -54,8 +59,8 @@ module Terrafying
|
|
|
54
59
|
provider :tls, {}
|
|
55
60
|
|
|
56
61
|
resource :tls_private_key, "#{@name}-account",
|
|
57
|
-
|
|
58
|
-
|
|
62
|
+
algorithm: "ECDSA",
|
|
63
|
+
ecdsa_curve: options[:curve]
|
|
59
64
|
|
|
60
65
|
resource :acme_registration, "#{@name}-reg",
|
|
61
66
|
provider: @acme_provider[:ref],
|
|
@@ -69,6 +74,16 @@ module Terrafying
|
|
|
69
74
|
key: File.join('', @prefix, @name, 'account.key'),
|
|
70
75
|
content: @account_key
|
|
71
76
|
|
|
77
|
+
resource :aws_s3_bucket_object, "#{@name}-config", {
|
|
78
|
+
bucket: @bucket,
|
|
79
|
+
key: File.join('', @prefix, @name, "config.json"),
|
|
80
|
+
content: {
|
|
81
|
+
id: output_of(:acme_registration, "#{@name}-reg", "id"),
|
|
82
|
+
url: @acme_provider[:url],
|
|
83
|
+
email_address: options[:email_address],
|
|
84
|
+
}.to_json,
|
|
85
|
+
}
|
|
86
|
+
|
|
72
87
|
@ca_cert_acl = options[:public_certificate] ? 'public-read' : 'private'
|
|
73
88
|
|
|
74
89
|
open(@acme_provider[:ca_cert], 'rb') do |cert|
|
|
@@ -126,17 +141,10 @@ module Terrafying
|
|
|
126
141
|
def create_keypair_in(ctx, name, options = {})
|
|
127
142
|
options = {
|
|
128
143
|
common_name: name,
|
|
129
|
-
organization:
|
|
130
|
-
validity_in_hours: 24 * 365,
|
|
131
|
-
allowed_uses: %w[
|
|
132
|
-
nonRepudiation
|
|
133
|
-
digitalSignature
|
|
134
|
-
keyEncipherment
|
|
135
|
-
],
|
|
144
|
+
organization: "uSwitch Limited",
|
|
136
145
|
dns_names: [],
|
|
137
146
|
ip_addresses: [],
|
|
138
|
-
|
|
139
|
-
curve: 'P384'
|
|
147
|
+
curve: "P384",
|
|
140
148
|
}.merge(options)
|
|
141
149
|
|
|
142
150
|
key_ident = "#{@name}-#{tf_safe(name)}"
|
|
@@ -161,7 +169,7 @@ module Terrafying
|
|
|
161
169
|
ctx.resource :acme_certificate, key_ident, {
|
|
162
170
|
provider: @acme_provider[:ref],
|
|
163
171
|
account_key_pem: @account_key,
|
|
164
|
-
min_days_remaining:
|
|
172
|
+
min_days_remaining: 21,
|
|
165
173
|
dns_challenge: {
|
|
166
174
|
provider: 'route53'
|
|
167
175
|
},
|
|
@@ -169,27 +177,88 @@ module Terrafying
|
|
|
169
177
|
}.merge(cert_options)
|
|
170
178
|
|
|
171
179
|
key_version = "${sha256(tls_private_key.#{key_ident}.private_key_pem)}"
|
|
180
|
+
|
|
172
181
|
ctx.resource :aws_s3_bucket_object, "#{key_ident}-key",
|
|
173
182
|
bucket: @bucket,
|
|
174
183
|
key: object_key(name, :key, key_version),
|
|
175
184
|
content: output_of(:tls_private_key, key_ident, :private_key_pem)
|
|
185
|
+
|
|
176
186
|
ctx.resource :aws_s3_bucket_object, "#{key_ident}-key-latest",
|
|
177
187
|
bucket: @bucket,
|
|
178
188
|
key: object_key(name, :key, 'latest'),
|
|
179
189
|
content: key_version
|
|
180
190
|
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
|
|
189
|
-
|
|
191
|
+
cert_version = "${sha256(acme_certificate.#{key_ident}.certificate_pem)}"
|
|
192
|
+
|
|
193
|
+
ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert",
|
|
194
|
+
bucket: @bucket,
|
|
195
|
+
key: object_key(name, :cert, cert_version),
|
|
196
|
+
content: output_of(:acme_certificate, key_ident, :certificate_pem).to_s + @ca_cert,
|
|
197
|
+
lifecycle: { ignore_changes: [ "content" ] } # the lambda will be updating it
|
|
198
|
+
|
|
199
|
+
ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert-latest",
|
|
200
|
+
bucket: @bucket,
|
|
201
|
+
key: object_key(name, :cert, 'latest'),
|
|
202
|
+
content: cert_version
|
|
190
203
|
|
|
191
|
-
|
|
204
|
+
reference_keypair(ctx, name, key_version: key_version, cert_version: cert_version)
|
|
192
205
|
end
|
|
206
|
+
|
|
207
|
+
def renew(name, bucket, options={})
|
|
208
|
+
options = {
|
|
209
|
+
prefix: "",
|
|
210
|
+
provider: :staging,
|
|
211
|
+
}.merge(options)
|
|
212
|
+
|
|
213
|
+
@name = name
|
|
214
|
+
@bucket = bucket
|
|
215
|
+
@prefix = options[:prefix]
|
|
216
|
+
|
|
217
|
+
resource :aws_lambda_function, "#{@name}_lambda", {
|
|
218
|
+
function_name: "#{@name}_lambda",
|
|
219
|
+
s3_bucket: "uswitch-certbot-lambda",
|
|
220
|
+
s3_key: "certbot-lambda.zip",
|
|
221
|
+
handler: "main.handler",
|
|
222
|
+
runtime: "python3.7",
|
|
223
|
+
role: "${aws_iam_role.#{@name}_lambda_execution.arn}",
|
|
224
|
+
environment:{
|
|
225
|
+
variables: {
|
|
226
|
+
CA_BUCKET: @bucket,
|
|
227
|
+
CA_PREFIX: @prefix,
|
|
228
|
+
}
|
|
229
|
+
}
|
|
230
|
+
}
|
|
231
|
+
# Lambda execution role
|
|
232
|
+
resource :aws_iam_role, "#{@name}_lambda_execution", {
|
|
233
|
+
name: "#{@name}_lambda_execution",
|
|
234
|
+
assume_role_policy: JSON.pretty_generate(
|
|
235
|
+
{
|
|
236
|
+
Version: "2012-10-17",
|
|
237
|
+
Statement: [
|
|
238
|
+
{
|
|
239
|
+
Action: "sts:AssumeRole",
|
|
240
|
+
Principal: {
|
|
241
|
+
Service: "lambda.amazonaws.com"
|
|
242
|
+
},
|
|
243
|
+
Effect: "Allow",
|
|
244
|
+
Sid: ""
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
Action: [
|
|
248
|
+
"s3:Put*",
|
|
249
|
+
"s3:Get*",
|
|
250
|
+
"s3:DeleteObject"
|
|
251
|
+
],
|
|
252
|
+
Resource: ["arn:aws:s3:::#{@bucket}/#{@prefix}"],
|
|
253
|
+
Effect: "Allow"
|
|
254
|
+
}
|
|
255
|
+
]
|
|
256
|
+
}
|
|
257
|
+
)
|
|
258
|
+
}
|
|
259
|
+
self
|
|
260
|
+
end
|
|
261
|
+
|
|
193
262
|
end
|
|
194
263
|
end
|
|
195
264
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: terrafying-components
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.14.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- uSwitch Limited
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-12-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|