terrafying-components 1.13.6 → 1.14.0
- checksums.yaml +4 -4
- data/lib/terrafying/components/letsencrypt.rb +91 -22
- data/lib/terrafying/components/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 027ba420f40c64ea39dabaa69b9f6b63feaafd7e43b7cb016e735aeb4a46fb5b
|
4
|
+
data.tar.gz: dbbc8f0bb1a659c33a3a47b39dabda6a512d4b83288a6c0d2559c127eca6304c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 302656e4916d511bde944f6ebf9c240c16dd815bebf4a8486699825522a869611292fff9b885de6cd32f0c4dbcd095ffb49ffe3440d18508d284b9cd6fe074c8
|
7
|
+
data.tar.gz: 86d7be5a5a00bf6a60ac90cdd878c1696efd3e1b58ad6f03f1a7934e7a1c7b503b864df9b5feed50aacb4e84f77844e1cf035c3d108868f7fa6c4b850fce383c
|
@@ -16,6 +16,9 @@ module Terrafying
|
|
16
16
|
def self.find(name, bucket, options = {})
|
17
17
|
LetsEncrypt.new.find name, bucket, options
|
18
18
|
end
|
19
|
+
def self.renew(name, bucket, options = {})
|
20
|
+
LetsEncrypt.new.renew name, bucket, options
|
21
|
+
end
|
19
22
|
|
20
23
|
def initialize
|
21
24
|
super
|
@@ -25,10 +28,12 @@ module Terrafying
|
|
25
28
|
def setup_providers
|
26
29
|
{
|
27
30
|
staging: {
|
31
|
+
url: 'https://acme-staging-v02.api.letsencrypt.org/directory',
|
28
32
|
ref: provider(:acme, alias: :staging, server_url: 'https://acme-staging-v02.api.letsencrypt.org/directory'),
|
29
33
|
ca_cert: 'https://letsencrypt.org/certs/fakeleintermediatex1.pem'
|
30
34
|
},
|
31
35
|
live: {
|
36
|
+
url: 'https://acme-v02.api.letsencrypt.org/directory',
|
32
37
|
ref: provider(:acme, alias: :live, server_url: 'https://acme-v02.api.letsencrypt.org/directory'),
|
33
38
|
ca_cert: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'
|
34
39
|
}
|
@@ -54,8 +59,8 @@ module Terrafying
|
|
54
59
|
provider :tls, {}
|
55
60
|
|
56
61
|
resource :tls_private_key, "#{@name}-account",
|
57
|
-
|
58
|
-
|
62
|
+
algorithm: "ECDSA",
|
63
|
+
ecdsa_curve: options[:curve]
|
59
64
|
|
60
65
|
resource :acme_registration, "#{@name}-reg",
|
61
66
|
provider: @acme_provider[:ref],
|
@@ -69,6 +74,16 @@ module Terrafying
|
|
69
74
|
key: File.join('', @prefix, @name, 'account.key'),
|
70
75
|
content: @account_key
|
71
76
|
|
77
|
+
resource :aws_s3_bucket_object, "#{@name}-config", {
|
78
|
+
bucket: @bucket,
|
79
|
+
key: File.join('', @prefix, @name, "config.json"),
|
80
|
+
content: {
|
81
|
+
id: output_of(:acme_registration, "#{@name}-reg", "id"),
|
82
|
+
url: @acme_provider[:url],
|
83
|
+
email_address: options[:email_address],
|
84
|
+
}.to_json,
|
85
|
+
}
|
86
|
+
|
72
87
|
@ca_cert_acl = options[:public_certificate] ? 'public-read' : 'private'
|
73
88
|
|
74
89
|
open(@acme_provider[:ca_cert], 'rb') do |cert|
|
@@ -126,17 +141,10 @@ module Terrafying
|
|
126
141
|
def create_keypair_in(ctx, name, options = {})
|
127
142
|
options = {
|
128
143
|
common_name: name,
|
129
|
-
organization:
|
130
|
-
validity_in_hours: 24 * 365,
|
131
|
-
allowed_uses: %w[
|
132
|
-
nonRepudiation
|
133
|
-
digitalSignature
|
134
|
-
keyEncipherment
|
135
|
-
],
|
144
|
+
organization: "uSwitch Limited",
|
136
145
|
dns_names: [],
|
137
146
|
ip_addresses: [],
|
138
|
-
|
139
|
-
curve: 'P384'
|
147
|
+
curve: "P384",
|
140
148
|
}.merge(options)
|
141
149
|
|
142
150
|
key_ident = "#{@name}-#{tf_safe(name)}"
|
@@ -161,7 +169,7 @@ module Terrafying
|
|
161
169
|
ctx.resource :acme_certificate, key_ident, {
|
162
170
|
provider: @acme_provider[:ref],
|
163
171
|
account_key_pem: @account_key,
|
164
|
-
min_days_remaining:
|
172
|
+
min_days_remaining: 21,
|
165
173
|
dns_challenge: {
|
166
174
|
provider: 'route53'
|
167
175
|
},
|
@@ -169,27 +177,88 @@ module Terrafying
|
|
169
177
|
}.merge(cert_options)
|
170
178
|
|
171
179
|
key_version = "${sha256(tls_private_key.#{key_ident}.private_key_pem)}"
|
180
|
+
|
172
181
|
ctx.resource :aws_s3_bucket_object, "#{key_ident}-key",
|
173
182
|
bucket: @bucket,
|
174
183
|
key: object_key(name, :key, key_version),
|
175
184
|
content: output_of(:tls_private_key, key_ident, :private_key_pem)
|
185
|
+
|
176
186
|
ctx.resource :aws_s3_bucket_object, "#{key_ident}-key-latest",
|
177
187
|
bucket: @bucket,
|
178
188
|
key: object_key(name, :key, 'latest'),
|
179
189
|
content: key_version
|
180
190
|
|
181
|
-
|
182
|
-
|
183
|
-
|
184
|
-
|
185
|
-
|
186
|
-
|
187
|
-
|
188
|
-
|
189
|
-
|
191
|
+
cert_version = "${sha256(acme_certificate.#{key_ident}.certificate_pem)}"
|
192
|
+
|
193
|
+
ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert",
|
194
|
+
bucket: @bucket,
|
195
|
+
key: object_key(name, :cert, cert_version),
|
196
|
+
content: output_of(:acme_certificate, key_ident, :certificate_pem).to_s + @ca_cert,
|
197
|
+
lifecycle: { ignore_changes: [ "content" ] } # the lambda will be updating it
|
198
|
+
|
199
|
+
ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert-latest",
|
200
|
+
bucket: @bucket,
|
201
|
+
key: object_key(name, :cert, 'latest'),
|
202
|
+
content: cert_version
|
190
203
|
|
191
|
-
|
204
|
+
reference_keypair(ctx, name, key_version: key_version, cert_version: cert_version)
|
192
205
|
end
|
206
|
+
|
207
|
+
def renew(name, bucket, options={})
|
208
|
+
options = {
|
209
|
+
prefix: "",
|
210
|
+
provider: :staging,
|
211
|
+
}.merge(options)
|
212
|
+
|
213
|
+
@name = name
|
214
|
+
@bucket = bucket
|
215
|
+
@prefix = options[:prefix]
|
216
|
+
|
217
|
+
resource :aws_lambda_function, "#{@name}_lambda", {
|
218
|
+
function_name: "#{@name}_lambda",
|
219
|
+
s3_bucket: "uswitch-certbot-lambda",
|
220
|
+
s3_key: "certbot-lambda.zip",
|
221
|
+
handler: "main.handler",
|
222
|
+
runtime: "python3.7",
|
223
|
+
role: "${aws_iam_role.#{@name}_lambda_execution.arn}",
|
224
|
+
environment:{
|
225
|
+
variables: {
|
226
|
+
CA_BUCKET: @bucket,
|
227
|
+
CA_PREFIX: @prefix,
|
228
|
+
}
|
229
|
+
}
|
230
|
+
}
|
231
|
+
# Lambda execution role
|
232
|
+
resource :aws_iam_role, "#{@name}_lambda_execution", {
|
233
|
+
name: "#{@name}_lambda_execution",
|
234
|
+
assume_role_policy: JSON.pretty_generate(
|
235
|
+
{
|
236
|
+
Version: "2012-10-17",
|
237
|
+
Statement: [
|
238
|
+
{
|
239
|
+
Action: "sts:AssumeRole",
|
240
|
+
Principal: {
|
241
|
+
Service: "lambda.amazonaws.com"
|
242
|
+
},
|
243
|
+
Effect: "Allow",
|
244
|
+
Sid: ""
|
245
|
+
},
|
246
|
+
{
|
247
|
+
Action: [
|
248
|
+
"s3:Put*",
|
249
|
+
"s3:Get*",
|
250
|
+
"s3:DeleteObject"
|
251
|
+
],
|
252
|
+
Resource: ["arn:aws:s3:::#{@bucket}/#{@prefix}"],
|
253
|
+
Effect: "Allow"
|
254
|
+
}
|
255
|
+
]
|
256
|
+
}
|
257
|
+
)
|
258
|
+
}
|
259
|
+
self
|
260
|
+
end
|
261
|
+
|
193
262
|
end
|
194
263
|
end
|
195
264
|
end
|
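Review bot: The new `renew` method puts the lambda's S3 permissions into the role's `assume_role_policy` (the second statement at `Action: ["s3:Put*", "s3:Get*", "s3:DeleteObject"]`), but a trust policy only governs who may assume the role and IAM rejects trust-policy statements that carry a `Resource` field, so this either fails to apply or leaves the function with no S3 access at all; the grant belongs in a separate `aws_iam_role_policy` attached to the role. The resource ARN `arn:aws:s3:::#{@bucket}/#{@prefix}` also matches only the single object literally named `@prefix` (and `bucket/` with the default `prefix: ""`), not the `.../account.key`, `config.json` or cert/key objects written under it, so it should end in `/*` and the wildcards should be narrowed to the object actions the renewal needs — this bucket holds the private keys written by `create_keypair_in`, and `s3:Put*` on object ARNs includes `s3:PutObjectAcl`. Separately, the function code is pulled from `s3_bucket: "uswitch-certbot-lambda"` / `s3_key: "certbot-lambda.zip"` with no `s3_object_version` or `source_code_hash`, so whoever can write to that bucket controls code running with write access to the key store; pinning a version and hash would make that supply-chain link attestable. The lambda also gets no log-writing permission, which the fence leaves for a follow-up.
```ruby
          # Lambda execution role: trust policy only — the S3 grant lives in the role policy below
          resource :aws_iam_role, "#{@name}_lambda_execution", {
            name: "#{@name}_lambda_execution",
            assume_role_policy: JSON.pretty_generate(
              {
                Version: "2012-10-17",
                Statement: [
                  { Action: "sts:AssumeRole", Principal: { Service: "lambda.amazonaws.com" }, Effect: "Allow", Sid: "" }
                ]
              }
            )
          }
          # Objects the renewer may read/write: everything under the prefix (or the whole bucket when prefix is "")
          object_arn = "arn:aws:s3:::#{@bucket}/#{@prefix.empty? ? '*' : "#{@prefix}/*"}"
          resource :aws_iam_role_policy, "#{@name}_lambda_s3", {
            name: "#{@name}_lambda_s3",
            role: "${aws_iam_role.#{@name}_lambda_execution.id}",
            policy: JSON.pretty_generate(
              {
                Version: "2012-10-17",
                Statement: [
                  { Action: %w[s3:GetObject s3:PutObject s3:DeleteObject], Resource: [object_arn], Effect: "Allow" }
                ]
              }
            )
          }
          # … unchanged: `self` return …
```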
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: terrafying-components
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.14.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- uSwitch Limited
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-
|
11
|
+
date: 2019-12-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|