terrafying-components 1.14.10 → 1.15.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 96ab02163f59abbca33da70716d52b158df9b5bd82311babe7f895a754fbc7d3
4
- data.tar.gz: 35012aee6747600bee403b48402fb4ef8e84b72f90cd9a6c390ee55d72adcf04
3
+ metadata.gz: 6b23fdea2286a2479dbf077b4c22324c2b0aadd3eb9b92da59c1518ea1ca47c5
4
+ data.tar.gz: cf2b7383cea8ea495f8762b663d6d595365b4da58563dc8c34f94197ad75c87f
5
5
  SHA512:
6
- metadata.gz: 51290d391c153825fdc4def0660132722a0a9d632cce7bde8d9230201b608833338ca551e81ef2b71c9993eb6d6ac4a3bc7b4352ec9d9bce79d757fdc574ad49
7
- data.tar.gz: 3540ebe6318ab64509011792d333ea48bfabb5eceb03f28e07d5f39ae0bc0b12959ec36e689ec4d2e9699f89dba28be8c49372eca74ca10a2e7fe1852235fcb4
6
+ metadata.gz: ec5cda26c1162f9b0e9b034ae84a97ac0c27c1d14a350ca20bca601afe9c354f6d059e75a3ed781c37f6bbe96784464e4f0531cfbc2fdd448b7968b10d4cd9a1
7
+ data.tar.gz: 601c572f76ca019a6621bbdd66639b03b5ce1334b043e50716cf65346f32a6a233345f618db2314a08b459e7bde62bdafb582e40ee88dd46f93577a0a511876e
@@ -16,13 +16,11 @@ module Terrafying
16
16
  def self.find(name, bucket, options = {})
17
17
  LetsEncrypt.new.find name, bucket, options
18
18
  end
19
- def self.renew(name, bucket, domains, options = {})
20
- LetsEncrypt.new.renew name, bucket, domains, options
21
- end
22
19
 
23
20
  def initialize
24
21
  super
25
22
  @acme_providers = setup_providers
23
+ @zones = []
26
24
  end
27
25
 
28
26
  def setup_providers
@@ -48,7 +46,8 @@ module Terrafying
48
46
  public_certificate: false,
49
47
  curve: 'P384',
50
48
  rsa_bits: '3072',
51
- use_external_dns: false
49
+ use_external_dns: false,
50
+ renewing: false
52
51
  }.merge(options)
53
52
 
54
53
  @name = name
@@ -56,6 +55,9 @@ module Terrafying
56
55
  @prefix = options[:prefix]
57
56
  @acme_provider = @acme_providers[options[:provider]]
58
57
  @use_external_dns = options[:use_external_dns]
58
+ @renewing = options[:renewing]
59
+
60
+ renew() if @renewing
59
61
 
60
62
  provider :tls, {}
61
63
 
@@ -145,9 +147,11 @@ module Terrafying
145
147
  organization: "uSwitch Limited",
146
148
  dns_names: [],
147
149
  ip_addresses: [],
148
- curve: "P384",
150
+ curve: "P384"
149
151
  }.merge(options)
150
152
 
153
+ @zones << options[:zone] if options[:zone]
154
+
151
155
  key_ident = "#{@name}-#{tf_safe(name)}"
152
156
 
153
157
  ctx.resource :tls_private_key, key_ident,
@@ -203,11 +207,14 @@ module Terrafying
203
207
 
204
208
  cert_version = "${sha256(acme_certificate.#{key_ident}.certificate_pem)}"
205
209
 
206
- ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert",
210
+ cert_config = {
207
211
  bucket: @bucket,
208
212
  key: object_key(name, :cert, cert_version),
209
213
  content: output_of(:acme_certificate, key_ident, :certificate_pem).to_s + @ca_cert,
210
- lifecycle: { ignore_changes: [ "content" ] } # the lambda will be updating it
214
+ }
215
+ cert_config[:lifecycle] = { ignore_changes: [ "content" ] } if @renewing
216
+
217
+ ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert", cert_config
211
218
 
212
219
  ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert-latest",
213
220
  bucket: @bucket,
@@ -217,55 +224,14 @@ module Terrafying
217
224
  reference_keypair(ctx, name, key_version: key_version, cert_version: cert_version)
218
225
  end
219
226
 
220
- def renew(name, bucket, domains, options={})
221
- options = {
222
- prefix: "",
223
- provider: :staging,
224
- }.merge(options)
227
+ def output_with_children
228
+ @prefix_path = [@prefix, @name].reject(&:empty?).join("/")
225
229
 
226
- @name = name
227
- @bucket = bucket
228
- @domains = domains
229
- @prefix = options[:prefix]
230
-
231
- resource :aws_lambda_function, "#{@name}_lambda", {
232
- function_name: "#{@name}_lambda",
233
- s3_bucket: "uswitch-certbot-lambda",
234
- s3_key: "certbot-lambda.zip",
235
- handler: "main.handler",
236
- runtime: "python3.7",
237
- timeout: "900",
238
- role: "${aws_iam_role.#{@name}_lambda_execution.arn}",
239
- environment:{
240
- variables: {
241
- CA_BUCKET: @bucket,
242
- CA_PREFIX: @prefix,
243
- }
244
- }
245
- }
246
-
247
- resource :aws_iam_role, "#{@name}_lambda_execution", {
248
- name: "#{@name}_lambda_execution",
249
- assume_role_policy: JSON.pretty_generate(
250
- {
251
- Version: "2012-10-17",
252
- Statement: [
253
- {
254
- Action: "sts:AssumeRole",
255
- Principal: {
256
- Service: "lambda.amazonaws.com"
257
- },
258
- Effect: "Allow",
259
- Sid: ""
260
- }
261
- ]
262
- }
263
- )
264
- }
265
-
266
- resource :aws_iam_policy, "#{@name}_lambda_execution_policy", {
230
+ iam_policy = {}
231
+ if @renewing
232
+ iam_policy = resource :aws_iam_policy, "#{@name}_lambda_execution_policy", {
267
233
  name: "#{@name}_lambda_execution_policy",
268
- description: "A policy for the #{@name}-lambda function to access S3",
234
+ description: "A policy for the #{@name}_lambda function to access S3 and R53",
269
235
  policy: JSON.pretty_generate(
270
236
  {
271
237
  Version: "2012-10-17",
@@ -277,7 +243,7 @@ module Terrafying
277
243
  "s3:DeleteObject"
278
244
  ],
279
245
  Resource: [
280
- "arn:aws:s3:::#{@bucket}/#{@prefix}/*"
246
+ "arn:aws:s3:::#{@bucket}/#{@prefix_path}/*"
281
247
  ],
282
248
  Effect: "Allow"
283
249
  },
@@ -324,8 +290,8 @@ module Terrafying
324
290
  "route53:ChangeResourceRecordSets",
325
291
  ],
326
292
  Resource:
327
- domains.map { | domain |
328
- "arn:aws:route53:::#{domain.zone.id[1..-1]}"
293
+ @zones.compact.map { | zone |
294
+ "arn:aws:route53:::#{zone.id[1..-1]}"
329
295
  },
330
296
  Effect: "Allow"
331
297
  }
@@ -333,14 +299,53 @@ module Terrafying
333
299
  }
334
300
  )
335
301
  }
302
+ end
303
+ super
304
+ end
305
+
306
+ def renew
307
+ execution_role = resource :aws_iam_role, "#{@name}_lambda_execution", {
308
+ name: "#{@name}_lambda_execution",
309
+ assume_role_policy: JSON.pretty_generate(
310
+ {
311
+ Version: "2012-10-17",
312
+ Statement: [
313
+ {
314
+ Action: "sts:AssumeRole",
315
+ Principal: {
316
+ Service: "lambda.amazonaws.com"
317
+ },
318
+ Effect: "Allow",
319
+ Sid: ""
320
+ }
321
+ ]
322
+ }
323
+ )
324
+ }
325
+
326
+ resource :aws_lambda_function, "#{@name}_lambda", {
327
+ function_name: "#{@name}_lambda",
328
+ s3_bucket: "uswitch-certbot-lambda",
329
+ s3_key: "certbot-lambda.zip",
330
+ handler: "main.handler",
331
+ runtime: "python3.7",
332
+ timeout: "900",
333
+ role: execution_role["arn"],
334
+ environment:{
335
+ variables: {
336
+ CA_BUCKET: @bucket,
337
+ CA_PREFIX: @prefix_path
338
+ }
339
+ }
340
+ }
336
341
 
337
342
  resource :aws_iam_role_policy_attachment, "#{@name}_lambda_policy_attachment", {
338
- role: "${aws_iam_role.#{@name}_lambda_execution.name}",
343
+ role: execution_role["name"],
339
344
  policy_arn: "${aws_iam_policy.#{@name}_lambda_execution_policy.arn}"
340
345
  }
341
346
 
342
- self
343
- end
347
+ self
348
+ end
344
349
 
345
350
  end
346
351
  end
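Review bot: `renew` reads `@prefix_path` for the Lambda's `CA_PREFIX` (new line 337), but `@prefix_path` is only assigned at the top of `output_with_children` (new line 228), while `renew() if @renewing` (new line 60) runs during construction, before that hook; because the hash handed to `resource` is evaluated when `renew` executes, the function is emitted with a nil prefix, whereas the IAM policy built later in `output_with_children` scopes S3 access to `#{@bucket}/#{@prefix_path}/*`, so the function's environment and its permissions disagree on the path (the removed code used `@prefix` for both). Assign the path before the call, e.g. `@prefix_path = [@prefix, @name].reject(&:empty?).join("/")` directly above `renew() if @renewing`, and either keep the later assignment or drop it. Note that `reject(&:empty?)` raises `NoMethodError` if `@prefix` is nil; the default for `prefix` is set outside this hunk, so this is only safe if it is always a string. Separately, the `iam_policy` local in `output_with_children` (new lines 230-232) is assigned but never read and can be removed. The method enclosing the `renew() if @renewing` line starts outside its hunk.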
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Terrafying
4
4
  module Components
5
- VERSION = '1.14.10'
5
+ VERSION = '1.15.0'
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: terrafying-components
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.14.10
4
+ version: 1.15.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - uSwitch Limited
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-12-19 00:00:00.000000000 Z
11
+ date: 2020-01-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake