Support for certbot-aws-store files

* Pull certificates from certbot-aws-files registry
* Improved configuration import to job definition
* Files are no longer mandatory

Author: JohnPreston

Makefile

@@ -93,13 +93,13 @@ dist: clean ## builds source and wheel package
 	poetry build
 	ls -l dist
 
-install: clean ## install the package to the active Python's site-packages
+install: clean conform ## install the package to the active Python's site-packages
 	pip install . --use-pep517
 
-conform	: ## Conform to a standard of coding syntax
+conform:	data-model
 	isort --profile black ecs_files_composer
 	black ecs_files_composer tests
 	find ecs_files_composer -name "*.json" -type f  -exec sed -i '1s/^\xEF\xBB\xBF//' {} +
 
 data-model:
-			datamodel-codegen
+	datamodel-codegen

ecs-files-input.json

@@ -3,9 +3,6 @@
   "type": "object",
   "typeName": "input",
   "description": "Configuration input definition for ECS Files Composer",
-  "required": [
-    "files"
-  ],
   "properties": {
     "files": {
       "type": "object",
@@ -29,6 +26,15 @@
         }
       }
     },
+    "certbot_store": {
+      "type": "object",
+      "uniqueItems": true,
+      "patternProperties": {
+        "[\\W\\-\\.]+$": {
+          "$ref": "#/definitions/CertbotAwsStoreCertificate"
+        }
+      }
+    },
     "IamOverride": {
       "type": "object",
       "$ref": "#/definitions/IamOverrideDef"
@@ -158,34 +164,47 @@
         "VersionStage": {
           "type": "string"
         },
+        "JsonKey": {
+          "type": "string",
+          "description": "If the SecretString is a valid JSON, use the Key to map to the value stored in secret"
+        },
         "IamOverride": {
           "$ref": "#/definitions/IamOverrideDef"
         }
       }
     },
     "S3Def": {
-      "type": "object",
-      "required": [
-        "BucketName",
-        "Key"
-      ],
-      "properties": {
-        "BucketName": {
-          "type": "string",
-          "description": "Name of the S3 Bucket"
-        },
-        "BucketRegion": {
-          "type": "string",
-          "description": "S3 Region to use. Default will ignore or retrieve via s3:GetBucketLocation"
+      "oneOf": [
+        {
+          "type": "object",
+          "required": [
+            "BucketName",
+            "Key"
+          ],
+          "properties": {
+            "BucketName": {
+              "type": "string",
+              "description": "Name of the S3 Bucket"
+            },
+            "BucketRegion": {
+              "type": "string",
+              "description": "S3 Region to use. Default will ignore or retrieve via s3:GetBucketLocation"
+            },
+            "Key": {
+              "type": "string",
+              "description": "Full path to the file to retrieve"
+            },
+            "IamOverride": {
+              "$ref": "#/definitions/IamOverrideDef"
+            }
+          }
         },
-        "Key": {
+        {
           "type": "string",
-          "description": "Full path to the file to retrieve"
-        },
-        "IamOverride": {
-          "$ref": "#/definitions/IamOverrideDef"
+          "pattern": "^arn:aws(?:-[a-z]+)?:s3:::(\\S+)::(\\S+)$",
+          "description": "OneLiner with bucket ARN and path to key."
         }
-      }
+      ]
     },
     "IamOverrideDef": {
       "type": "object",
@@ -290,6 +309,45 @@
           "default": "root"
         }
       }
+    },
+    "CertbotAwsStoreCertificate": {
+      "type": "object",
+      "required": [
+        "storage_path"
+      ],
+      "properties": {
+        "storage_path": {
+          "type": "string",
+          "pattern": "^/[\\x00-\\x7F]+$",
+          "description": "path to folder to store the certbot certificates into."
+        },
+        "table_name": {
+          "type": "string",
+          "description": "dynamodb table name of the certbot-aws-store registry",
+          "default": "certbot-registry"
+        },
+        "table_region_name": {
+          "type": "string",
+          "description": "Region in which the table_name is. Defaults to profile default region, or eu-west-1"
+        }
+      }
+    }
+  },
+  "anyOf": [
+    {
+      "required": [
+        "files"
+      ]
+    },
+    {
+      "required": [
+        "certbot_store"
+      ]
+    },
+    {
+      "required": [
+        "certificates"
+      ]
     }
-  }
+  ]
 }

ecs_files_composer/__init__.py

@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: MPL-2.0
-# Copyright 2020-2021 John Mille<[email protected]>
+# Copyright 2020-2022 John Mille<[email protected]>
 
 """Top-level package for ECS Files Composer."""
 

ecs_files_composer/aws_mgmt.py

@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: MPL-2.0
-# Copyright 2020-2021 John Mille<[email protected]>
+# Copyright 2020-2022 John Mille<[email protected]>
 
 """AWS module."""
 

ecs_files_composer/certbot_aws_store.py

@@ -0,0 +1,37 @@
+# SPDX-License-Identifier: MPL-2.0
+# Copyright 2020-2022 John Mille<[email protected]>
+
+"""
+Manages certbot certificates download from certbot-aws-store
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from .input import Model
+
+from certbot_aws_store.certificate import AcmeCertificate
+
+from ecs_files_composer.common import LOG
+
+
+def handle_certbot_store_certificates(job: Model) -> None:
+    if not job.certbot_store:
+        return
+    for _hostname, _definition in job.certbot_store.items():
+        certificate = AcmeCertificate(
+            _hostname,
+            None,
+            table_name=_definition.table_name if _definition.table_name else None,
+            region_name=_definition.table_region_name
+            if _definition.table_region_name
+            else None,
+        )
+        try:
+            certificate.pull(_definition.storage_path)
+            LOG.info("Successfully pulled certificates for %s", _hostname)
+        except Exception as error:
+            print(error)
+            print("Failed to download certificate from certbot-aws-store", _hostname)

ecs_files_composer/certificates_mgmt.py

@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: MPL-2.0
-# Copyright 2020-2021 John Mille<[email protected]>
+# Copyright 2020-2022 John Mille<[email protected]>
 
 import pathlib
 import socket

ecs_files_composer/cli.py

@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: MPL-2.0
-# Copyright 2020-2021 John Mille<[email protected]>
+# Copyright 2020-2022 John Mille<[email protected]>
 
 """Console script for ecs_files_composer."""
 import argparse

ecs_files_composer/common.py

@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: MPL-2.0
-# Copyright 2020-2021 John Mille<[email protected]>
+# Copyright 2020-2022 John Mille<[email protected]>
 
 import logging as logthings
 import sys

ecs_files_composer/ecs_files_composer.py

@@ -1,8 +1,15 @@
 # SPDX-License-Identifier: MPL-2.0
-# Copyright 2020-2021 John Mille<[email protected]>
+# Copyright 2020-2022 John Mille<[email protected]>
 
 """Main module."""
 
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from .input import Model
+
 import json
 import uuid
 from os import environ, path
@@ -13,6 +20,7 @@
 
 from ecs_files_composer import input
 from ecs_files_composer.aws_mgmt import S3Fetcher, SecretFetcher, SsmFetcher
+from ecs_files_composer.certbot_aws_store import handle_certbot_store_certificates
 from ecs_files_composer.certificates_mgmt import process_x509_certs
 from ecs_files_composer.common import LOG
 from ecs_files_composer.files_mgmt import File
@@ -110,23 +118,29 @@ def init_config(
             raise
 
 
-def start_jobs(config, override_session=None):
+def process_files(job: Model, override_session=None) -> None:
+    files: list = []
+    for file_path, file in job.files.items():
+        file_redef = File(**file.dict())
+        file_redef.path = file_path
+        files.append(file_redef)
+    for file in files:
+        file.handler(job.iam_override, override_session)
+        LOG.info(f"Tasks for {file.path} completed.")
+
+
+def start_jobs(config: dict, override_session=None):
     """
     Starting point to run the files job
 
     :param config:
     :param override_session:
     :return:
     """
-    if not keyisset("files", config):
-        raise KeyError("Missing required files from configuration input")
-    job = input.Model(files=config["files"]).parse_obj(config)
-    process_x509_certs(job)
-    for file_path, file in job.files.items():
-        if not isinstance(file, File):
-            file_def = File().parse_obj(file)
-            job.files[file_path] = file_def
-            file_def.path = file_path
-    for file in job.files.values():
-        file.handler(job.iam_override, override_session)
-        LOG.info(f"Tasks for {file.path} completed.")
+    job = input.Model(**config)
+    if job.certificates:
+        process_x509_certs(job)
+    if job.certbot_store:
+        handle_certbot_store_certificates(job)
+    if job.files:
+        process_files(job, override_session)

ecs_files_composer/envsubst.py

@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: MPL-2.0
-# Copyright 2020-2021 John Mille <[email protected]>
+# Copyright 2020-2022 John Mille <[email protected]>
 
 """
 Module to do a better env variables handling.