Create initial release

Author: diego-ojeda-binbash

README.md

@@ -1,2 +1,26 @@
-# terraform-certbot-lambda
-Terraform module for deploying an AWS Lambda that generates Let's Encrypt certificates via Certbot
+# Certbot Lambda
+
+This module deploys an AWS Lambda function that generates Let's Encrypt certificates via *certbot*, for the given domains. The Lambda is triggered by a CloudWatch event rule whose schedule can be set through the 'function_trigger_schedule_expression' variable.
+
+## Examples
+The following example will deploy a Lambda that will generate certificates for *test.example.com*:
+```
+module "certbot_lambda_test" {
+  source                                = "../../"
+  
+  # This is used for naming resources
+  name                                  = "test"
+  
+  # This email used by Let's Encrypt for sending notifications about certificates
+  contact_email                         = "admin@example.com"
+  
+  # This is the domain for the certificate
+  certificate_domains                   = "test.example.com"
+  
+  # This zone will be automatically updated to meet the DNS challenge required by Let's Encrypt
+  hosted_zone_id                        = aws_route53_record.example_com.zone_id
+  
+  # This is a cron-like expressions that determines when the Lambda is triggered
+  function_trigger_schedule_expression  = "cron(12 20 * * ? *)"
+}
+```

bucket.tf

@@ -0,0 +1,26 @@
+#
+# This bucket will be used for storing certificates.
+#
+resource "aws_s3_bucket" "certificates_store" {
+  bucket = "${var.name_prefix}-certificates-${var.name}"
+  acl    = "private"
+  force_destroy = true
+  
+  versioning {
+    enabled = true
+  }
+  
+  lifecycle {
+    prevent_destroy = false
+  }
+  
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+  
+  tags = local.tags
+}

cloudwatch.tf

@@ -0,0 +1,19 @@
+# Create a timer that runs every 12 hours
+resource "aws_cloudwatch_event_rule" "certbot_lambda_timer" {
+  name                = "${var.name_prefix}-timer-${var.name}"
+  schedule_expression = "cron(0 */12 * * ? *)"
+}
+
+# Specify the lambda function to run
+resource "aws_cloudwatch_event_target" "lets_encrypt_timer_target" {
+  rule = aws_cloudwatch_event_rule.certbot_lambda_timer.name
+  arn  = module.certbot_lambda_jenkins.function_arn
+}
+
+# Give cloudwatch permission to invoke the function
+resource "aws_lambda_permission" "permission" {
+  action = "lambda:InvokeFunction"
+  function_name = module.certbot_lambda_jenkins.function_name
+  principal = "events.amazonaws.com"
+  source_arn = aws_cloudwatch_event_rule.certbot_lambda_timer.arn
+}

lambda.tf

@@ -0,0 +1,71 @@
+#
+# Lambda function that takes care of requesting the creation and renewal of
+# LetsEncrypt certificates and stores them in an S3 bucket.
+#
+module "certbot_lambda_jenkins" {
+  source  = "git::https://github.com/binbashar/terraform-aws-lambda?ref=master"
+  
+  function_name = "${var.name_prefix}-${var.name}"
+  description   = "CertBot Lambda that creates and renews certificates for ${var.certificate_domains}"
+  handler       = "main.lambda_handler"
+  runtime       = "python3.6"
+  timeout       = 300
+  
+  source_path = "${path.module}/src/"
+  
+  trusted_entities = ["events.amazonaws.com"]
+  
+  policy = {
+    json = data.aws_iam_policy_document.bucket_permissions.json
+  }
+  
+  environment = {
+    variables = {
+      EMAIL     = var.contact_email
+      DOMAINS   = var.certificate_domains
+      S3_BUCKET = aws_s3_bucket.certificates_store.id
+      S3_PREFIX = var.name
+    }
+  }
+}
+
+#
+# Lambda permissions on the bucket used to store certificates.
+#
+data "aws_iam_policy_document" "bucket_permissions" {
+  statement {
+    actions = [
+      "s3:ListBucket"
+    ]
+    resources = [
+      aws_s3_bucket.certificates_store.arn
+    ]
+  }
+  
+  statement {
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      aws_s3_bucket.certificates_store.arn,
+      "${aws_s3_bucket.certificates_store.arn}/*"
+    ]
+  }
+  
+  statement {
+    actions = [
+      "route53:ListHostedZones",
+      "route53:GetChange"
+    ]
+    resources = ["*"]
+  }
+  
+  statement {
+    actions = [
+      "route53:ChangeResourceRecordSets"
+    ]
+    resources = [
+      "arn:aws:route53:::hostedzone/${var.hosted_zone_id}"
+    ]
+  }
+}

locals.tf

@@ -0,0 +1,3 @@
+locals {
+  tags = merge(var.tags, map("Application", "certbot-lambda"))
+}

src/.libs_cffi_backend/libffi-806b1a9d.so.6.0.4

@@ -0,0 +1 @@
+pip

src/ConfigArgParse-1.2.dist-info/INSTALLER

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 bw2
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.