Merge pull request #26 from Keyfactor/ab#69134

Ab#69134

Author: doebrowsk

.github/workflows/keyfactor-bootstrap-workflow.yml renamed to .github/workflows/keyfactor-starter-workflow.yml

@@ -1,4 +1,4 @@
-name: Keyfactor Bootstrap Workflow
+name: Keyfactor Bootstrap Workflow 
 
 on:
   workflow_dispatch:
@@ -11,9 +11,10 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@v2
+    uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2
     secrets:
       token: ${{ secrets.V2BUILDTOKEN}}
       APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
       gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
       gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
+      scan_token: ${{ secrets.SAST_TOKEN }}

CHANGELOG.md

@@ -1,3 +1,8 @@
+2.2.0
+* Add entry parameter for ACM tags
+* Modify to produce .net6/8 dual builds
+* Modify README to use doctool
+
 2.1.0
 * Allow EC2 default credentials to also run the Assume Role command
 * Add sts:ExtenalId parameter option to Assume Role calls (not applicable when using OAuth)

Images/CertStore-1.gif

@@ -176,9 +176,10 @@ protected virtual CurrentInventoryItem BuildInventoryItem(string alias, string r
                 Logger.LogTrace($"Certificate: {certificate}");
                 string base64Cert = RemoveAnchors(certificate);
                 Logger.LogTrace($"Base64 Certificate: {base64Cert}");
-                var regionDict = new Dictionary<string, object>
+                var entryParams = new Dictionary<string, object>
                 {
-                    { "AWS Region", region }
+                    { "AWS Region", region },
+                    { "ACM Tags", GetCertificateTagsFromArn(alias) }
                 };
                 CurrentInventoryItem acsi = new CurrentInventoryItem()
                 {
@@ -187,7 +188,7 @@ protected virtual CurrentInventoryItem BuildInventoryItem(string alias, string r
                     ItemStatus = OrchestratorInventoryItemStatus.Unknown,
                     PrivateKeyEntry = true,
                     UseChainLevel = false,
-                    Parameters = regionDict
+                    Parameters = entryParams
                 };
 
                 return acsi;
@@ -218,6 +219,34 @@ private string GetCertificateFromArn(string arn)
             }
         }
 
+        private string GetCertificateTagsFromArn(string arn)
+        {
+            try
+            {
+                Logger.MethodEntry();
+                Logger.LogTrace($"arn: {arn}");
+                ListTagsForCertificateRequest getTagsRequest = new ListTagsForCertificateRequest() { CertificateArn = arn };
+                ListTagsForCertificateResponse getTagsResponse = AsyncHelpers.RunSync(() => AcmClient.ListTagsForCertificateAsync(getTagsRequest));
+
+                string tags = "";
+                foreach (Amazon.CertificateManager.Model.Tag tag in getTagsResponse.Tags)
+                {
+                    tags += $",{tag.Key}={tag.Value}";
+                }
+
+                return tags.Length > 0 ? tags.Substring(1) : tags; 
+            }
+            catch (Exception e)
+            {
+                Logger.LogError($"Error Occurred in Inventory.GetCertificateTagsFromArn: {e.Message}");
+                throw;
+            }
+            finally
+            { 
+                Logger.MethodExit(); 
+            }
+        }
+
         //Remove Anchor Tags From Encoded Cert
         private string RemoveAnchors(string base64Cert)
         {

Images/CertStore-IAM.gif

@@ -27,12 +27,16 @@
 using System.IO;
 using System.Net;
 using System.Text;
+using System.Collections.Generic;
 using Amazon;
 using Org.BouncyCastle.OpenSsl;
 using System.Linq;
 
 using ILogger = Microsoft.Extensions.Logging.ILogger;
 using Keyfactor.Orchestrators.Extensions.Interfaces;
+using static Org.BouncyCastle.Math.EC.ECCurve;
+using System.Drawing;
+using Amazon.IdentityManagement.Model;
 
 namespace Keyfactor.AnyAgent.AwsCertificateManager.Jobs
 {
@@ -73,6 +77,8 @@ internal JobResult PerformAddition(Credentials awsCredentials, ManagementJobConf
                     };
                 }
 
+                List<Amazon.CertificateManager.Model.Tag> acmTags = ParseACMTags(config.JobProperties);
+
                 Logger.LogTrace($"Targeting AWS Region - {region}");
                 var endpoint = RegionEndpoint.GetBySystemName(region);
                 Logger.LogTrace($"Got Endpoint From Job Properties JSON: {JsonConvert.SerializeObject(endpoint)}");
@@ -178,8 +184,12 @@ internal JobResult PerformAddition(Credentials awsCredentials, ManagementJobConf
                             }
                         }
                         icr.CertificateArn = config.JobCertificate.Alias?.Length >= 20 ? config.JobCertificate.Alias.Trim() : null; //If an arn is provided, use it, this will perform a renewal/replace
+                        if (icr.CertificateArn == null )
+                        {
+                            icr.Tags = acmTags;
+                        }
                         Logger.LogTrace($"Certificate arn {icr.CertificateArn}");
-
+                        
                         ImportCertificateResponse IcrResponse = AsyncHelpers.RunSync(() => AcmClient.ImportCertificateAsync(icr));
                         Logger.LogTrace($"IcrResponse JSON: {JsonConvert.SerializeObject(IcrResponse)}");
                         // Ensure 200 Response
@@ -332,5 +342,30 @@ private static MemoryStream CertStringToStream(string certString)
             byte[] certBytes = Encoding.ASCII.GetBytes(certString);
             return new MemoryStream(certBytes);
         }
+
+        private List<Amazon.CertificateManager.Model.Tag> ParseACMTags(Dictionary<string, object> jobProperties)
+        {
+            List<Amazon.CertificateManager.Model.Tag> acmTags = new List<Amazon.CertificateManager.Model.Tag>();
+
+            if (jobProperties != null && jobProperties.ContainsKey("ACM Tags") && jobProperties["ACM Tags"] != null)
+            {
+                string acmTagsString = jobProperties["ACM Tags"].ToString();
+                string[] acmTagsAry = acmTagsString.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+
+                foreach(string acmTagString in acmTagsAry)
+                {
+                    string[] acmTagAry = acmTagString.Split("=", StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+                    if (acmTagAry.Length != 2)
+                    {
+                        throw new Exception($"Error parsing ACM Tags - invalid format.  Found {acmTagAry.Length.ToString()} items for a tag instead of 2 (key/value).");
+                    }
+
+                    Amazon.CertificateManager.Model.Tag acmTag = new Amazon.CertificateManager.Model.Tag() { Key = acmTagAry[0], Value = acmTagAry[1] };
+                    acmTags.Add(acmTag);
+                }
+            }
+
+            return acmTags;
+        }
     }
 }

Images/CertStore2.gif

@@ -1,15 +1,13 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
-	<CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
+    <AppendTargetFrameworkToOutputPath>true</AppendTargetFrameworkToOutputPath>
+    <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
+    <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
+    <ImplicitUsings>disable</ImplicitUsings>
     <RootNamespace>Keyfactor.AnyAgent.AwsCertificateManager</RootNamespace>
     <AssemblyName>Keyfactor.AnyAgent.AwsCertificateManager</AssemblyName>
   </PropertyGroup>
-  
-  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
-    <Exec Command="echo F | xcopy &quot;$(SolutionDir)sample-manifest.json&quot; &quot;$(TargetDir)\manifest.json&quot; /Y" />
-  </Target>
 
   <ItemGroup>
     <PackageReference Include="AWSSDK.CertificateManager" Version="3.7.101.21" />
@@ -27,6 +25,10 @@
     <PackageReference Include="RestSharp" Version="106.13.0" />
     <PackageReference Include="System.Data.DataSetExtensions" Version="4.5.0" />
     <PackageReference Include="System.Drawing.Common" Version="5.0.3" />
+
+    <None Update="manifest.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
   </ItemGroup>
 
 </Project>

Images/CertStoreCredentials.gif

@@ -0,0 +1 @@
+## Overview

Images/CertStoreType-Advanced.gif

@@ -0,0 +1,58 @@
+## Overview
+
+AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.  The orchestrator supports Okta OAth authentication, as well as AWS IAM accounts. The Okta Support allows authentication against a 3rd party identity provider in AWS.  From there you can get temporary credentials for a role that you setup in each AWS Account.
+
+This integration also supports the reading of existing certificate ACM key/value pair tags during inventory and adding these tags when adding new certificates.  Modifying and adding ACM tags during certificate renewal, however, is NOT supported.  This is due to the fact that the AWS API does not allow for ACM tag modification when updating a certificate in one step.  This would need to be done in multiple steps, leading to the possibility of the certificate being left in an error state if any intermediate step were to fail.  However, while the modification/addition of ACM tags is not supported, all existing ACM tags WILL remain in place during renewal.
+ 
+### Documentation
+
+- [Cert Manager API](https://docs.aws.amazon.com/acm/latest/userguide/sdk.html)
+- [Aws Region Codes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html)
+
+
+## Requirements
+
+### Setting up AWS Authentication
+
+Depending on your choice of authentication providers, choose the appropriate section:
+<details>
+<summary>AWS Certificate Manager <code>AWS-ACM</code></summary>
+
+### AWS Setup
+Options for authenticating:
+1. Okta or other OAuth configuration (refer to `AwsCerManO` below)
+2. IAM User Auth configuration (refer to `AwsCerManA` below)
+3. EC2 Role Auth or other default method supported by the [AWS SDK](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html)
+
+As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__. When the option to assume an EC2 role is selected, the Account ID and Role will be assumed using the default credentials supplied in the EC2 instance via the AWS SDK.
+1. Assign or note the existing IAM Role assigned to the EC2 instance running
+2. Make sure that role has access to ACM
+3. When configuring the `AWS-ACM` store, do not select either IAM or OAuth methods in the store's settings. This will make it use the AWS SDK to lookup EC2 credentials.
+
+</details>
+
+<details>
+<summary>[Deprecated] AWS Certificate Manager with Okta Auth Configuration <code>AwsCerManO</code></summary>
+
+### AWS Setup
+1. A 3rd party [identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) similar to [this](docsource/images/AWSIdentityProvider.gif) needs to be setup in AWS for each account.
+2. An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) similar to [this](docsource/images/AWSRole1.gif) needs Added for each AWS account.
+3. Ensure the [trust relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role.  Should  look like [this](docsource/images/AWSRole2.gif).
+
+### OKTA Setup
+1. Ensure your Authorization Server Is Setup in OKTA.  Here is a [sample](docsource/images/OktaSampleAuthorizationServer.gif).
+2. Ensure the appropriate scopes are setup in Okta.  Here is a [sample](docsource/images/OktaSampleAuthorizationServer-scopes.gif).
+3. Setup an Okta App with similar settings to [this](docsource/images/OktaApp1.gif) and [this](docsource/images/OktaApp2.gif).
+
+</details>
+
+<details>
+<summary>[Deprecated] AWS Certificate Manager with IAM Auth Configuration <code>AwsCerManA</code></summary>
+
+### AWS Setup
+1. An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) Needs Added for the permissions you want to grant, see [sample](docsource/images/AWSRole1.gif).
+2. A [Trust Relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role.  Should look like something like [this](docsource/images/AssumeRoleTrust.gif).
+3. AWS does not support programmatic access for AWS SSO accounts. The account used here must be a [standard AWS IAM User](docsource/images/UserAccount.gif) with an Access Key credential type.
+
+</details>
+