Merge 01e454b into d6b1d71

Author: leefine02

.github/workflows/keyfactor-bootstrap-workflow.yml renamed to .github/workflows/keyfactor-starter-workflow.yml

@@ -1,4 +1,4 @@
-name: Keyfactor Bootstrap Workflow
+name: Keyfactor Bootstrap Workflow 
 
 on:
   workflow_dispatch:
@@ -11,9 +11,10 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@v2
+    uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2
     secrets:
       token: ${{ secrets.V2BUILDTOKEN}}
       APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
       gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
       gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
+      scan_token: ${{ secrets.SAST_TOKEN }}

Images/CertStore-1.gif

@@ -1,15 +1,13 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
-	<CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
+    <AppendTargetFrameworkToOutputPath>true</AppendTargetFrameworkToOutputPath>
+    <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
+    <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
+    <ImplicitUsings>disable</ImplicitUsings>
     <RootNamespace>Keyfactor.AnyAgent.AwsCertificateManager</RootNamespace>
     <AssemblyName>Keyfactor.AnyAgent.AwsCertificateManager</AssemblyName>
   </PropertyGroup>
-  
-  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
-    <Exec Command="echo F | xcopy &quot;$(SolutionDir)sample-manifest.json&quot; &quot;$(TargetDir)\manifest.json&quot; /Y" />
-  </Target>
 
   <ItemGroup>
     <PackageReference Include="AWSSDK.CertificateManager" Version="3.7.101.21" />
@@ -27,6 +25,10 @@
     <PackageReference Include="RestSharp" Version="106.13.0" />
     <PackageReference Include="System.Data.DataSetExtensions" Version="4.5.0" />
     <PackageReference Include="System.Drawing.Common" Version="5.0.3" />
+
+    <None Update="manifest.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
   </ItemGroup>
 
 </Project>

Images/CertStore-IAM.gif

@@ -0,0 +1,20 @@
+## Overview
+
+TODO Overview is a required section
+
+## Requirements
+
+TODO Requirements is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+
+## Discovery Job Configuration
+
+TODO Discovery Job Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+
+## Certificate Store Configuration
+
+TODO Certificate Store Configuration is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+
+## Global Store Type Section
+
+TODO Global Store Type Section is an optional section. If this section doesn't seem necessary on initial glance, please delete it. Refer to the docs on [Confluence](https://keyfactor.atlassian.net/wiki/x/SAAyHg) for more info
+

Images/CertStore2.gif

@@ -0,0 +1,54 @@
+## Overview
+
+AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.  The orchestrator supports Okta OAth authentication, as well as AWS IAM accounts. The Okta Support allows authentication against a 3rd party identity provider in AWS.  From there you can get temporary credentials for a role that you setup in each AWS Account.
+ 
+### Documentation
+
+- [Cert Manager API](https://docs.aws.amazon.com/acm/latest/userguide/sdk.html)
+- [Aws Region Codes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html)
+
+
+## Requirements
+
+Depending on your choice of authentication providers, choose the appropriate section:
+<details>
+<summary>AWS Certificate Manager <code>AWS-ACM</code></summary>
+
+### AWS Setup
+Options for authenticating:
+1. Okta or other OAuth configuration (refer to `AwsCerManO` below)
+2. IAM User Auth configuration (refer to `AwsCerManA` below)
+3. EC2 Role Auth or other default method supported by the [AWS SDK](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html)
+
+As one option for #3, to set up Role Auth for an EC2 instance, follow the steps below. Note, this applies specifically __when the orchestrator is running `ACM-AWS` inside of an EC2 instance__. When the option to assume an EC2 role is selected, the Account ID and Role will be assumed using the default credentials supplied in the EC2 instance via the AWS SDK.
+1. Assign or note the existing IAM Role assigned to the EC2 instance running
+2. Make sure that role has access to ACM
+3. When configuring the `AWS-ACM` store, do not select either IAM or OAuth methods in the store's settings. This will make it use the AWS SDK to lookup EC2 credentials.
+
+</details>
+
+<details>
+<summary>[Deprecated] AWS Certificate Manager with Okta Auth Configuration <code>AwsCerManO</code></summary>
+
+### AWS Setup
+1. A 3rd party [identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) similar to [this](/Images/AWSIdentityProvider.gif) needs to be setup in AWS for each account.
+2. An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) similar to [this](/Images/AWSRole1.gif) needs Added for each AWS account.
+3. Ensure the [trust relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role.  Should  look like [this](/Images/AWSRole2.gif).
+
+### OKTA Setup
+1. Ensure your Authorization Server Is Setup in OKTA.  Here is a [sample](/Images/OktaSampleAuthorizationServer.gif).
+2. Ensure the appropriate scopes are setup in Okta.  Here is a [sample](/Images/OktaSampleAuthorizationServer-scopes.gif).
+3. Setup an Okta App with similar settings to [this](/Images/OktaApp1.gif) and [this](/Images/OktaApp2.gif).
+
+</details>
+
+<details>
+<summary>[Deprecated] AWS Certificate Manager with IAM Auth Configuration <code>AwsCerManA</code></summary>
+
+### AWS Setup
+1. An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) Needs Added for the permissions you want to grant, see [sample](/Images/AWSRole1.gif).
+2. A [Trust Relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role.  Should look like something like [this](/Images/AssumeRoleTrust.gif).
+3. AWS does not support programmatic access for AWS SSO accounts. The account used here must be a [standard AWS IAM User](/Images/UserAccount.gif) with an Access Key credential type.
+
+</details>
+

Images/CertStoreCredentials.gif

@@ -4,33 +4,16 @@
   "name": "AWS Certificate Manager (ACM) Orchestrator",
   "status": "production",
   "update_catalog": true,
-  "link_github": true,
+  "link_github": true, 
   "release_dir":  "aws-orchestrator-core/bin/Release/netcoreapp3.1",
+  "release_project": "aws-orchestrator-core/aws-orchestrator-core.csproj",
   "support_level": "kf-supported",
   "description": "The AWS ACM Orchestrator supports Inventory and Management of certificates in the AWS Certificate Manager. It supports three methods of authentication: Environmental Credentials loaded via the AWS SDK e.g. inside an EC2 instance; IAM User Credentials for assuming a Role as a specific user; OAuth-based Credentials to authenticate with an OAuth provider to assume a Role.",
   "about": {
     "orchestrator": {
       "UOFramework": "10.1",
       "keyfactor_platform_version": "9.10",
       "pam_support": true,
-      "win": {
-        "supportsCreateStore": false,
-        "supportsDiscovery": false,
-        "supportsManagementAdd": true,
-        "supportsManagementRemove": true,
-        "supportsReenrollment": false,
-        "supportsInventory": true,
-        "platformSupport": "Unused"
-      },
-      "linux": {
-        "supportsCreateStore": false,
-        "supportsDiscovery": false,
-        "supportsManagementAdd": true,
-        "supportsManagementRemove": true,
-        "supportsReenrollment": false,
-        "supportsInventory": true,
-        "platformSupport": "Unused"
-      },
       "store_types": [
         {
           "Name": "AWS Certificate Manager",
@@ -49,105 +32,121 @@
               "Name": "UseEC2AssumeRole",
               "DisplayName": "Assume new Account / Role in EC2",
               "Type": "Bool",
-              "DependsOn": null,
+              "DependsOn": "",
               "DefaultValue": "false",
-              "Required": true
+              "Required": true,
+              "IsPAMEligible": false,
+              "Description": "A switch to enable the store to assume a new Account ID and Role when using EC2 credentials"
             },
             {
               "Name": "UseOAuth",
               "DisplayName": "Use OAuth 2.0 Provider",
               "Type": "Bool",
-              "DependsOn": null,
+              "DependsOn": "",
               "DefaultValue": "false",
-              "Required": true
+              "Required": true,
+              "IsPAMEligible": false,
+              "Description": "A switch to enable the store to use an OAuth provider workflow to authenticate with AWS ACM"
             },
             {
               "Name": "UseIAM",
               "DisplayName": "Use IAM User Auth",
               "Type": "Bool",
-              "DependsOn": null,
+              "DependsOn": "",
               "DefaultValue": "false",
-              "Required": true
+              "Required": true,
+              "IsPAMEligible": false,
+              "Description": "A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS ACM"
             },
             {
               "Name": "EC2AssumeRole",
               "DisplayName": "AWS Role to Assume (EC2)",
               "Type": "String",
               "DependsOn": "UseEC2AssumeRole",
-              "DefaultValue": null,
-              "Required": false
+              "DefaultValue": "",
+              "Required": false,
+              "IsPAMEligible": false,
+              "Description": "The AWS Role to assume using the EC2 instance credentials"
             },
             {
               "Name": "OAuthScope",
               "DisplayName": "OAuth Scope",
               "Type": "String",
               "DependsOn": "UseOAuth",
-              "DefaultValue": null,
-              "Required": false
+              "DefaultValue": "",
+              "Required": false,
+              "IsPAMEligible": false,
+              "Description": "This is the OAuth Scope needed for Okta OAuth, defined in Okta"
             },
             {
               "Name": "OAuthGrantType",
               "DisplayName": "OAuth Grant Type",
               "Type": "String",
               "DependsOn": "UseOAuth",
               "DefaultValue": "client_credentials",
-              "Required": false
+              "Required": false,
+              "IsPAMEligible": false,
+              "Description": "In OAuth 2.0, the term �grant type� refers to the way an application gets an access token. In Okta this is `client_credentials`"
             },
             {
               "Name": "OAuthUrl",
               "DisplayName": "OAuth Url",
               "Type": "String",
               "DependsOn": "UseOAuth",
               "DefaultValue": "https://***/oauth2/default/v1/token",
-              "Required": false
+              "Required": false,
+              "IsPAMEligible": false,
+              "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls"
             },
             {
               "Name": "IAMAssumeRole",
               "DisplayName": "AWS Role to Assume (IAM)",
               "Type": "String",
               "DependsOn": "UseIAM",
-              "DefaultValue": null,
-              "Required": false
+              "DefaultValue": "",
+              "Required": false,
+              "IsPAMEligible": false,
+              "Description": "The AWS Role to assume as the IAM User."
             },
             {
               "Name": "OAuthAssumeRole",
               "DisplayName": "AWS Role to Assume (OAuth)",
               "Type": "String",
               "DependsOn": "UseOAuth",
-              "DefaultValue": null,
-              "Required": false
+              "DefaultValue": "",
+              "Required": false,
+              "IsPAMEligible": false,
+              "Description": "The AWS Role to assume after getting an OAuth token."
             },
             {
               "Name": "ExternalId",
               "DisplayName": "sts:ExternalId",
               "Type": "String",
-              "DependsOn": null,
-              "DefaultValue": null,
-              "Required": false
+              "DependsOn": "",
+              "DefaultValue": "",
+              "Required": false,
+              "IsPAMEligible": false,
+              "Description": "An optional parameter sts:ExternalId to pass with Assume Role calls"
             },
             {
               "Name": "ServerUsername",
               "DisplayName": "Server Username",
               "Type": "Secret",
-              "DependsOn": null,
-              "DefaultValue": null,
-              "Required": false
+              "DependsOn": "",
+              "DefaultValue": "",
+              "Required": false,
+              "IsPAMEligible": true,
+              "Description": "The AWS Access Key for an IAM User or Client ID for OAuth. Depends on Auth method in use."
             },
             {
               "Name": "ServerPassword",
               "DisplayName": "Server Password",
               "Type": "Secret",
-              "DependsOn": null,
-              "DefaultValue": null,
-              "Required": false
-            },
-            {
-              "Name": "ServerUseSsl",
-              "DisplayName": "Use SSL",
-              "Type": "Bool",
-              "DependsOn": null,
-              "DefaultValue": "true",
-              "Required": true
+              "DependsOn": "",
+              "DefaultValue": "",
+              "Required": false,
+              "IsPAMEligible": true,
+              "Description": "The AWS Access Secret for an IAM User or Client Secret for OAuth. Depends on Auth method in use."
             }
           ],
           "EntryParameters": [
@@ -160,7 +159,20 @@
                 "OnAdd": true,
                 "OnRemove": false,
                 "OnReenrollment": false
-              }
+              },
+	      "Description": "When adding, this is the Region that the Certificate will be added to"
+            },
+            {
+              "Name": "ACM Tags",
+              "DisplayName": "ACM Tags",
+              "Type": "String",
+              "RequiredWhen": {
+                "HasPrivateKey": false,
+                "OnAdd": false,
+                "OnRemove": false,
+                "OnReenrollment": false
+              },
+	      "Description": "The ACM tags that should be assigned to the certificate.  Multiple name/value pairs may be entered in the format of `Name1=Value1,Name2=Value2,...,NameN=ValueN`"
             }
           ],
           "PasswordOptions": {