initial commit for serverless integration

saltukalakus · Dec 30, 2020 · 2e8467d · 2e8467d
1 parent 0b301e4
commit 2e8467d
Show file tree

Hide file tree

Showing 9 changed files with 111 additions and 23 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,9 @@
+# package directories
+node_modules
+
+# Serverless directories
+.serverless
+.env.*
+
+# Other
+.DS_Store
diff --git a/README.md b/README.md
@@ -1,2 +1,29 @@
 # aws-oidc-thumbprint
 A lambda function to update the AWS OIDC Identity Provider thumbprint
+
+
+## Conf
+
+Add files for the env variables.
+
+```bash
+mv env.yml .env.yml
+```
+
+## Setup
+
+```bash
+yarn
+```
+
+## Deploy
+
+```bash
+serverless deploy
+```
+
+## Cleanup
+
+```bash
+serverless remove
+```
diff --git a/config.js b/config.js
@@ -0,0 +1,9 @@
+const Conf = {
+  APP_IAM_AWS_REGION: process.env.APP_IAM_AWS_REGION,
+  APP_OIDC_IAM_ARN: process.env.APP_OIDC_IAM_ARN,
+  OIDC_LOGIN_DOMAIN: process.env.OIDC_LOGIN_DOMAIN
+}
+
+module.exports.config = () => {
+  return Conf
+}
diff --git a/env.yml b/env.yml
@@ -0,0 +1,3 @@
+APP_IAM_AWS_REGION: us-east-1
+APP_OIDC_IAM_ARN: arn:aws:iam::xxxxxxxx:oidc-provider/login-domain.com
+OIDC_LOGIN_DOMAIN: login-domain.com
diff --git a/handler.js b/handler.js
@@ -1,49 +1,50 @@
 "use strict";
-const {aws_iam} = require("./lib/aws");
+const { aws_iam } = require("./lib/aws");
 const openssl = require('openssl-nodejs');
 const crypto = require('crypto');
+const config = require('./config');
 
-module.exports.handler = (event)=>{
-  const domainName = event.domain;
-  let OIDC_IAM_ARN = "arn:aws:iam::1500********:oidc-provider/domain.com";
+module.exports.handler = (event, context) => {
+  console.log("Lambda executed..");
+  const domainName = config().OIDC_LOGIN_DOMAIN;
   return openssl(['s_client', '-connect', domainName, '-showcerts'], function (err, buffer) {
     let certificateString = buffer.toString();
     let certStart = locations("-----BEGIN CERTIFICATE-----", certificateString);
     let certEnd = locations("-----END CERTIFICATE-----", certificateString);
-    certStart = certStart[certStart.length-1];
-    certEnd = certEnd[certEnd.length-1];
-    certificateString = certificateString.slice(certStart+28, certEnd);
+    certStart = certStart[certStart.length - 1];
+    certEnd = certEnd[certEnd.length - 1];
+    certificateString = certificateString.slice(certStart + 28, certEnd);
 
     const sha1sum = getCertificateFingerprintSha1(certificateString);
-    
+
     const options = {
-      OpenIDConnectProviderArn : OIDC_IAM_ARN
+      OpenIDConnectProviderArn: config().APP_OIDC_IAM_ARN
     };
     const iam = aws_iam();
-    return iam.getOpenIDConnectProvider(options, (err, data)=>{
+    return iam.getOpenIDConnectProvider(options, (err, data) => {
       if (err) console.log(err, err.stack); // an error occurred
       else {
-        const certOnAWS = data.ThumbprintList[data.ThumbprintList.length-1];
-        if(certOnAWS !== sha1sum){
+        const certOnAWS = data.ThumbprintList[data.ThumbprintList.length - 1];
+        if (certOnAWS !== sha1sum) {
           console.log("UPDATE AWS CERT!!!");
           let newCerts = data.ThumbprintList;
           newCerts = newCerts.concat(sha1sum);
           const updateParams = {
-            OpenIDConnectProviderArn : OIDC_IAM_ARN,
-            ThumbprintList : newCerts
+            OpenIDConnectProviderArn: config().APP_OIDC_IAM_ARN,
+            ThumbprintList: newCerts
           };
-          return iam.updateOpenIDConnectProviderThumbprint(updateParams, function(err, data) {
+          return iam.updateOpenIDConnectProviderThumbprint(updateParams, function (err, data) {
             if (err) console.log(err, err.stack); // an error occurred
-            else     console.log('cert successfully updated',data);           // successful response
+            else console.log('Cert successfully updated', data); // successful response
           });
         }
       }
     });
   });
 
-  function locations(substring,string){
-    let a=[],i=-1;
-    while((i=string.indexOf(substring,i+1)) >= 0) a.push(i);
+  function locations(substring, string) {
+    let a = [], i = -1;
+    while ((i = string.indexOf(substring, i + 1)) >= 0) a.push(i);
     return a;
   }
 

diff --git a/lib/aws.js b/lib/aws.js
@@ -1,11 +1,12 @@
 "use strict";
 
-const awsxray = require("aws-xray-sdk-core");
-const aws = (process.env.XRAY_OFF || stage === "testing") ? require("aws-sdk") : awsxray.captureAWS(require("aws-sdk"));
+const aws = require("aws-sdk");
+const config = require('../config');
+let awsServices;
 
 module.exports.aws_iam = ((awsServices) => {
-  if(!awsServices.iam){
-    awsServices.iam = new aws.IAM({region:'us-east-1'});
+  if (!awsServices.iam) {
+    awsServices.iam = new aws.IAM({ region: config().APP_IAM_AWS_REGION });
   }
   return awsServices.iam;
 }).bind(null, awsServices);
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -0,0 +1,10 @@
+{
+  "name": "aws-oidc-thumbprint",
+  "version": "0.1.0",
+  "description": "Updates the OIDC thumbprint as the certificate rotates",
+  "author": "[email protected]",
+  "license": "MIT",
+  "dependencies": {
+    "openssl-nodejs": "^1.0.5"
+  }
+}
diff --git a/serverless.yml b/serverless.yml
@@ -0,0 +1,15 @@
+service: aws-oidc-thumbprint
+
+provider:
+  name: aws
+  runtime: nodejs12.x
+  environment:
+    APP_IAM_AWS_REGION: ${file(.env.yml):APP_IAM_AWS_REGION}
+    APP_OIDC_IAM_ARN: ${file(.env.yml):APP_OIDC_IAM_ARN}   
+
+functions:
+  cron:
+    handler: handler
+    events:
+      # Invoke Lambda function every 5 minute
+      - schedule: cron(0/1 * * * ? *)