diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9f50125
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,9 @@
+# package directories
+node_modules
+
+# Serverless directories
+.serverless
+.env.*
+
+# Other
+.DS_Store
\ No newline at end of file
diff --git a/README.md b/README.md
index 07b4068..8311ca4 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,29 @@
 # aws-oidc-thumbprint
 A lambda function to update the AWS OIDC Identity Provider thumbprint
+
+
+## Conf
+
+Add files for the env variables.
+
+```bash
+mv env.yml .env.yml
+```
+
+## Setup
+
+```bash
+yarn
+```
+
+## Deploy
+
+```bash
+serverless deploy
+```
+
+## Cleanup
+
+```bash
+serverless remove
+```
diff --git a/config.js b/config.js
new file mode 100644
index 0000000..3263fa8
--- /dev/null
+++ b/config.js
@@ -0,0 +1,9 @@
+const Conf = {
+ APP_IAM_AWS_REGION: process.env.APP_IAM_AWS_REGION,
+ APP_OIDC_IAM_ARN: process.env.APP_OIDC_IAM_ARN,
+ OIDC_LOGIN_DOMAIN: process.env.OIDC_LOGIN_DOMAIN
+}
+
+module.exports.config = () => {
+ return Conf
+}
\ No newline at end of file
diff --git a/env.yml b/env.yml
new file mode 100644
index 0000000..5fbe7d6
--- /dev/null
+++ b/env.yml
@@ -0,0 +1,3 @@
+APP_IAM_AWS_REGION: us-east-1
+APP_OIDC_IAM_ARN: arn:aws:iam::xxxxxxxx:oidc-provider/login-domain.com
+OIDC_LOGIN_DOMAIN: login-domain.com
\ No newline at end of file
diff --git a/handler.js b/handler.js
index 849e18d..590b2bf 100644
--- a/handler.js
+++ b/handler.js
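Review bot: `config()` hands back `Conf` without checking that any of the three `process.env` reads produced a value, so an unset variable only shows up later as `-connect undefined` in the openssl call or as an IAM validation error, never at cold start where it is cheap to diagnose (serverless.yml in this commit exports only two of the three). Validate inside the exported function and fail fast, e.g. `const missing = Object.keys(Conf).filter((k) => Conf[k] == null);` followed by `if (missing.length) throw new Error('missing env: ' + missing.join(', '));` before `return Conf`. Note also that the export is `module.exports.config`, so callers must destructure `{ config }` when requiring this file; a one-line comment above the export stating the expected `const { config } = require('./config')` form would prevent the mismatch seen in handler.js and lib/aws.js.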
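Review bot: `OIDC_LOGIN_DOMAIN: login-domain.com` is passed verbatim to `openssl s_client -connect` by handler.js, which expects `host:port`; as far as I know s_client does not assume 443 when the port is missing, so the template value should read `login-domain.com:443` (or the handler should append the port itself). Since this file is the committed template and `.env.yml` is git-ignored, a comment line such as `# copy to .env.yml and replace the placeholder ARN` would make the README's `mv env.yml .env.yml` step self-explanatory.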
@@ -1,49 +1,50 @@ "use strict"; -const {aws_iam} = require("./lib/aws"); +const { aws_iam } = require("./lib/aws"); const openssl = require('openssl-nodejs'); const crypto = require('crypto'); +const config = require('./config'); -module.exports.handler = (event)=>{ - const domainName = event.domain; - let OIDC_IAM_ARN = "arn:aws:iam::1500********:oidc-provider/domain.com"; +module.exports.handler = (event, context) => { + console.log("Lambda executed.."); + const domainName = config().OIDC_LOGIN_DOMAIN; return openssl(['s_client', '-connect', domainName, '-showcerts'], function (err, buffer) { let certificateString = buffer.toString(); let certStart = locations("-----BEGIN CERTIFICATE-----", certificateString); let certEnd = locations("-----END CERTIFICATE-----", certificateString); - certStart = certStart[certStart.length-1]; - certEnd = certEnd[certEnd.length-1]; - certificateString = certificateString.slice(certStart+28, certEnd); + certStart = certStart[certStart.length - 1]; + certEnd = certEnd[certEnd.length - 1]; + certificateString = certificateString.slice(certStart + 28, certEnd); const sha1sum = getCertificateFingerprintSha1(certificateString); - + const options = { - OpenIDConnectProviderArn : OIDC_IAM_ARN + OpenIDConnectProviderArn: config().APP_OIDC_IAM_ARN }; const iam = aws_iam(); - return iam.getOpenIDConnectProvider(options, (err, data)=>{ + return iam.getOpenIDConnectProvider(options, (err, data) => { if (err) console.log(err, err.stack); // an error occurred else { - const certOnAWS = data.ThumbprintList[data.ThumbprintList.length-1]; - if(certOnAWS !== sha1sum){ + const certOnAWS = data.ThumbprintList[data.ThumbprintList.length - 1]; + if (certOnAWS !== sha1sum) { console.log("UPDATE AWS CERT!!!"); let newCerts = data.ThumbprintList; newCerts = newCerts.concat(sha1sum); const updateParams = { - OpenIDConnectProviderArn : OIDC_IAM_ARN, - ThumbprintList : newCerts + OpenIDConnectProviderArn: config().APP_OIDC_IAM_ARN, + ThumbprintList: newCerts 
}; - return iam.updateOpenIDConnectProviderThumbprint(updateParams, function(err, data) { + return iam.updateOpenIDConnectProviderThumbprint(updateParams, function (err, data) { if (err) console.log(err, err.stack); // an error occurred - else console.log('cert successfully updated',data); // successful response + else console.log('Cert successfully updated', data); // successful response }); } } }); }); - function locations(substring,string){ - let a=[],i=-1; - while((i=string.indexOf(substring,i+1)) >= 0) a.push(i); + function locations(substring, string) { + let a = [], i = -1; + while ((i = string.indexOf(substring, i + 1)) >= 0) a.push(i); return a; } diff --git a/lib/aws.js b/lib/aws.js index a43b9bc..8c60537 100644 --- a/lib/aws.js +++ b/lib/aws.js @@ -1,11 +1,12 @@ "use strict"; -const awsxray = require("aws-xray-sdk-core"); -const aws = (process.env.XRAY_OFF || stage === "testing") ? require("aws-sdk") : awsxray.captureAWS(require("aws-sdk")); +const aws = require("aws-sdk"); +const config = require('../config'); +let awsServices; module.exports.aws_iam = ((awsServices) => { - if(!awsServices.iam){ - awsServices.iam = new aws.IAM({region:'us-east-1'}); + if (!awsServices.iam) { + awsServices.iam = new aws.IAM({ region: config().APP_IAM_AWS_REGION }); } return awsServices.iam; }).bind(null, awsServices); \ No newline at end of file diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000..0105edd --- /dev/null +++ b/package-lock.json @@ -0,0 +1,13 @@ +{ + "name": "aws-oidc-thumbprint", + "version": "0.1.0", + "lockfileVersion": 1, + "requires": true, + "dependencies": { + "openssl-nodejs": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/openssl-nodejs/-/openssl-nodejs-1.0.5.tgz", + "integrity": "sha512-6+nxZBw96nK1WUk5yIjhv9NRjqtNTfklB508T64BG5TQ8fU1x1rJrc1I3iVW+31KjnYYYwInGTopYxFJa7wMqA==" + } + } +} diff --git a/package.json b/package.json new file mode 100644 index 0000000..eca0694 --- /dev/null 
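Review bot: `const config = require('./config')` binds the module object, but config.js exports the factory as `module.exports.config`, so every `config()` call in this hunk throws `TypeError: config is not a function` on the first invocation; import it as `const { config } = require('./config');`, matching the `{ aws_iam }` destructuring on the line above (lib/aws.js has the same mismatch). The openssl callback ignores `err`, passes no `-servername` (older openssl builds then send no SNI) and does not require the chain to verify, yet whatever it extracts ends up as a trusted thumbprint on the provider via `updateOpenIDConnectProviderThumbprint`; the rewrite below adds `-servername` and `-verify_return_error` and aborts on any error before slicing the output (assuming openssl-nodejs reports a non-zero exit through `err`). `certOnAWS !== sha1sum` only compares the last entry and then appends, so a thumbprint already present elsewhere in the list is re-added and the list grows with every rotation until IAM rejects it (a provider holds at most five); `if (!data.ThumbprintList.includes(sha1sum))` covers both cases. `getCertificateFingerprintSha1` is called but not defined anywhere in this hunk, which spans the whole file, and the required `crypto` module is never used, so unless that helper is a global the handler fails with a ReferenceError right after the openssl call. Both IAM error branches only `console.log` and return, so the invocation is still reported as successful and a scheduled run that silently stopped updating thumbprints never trips a CloudWatch error alarm; throwing (as below) or passing the error to the handler callback makes the failure visible.
```javascript
  const domainName = config().OIDC_LOGIN_DOMAIN;
  // Send SNI and refuse an unverified chain: whatever is extracted below becomes a
  // trusted thumbprint in IAM, so a failed or spoofed handshake must stop here.
  const sniHost = domainName.split(':')[0];
  return openssl(['s_client', '-connect', domainName, '-servername', sniHost, '-verify_return_error', '-showcerts'], function (err, buffer) {
    if (err || !buffer) {
      console.error('openssl s_client failed', err);
      throw err || new Error('openssl s_client returned no output');
    }
    // … unchanged: certificate extraction, sha1sum, options …
    const iam = aws_iam();
    return iam.getOpenIDConnectProvider(options, (err, data) => {
      if (err) {
        console.error(err, err.stack);
        throw err; // surface the failure instead of reporting a successful run
      }
      if (!data.ThumbprintList.includes(sha1sum)) {
        // … unchanged: build updateParams and call updateOpenIDConnectProviderThumbprint …
      }
    });
  });
```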
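Review bot: `let awsServices;` leaves the bound argument `undefined`, so the first `awsServices.iam` read inside `aws_iam` throws a TypeError on every call; it has to be an object, `let awsServices = {};`, for the memoisation to work (the removed code referenced an undeclared `awsServices`, so this is the first time the cache is actually declared). `const config = require('../config')` followed by `config()` has the same shape problem as handler.js: config.js exports `module.exports.config`, so this should be `const { config } = require('../config');`. `config().APP_IAM_AWS_REGION` may be `undefined` when the variable is unset, in which case the SDK presumably falls back to the runtime's own region setting; if that fallback is intended a comment saying so would help, otherwise fail loudly.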
+++ b/package.json
@@ -0,0 +1,10 @@
+{
+ "name": "aws-oidc-thumbprint",
+ "version": "0.1.0",
+ "description": "Updates the OIDC thumbprint as the certificate rotates",
+ "author": "saltukalakus@gmail.com",
+ "license": "MIT",
+ "dependencies": {
+ "openssl-nodejs": "^1.0.5"
+ }
+}
diff --git a/serverless.yml b/serverless.yml
new file mode 100644
index 0000000..ec25a96
--- /dev/null
+++ b/serverless.yml
@@ -0,0 +1,15 @@
+service: aws-oidc-thumbprint
+
+provider:
+ name: aws
+ runtime: nodejs12.x
+ environment:
+ APP_IAM_AWS_REGION: ${file(.env.yml):APP_IAM_AWS_REGION}
+ APP_OIDC_IAM_ARN: ${file(.env.yml):APP_OIDC_IAM_ARN}
+
+functions:
+ cron:
+ handler: handler
+ events:
+ # Invoke Lambda function every 5 minute
+ - schedule: cron(0/1 * * * ? *)
\ No newline at end of file
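Review bot: `aws-sdk` is required by lib/aws.js but absent from `dependencies`, so a local run or test cannot resolve it and the deployed function silently takes whatever version the nodejs12.x runtime bundles, outside the lockfile's integrity pins; declare it explicitly so the resolved version is recorded in package-lock.json. The README tells the user to run `yarn` while this commit ships package-lock.json, which yarn ignores, so the sha512 integrity entries in the lockfile never apply to the install that actually gets deployed; pick one package manager and document it.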
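Review bot: `OIDC_LOGIN_DOMAIN` is not exported under `provider.environment` although handler.js reads it via `config().OIDC_LOGIN_DOMAIN`, so the deployed function would try to connect to `undefined`; the rewrite below adds it alongside the other two. The function also gets no `iamRoleStatements`, and the default Serverless role carries only CloudWatch Logs permissions, so `getOpenIDConnectProvider` and `updateOpenIDConnectProviderThumbprint` would be denied; granting exactly those two actions on the one provider ARN keeps the role least-privilege. `handler: handler` is missing the export name, since Serverless expects `file.export`, i.e. `handler: handler.handler`. Finally the comment says every 5 minutes but `cron(0/1 * * * ? *)` fires every minute, so one of the two should change; `cron(0/5 * * * ? *)` matches the comment.
```yaml
  environment:
    # … unchanged: APP_IAM_AWS_REGION, APP_OIDC_IAM_ARN …
    OIDC_LOGIN_DOMAIN: ${file(.env.yml):OIDC_LOGIN_DOMAIN}
  # Least privilege: only the two IAM calls the handler makes, on the one provider it manages.
  iamRoleStatements:
    - Effect: Allow
      Action:
        - iam:GetOpenIDConnectProvider
        - iam:UpdateOpenIDConnectProviderThumbprint
      Resource: ${file(.env.yml):APP_OIDC_IAM_ARN}

functions:
  cron:
    handler: handler.handler
    # … unchanged: events …
```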