Example #1
    def update_endpoint(self, endpoint, certificate):
        """Attach ``certificate`` to the load balancer listener behind ``endpoint``.

        The account number comes from the endpoint's source options and the
        region is parsed from the endpoint's DNS name. The ARN returned by
        ``iam.create_arn_from_cert`` is then attached on ``endpoint.port``.
        """
        source_options = endpoint.source.options
        account_number = self.get_option("accountNumber", source_options)

        # The region is not read from the endpoint record; it is derived from
        # the DNS name, so this only works when the name embeds the region.
        region = get_region_from_dns(endpoint.dnsname)
        cert_arn = iam.create_arn_from_cert(account_number, region, certificate.name)

        # Every AWS call below targets the same account and region.
        aws_scope = {"account_number": account_number, "region": region}

        if endpoint.type != "elbv2":
            # NOTE(review): any type other than "elbv2" is handled as a classic
            # ELB; an unexpected type is not rejected here. Confirm callers
            # only pass ELB endpoints.
            elb.attach_certificate(endpoint.name, endpoint.port, cert_arn, **aws_scope)
            return

        listener_arn = elb.get_listener_arn_from_endpoint(
            endpoint.name, endpoint.port, **aws_scope
        )
        elb.attach_certificate_v2(
            listener_arn, endpoint.port, [{"CertificateArn": cert_arn}], **aws_scope
        )
Example #2
    def update_endpoint(self, endpoint, certificate):
        """Rotate ``certificate`` onto a CloudFront, ELB or ELBv2 endpoint.

        CloudFront endpoints are updated by IAM server-certificate id. ELB and
        ELBv2 endpoints are updated by certificate ARN, which is only built
        when the endpoint's registry type is ``'iam'``.

        Raises:
            NotImplementedError: for an endpoint type other than
                ``cloudfront``, ``elb`` or ``elbv2``.
            Exception: for an ELB/ELBv2 endpoint whose registry type is not
                ``'iam'``.
        """
        source_options = endpoint.source.options
        account_number = self.get_option("accountNumber", source_options)

        if endpoint.type == "cloudfront":
            server_cert = iam.get_certificate(
                certificate.name, account_number=account_number
            )
            if not server_cert:
                # NOTE(review): a failed lookup returns silently, so the caller
                # cannot tell a completed rotation from one that never
                # happened. Confirm the caller detects this case.
                return None
            cert_id = server_cert["ServerCertificateMetadata"]["ServerCertificateId"]
            cloudfront.attach_certificate(
                endpoint.name, cert_id, account_number=account_number
            )
            return

        # Reject unknown endpoint types before any further AWS call is made.
        if endpoint.type not in ("elb", "elbv2"):
            raise NotImplementedError()

        # The region is derived from the DNS name, which must embed it.
        region = get_region_from_dns(endpoint.dnsname)

        if endpoint.registry_type != 'iam':
            raise Exception(
                f"Lemur doesn't support rotating certificates on {endpoint.registry_type} registry"
            )
        cert_arn = iam.create_arn_from_cert(
            account_number, region, certificate.name, endpoint.certificate_path
        )

        # Every load-balancer call below targets the same account and region.
        aws_scope = {"account_number": account_number, "region": region}

        if endpoint.type == "elb":
            elb.attach_certificate(endpoint.name, endpoint.port, cert_arn, **aws_scope)
        elif endpoint.type == "elbv2":
            listener_arn = elb.get_listener_arn_from_endpoint(
                endpoint.name, endpoint.port, **aws_scope
            )
            elb.attach_certificate_v2(
                listener_arn, endpoint.port, [{"CertificateArn": cert_arn}], **aws_scope
            )
Example #3
def test_create_arn_from_cert():
    """Check the IAM server-certificate ARN built for several certificate paths.

    Each case pairs a ``path`` argument with the full ARN expected back. The
    path appears between ``server-certificate/`` and the certificate name.
    """
    from lemur.plugins.lemur_aws.iam import create_arn_from_cert

    account_number = '123456789012'
    certificate_name = 'tttt2.netflixtest.net-NetflixInc-20150624-20150625'
    region = ''  # not used

    # (path, expected ARN). Expected values are full literals so they do not
    # depend on how the function under test assembles the string.
    cases = [
        ("",
         "arn:aws:iam::123456789012:server-certificate/tttt2.netflixtest.net-NetflixInc-20150624-20150625"),
        ("cloudfront",
         "arn:aws:iam::123456789012:server-certificate/cloudfront/tttt2.netflixtest.net-NetflixInc-20150624-20150625"),
        ("cloudfront/2",
         "arn:aws:iam::123456789012:server-certificate/cloudfront/2/tttt2.netflixtest.net-NetflixInc-20150624-20150625"),
    ]

    for path, expected_arn in cases:
        built = create_arn_from_cert(account_number, region, certificate_name, path)
        assert built == expected_arn
Example #4
    def update_endpoint(self, endpoint, certificate):
        """Attach ``certificate`` to the ELB listener on ``endpoint.port``.

        The account number is read from the endpoint's source options and the
        region is parsed from the endpoint's DNS name.
        """
        source_options = endpoint.source.options
        account_number = self.get_option('accountNumber', source_options)

        # The region is derived from the DNS name, which must embed it.
        region = get_region_from_dns(endpoint.dnsname)
        cert_arn = iam.create_arn_from_cert(account_number, region, certificate.name)

        # NOTE(review): endpoint.type is not inspected, so every endpoint is
        # handled through elb.attach_certificate. Confirm callers only pass
        # endpoints that call supports.
        aws_scope = dict(account_number=account_number, region=region)
        elb.attach_certificate(endpoint.name, endpoint.port, cert_arn, **aws_scope)
Example #5
    def update_endpoint(self, endpoint, certificate):
        """Attach ``certificate`` to an ELB or ELBv2 endpoint.

        For ``elbv2`` endpoints the listener ARN is looked up first and the
        certificate is attached to that listener. Every other endpoint type
        goes through ``elb.attach_certificate``.
        """
        source_options = endpoint.source.options
        account_number = self.get_option('accountNumber', source_options)

        # The region is derived from the DNS name, which must embed it.
        region = get_region_from_dns(endpoint.dnsname)
        cert_arn = iam.create_arn_from_cert(account_number, region, certificate.name)

        # Every AWS call below targets the same account and region.
        aws_scope = dict(account_number=account_number, region=region)

        if endpoint.type != 'elbv2':
            # NOTE(review): unknown endpoint types are not rejected; they are
            # handled as a classic ELB. Confirm this is intended.
            elb.attach_certificate(endpoint.name, endpoint.port, cert_arn, **aws_scope)
            return

        listener_arn = elb.get_listener_arn_from_endpoint(
            endpoint.name, endpoint.port, **aws_scope
        )
        elb.attach_certificate_v2(
            listener_arn, endpoint.port, [{'CertificateArn': cert_arn}], **aws_scope
        )
Example #6
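    def update_endpoint(self, endpoint, certificate):
        """Rotate ``certificate`` onto an ELB or ELBv2 endpoint.

        The certificate ARN is built only for endpoints whose registry type is
        ``'iam'``. For ``elbv2`` endpoints the listener ARN is looked up and
        the certificate is attached to that listener. Every other endpoint
        type goes through ``elb.attach_certificate``.

        Raises:
            Exception: if ``endpoint.registry_type`` is not ``'iam'``.
        """
        options = endpoint.source.options
        account_number = self.get_option("accountNumber", options)

        # relies on the fact that region is included in DNS name
        region = get_region_from_dns(endpoint.dnsname)

        if endpoint.registry_type != 'iam':
            # Fail loudly so an unsupported registry is never reported as a
            # completed rotation. The original had an unreachable ``return``
            # after this raise, which has been removed.
            raise Exception(
                f"Lemur doesn't support rotating certificates on {endpoint.registry_type} registry"
            )

        arn = iam.create_arn_from_cert(account_number, region,
                                       certificate.name,
                                       endpoint.certificate_path)

        if endpoint.type == "elbv2":
            listener_arn = elb.get_listener_arn_from_endpoint(
                endpoint.name,
                endpoint.port,
                account_number=account_number,
                region=region,
            )
            elb.attach_certificate_v2(
                listener_arn,
                endpoint.port,
                [{
                    "CertificateArn": arn
                }],
                account_number=account_number,
                region=region,
            )
        else:
            # NOTE(review): any endpoint type other than "elbv2" is handled as
            # a classic ELB; unknown types are not rejected here. Confirm
            # callers only pass ELB endpoints.
            elb.attach_certificate(
                endpoint.name,
                endpoint.port,
                arn,
                account_number=account_number,
                region=region,
            )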
Example #7
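def test_create_arn_from_cert():
    """Check the ARN built for each AWS partition and certificate path.

    The second argument to ``create_arn_from_cert`` here is the partition
    (``aws``, ``aws-us-gov``, ``aws-cn``), and each expected ARN starts with
    ``arn:<partition>:iam::``. Pinning the non-commercial partitions guards
    against an ARN that silently falls back to the commercial ``aws`` prefix.

    The original repeated the commercial ``cloudfront/2`` assertion twice;
    the copy-pasted duplicate is dropped here.
    """
    from lemur.plugins.lemur_aws.iam import create_arn_from_cert

    account_number = '123456789012'
    certificate_name = 'tttt2.netflixtest.net-NetflixInc-20150624-20150625'
    partition_commercial = 'aws'
    partition_gov = 'aws-us-gov'
    partition_cn = 'aws-cn'

    # (partition, path, expected ARN). Expected values are full literals so
    # they do not depend on how the function under test assembles the string.
    cases = [
        (partition_commercial, "",
         "arn:aws:iam::123456789012:server-certificate/tttt2.netflixtest.net-NetflixInc-20150624-20150625"),
        (partition_commercial, "cloudfront",
         "arn:aws:iam::123456789012:server-certificate/cloudfront/tttt2.netflixtest.net-NetflixInc-20150624-20150625"),
        (partition_commercial, "cloudfront/2",
         "arn:aws:iam::123456789012:server-certificate/cloudfront/2/tttt2.netflixtest.net-NetflixInc-20150624-20150625"),
        (partition_gov, "cloudfront/2",
         "arn:aws-us-gov:iam::123456789012:server-certificate/cloudfront/2/tttt2.netflixtest.net-NetflixInc-20150624-20150625"),
        (partition_cn, "cloudfront/2",
         "arn:aws-cn:iam::123456789012:server-certificate/cloudfront/2/tttt2.netflixtest.net-NetflixInc-20150624-20150625"),
    ]

    for partition, path, expected_arn in cases:
        built = create_arn_from_cert(account_number, partition, certificate_name, path)
        # The message identifies the failing case, since all cases share one loop.
        assert built == expected_arn, (partition, path)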