Initial AWS Lambda support (#1)

* Initial AWS Lambda support

Author: aries1980

.gitignore

@@ -0,0 +1,17 @@
+# Editors
+# =======
+.*code
+.idea
+*.todo
+*.history
+
+# Build artifacts
+# ===============
+certbot_build
+certbot_build_aws
+build_artifacts
+
+# Misc files
+# ==========
+*.DS_Store
+

.travis.yml

@@ -0,0 +1,27 @@
+dist: cosmic
+language: bash
+services:
+- docker
+
+cache:
+  directories:
+  - "/home/travis/.python_cache/"
+
+env:
+  global:
+  - CERTBOT_VERSION=0.32.0 # Bump this version for new builds
+
+jobs:
+  include:
+  - stage: build
+    script:
+    - ". build.sh; run"
+
+deploy:
+  provider: releases
+  api_key:
+    secure: RRreMcvDnaqpNGJwhktPso7kuyxTpRO6xZC5I0aob9W06o1IESZZN8JaiUiP2Ya3j58h97uIL+iYPIeXhNNn2LdpH6/b2I6Ei73htkpluTFF54Xws+8cjz5tkAgzgskjrFI80xOpa323+bdlLMz3ndnrxyUMUphWOAshq13L1rCWeCor48BUC0h09GSkaPLFlfSEu/AWLl3HLmzHcePJs1G7UQmxgR+zdXoVu5FBRcGHeDyiQrI9k06+rS8ue8hcbvgTr9/9D9z/3ESA4nYoyeDbXckwWjw4hdggTA5dTrTk3+l0AZNjD0oLa/NDdJQ/Jaal92woW0LHgoysM3V3rVSh9OXva7peUgkOH51geA/rFURK3i2/QY46+cKWB8VqUMjU/GQlB8B6h/sU8aAW/P2twVQ8CsjSyhln1CtGCS2OLPY9y7/sW3ygoisyyTjW7lTGC5uJ55AKBNtZrvsIyeGgaAWOOjrSFKRvAxxr+xUNcwKVnG0qb/Qj80Ch1WtwUSaJCJLF5jGSnu+9mYUWb72AZ/MQ4lkKZAmOeO5d86VN2URxWREckVlCOATWZ7Ehjf++55SXB4HBqaWXRq7P64SFcJ65JlTByCzNjCLEXbHXA6Na52vhGi/yWRgt6A6325Owx9lCOlr3lw24/yYPPyzHGBOcbGk5ERNjRu9bh1M=
+  skip_cleanup: true
+  file: build_artefacts/*
+  on:
+    tags: true

README.md

@@ -0,0 +1,34 @@
+[![Build Status](https://travis-ci.org/aries1980/serverless-certbot.svg?branch=master)](https://travis-ci.org/aries1980/serverless-certbot)
+
+## The Problem
+
+> Run Certbot on the first of every month and upload the certificates to a cloud stora,ge.
+
+SSL/TLS certificates is a must for any external communication. Not just because the served traffic is a secret, but also
+to hide the endpoint that is serving. Also it is a must for SEO, HTTP/2, but it is a good practice in general.
+
+Company-provided TLS certificates are expensive, thank God we have the free [Let's Encrypt](https://letsencrypt.org)
+and [Certbot](https://certbot.eff.org)!  Because the letsencrypted TLS certificates have to be renewed in every 90
+days the least.  So let's say, this task should run monthly.  Because it is written in Python, it would make sense to
+run it as a serverless application.  Unfortunately Certbot saves the certificates on a local storage, so an extra code
+needs to bundled to handle the serverless requests and
+
+
+## The Solution
+
+- Have a code that glues the serverless event and Certbot. Luckly there is a [code snippet for AWS Lambda](https://github.com/rog2/certbot-lambda/blob/master/main.py)
+what I borrowed.  Cheers, mate!
+
+The process is inspired by [Deploying EFF's Certbot in AWS Lambda](https://arkadiyt.com/2018/01/26/deploying-effs-certbot-in-aws-lambda/).
+
+- Create a build pipeline
+  - Installs a given version of Certbot into a Python virtual environment.
+  - Adds the snippet
+  - Zips it up
+  - Provide a release artifact on Github.
+
+## Usage
+
+- Copy the certbot-lambda-[certbot_version].zip into AWS S3.  (More cloud provider support is planned.  Feel free to create a PR!)
+- Terraform the serverless application.
+

aws/README.md

@@ -0,0 +1,22 @@
+This snippet is proudly borrowed from [https://github.com/rog2/certbot-lambda](https://github.com/rog2/certbot-lambda/blob/master/main.py):
+
+# Running Certbot on AWS Lambda.
+
+Inspired by [Deploying EFF's Certbot in AWS Lambda](https://arkadiyt.com/2018/01/26/deploying-effs-certbot-in-aws-lambda/).
+
+## Features
+
+- Supports wildcard certificates (Let's Encrypt ACME v2).
+- Uploads certificates to specified Amazon S3 bucket.
+- Works with CloudWatch Scheduled Events for certificate renewal.
+
+## Sample Event
+
+```json
+{
+    "domains": "*.foobar.com,foobar.com",
+    "email": "[EMAIL]",
+    "s3_bucket": "[BUCKET]",
+    "s3_prefix": "[KEY_PREFIX]"
+}
+```

aws/main.py

@@ -0,0 +1,94 @@
+#!/usr/bin/env python3
+
+import os
+import shutil
+import boto3
+import certbot.main
+
+# Let’s Encrypt acme-v02 server that supports wildcard certificates
+CERTBOT_SERVER = 'https://acme-v02.api.letsencrypt.org/directory'
+
+# Temp dir of Lambda runtime
+CERTBOT_DIR = '/tmp/certbot'
+
+
+def rm_tmp_dir():
+    if os.path.exists(CERTBOT_DIR):
+        try:
+            shutil.rmtree(CERTBOT_DIR)
+        except NotADirectoryError:
+            os.remove(CERTBOT_DIR)
+
+
+def obtain_certs(email, domains):
+    certbot_args = [
+        # Override directory paths so script doesn't have to be run as root
+        '--config-dir', CERTBOT_DIR,
+        '--work-dir', CERTBOT_DIR,
+        '--logs-dir', CERTBOT_DIR,
+
+        # Obtain a cert but don't install it
+        'certonly',
+
+        # Run in non-interactive mode
+        '--non-interactive',
+
+        # Agree to the terms of service
+        '--agree-tos',
+
+        # Email of domain administrator
+        '--email', email,
+
+        # Use dns challenge with route53
+        '--dns-route53',
+        '--preferred-challenges', 'dns-01',
+
+        # Use this server instead of default acme-v01
+        '--server', CERTBOT_SERVER,
+
+        # Domains to provision certs for (comma separated)
+        '--domains', domains,
+    ]
+    return certbot.main.main(certbot_args)
+
+
+# /tmp/certbot
+# ├── live
+# │   └── [domain]
+# │       ├── README
+# │       ├── cert.pem
+# │       ├── chain.pem
+# │       ├── fullchain.pem
+# │       └── privkey.pem
+def upload_certs(s3_bucket, s3_prefix):
+    client = boto3.client('s3')
+    cert_dir = os.path.join(CERTBOT_DIR, 'live')
+    for dirpath, _dirnames, filenames in os.walk(cert_dir):
+        for filename in filenames:
+            local_path = os.path.join(dirpath, filename)
+            relative_path = os.path.relpath(local_path, cert_dir)
+            s3_key = os.path.join(s3_prefix, relative_path)
+            print(f'Uploading: {local_path} => s3://{s3_bucket}/{s3_key}')
+            client.upload_file(local_path, s3_bucket, s3_key)
+
+
+def guarded_handler(event, context):
+    # Input parameters
+    email = event['email']
+    domains = event['domains']
+    s3_bucket = event['s3_bucket']  # The S3 bucket to publish certificates
+    s3_prefix = event['s3_prefix']  # The S3 key prefix to publish certificates
+
+    obtain_certs(email, domains)
+    upload_certs(s3_bucket, s3_prefix)
+
+    return 'Certificates obtained and uploaded successfully.'
+
+
+def lambda_handler(event, context):
+    try:
+        rm_tmp_dir()
+        return guarded_handler(event, context)
+    finally:
+        rm_tmp_dir()
+

build.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# vim: et sr sw=2 ts=2 smartindent:
+
+set -xe
+
+##
+# Sets up the environment, sets constants and variables.
+##
+setenv() {
+  AWS_PYTHON_VERSION="${AWS_PYTHON_VERSION:-"3.7"}"
+  CERTBOT_VERSION="${CERTBOT_VERSION:-"0.32.0"}"
+  WORKSPACE=$(pwd)
+
+  [ ! -d .python_cache ] && mkdir .python_cache
+  [ ! -d .build_artifacts ] && mkdir .build_artifacts
+  
+  return 0
+}
+
+##
+# Downloads a given version of Certbot
+##
+build_for_aws() {
+  local certbot_filename="certbot-awslambda-${1}.zip"
+  local certbot_version=$1
+  local aws_python_version=$2
+
+  docker run \
+    --rm \
+    -v ${WORKSPACE}/.python_cache:/root/.cache/pip \
+    -v ${WORKSPACE}:/workspace \
+    -w /workspace \
+    python:${aws_python_version}-slim \
+      bash -c -e -x " \
+        pip install virtualenv && \
+        virtualenv venv && \
+        source venv/bin/activate && \
+        pip install certbot==${certbot_version} certbot-dns-route53==${certbot_version}
+      "
+
+  sudo chown -R $UID venv
+  cd venv/lib/python${aws_python_version}/site-packages
+  cp ${WORKSPACE}/aws/main.py .
+  zip -q -r -9 $WORKSPACE/.build_artifacts/${certbot_filename} .
+}
+
+##
+# Removes intermediary build artifacts.
+##
+cleanup() {
+  rm -rf venv
+  rm -rf build_artifacts
+}
+
+##
+# Run this function to run the build.
+##
+run() {
+  setenv
+  build_for_aws ${CERTBOT_VERSION} ${AWS_PYTHON_VERSION}
+  cleanup
+}
+