Improving endpoint rotation logic (#545)

2016-11-30 15:11:17 -08:00
parent bd2abdf45f
commit e1bbf9d80c
8 changed files with 118 additions and 121 deletions
--- a/lemur/plugins/lemur_aws/elb.py
+++ b/lemur/plugins/lemur_aws/elb.py
@ -11,7 +11,7 @@ from flask import current_app
 from retrying import retry

 from lemur.exceptions import InvalidListener
-from lemur.plugins.lemur_aws.sts import sts_client, assume_service
+from lemur.plugins.lemur_aws.sts import sts_client


 def retry_throttled(exception):
@ -104,15 +104,13 @@ def describe_load_balancer_types(policies, **kwargs):


@sts_client('elb')
-def attach_certificate(account_number, region, name, port, certificate_id):
+def attach_certificate(name, port, certificate_id, **kwargs):
    """
    Attaches a certificate to a listener, throws exception
    if certificate specified does not exist in a particular account.

-    :param account_number:
-    :param region:
    :param name:
    :param port:
    :param certificate_id:
    """
-    return assume_service(account_number, 'elb', region).set_lb_listener_SSL_certificate(name, port, certificate_id)
+    return kwargs['client'].set_load_balancer_listener_ssl_certificate(LoadBalancerName=name, LoadBalancerPort=port, SSLCertificateId=certificate_id)
--- a/lemur/plugins/lemur_aws/iam.py
+++ b/lemur/plugins/lemur_aws/iam.py
@ -88,8 +88,7 @@ def create_arn_from_cert(account_number, region, certificate_name):
    :param certificate_name:
    :return:
    """
-    return "arn:aws:iam:{region}:{account_number}:{certificate_name}".format(
-        region=region,
+    return "arn:aws:iam::{account_number}:server-certificate/{certificate_name}".format(
        account_number=account_number,
        certificate_name=certificate_name)

--- a/lemur/plugins/lemur_aws/plugin.py
+++ b/lemur/plugins/lemur_aws/plugin.py
@ -40,6 +40,10 @@ from lemur.plugins.lemur_aws import iam, s3, elb, ec2
 from lemur.plugins import lemur_aws as aws


+def get_region_from_dns(dns):
+    return dns.split('.')[-4]
+
+
 class AWSDestinationPlugin(DestinationPlugin):
    title = 'AWS'
    slug = 'aws-destination'
@ -149,20 +153,21 @@ class AWSSourcePlugin(SourcePlugin):
                    )

                    if listener['PolicyNames']:
-                        policy = e.describe_load_balancer_policies(e['LoadBalancerName'], listener['PolicyNames'], account_number=account_number, region=region)
+                        policy = elb.describe_load_balancer_policies(e['LoadBalancerName'], listener['PolicyNames'], account_number=account_number, region=region)
                        endpoint['policy'] = format_elb_cipher_policy(policy)

                    endpoints.append(endpoint)

        return endpoints

-    def update_endpoint(self, options, endpoint, certificate):
+    def update_endpoint(self, endpoint, certificate):
+        options = endpoint.source.options
        account_number = self.get_option('accountNumber', options)
-        regions = self.get_option('regions', options)

-        for region in regions:
-            arn = iam.create_arn_from_cert(account_number, region, certificate.name)
-            elb.attach_certificate(account_number, region, certificate.name, endpoint.port, arn)
+        # relies on the fact that region is included in DNS name
+        region = get_region_from_dns(endpoint.dnsname)
+        arn = iam.create_arn_from_cert(account_number, region, certificate.name)
+        elb.attach_certificate(endpoint.name, endpoint.port, arn, account_number=account_number, region=region)

    def clean(self, options, **kwargs):
        account_number = self.get_option('accountNumber', options)