feat!: 🏗 restructure using docker (#24)

- Docker is now used for deployment.
- Route 53 functionality has been removed.

Author: j3ko

.env.sample

@@ -0,0 +1,26 @@
+# <REQUIRED> Name used for docker images/aws resources
+APP_NAME=aws-certbot
+
+# <REQUIRED> AWS access key
+AWS_ACCESS_KEY_ID=
+
+# <REQUIRED> AWS secret access key
+AWS_SECRET_ACCESS_KEY=
+
+# <REQUIRED> AWS region to use
+AWS_DEFAULT_REGION=us-east-1
+
+# <REQUIRED> Cloudflare API key with edit.zone permissions
+DNS_CLOUDFLARE_API_TOKEN=
+
+# <REQUIRED> A list of domains separated by commas and semicolons.
+# The semicolon separates groups of domains, while commas separate
+# individual domains. For example:
+# domain.com,*.domain.com;example.io,staging.example.io
+DOMAIN_LIST=
+
+# <REQUIRED> Email to associate with SSL certificate
+DOMAIN_EMAIL=[email protected]
+
+# <REQUIRED> Number of days before expiration to request renewal
+DAYS_BEFORE_EXPIRATION=20

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

.gitignore

@@ -2,3 +2,4 @@
 /dist
 *.ini
 __pycache__
+.env

.releaserc

@@ -0,0 +1,35 @@
+FROM ubuntu:22.04
+
+# Dependencies (needed for scripts as well)
+RUN apt-get update && \
+    apt-get install -y unzip jq curl
+
+# Install docker
+RUN curl -fsSL https://get.docker.com -o get-docker.sh && \
+    sh get-docker.sh
+
+# Install AWS CLI
+RUN ARCH=$(dpkg --print-architecture) && \
+    if [ "$ARCH" = "amd64" ]; then \
+        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
+        unzip awscliv2.zip && \
+        ./aws/install; \
+    elif [ "$ARCH" = "arm64" ]; then \
+        curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip" && \
+        unzip awscliv2.zip && \
+        ./aws/install; \
+    else \
+        echo "Unsupported architecture: $ARCH"; \
+    fi
+
+# Setup workspace
+WORKDIR /app
+
+COPY . /app
+
+# Give executable permissions
+RUN chmod +x /app/run.sh
+RUN chmod +x /app/deploy.sh
+
+# Entry point to run Docker commands on the host
+CMD ["./run.sh"]

Dockerfile

@@ -1,66 +1,73 @@
 # AWS-Certbot ![tests](https://github.com/j3ko/aws-certbot/actions/workflows/test.yml/badge.svg)
-Auto renew and update [letsencrypt.org](https://letsencrypt.org) SSL certificates provisioned on [ACM](https://aws.amazon.com/certificate-manager/).
+Auto renew [letsencrypt.org](https://letsencrypt.org) SSL certificates provisioned on [ACM](https://aws.amazon.com/certificate-manager/).
 
 ## Requirements
-- [AWS CLI v2](https://aws.amazon.com/cli/)
-- [PowerShell 7.1+](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell?view=powershell-7.1)
-- Registered domain ([namecheap](https://www.namecheap.com/), [godaddy](https://godaddy.com/), etc..)
-- DNS service ([cloudflare](https://www.cloudflare.com/), [route53](https://aws.amazon.com/route53/), etc..)
-
-## Setup
-
-### Introduction
-Certbot integrates with many popular [DNS services](https://certbot.eff.org/docs/using.html?highlight=dns#dns-plugins) to verify SSL certificate challenges automatically via API. AWS-Certbot currently handles Route53 and Cloudflare integration.  Cloudflare has the advantage of offering free DNS services for personal/hobby project sites.  For integrations with other services, please open a [Feature Request](https://github.com/j3ko/aws-certbot/issues/new?assignees=j3ko&labels=enhancement&template=feature_request.md&title=).
-
-### Cloudflare Setup
-1. [Register](https://dash.cloudflare.com/sign-up) for a Cloudflare account
-1. Configure your domain registrar to use Cloudflare as your DNS service provider.  This is specific for each registrar ([namecheap specific guide](https://www.namecheap.com/support/knowledgebase/article.aspx/9607/2210/how-to-set-up-dns-records-for-your-domain-in-cloudflare-account/)).
-1. [Create](https://developers.cloudflare.com/api/tokens/create) a Cloudflare API token.  It is recommended to generate a token with the minimum required permissions (ie. read/write access to the DNS zone you want AWS-Certbot to handle).
-1. Rename `cloudflare.ini.sample` to `cloudflare.ini` and replace the placeholder `<API TOKEN HERE>` with your newly created API token.
-
-### Route53 Setup
-1. [Create](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html) a new hosted zone for your domain in AWS Route53
-1. Configure your domain registrar to use Route53 as your DNS service provider.  This is specific for each registrar ([namecheap specific guide](https://www.namecheap.com/support/knowledgebase/article.aspx/10371/2208/how-do-i-link-my-domain-to-amazon-web-services/))
-1. Uncomment the following block in `cloud.yaml`:
+- [Docker v24+](https://docs.docker.com/engine/)
+
+## Quick Start
+1. ```
+   git clone [email protected]:j3ko/aws-certbot.git
+   ```
+
+1. ```
+   cd aws-certbot
+   ```
+
+1. Edit `.env.sample` and fill in the [required fields](#environment-variables)
+
+1. Build the docker image
+
+   ```bash
+   docker build -t aws-certbot-builder .
    ```
-    # - PolicyName: Route53ListZones
-    #   PolicyDocument:
-    #     Version: "2012-10-17"
-    #     Statement:
-    #       - Effect: Allow
-    #         Action:
-    #           - "route53:ListHostedZones"
-    #         Resource: "*"
-    # - PolicyName: Route53ModifyZones
-    #   PolicyDocument:
-    #     Version: "2012-10-17"
-    #     Statement:
-    #       - Effect: Allow
-    #         Action:
-    #           - "route53:GetChange"
-    #           - "route53:ChangeResourceRecordSets"
-    #         Resource:
-    #           - "arn:aws:route53:::change/*"
-    #           - "arn:aws:route53:::hostedzone/<HOSTED ZONE ID HERE>"
+1. Run **aws-certbot** locally
+
+   ```bash
+   docker run -it --rm --env-file=./.env.sample -v /var/run/docker.sock:/var/run/docker.sock aws-certbot-builder
    ```
-1. Replace the `<HOSTED ZONE ID HERE>` placeholder with your newly created hosted zone id
 
-## Deployment
-Run
-```
-.\deploy.ps1
-```
+### What does it do?
+Running **aws-certbot** locally will:
+1.  Check ACM to see if any domains in `DOMAIN_LIST` are expiring soon.
+1.  If domains are missing or expiring, certbot runs and generates a new SSL certificate
+1.  Any newly generated certificates are uploaded to ACM
 
-## Configuration
-Several configuration variables are available on the AWS-Certbot lambda function:
+## Environment Variables
+| Variable | Description | Required? |
+|---|---|---|
+| APP_NAME | Name used for docker images/AWS resources | ✅ |
+| AWS_ACCESS_KEY_ID | AWS access key |  ✅ |
+| AWS_SECRET_ACCESS_KEY | AWS secret access key |  ✅ |
+| AWS_DEFAULT_REGION | AWS region to use |  ✅ |
+| DOMAIN_LIST | A list of domains separated by commas and semicolons. The semicolon separates groups of domains, while commas separate individual domains. For example: `domain.com,*.domain.com;example.io,staging.example.io` |  ✅ |
+| DOMAIN_EMAIL | Cloudflare API key with edit.zone permissions |  ✅ |
+| DAYS_BEFORE_EXPIRATION | Number of days before expiration to request renewal |  ✅ |
+
+## Deploying to AWS
+
+1. Edit `.env.sample` and fill in the [required fields](#environment-variables)
+
+1. Build the docker image
+
+   ```bash
+   docker build -t aws-certbot-builder .
+   ```
+1. Deploy **aws-certbot** to AWS
+
+   ```bash
+   docker run -it --rm --env-file=./.env.sample -v /var/run/docker.sock:/var/run/docker.sock aws-certbot-builder ./deploy.sh
+   ```
 
-`CERTBOT_BUCKET` - Bucket name containing AWS-Certbot code
+### What does it do?
 
-`DOMAIN_EMAIL` - Email address to use for [letsencrypt.org](https://letsencrypt.org) registration
+1. The **aws-certbot** docker image is built and uploaded to [ECR](https://aws.amazon.com/ecr/).
+1. The cloud formation defined in `cloud.yaml` is deployed to run the docker image as a lambda function.
+1. A timer is defined in `cloud.yaml` to execute the lambda function once a day.
 
-`DOMAIN_LIST` - Comma separated list of domains/subdomains to enlist for automatic renewal (eg. `foo.com,sub.foo.com`).  Multiple domains are separated by semi-colons (eg. `foo.com,sub.foo.com;bar.com,*.bar.com`)
+## Known Issues
 
-`CERTS_RENEW_DAYS_BEFORE_EXPIRATION` - Number of days before expiration to attempt renewal
+- Only Cloudflare-managed domains can currently be used.
+- Cloudflare API key is visible in lambda environment variables.
 
 ## Credits
 AWS-Certbot is based largely on the following amazing projects:

README.md

@@ -2,26 +2,24 @@ AWSTemplateFormatVersion: 2010-09-09
 Description: AWS Certbot - ACM certbot autorenewal
 
 Parameters:
-  BucketName:
-    Description: S3 Bucket (Certbot configuration tree and lambda source package)
+  EcrRepositoryUri:
     Type: String
 
-  ObjectVersion:
-    Description: Generated object version
+  DnsCloudflareApiToken:
     Type: String
+    NoEcho: true
 
   DomainList:
-    Description: List of managed domains (comma separated)
     Type: String
 
   DomainEmail:
-    Description: Email address used in cert request
     Type: String
 
-  CertRenewDays:
-    Description: Number of days before cert expiration to request renew
+  DaysBeforeExpiration:
+    Type: String
+
+  Timestamp:
     Type: String
-    Default: "20"
 
 Resources:
   AwsCertbotRole:
@@ -47,16 +45,6 @@ Resources:
                   - "logs:CreateLogStream"
                   - "logs:PutLogEvents"
                 Resource: arn:aws:logs:*:*:*
-        - PolicyName: BucketGetPutObject
-          PolicyDocument:
-            Version: "2012-10-17"
-            Statement:
-              - Effect: Allow
-                Action:
-                  - "s3:GetObject"
-                  - "s3:PutObject"
-                Resource:
-                  Fn::Join: ["", ["arn:aws:s3:::", Ref: "BucketName", "/*"]]
         - PolicyName: ACMGetImportCerts
           PolicyDocument:
             Version: "2012-10-17"
@@ -67,51 +55,24 @@ Resources:
                   - "acm:ListCertificates"
                   - "acm:ImportCertificate"
                 Resource: "*"
-        # - PolicyName: Route53ListZones
-        #   PolicyDocument:
-        #     Version: "2012-10-17"
-        #     Statement:
-        #       - Effect: Allow
-        #         Action:
-        #           - "route53:ListHostedZones"
-        #         Resource: "*"
-        # - PolicyName: Route53ModifyZones
-        #   PolicyDocument:
-        #     Version: "2012-10-17"
-        #     Statement:
-        #       - Effect: Allow
-        #         Action:
-        #           - "route53:GetChange"
-        #           - "route53:ChangeResourceRecordSets"
-        #         Resource:
-        #           - "arn:aws:route53:::change/*"
-        #           - "arn:aws:route53:::hostedzone/<HOSTED ZONE ID HERE>"
 
   AwsCertbotFunction:
     Type: AWS::Lambda::Function
     Properties:
-      Runtime: python3.6
       Description: Request and Renew Certs in ACM
-      Handler: main.handler
+      PackageType: Image
       Role:
         Fn::GetAtt: ["AwsCertbotRole", "Arn"]
       Environment:
         Variables:
-          CERTBOT_BUCKET:
-            Ref: BucketName
-          DOMAIN_EMAIL:
-            Ref: DomainEmail
-          DOMAIN_LIST:
-            Ref: DomainList
-          CERTS_RENEW_DAYS_BEFORE_EXPIRATION:
-            Ref: CertRenewDays
+          DNS_CLOUDFLARE_API_TOKEN: !Ref DnsCloudflareApiToken
+          DOMAIN_EMAIL: !Ref DomainEmail
+          DOMAIN_LIST: !Ref DomainList
+          DAYS_BEFORE_EXPIRATION: !Ref DaysBeforeExpiration
       Timeout: 120
       MemorySize: 512
       Code:
-        S3Bucket:
-          Ref: BucketName
-        S3Key:
-          Fn::Sub: "certbot-${ObjectVersion}.zip"
+        ImageUri: !Sub "${EcrRepositoryUri}:latest"
 
   AwsCertbotFunctionEvent:
     Type: AWS::Events::Rule
@@ -137,3 +98,16 @@ Resources:
         Fn::GetAtt:
           - "AwsCertbotFunctionEvent"
           - "Arn"
+
+Outputs:
+  AwsCertbotFunctionArn:
+    Description: ARN of the AWS Certbot Lambda function
+    Value: !GetAtt AwsCertbotFunction.Arn
+
+  AwsCertbotFunctionName:
+    Description: Name of the AWS Certbot Lambda function
+    Value: !Ref AwsCertbotFunction
+
+  EventRuleName:
+    Description: Name of the AWS Certbot Lambda event rule
+    Value: !Ref AwsCertbotFunctionEvent