diff --git a/.github/workflows/keyfactor-bootstrap-workflow.yml b/.github/workflows/keyfactor-bootstrap-workflow.yml
new file mode 100644
index 0000000..6d8de53
--- /dev/null
+++ b/.github/workflows/keyfactor-bootstrap-workflow.yml
@@ -0,0 +1,19 @@
+name: Keyfactor Bootstrap Workflow
+
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [opened, closed, synchronize, edited, reopened]
+ push:
+ create:
+ branches:
+ - 'release-*.*'
+
+jobs:
+ call-starter-workflow:
+ uses: keyfactor/actions/.github/workflows/starter.yml@v2
+ secrets:
+ token: ${{ secrets.V2BUILDTOKEN}}
+ APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
+ gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
+ gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml
deleted file mode 100644
index 98315cb..0000000
--- a/.github/workflows/keyfactor-starter-workflow.yml
+++ /dev/null
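Review bot: The reusable workflow is referenced by a mutable tag, `uses: keyfactor/actions/.github/workflows/starter.yml@v2`, while this caller hands it a GPG private key, its passphrase and two tokens; anyone able to move that tag can redirect those secrets, so pin the reference to a full-length commit SHA (keeping the tag in a trailing comment) and review each bump. The `branches:` filter nested under `create:` also looks suspect — branch and tag filters are documented for `push`/`pull_request`, so this filter is probably ignored and the job may run on every `create` event; confirm against a run log. Minor: `${{ secrets.V2BUILDTOKEN}}` and `${{ secrets.APPROVE_README_PUSH}}` lack the space before `}}` that the two gpg lines have.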
@@ -1,42 +0,0 @@
-name: Starter Workflow
-on: [workflow_dispatch, push, pull_request]
-
-jobs:
- call-create-github-release-workflow:
- uses: Keyfactor/actions/.github/workflows/github-release.yml@main
-
- get-manifest-properties:
- runs-on: windows-latest
- outputs:
- update_catalog: ${{ steps.read-json.outputs.prop }}
- steps:
- - uses: actions/checkout@v3
- - name: Read json
- id: read-json
- shell: pwsh
- run: |
- $json = Get-Content integration-manifest.json | ConvertFrom-Json
- echo "::set-output name=prop::$(echo $json.update_catalog)"
-
- call-dotnet-build-and-release-workflow:
- needs: [call-create-github-release-workflow]
- uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main
- with:
- release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }}
- release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }}
- release_dir: aws-orchestrator-core/bin/Release/netcoreapp3.1
- secrets:
- token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }}
-
- call-generate-readme-workflow:
- if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
- uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main
- secrets:
- token: ${{ secrets.APPROVE_README_PUSH }}
-
- call-update-catalog-workflow:
- needs: get-manifest-properties
- if: needs.get-manifest-properties.outputs.update_catalog == 'True' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
- uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main
- secrets:
- token: ${{ secrets.SDK_SYNC_PAT }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e7d9477..17e8974 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+2.0.1
+* Remove logging of sensitive data
+* Update Private Key to required for certificates in this store in docs and store definition
+
 2.0.0
 * Consolidate all AWS auth types under one Store Type: `AWS-ACM`
 * Continues to provide backwards support for previous Store Types `AwsCerManO` and `AwsCerManA`
diff --git a/README.md b/README.md
index 590df9b..3495285 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@
+ # AWS Certificate Manager (ACM) Orchestrator The AWS ACM Orchestrator supports Inventory and Management of certificates in the AWS Certificate Manager. It supports three methods of authentication: Environmental Credentials loaded via the AWS SDK e.g. inside an EC2 instance; IAM User Credentials for assuming a Role as a specific user; OAuth-based Credentials to authenticate with an OAuth provider to assume a Role. #### Integration status: Production - Ready for use in production environments. - ## About the Keyfactor Universal Orchestrator Extension This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
@@ -13,23 +13,22 @@ The Universal Orchestrator is part of the Keyfactor software distribution and is The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator. - ## Support for AWS Certificate Manager (ACM) Orchestrator AWS Certificate Manager (ACM) Orchestrator is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. - --- +--- + ## Keyfactor Version Supported The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1 - ## Platform Specific Notes The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running. @@ -39,7 +38,7 @@ The Keyfactor Universal Orchestrator may be installed on either Windows or Linux |Supports Management Remove|✓ |✓ | |Supports Create Store| | | |Supports Discovery| | | -|Supports Renrollment| | | +|Supports Reenrollment| | | |Supports Inventory|✓ |✓ | 
@@ -164,7 +163,7 @@ CONFIG ELEMENT | VALUE | DESCRIPTION Store Path Type | Freeform | Determines what restrictions are applied to the store path field when configuring a new store. Store Path Value | N/A | This is reserved for the AWS Account Id when setting up the store. Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias. -Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. +Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.) **Custom Fields:**
@@ -391,3 +390,6 @@ Cert Store Settings +When creating cert store type manually, that store property names and entry parameter names are case sensitive + +
diff --git a/aws-orchestrator-core/Jobs/Management.cs b/aws-orchestrator-core/Jobs/Management.cs
index 25438b2..d29ba07 100644
--- a/aws-orchestrator-core/Jobs/Management.cs
+++ b/aws-orchestrator-core/Jobs/Management.cs
@@ -100,7 +100,7 @@ internal JobResult PerformAddition(Credentials awsCredentials, ManagementJobConf
 if (!string.IsNullOrWhiteSpace(config.JobCertificate.Alias))
 {
 // Alias is specified, this is a replace / renewal
- Logger.LogTrace($"Alias specified, validating existing cert can be renewed / replaced: {config.JobCertificate.Alias}");
+ Logger.LogDebug($"Alias specified, validating existing cert can be renewed / replaced: {config.JobCertificate.Alias}");
 // ARN Provided, Verify It is Not A PCA/Amazon Issued Cert
 DescribeCertificateResponse DescribeCertificateResponse = AsyncHelpers.RunSync(() => AcmClient.DescribeCertificateAsync(config.JobCertificate.Alias));
 Logger.LogTrace($"DescribeCertificateResponse JSON: {JsonConvert.SerializeObject(DescribeCertificateResponse)}");
@@ -152,7 +152,7 @@ internal JobResult PerformAddition(Credentials awsCredentials, ManagementJobConf
 pemWriter.WriteObject(keyPair.Private);
 streamWriter.Flush();
 privateKeyString = Encoding.ASCII.GetString(memoryStream.GetBuffer()).Trim().Replace("\r", "").Replace("\0", "");
- Logger.LogTrace($"Got Private Key String {privateKeyString}");
+ Logger.LogTrace("Loaded private key.");
 memoryStream.Close();
 streamWriter.Close();
 }
diff --git a/integration-manifest.json b/integration-manifest.json
index 18e799b..11db8b7 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -3,6 +3,7 @@
 "integration_type": "orchestrator",
 "name": "AWS Certificate Manager (ACM) Orchestrator",
 "status": "production",
+ "update_catalog": true,
 "link_github": true,
 "release_dir": "aws-orchestrator-core/bin/Release/netcoreapp3.1",
 "support_level": "kf-supported",
@@ -10,6 +11,7 @@
 "about": {
 "orchestrator": {
 "UOFramework": "10.1",
+ "keyfactor_platform_version": "9.10",
 "pam_support": true,
 "win": {
 "supportsCreateStore": false,
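Review bot: In the second hunk, `Logger.LogTrace("Loaded private key.")` removes the PEM from the log, but `privateKeyString` is still built from `memoryStream.GetBuffer()` and the `memoryStream.Close()` / `streamWriter.Close()` calls that follow are not in a `finally`, so an exception from `WriteObject` or `Flush` leaves both streams unreleased; declaring them with `using` where they are created (above the hunk) would make the two `Close()` lines unnecessary. Because the buffer returned by `GetBuffer()` holds the PEM-encoded key, consider clearing it with `Array.Clear` once the string has been extracted so that copy of the key material does not outlive its use. The first hunk promotes the alias message from Trace to Debug; the ARN it prints is not secret, but the `DescribeCertificateResponse JSON` trace two lines below still serializes the entire AWS response and is worth a second look given the commit's stated purpose. PerformAddition starts and ends outside both hunks.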
@@ -142,7 +144,7 @@
 "StoreRequired": false,
 "Style": "Default"
 },
- "PrivateKeyAllowed": "Optional",
+ "PrivateKeyAllowed": "Required",
 "ServerRequired": true,
 "PowerShell": false,
 "BlueprintAllowed": true,
diff --git a/readme_source.md b/readme_source.md
index 8a13f8c..9b4f067 100644
--- a/readme_source.md
+++ b/readme_source.md
@@ -64,7 +64,7 @@ CONFIG ELEMENT | VALUE | DESCRIPTION Store Path Type | Freeform | Determines what restrictions are applied to the store path field when configuring a new store. Store Path Value | N/A | This is reserved for the AWS Account Id when setting up the store. Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias. -Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. +Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.) **Custom Fields:**