From 77ad2c0271e9c370218c9b9e189bef5cbfff3884 Mon Sep 17 00:00:00 2001
From: Kurtis Mash <24705116+kurtismash@users.noreply.github.com>
Date: Tue, 14 May 2024 23:00:15 +0100
Subject: [PATCH] Fix Certificates issued outside GitOps process have lifetime hardcoded to 30 days (#126)

---
 .../lambda_code/tls_cert/tls_cert.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/modules/terraform-aws-ca-lambda/lambda_code/tls_cert/tls_cert.py b/modules/terraform-aws-ca-lambda/lambda_code/tls_cert/tls_cert.py
index f3c3863d..f715ba56 100644
--- a/modules/terraform-aws-ca-lambda/lambda_code/tls_cert/tls_cert.py
+++ b/modules/terraform-aws-ca-lambda/lambda_code/tls_cert/tls_cert.py
@@ -93,7 +93,7 @@ def is_invalid_certificate_request(ca_name, common_name, lifetime, force_issue):
 if not force_issue and not db_issue_certificate(common_name):
 return {"error": "Certificate already issued"}
- if int(lifetime) < 1:
+ if lifetime < 1:
 return {"error": f"{lifetime} is too short"}
 return None
@@ -133,6 +133,7 @@ def get_csr_info(event):
 common_name = event["common_name"] # string, DNS common name, also used for certificate SAN if no SANs provided
 country = event.get("country") # string, country code
 email_address = event.get("email_address") # string, email address
+ lifetime = event.get("lifetime", 30) # integer, days until certificate expires. Defaults to 30.
 locality = event.get("locality") # string, location
 organization = event.get("organization") # string, organization name
 organizational_unit = event.get("organizational_unit") # string, organizational unit name
@@ -140,7 +141,7 @@ def get_csr_info(event):
 sans = event.get("sans") # list of strings, DNS Subject Alternative Names
 return create_csr_info_1(common_name, locality, organization, organizational_unit, country), create_csr_info_2(
- 30, email_address, purposes, sans
+ int(lifetime), email_address, purposes, sans
 )
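Review bot: `if lifetime < 1:` still bounds the requested lifetime only from below, so a request can ask for an arbitrarily long certificate, including one that outlives the issuing CA; since this value now comes straight from the event, an upper bound belongs next to the existing check, e.g. `if lifetime < 1 or lifetime > MAX_LIFETIME_DAYS:` with `return {"error": f"{lifetime} is too long"}` on that branch, where MAX_LIFETIME_DAYS is a module-level ceiling (placeholder name) matching the CA's issuance policy. Dropping `int()` also makes the comparison assume the caller already produced an integer: the new lambda_handler reads it via `csr_info_2.get("lifetime")`, which yields None if create_csr_info_2 (not visible here) stores the value under a different key, and `None < 1` raises TypeError instead of returning the error dict this function exists to produce. is_invalid_certificate_request starts outside the hunk.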
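Review bot: `event.get("lifetime", 30)` only falls back to 30 when the key is absent; a request carrying `"lifetime": null` yields None, and `int(lifetime)` in the following hunk (the create_csr_info_2 call) then raises TypeError, while a non-numeric string such as "1.5" raises ValueError, so a malformed request surfaces as an unhandled exception rather than the structured `{"error": ...}` response used for other invalid requests (unless a wrapper outside this view catches it). Normalising once here keeps the two paths consistent: `raw = event.get("lifetime")` followed by `lifetime = 30 if raw is None else int(raw)`, with the int() conversion guarded so a bad value can be reported as an error. Converting before validation also means a float like `1.9` is silently truncated to 1 day rather than rejected, which is worth a comment on the new line. get_csr_info's body continues outside the first hunk.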
@@ -152,14 +153,10 @@ def lambda_handler(event, context): # pylint:disable=unused-argument, too-many-
 # process input
 print(f"Input: {event}")
- # integer, days until certificate expires, defaults to 30
- lifetime = 30
- if "lifetime" in event:
- lifetime = int(event.get("lifetime"))
-
 csr_info_1, csr_info_2 = get_csr_info(event)
 common_name = csr_info_1["commonName"]
+ lifetime = csr_info_2.get("lifetime") # integer, days until certificate expires
 csr_file = event.get("csr_file") # string, reference to static file
 force_issue = event.get("force_issue") # boolean, force certificate generation even if one already exists
 cert_bundle = event.get("cert_bundle") # boolean, include Root CA and Issuing CA with client certificate