pulumi: Add pulumi-lambda-cert module

[jen20]

This pull request adds a new Pulumi module, @operator-error/pulumi-lambda-cert which creates the resources necessary to run lambda-cert.

[joeduffy]

This is really awesome 🎉

I love seeing the creation of new reusable components like this, especially when published to NPM 👍

A few minor comments, mostly questions, inline.

Thank you for letting me take a look!

[joeduffy]

Have we merged your aws.Tags change yet? (We should 😄) Would that let you just use that directly?

[jen20]

It has been merged, but isn't part of the 0.14.5 release that is current (https://github.com/pulumi/pulumi-aws/commits/v0.14.5) - so I didn't want to depend on it until I can make this package depend on a stable release. I'll open an issue to fix this up though!

[joeduffy]

This is super cool that you can do this. One thing I've wondered from time to time, do you think we should eventually look into a Let's Encrypt resource provider, so that you can declare a certificate as a first class resource?

[jen20]

This is more awkward. Terraform has an ACME provider, but I've personally found it to be of no use, as it introduces a runtime dependency to go and renew certificates. Since the validity period of certificates issued by Let's Encrypt is on the low side, this needs doing fairly often, hence the reason I built a Lambda to do it. This may not be an issue for things with frequent iterations, but personally I like to have things "self-maintain" without requiring operator input.

The (missing) companion to this is a service which runs on instances making use of the certificates to download the certificate from the bucket each day, compare against the version the instance has, and reload the TLS configuration of the target service however necessary.

Using this is also only necessary when it's desirable to maintain TLS without interception all the way to the service instances - Vault is my canonical example. Most things running in AWS in particular can happily terminate TLS at the load balancer, API Gateway etc, and use ACM-issued certificates, which are strictly better.

[joeduffy]

One thing to mention, which I am largely mentioning not because I think you should necessarily do it, but because I'd love feedback on this, is that components can have tracked inputs and outputs.

For example, instead of {}, I think you'd supply the inputs passed to create. And then you'd make a call to this.registerResourceOutputs(...) with the resulting LambdaCertOutputs.

This would cause the state to get recorded in the resulting checkpoint state. But the reason I'm questioning this whole area of our model is that I don't see how that'd immediately improve your life in any way here. (A minor point, it would allow us to show that information in the pulumi.com service UI ...)

Is that even remotely interesting in this case?

[jen20]

Having the information shown in the service UI is definitely interesting. I'll look at adding this.

[joeduffy]

I wish we had a better way of doing this sort of thing with less boilerplate 🙁

[jen20]

I opened an issue with a suggestion which may work here - I haven't looked at implementing it yet though. It would definitely be nice to eliminate the boilerplate here.

[jen20]

Thanks for reviewing, @joeduffy! There are a few things here I'll follow up on before merging and publishing the first version of this.