Coverage decreased (-0.4%) to 94.587% when pulling ed85a7f on pecigonzalo:feature/split_host_provider into f82e2a9 on Netflix:master.

@russell-lewis sorry for the delay, I believe this implements most of what we discussed. I sorted the code so its cleaner for the PR as well.

Added arg kwargs to the wrapper, to keep it simple, but I can add all the args if that is preferred, additionally copied/renamed the tests for the user to the wrapper, as to ensure it works.

The only thing left to do is to allow validity of host certs to be configurable, while in most cases I believe something like 1yr will be OK, but I did not know what is the preferred format for that in your config file. If you have a preference I can implement it.

FYI: I have a working WIP agent to run on the hosts, based on your example agent and using click.

This looks like a great starting point.
If you'd like me to make some changes to address the comments, I can do that.

Ultimately, I think would be good to allow for things like the additional verification found at https://github.com/lyft/bless/blob/lyft-host-certificate-lambda/bless/aws_lambda/bless_lambda.py
although theirs is very specific to their environment, and not generalized or configurable.

The issue with server certs issued like this is you can obtain a server cert for any hostname. That may or may not be a concern in your environment.

@russell-lewis Ill work on the comments, I believe they are all valid points. I did not know Lyft had a branch with this implemented, ill check for the additional verification as it can be valuable.

As for the last concern, I believe that is correct, Ill check what sort of "locking" we can do around that, but for the most part I think it could be a hard thing to validate. I personally do not believe its a concern to be honest as this is mostly about not getting fingerprint issues when sshing to servers.

@russell-lewis implemented most changes, let me know if it LG and ill squash the fixups or let me know if there is a test case I'm missing here.

Regarding "allowed" hostnames, I saw the code from Lyft and I believe its quite tailored to their infrastructure. The only way I can think about how would be more generic, is using an instance tag EG: bless:AllowedHostnames and then BLESS could query the tag in the instance or similar, but still will make it more complex for deployments across several accounts. The only change of compromise would be someone/or the instance getting write access to its own tags.
The thing that might be worth implementing is the kmsauth on the host handler, as that is not there right now, and I can see more value on that.
IMHO a host that can kmsauth and managed to spoof your instance or network would be quite rare and at that point, you probably have other problems 😄

@russell-lewis have you had a chance to look at my comment?

@russell-lewis I have squashed the commits, let me know what else is missing.

@russell-lewis any updates on this?

@pecigonzalo I'm so sorry about letting this slip through the cracks. I've spent some time this week giving BLESS some TLC. In order to keep the build workflow in line with our other tools I've backed out the pipenv changes. I took the host cert lambda, and split things out a bit more in https://github.com/Netflix/bless/pull/94/files .

@russell-lewis No worries, it was good timing as I was about to do a hard-fork for my use. Thanks a lot for the review/refactor and merge, it looks great!

Ill take it for a spin ASAP.