Automating Let's Encrypt SSL certificate management with the DNS-01 challenge and AWS

This post describes the steps needed to automate management of SSL certificates issued by the Let's Encrypt CA using the DNS-01 challenge and AWS.

acme-dns-route53 is a tool that lets us implement exactly this. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to complete the DNS-01 challenge and, finally, push a notification to SNS. acme-dns-route53 also has built-in support for running inside AWS Lambda, which is what we need here.
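To see what "completing the DNS-01 challenge" actually means for the Route53 record the tool writes, here is a stand-alone Go program that derives the TXT record name and value from the ACME account key and the challenge token (RFC 8555 §8.1/§8.4, with the RFC 7638 key thumbprint). This is an added example, not code from the page or from acme-dns-route53; it uses the public RSA test key from RFC 7638 §3.1 as sample input, a constructed token, and also handles EC account keys and wildcard names, which the text does not mention.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JWK holds the public members of an ACME account key that go into the
// RFC 7638 thumbprint. Private members must never be included.
type JWK struct {
	Kty  string // "RSA" or "EC"
	N, E string // RSA: modulus and exponent, base64url
	Crv  string // EC: curve name
	X, Y string // EC: coordinates, base64url
}

// CanonicalJSON builds the RFC 7638 §3.2 hash input: only the required public
// members, keys in lexicographic order, no whitespace. encoding/json sorts map
// keys, which yields exactly that ordering.
func CanonicalJSON(k JWK) (string, error) {
	var members map[string]string
	switch k.Kty {
	case "RSA":
		members = map[string]string{"e": k.E, "kty": "RSA", "n": k.N}
	case "EC":
		members = map[string]string{"crv": k.Crv, "kty": "EC", "x": k.X, "y": k.Y}
	default:
		return "", errors.New("unsupported key type: " + k.Kty)
	}
	for member, v := range members {
		if v == "" {
			return "", errors.New("missing JWK member " + member)
		}
	}
	b, err := json.Marshal(members)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// b64url encodes a SHA-256 digest the way ACME expects: base64url, no padding.
func b64url(sum [32]byte) string {
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Thumbprint is base64url(SHA-256(canonical JWK)) (RFC 7638 §3).
func Thumbprint(k JWK) (string, error) {
	c, err := CanonicalJSON(k)
	if err != nil {
		return "", err
	}
	return b64url(sha256.Sum256([]byte(c))), nil
}

// DNS01Record derives what must be published for a DNS-01 challenge: the key
// authorization is token "." thumbprint (RFC 8555 §8.1) and the TXT record
// _acme-challenge.<domain> holds base64url(SHA-256(keyAuthorization)) (§8.4).
// Wildcard identifiers are validated at the base name, so a leading "*." is dropped.
func DNS01Record(domain, token string, k JWK) (name, value string, err error) {
	tp, err := Thumbprint(k)
	if err != nil {
		return "", "", err
	}
	keyAuth := token + "." + tp
	base := strings.TrimSuffix(strings.TrimPrefix(domain, "*."), ".")
	return "_acme-challenge." + base + ".", b64url(sha256.Sum256([]byte(keyAuth))), nil
}

// VerifyDNS01 is the CA-side check: at least one TXT string at the record name
// must equal the expected value. txt stands in for a resolver's answer.
func VerifyDNS01(txt []string, expected string) bool {
	for _, v := range txt {
		if v == expected {
			return true
		}
	}
	return false
}

// RFC7638Key is the public RSA test vector from RFC 7638 §3.1, used here as
// sample input only; it is not an account key anyone should register.
var RFC7638Key = JWK{
	Kty: "RSA",
	E:   "AQAB",
	N:   "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}

func main() {
	// Constructed token; a real one is issued by the CA per authorization.
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	name, value, err := DNS01Record("*.example1.com", token, RFC7638Key)
	if err != nil {
		panic(err)
	}
	// This name/value pair is what a DNS-01 client such as acme-dns-route53
	// writes to the hosted zone before asking the CA to validate.
	fmt.Printf("%s TXT %q\n", name, value)
	fmt.Println("valid:", VerifyDNS01([]string{"stale-value", value}, value))
}
```

The thumbprint of the sample key can be cross-checked against the value printed in RFC 7638 §3.1. Because the record value commits to both the token and the account key, an attacker who can only observe the challenge cannot satisfy it for their own account; what they would need is write access to the zone, which is why the Route53 permissions granted to the function later in this post deserve to be scoped as tightly as possible.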

This article is split into 4 parts:

  • creating the zip file;
  • creating the IAM role;
  • creating the Lambda function that runs acme-dns-route53;
  • creating the CloudWatch schedule that triggers the function twice a day;

note: before you start you need to install Go 1.9+ and the AWS CLI.

Creating the zip file

acme-dns-route53 is written in Go and supports Go versions 1.9 and later.

We need to create a zip file with the acme-dns-route53 binary inside. To do this, install acme-dns-route53 from its GitHub repository with go install:

$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53

The binary is installed into the $GOPATH/bin directory. Note that during installation we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler to produce a binary for the Linux OS and the amd64 architecture, which is what runs on AWS.
AWS expects our program to be uploaded as a zip file, so let's create the acme-dns-route53.zip archive containing the freshly installed binary:

$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53

note: the binary must sit at the root of the zip archive; the -j flag drops the directory path so that it does.

Our zip archive is now ready to deploy; all that remains is to create a role with the right permissions.

Creating the IAM role

We need to create an IAM role with the permissions our Lambda function needs while it runs.
Let's call this role lambda-acme-dns-route53-executor and attach the managed policy AWSLambdaBasicExecutionRole to it right away. That lets our function run and write its logs to the AWS CloudWatch service.
First we create a JSON file describing the permissions the function needs: the Route53, ACM, SNS and CloudWatch actions that acme-dns-route53 calls. This is the permissions policy we will attach to the lambda-acme-dns-route53-executor role; the trust policy that allows the Lambda service to assume the role is a separate, much shorter document supplied when the role is created:

$ touch ~/lambda-acme-dns-route53-executor-policy.json

The contents of the file are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "cloudwatch:PutMetricData",
                "acm:ImportCertificate",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                "arn:aws:route53:::hostedzone/*",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

note: arn:aws:route53:::hostedzone/* lets the function change records in every hosted zone in the account. If you only issue certificates for a few zones, list their arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID> ARNs instead, so that a compromised function cannot rewrite unrelated zones.

A role also needs a trust policy that lets the Lambda service assume it; IAM rejects a trust policy without a Principal element, so the permissions file above cannot be used for that. Create the trust policy, run aws iam create-role with it, and then attach our permissions file to the role as an inline policy with aws iam put-role-policy:

$ cat > ~/lambda-acme-dns-route53-executor-trust.json <<'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "Service": "lambda.amazonaws.com" },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF

$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
    --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-trust.json

$ aws iam put-role-policy --role-name lambda-acme-dns-route53-executor \
    --policy-name acme-dns-route53-permissions \
    --policy-document file://~/lambda-acme-dns-route53-executor-policy.json

note: remember the role ARN (Amazon Resource Name) printed by create-role - we will need it in the next steps.

The lambda-acme-dns-route53-executor role now exists and carries our permissions; what is left is the managed logging policy. The easiest way to add it is the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole policy like so:

$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

note: a list of the other AWS managed policies can be found here.

Creating the Lambda function that runs acme-dns-route53

Hooray! Now we can deploy our function to AWS with the aws lambda create-function command. The function is configured through the following environment variables:

  • AWS_LAMBDA - tells acme-dns-route53 explicitly that it is running inside AWS Lambda.
  • DOMAINS - comma-separated list of domains to issue certificates for.
  • LETSENCRYPT_EMAIL - the Let's Encrypt account e-mail.
  • NOTIFICATION_TOPIC - name of the SNS notification topic (optional).
  • STAGING - set to 1 to use the Let's Encrypt staging environment.

The remaining parameters are for the Lambda service itself:

  • 1024 MB - memory limit, can be changed.
  • 900 seconds (15 minutes) - timeout.
  • acme-dns-route53 - the handler, i.e. the name of our binary inside the archive.
  • fileb://~/acme-dns-route53.zip - path to the archive we created.

Now let's deploy. The first run uses STAGING=1 so that mistakes in the setup hit Let's Encrypt's staging environment rather than the production rate limits; switch it to 0 once a staging certificate has been issued successfully. Replace <LETSENCRYPT_EMAIL> with your own address:

$ aws lambda create-function \
    --function-name acme-dns-route53 \
    --runtime go1.x \
    --role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor \
    --environment 'Variables={AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",LETSENCRYPT_EMAIL=<LETSENCRYPT_EMAIL>,STAGING=1,NOTIFICATION_TOPIC=acme-dns-route53-obtained}' \
    --memory-size 1024 \
    --timeout 900 \
    --handler acme-dns-route53 \
    --zip-file fileb://~/acme-dns-route53.zip

note: AWS has since deprecated the go1.x runtime. On a current account, build the same binary but name it bootstrap inside the archive, and pass --runtime provided.al2023 (or provided.al2) with --handler bootstrap.

{
    "FunctionName": "acme-dns-route53",
    "LastModified": "2019-05-03T19:07:09.325+0000",
    "RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558",
    "MemorySize": 1024,
    "Environment": {
        "Variables": {
            "DOMAINS": "example1.com,example2.com",
            "STAGING": "1",
            "LETSENCRYPT_EMAIL": "<LETSENCRYPT_EMAIL>",
            "NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
            "AWS_LAMBDA": "1"
        }
    },
    "Version": "$LATEST",
    "Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor",
    "Timeout": 900,
    "Runtime": "go1.x",
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=",
    "Description": "",
    "CodeSize": 8456317,
    "FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53",
    "Handler": "acme-dns-route53"
}

Creating the CloudWatch schedule that triggers the function twice a day

The last step is to set up a cron schedule that invokes our function twice a day:

  • create a CloudWatch Events rule with a schedule_expression value;
  • create a target for the rule (what should be executed) by specifying the ARN of the Lambda function;
  • grant the rule permission to invoke the Lambda function.

Below I've attached my Terraform config, but in practice this can be done just as well from the AWS console or the AWS CLI.

# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
  name                = "acme-dns-route53-issuer-scheduler"
  schedule_expression = "cron(0 */12 * * ? *)"
}

# Specify the lambda function to run. aws_lambda_function.acme_dns_route53 is
# the Terraform resource for the function created above; it is not shown here.
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
  rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
  arn  = "${aws_lambda_function.acme_dns_route53.arn}"
}

# Give CloudWatch Events permission to invoke the function; source_arn restricts
# the grant to this one rule rather than any rule in the account
resource "aws_lambda_permission" "permission" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}

You are now set up to issue and renew SSL certificates automatically.

source: www.habr.com
