Automating Let's Encrypt SSL certificate management with the DNS-01 challenge and AWS

This post describes the steps needed to automate the management of SSL certificates issued by the Let's Encrypt CA using the DNS-01 challenge and AWS.

acme-dns-route53 is a tool that lets us do exactly that. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to complete the DNS-01 challenge and, finally, push notifications to SNS. acme-dns-route53 also has built-in support for running inside AWS Lambda, which is what we need.

This article is divided into 4 parts:

  • creating the zip file;
  • creating the IAM role;
  • creating the lambda function that runs acme-dns-route53;
  • creating the CloudWatch timer that triggers the function twice a day.

Note: before you start, you need Go 1.9+ and the AWS CLI installed.

Creating the zip file

acme-dns-route53 is written in Go and requires Go version 1.9 or newer.

We need to create a zip file with the acme-dns-route53 binary inside. To do this, install acme-dns-route53 from its GitHub repository with the go install command:

$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53

The binary is installed into the $GOPATH/bin directory. Note that during installation we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler to produce a binary for the Linux OS and the amd64 architecture, which is what AWS Lambda runs on.
AWS expects our program to be uploaded as a zip file, so let's create the acme-dns-route53.zip archive containing the freshly installed binary:

$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53

Note: the binary must be at the root of the zip archive; that is what the -j flag is for.

Our zip file is now ready for deployment; all that remains is to create a role with the necessary permissions.

Creating the IAM role

We need to set up an IAM role with the permissions our lambda needs while it runs.
Let's call this role lambda-acme-dns-route53-executor and attach the basic AWSLambdaBasicExecutionRole policy to it right away. This lets our lambda run and write its logs to the AWS CloudWatch service.
First, we create a JSON file that describes our policy. This is what will allow the Lambda service to use the lambda-acme-dns-route53-executor role:

$ touch ~/lambda-acme-dns-route53-executor-policy.json

The contents of the file are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "cloudwatch:PutMetricData",
                "acm:ImportCertificate",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                "arn:aws:route53:::hostedzone/*",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

Now let's run the aws iam create-role command to create the role:

$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
    --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json

Note: write down the role's ARN (Amazon Resource Name); we will need it in the next steps.

The lambda-acme-dns-route53-executor role has been created; now we need to explicitly grant it permissions. The easiest way to do this is with the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole policy as follows:

$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Note: the list of other AWS managed policies can be found in the AWS documentation.
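Added example, not part of the original post or of acme-dns-route53: a small Python helper that builds the trust policy create-role expects, a Route53 statement scoped to TXT records on _acme-challenge names (using the Route53 ChangeResourceRecordSets condition keys, assumed available in your account), and an audit that flags non-read actions granted on wildcard resources. The sample policy inside it is constructed to mirror the third and fourth statements of the policy above; zone IDs and the account ID are placeholders.

```python
# Trust policy: the document `aws iam create-role --assume-role-policy-document` expects.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Read-only actions are harmless on Resource "*"; any other action on a wildcard is flagged.
READ_ONLY = {"route53:ListHostedZones", "route53:GetChange",
             "acm:ListCertificates", "acm:DescribeCertificate"}

# Constructed sample mirroring the third and fourth statements of the policy above.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["route53:ListHostedZones", "cloudwatch:PutMetricData",
                "acm:ImportCertificate", "acm:ListCertificates"]},
    {"Effect": "Allow", "Action": ["sns:Publish", "route53:ChangeResourceRecordSets"],
     "Resource": ["arn:aws:sns:us-east-1:123456789012:acme-dns-route53-obtained",
                  "arn:aws:route53:::hostedzone/*"]},
]}

def as_list(v):
    return v if isinstance(v, list) else [v]

def scoped_route53_statement(zone_ids, domains):
    """DNS writes limited to TXT records named _acme-challenge.<domain> in the given zones
    (Route53 ChangeResourceRecordSets condition keys; zone IDs are hypothetical)."""
    return {
        "Effect": "Allow",
        "Action": "route53:ChangeResourceRecordSets",
        "Resource": [f"arn:aws:route53:::hostedzone/{z}" for z in zone_ids],
        "Condition": {"ForAllValues:StringEquals": {
            "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
            "route53:ChangeResourceRecordSetsNormalizedRecordNames":
                [f"_acme-challenge.{d}" for d in domains]}},
    }

def audit(policy):
    """(action, resource) pairs where a non-read action is allowed on '*' or on an
    unconditioned '.../*' ARN, i.e. where the role is broader than DNS-01 renewal needs."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for a in (x for x in as_list(st["Action"]) if x not in READ_ONLY):
            for r in as_list(st["Resource"]):
                if r == "*" or (r.endswith("/*") and "Condition" not in st):
                    findings.append((a, r))
    return findings
```

Write LAMBDA_TRUST_POLICY to a file and pass it via file:// to create-role; the permissions document then goes on the role with aws iam put-role-policy rather than as the trust document.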

Creating the lambda function that runs acme-dns-route53

Hooray! Now we can deploy our function to AWS with the aws lambda create-function command. The lambda needs the following environment variables and parameters:

  • AWS_LAMBDA - tells acme-dns-route53 that it is running inside AWS Lambda.
  • DOMAINS - a comma-separated list of domains.
  • LETSENCRYPT_EMAIL - the e-mail address registered with Let's Encrypt.
  • NOTIFICATION_TOPIC - the name of the SNS notification topic (optional).
  • STAGING - with the value 1 the Let's Encrypt staging environment is used.
  • 1024 MB - the memory limit; can be changed.
  • 900 secs (15 minutes) - the timeout.
  • acme-dns-route53 - the name of our binary inside the archive.
  • fileb://~/acme-dns-route53.zip - the path to the archive we created.

Now let's deploy it:

$ aws lambda create-function \
    --function-name acme-dns-route53 \
    --runtime go1.x \
    --role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor \
    --environment 'Variables={AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",LETSENCRYPT_EMAIL=<EMAIL>,STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}' \
    --memory-size 1024 \
    --timeout 900 \
    --handler acme-dns-route53 \
    --zip-file fileb://~/acme-dns-route53.zip

{
    "FunctionName": "acme-dns-route53",
    "LastModified": "2019-05-03T19:07:09.325+0000",
    "RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558",
    "MemorySize": 1024,
    "Environment": {
        "Variables": {
            "DOMAINS": "example1.com,example2.com",
            "STAGING": "1",
            "LETSENCRYPT_EMAIL": "<EMAIL>",
            "NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
            "AWS_LAMBDA": "1"
        }
    },
    "Version": "$LATEST",
    "Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor",
    "Timeout": 900,
    "Runtime": "go1.x",
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=",
    "Description": "",
    "CodeSize": 8456317,
    "FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53",
    "Handler": "acme-dns-route53"
}

Creating the CloudWatch timer that triggers the function twice a day

The last step is to set up a cron schedule that invokes our function twice a day:

  • create a CloudWatch event rule with a schedule_expression value;
  • create a target for the rule (what is to be run) by specifying the ARN of the lambda function;
  • allow the rule to invoke the lambda function.

Below I have attached my Terraform config, but in fact this can just as easily be done from the AWS console or with the AWS CLI.

# CloudWatch event rule that runs the acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
  name                = "acme-dns-route53-issuer-scheduler"
  schedule_expression = "cron(0 */12 * * ? *)"
}

# Specify the lambda function to run.
# aws_lambda_function.acme_dns_route53 is assumed to be declared elsewhere in the
# same Terraform config; for a function created with the CLI as above, look it up
# with a data "aws_lambda_function" block instead.
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
  rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
  arn  = "${aws_lambda_function.acme_dns_route53.arn}"
}

# Give CloudWatch permission to invoke the function (restricted to this rule via source_arn)
resource "aws_lambda_permission" "permission" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}

You are now set up to obtain and renew SSL certificates automatically.

Source: www.hab.com
