Automating Let's Encrypt SSL certificate management with the DNS-01 challenge on AWS

This post describes the steps for automating the management of SSL certificates issued by the Let's Encrypt CA, using the DNS-01 challenge and AWS.

acme-dns-route53 is the tool that lets us implement this scheme. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to complete the DNS-01 challenge and, finally, push notifications to SNS. acme-dns-route53 also has built-in support for running inside AWS Lambda, which is exactly what we need.

This article is divided into four sections:

  • creating the zip file;
  • creating the IAM role;
  • creating the lambda function that runs acme-dns-route53;
  • creating the CloudWatch timer that triggers the function twice a day.

Note: before you begin, you need GoLang 1.9+ and the AWS CLI installed.

Creating the zip file

acme-dns-route53 is written in GoLang and supports versions no lower than 1.9.

We need to create a zip file containing the acme-dns-route53 binary. To do this, install acme-dns-route53 from the GitHub repository with the go install command:

$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53

The binary is installed into the $GOPATH/bin directory. Note that during installation we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler to build a binary for the Linux OS and the amd64 architecture, which is what runs on AWS.
AWS expects our program to be deployed as a zip file, so let's create the acme-dns-route53.zip archive containing the freshly built binary:

$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53

Note: the binary must be at the root of the zip archive. That is what the -j flag is for.

Now our zip archive is ready for deployment; all that remains is to create the role with the necessary permissions.

Creating the IAM role

We need to set up an IAM role with the permissions our lambda will need while it runs.
Let's call this role lambda-acme-dns-route53-executor and immediately attach the basic AWSLambdaBasicExecutionRole policy to it. This lets our lambda run and write logs to the AWS CloudWatch service.
First, we create a JSON file describing our permissions. This is what lets the lambda function use the lambda-acme-dns-route53-executor role:

$ touch ~/lambda-acme-dns-route53-executor-policy.json

The contents of our file are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "cloudwatch:PutMetricData",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                "arn:aws:route53:::hostedzone/*",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

Now let's run the aws iam create-role command to create the role:

$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
    --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json

Note: make a note of the role's ARN (Amazon Resource Name); we will need it in the following steps.

The lambda-acme-dns-route53-executor role has been created; now we need to grant it permissions. The easiest way to do this is with the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole policy as follows:

$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Note: the AWS documentation lists the other available managed policies.
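An added example (not from the original post or the acme-dns-route53 project): it lints a copy of the execution-role policy before the document is handed to the AWS CLI, and builds the trust policy that aws iam create-role --assume-role-policy-document expects, since that flag takes the "who may assume this role" document and the permissions JSON above is attached separately (for example with aws iam put-role-policy). The sample policy, the account id 123456789012 and the topic name are constructed; one ARN deliberately keeps a Terraform-style ${var.region} interpolation so the check can be seen firing.

```python
"""Lint the Lambda execution-role policy and build the matching trust policy.
Added example; not part of acme-dns-route53 or the original post."""
import json
import re

# Constructed sample: a trimmed copy of the role policy with a made-up account id.
# One ARN keeps a Terraform-style ${var.region} interpolation (an easy slip when copying
# between Terraform and the CLI) and acm:ImportCertificate is granted on "*" and scoped.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
         "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"},
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "acm:ImportCertificate", "acm:ListCertificates"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["sns:Publish", "route53:ChangeResourceRecordSets", "acm:ImportCertificate"],
         "Resource": ["arn:aws:sns:${var.region}:123456789012:acme-dns-route53-obtained",
                      "arn:aws:route53:::hostedzone/*",
                      "arn:aws:acm:<AWS_REGION>:123456789012:certificate/*"]},
    ],
})

UNRESOLVED = re.compile(r"<[A-Z_]+>|\$\{[^}]*\}")  # <PLACEHOLDER> or ${terraform.var}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(document: str) -> list:
    """Return human-readable findings; an empty list means the policy looks clean."""
    findings, wildcard, scoped = [], set(), set()
    for i, st in enumerate(json.loads(document)["Statement"]):
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        for res in resources:
            for hit in UNRESOLVED.findall(res):
                findings.append(f"statement {i}: unresolved placeholder {hit} in {res}")
        (wildcard if "*" in resources else scoped).update(actions)
    # An action allowed on "*" makes any narrower grant of the same action pointless.
    for action in sorted(wildcard & scoped):
        findings.append(f'{action}: allowed on Resource "*" and also scoped; drop the wildcard grant')
    return findings

def lambda_trust_policy() -> dict:
    """Trust policy for create-role: lets the Lambda service assume the role.
    The permissions document is attached separately, e.g. with put-role-policy."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}
```

Run lint_policy on the real file before create-role, and only proceed when it returns no findings; the <AWS_REGION> and <AWS_ACCOUNT_ID> placeholders count as findings until they are filled in.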

Creating the lambda function that runs acme-dns-route53

Hooray! Now we can deploy our function to AWS with the aws lambda create-function command. The lambda must be configured with the following environment variables and parameters:

  • AWS_LAMBDA - tells acme-dns-route53 that it is executing inside AWS Lambda.
  • DOMAINS - comma-separated list of domains.
  • LETSENCRYPT_EMAIL - the Let's Encrypt account e-mail address.
  • NOTIFICATION_TOPIC - name of the SNS notification topic (optional).
  • STAGING - with the value 1, the Let's Encrypt staging environment is used.
  • 1024 MB - the memory limit; can be changed.
  • 900 s (fifteen minutes) - the timeout.
  • acme-dns-route53 - the name of our binary inside the archive.
  • fileb://~/acme-dns-route53.zip - the path to the archive we created.

Now let's deploy:

$ aws lambda create-function \
    --function-name acme-dns-route53 \
    --runtime go1.x \
    --role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor \
    --environment Variables="{AWS_LAMBDA=1,DOMAINS=\"example1.com,example2.com\",LETSENCRYPT_EMAIL=<EMAIL>,STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}" \
    --memory-size 1024 \
    --timeout 900 \
    --handler acme-dns-route53 \
    --zip-file fileb://~/acme-dns-route53.zip

{
    "FunctionName": "acme-dns-route53",
    "LastModified": "2019-05-03T19:07:09.325+0000",
    "RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558",
    "MemorySize": 1024,
    "Environment": {
        "Variables": {
            "DOMAINS": "example1.com,example2.com",
            "STAGING": "1",
            "LETSENCRYPT_EMAIL": "[email protected]",
            "NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
            "AWS_LAMBDA": "1"
        }
    },
    "Version": "$LATEST",
    "Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor",
    "Timeout": 900,
    "Runtime": "go1.x",
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=",
    "Description": "",
    "CodeSize": 8456317,
    "FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53",
    "Handler": "acme-dns-route53"
}

Creating the CloudWatch timer that triggers the function twice a day

The final step is to set up the cron that calls our function twice a day:

  • create a CloudWatch rule with the schedule_expression value.
  • create a rule target (what should happen) by specifying the ARN of the lambda function.
  • give the rule permission to invoke the lambda function.

Below I have included my Terraform configuration, but of course this can also be done using only the AWS console or the AWS CLI.

# CloudWatch event rule that runs the acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_scheduler" {
  name                = "acme-dns-route53-issuer-scheduler"
  schedule_expression = "cron(0 */12 * * ? *)"
}

# Specify the lambda function to run. aws_lambda_function.acme_dns_route53 is the
# Terraform resource for the function created above; it is assumed to be declared
# elsewhere in the configuration (otherwise substitute the function ARN and name
# from the create-function output).
resource "aws_cloudwatch_event_target" "acme_dns_route53_scheduler_target" {
  rule = "${aws_cloudwatch_event_rule.acme_dns_route53_scheduler.name}"
  arn  = "${aws_lambda_function.acme_dns_route53.arn}"
}

# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.acme_dns_route53_scheduler.arn}"
}

Now you have automatic creation and renewal of SSL certificates configured.

Source: www.habr.com
