ืืคืืกื ืืชืืจ ืฉืืืื ืืืืืืืฆืื ืฉื ื ืืืื ืชืขืืืืช SSL ื ืืืืฆืขืืช ะธ AWS.
ืืื ืืื ืฉืืืคืฉืจ ืื ื ืืืืฉื ืชืืื ื ืื. ืื ืืืื ืืขืืื ืขื ืืืฉืืจื SSL ื-Let's Encrypt, ืืฉืืืจ ืืืชื ืืื ืื ืืชืขืืืืช ืฉื Amazon, ืืืฉืชืืฉ ื-API ืฉื Route53 ืืื ืืืืฉื ืืช ืืชืืจ ื-DNS-01, ืืืืกืืฃ, ืืืืืฃ ืืชืจืืืช ื-SNS. IN acme-dns-route53 ืืฉ ืื ืคืื ืงืฆืืื ืืืืช ืืืื ืืช ืืฉืืืืฉ ืืชืื AWS Lambda, ืืื ืื ืฉืื ืื ื ืฆืจืืืื.
ืืืืจ ืื ืืืืืง ื-4 ืืืงืื:
- ืืฆืืจืช ืงืืืฅ zip;
- ืืฆืืจืช ืชืคืงืื IAM;
- ืืฆืืจืช ืคืื ืงืฆืืืช ืืืืื ืฉืคืืขืืช acme-dns-route53;
- ืืฆืืจืช ืืืืืจ CloudWatch ืฉืืคืขืื ืคืื ืงืฆืื 2 ืคืขืืื ืืืื;
ืืขืจื: ืืคื ื ืฉืชืชืืื ืืชื ืฆืจืื ืืืชืงืื ะธ
ืืฆืืจืช ืงืืืฅ zip
acme-dns-route53 ืืชืื ื-GoLang ืืชืืื ืืืจืกื ืฉืืื ื ื ืืืื ื-1.9.
ืื ืื ื ืฆืจืืืื ืืืฆืืจ ืงืืืฅ zip ืขื ืงืืืฅ ืืื ืืจื acme-dns-route53 ืึผึฐืชืึนื. ืืื ืืขืฉืืช ืืืช ืืชื ืฆืจืื ืืืชืงืื acme-dns-route53 ืืืืืจ GitHub ืืืืฆืขืืช ืืคืงืืื go install:
$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53ืืืื ืืจื ืืืชืงื ื $GOPATH/bin ืึทืืจึดืื. ืฉืืื ืื ืฉืืืืื ืืืชืงื ื ืฆืืื ื ืฉืชื ืกืืืืืช ืฉืืฉืชื ื: GOOS=linux ะธ GOARCH=amd64. ืื ืืืืืจืื ืืืืืจ ืฉื Go ืฉืืื ืฆืจืื ืืืฆืืจ ืงืืืฅ ืืื ืืจื ืืืชืืื ืืืจืืืืงืืืจืช ืืื ืืงืก ื-amd64 - ืื ืื ืฉืจืฅ ืขื AWS.
AWS ืืฆืคื ืฉืืชืืื ืืช ืฉืื ื ืชืืคืจืก ืืงืืืฅ zip, ืื ืืืื ื ืืฆืืจ acme-dns-route53.zip ืืจืืืื ืฉืืืื ืืช ืืืื ืืจื ืฉืืืชืงื ืืืืจืื ื:
$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53ืืขืจื: ืืงืืืฅ ืืืื ืืจื ืฆืจืื ืืืืืช ืืฉืืจืฉ ืฉื ืืจืืืื ื-zip. ืืฉืืื ืื ืื ืื ื ืืฉืชืืฉืื -j ืึถืึถื.
ืืขืช ืืื ืื ื-zip ืฉืื ื ืืืื ืืคืจืืกื, ืื ืื ืฉื ืืชืจ ืืื ืืืฆืืจ ืชืคืงืื ืขื ืืืืืืืช ืืืจืืฉืืช.
ืืฆืืจืช ืชืคืงืื IAM
ืื ืื ื ืฆืจืืืื ืืืงืื ืชืคืงืื IAM ืขื ืืืืืืืช ืื ืืจืฉืืช ืขื ืืื ืืืืืื ืฉืื ื ืืืืื ืืืฆืืขื.
ืืืื ื ืงืจื ืืื ืืืื ืืืช lambda-acme-dns-route53-executor ืืืื ืืชืช ืื ืชืคืงืื ืืกืืกื AWSLambdaBasicExecutionRole. ืื ืืืคืฉืจ ืืืืื ืฉืื ื ืืืคืขืื ืืืืชืื ืืืื ืื ืืฉืืจืืช AWS CloudWatch.
ืจืืฉืืช, ืื ื ืืืฆืจืื ืงืืืฅ JSON ืฉืืชืืจ ืืช ืืืืืืืช ืฉืื ื. ืื ืืขืฆื ืืืคืฉืจ ืืฉืืจืืชื ืืืืื ืืืฉืชืืฉ ืืชืคืงืื lambda-acme-dns-route53-executor:
$ touch ~/lambda-acme-dns-route53-executor-policy.jsonืืชืืื ืฉื ืืงืืืฅ ืฉืื ื ืืื ืืืืงืื:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream"
],
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"cloudwatch:PutMetricData",
"acm:ImportCertificate",
"acm:ListCertificates"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"sns:Publish",
"route53:GetChange",
"route53:ChangeResourceRecordSets",
"acm:ImportCertificate",
"acm:DescribeCertificate"
],
"Resource": [
"arn:aws:sns:${var.region}:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
"arn:aws:route53:::hostedzone/*",
"arn:aws:route53:::change/*",
"arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
]
}
]
}ืขืืฉืื ืืืื ื ืจืืฅ ืืช ืืคืงืืื aws iam create-role ืืื ืืืฆืืจ ืชืคืงืื:
$ aws iam create-role --role-name lambda-acme-dns-route53-executor
--assume-role-policy-document ~/lambda-acme-dns-route53-executor-policy.jsonืืขืจื: ืืืืจ ืืช ืืืืื ืืืช ARN (ืฉื ืืฉืื ืืืืื) - ื ืฆืืจื ืืืชื ืืฉืืืื ืืืืื.
ืชืคืงืืื ืฉื lambda-acme-dns-route53-executor ื ืืฆืจ, ืืขืช ืขืืื ื ืืฆืืื ืืจืฉืืืช ืขืืืจื. ืืืจื ืืงืื ืืืืชืจ ืืขืฉืืช ืืืช ืืื ืืืฉืชืืฉ ืืคืงืืื aws iam attach-role-policyืขื ืืื ืืขืืจืช ืืคืืืืกื ARN AWSLambdaBasicExecutionRole ืืืืงืื:
$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRoleืืขืจื: ื ืืชื ืืืฆืื ืจืฉืืื ืขื ืืืื ืืืช ืืืจืช .
ืืฆืืจืช ืคืื ืงืฆืืืช ืืืืื ืฉืคืืขืืช acme-dns-route53
ืืืื! ืขืืฉืื ืืชื ืืืื ืืคืจืืก ืืช ืืคืื ืงืฆืื ืฉืื ื ื-AWS ืืืืฆืขืืช ืืคืงืืื aws lambda create-function. ืืฉ ืืืืืืจ ืืช ืืืืืื ืืืืฆืขืืช ืืฉืชื ื ืืกืืืื ืืืืื:
AWS_LAMBDA- ืืืืืจ acme-dns-route53 ืฉืืืืฆืืข ืืชืจืืฉ ืืชืื AWS Lambda.DOMAINS- ืจืฉืืื ืฉื ืชืืืืื ืืืคืจืืื ืืคืกืืงืื.LETSENCRYPT_EMAIL- ืืืื .NOTIFICATION_TOPIC- ืฉื ื ืืฉื ืืืืขืช SNS (ืืืคืฆืืื ืื).STAGING- ืืคื ืืขืจื1ื ืขืฉื ืฉืืืืฉ ืืกืืืืช ืืืื.1024MB - ืืืืืช ืืืืจืื, ื ืืชื ืืฉืื ืื.900ืฉื ืืืช (15 ืืงืืช) - ืคืกืง ืืื.acme-dns-route53- ืฉื ืืืื ืืจื ืฉืื ื, ืฉื ืืฆื ืืืจืืืื.fileb://~/acme-dns-route53.zip- ืืืจื ืืืจืืืื ืฉืืฆืจื ื.
ืขืืฉืื ืืืื ื ืคืจืืก:
$ aws lambda create-function
--function-name acme-dns-route53
--runtime go1.x
--role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor
--environment Variables="{AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",[email protected],STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}"
--memory-size 1024
--timeout 900
--handler acme-dns-route53
--zip-file fileb://~/acme-dns-route53.zip
{
"FunctionName": "acme-dns-route53",
"LastModified": "2019-05-03T19:07:09.325+0000",
"RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558",
"MemorySize": 1024,
"Environment": {
"Variables": {
"DOMAINS": "example1.com,example2.com",
"STAGING": "1",
"LETSENCRYPT_EMAIL": "[email protected]",
"NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
"AWS_LAMBDA": "1"
}
},
"Version": "$LATEST",
"Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor",
"Timeout": 900,
"Runtime": "go1.x",
"TracingConfig": {
"Mode": "PassThrough"
},
"CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=",
"Description": "",
"CodeSize": 8456317,
"FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53",
"Handler": "acme-dns-route53"
}ืืฆืืจืช ืืืืืจ CloudWatch ืฉืืคืขืื ืคืื ืงืฆืื 2 ืคืขืืื ืืืื
ืืฉืื ืืืืจืื ืืื ืืืืืืจ ืืช cron, ืฉืงืืจื ืืคืื ืงืฆืื ืฉืื ื ืคืขืืืื ืืืื:
- ืฆืืจ ืืื CloudWatch ืขื ืืขืจื
schedule_expression. - ืฆืืจ ืืขื ืืื (ืื ืืฉ ืืืฆืข) ืขื ืืื ืฆืืื ื-ARN ืฉื ืคืื ืงืฆืืืช lambda.
- ืืชืช ืจืฉืืช ืืืื ืืงืจืื ืืคืื ืงืฆืืืช lambda.
ืืืื ืฆืืจืคืชื ืืช ืชืฆืืจืช ื- Terraform ืฉืื, ืืื ืืืขืฉื ืื ื ืขืฉื ืืฆืืจื ืคืฉืืื ืืืื ืืืืฆืขืืช ืงืื ืกืืืช AWS ืื AWS CLI.
# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
name = "acme-dns-route53-issuer-scheduler"
schedule_expression = "cron(0 */12 * * ? *)"
}
# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
arn = "${aws_lambda_function.acme_dns_route53.arn}"
}
# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
principal = "events.amazonaws.com"
source_arn = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}ืืขืช ืืชื ืืืืืจ ืืืฆืืจ ืืืขืืื ืืืืคื ืืืืืืื ืชืขืืืืช SSL
ืืงืืจ: www.habr.com