Automating Let's Encrypt SSL certificate management using the DNS-01 challenge and AWS

This post describes the steps to automate the management of SSL certificates from the Let's Encrypt CA using the DNS-01 challenge and AWS.

acme-dns-route53 is the tool that lets us implement this. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to complete the DNS-01 challenge and, finally, push a notification to SNS. acme-dns-route53 also has built-in support for running inside AWS Lambda, which is exactly what we need.

The article is divided into 4 parts:

  • creating the zip file;
  • creating the IAM role;
  • creating the lambda function that runs acme-dns-route53;
  • creating the CloudWatch timer that triggers the function twice a day.

Note: before starting you need to install Go 1.9+ and the AWS CLI.

Creating the zip file

acme-dns-route53 is written in Go and supports Go versions no older than 1.9.

We need to build a zip file with the acme-dns-route53 binary inside. To do this, install acme-dns-route53 from its GitHub repository with the go install command:

$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53

The binary is installed into the $GOPATH/bin directory. Note that during installation we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler to produce a binary for the Linux OS and the amd64 architecture, which is what runs in AWS.
AWS expects our program to be deployed as a zip file, so let's create an acme-dns-route53.zip archive containing the freshly installed binary:

$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53

Note: the binary must be at the root of the zip archive. That is what the -j flag is for.
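The three things that most often break a Go Lambda deployment are exactly the ones the steps above set up: the binary nested under a directory instead of at the archive root, a binary built for the wrong OS/architecture, and a binary that lost its executable bit. The following pre-deployment check is an added example (not part of acme-dns-route53 or the original post); the archives and the ELF header bytes it inspects are constructed in memory so it runs offline.

```python
"""Pre-deployment check for a Go Lambda zip: the handler binary must sit at the
archive root (what ``zip -j`` gives us), be executable, and be a Linux amd64 ELF.
Added example, not part of acme-dns-route53; all archive bytes are constructed."""
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
EM_X86_64 = 0x3E  # e_machine value for amd64


def check_lambda_zip(zip_bytes: bytes, handler: str) -> list:
    """Return a list of problems; an empty list means the zip is ready for Lambda."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if handler not in names:
            problems.append(f"handler '{handler}' not found at archive root (entries: {names})")
            nested = [n for n in names if n.rsplit("/", 1)[-1] == handler and n != handler]
            if nested:
                problems.append(f"binary is nested at '{nested[0]}'; rebuild the zip with -j")
            return problems
        info = zf.getinfo(handler)
        mode = (info.external_attr >> 16) & 0o777  # unix permission bits stored by zip
        if not mode & 0o111:
            problems.append(f"'{handler}' is not executable (mode {oct(mode)})")
        head = zf.read(handler)[:20]
        if head[:4] != ELF_MAGIC:
            problems.append("not an ELF binary; build with GOOS=linux")
            return problems
        if head[4] != 2 or head[5] != 1:
            problems.append("ELF is not 64-bit little-endian")
        (e_machine,) = struct.unpack_from("<H", head, 18)
        if e_machine != EM_X86_64:
            problems.append(f"ELF e_machine {e_machine:#x} is not amd64; build with GOARCH=amd64")
    return problems


def fake_elf(e_machine: int = EM_X86_64) -> bytes:
    # Constructed stand-in for a Go binary: only the ELF identification bytes
    # and the e_type/e_machine fields carry meaning here.
    return b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, e_machine) + b"\x00" * 44


def build_zip(arcname: str, data: bytes, mode: int = 0o755) -> bytes:
    """Build an in-memory zip with one entry, mimicking the layout zip would produce."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo(arcname)
        info.external_attr = mode << 16  # permission bits, as zip -j preserves them
        zf.writestr(info, data)
    return buf.getvalue()


HANDLER = "acme-dns-route53"
GOOD_ZIP = build_zip(HANDLER, fake_elf())                     # zip -j layout
NESTED_ZIP = build_zip("go/bin/" + HANDLER, fake_elf())       # zip without -j
NOEXEC_ZIP = build_zip(HANDLER, fake_elf(), mode=0o644)       # lost the executable bit
ARM_ZIP = build_zip(HANDLER, fake_elf(0xB7))                  # built with GOARCH=arm64

if __name__ == "__main__":
    for label, z in [("good", GOOD_ZIP), ("nested", NESTED_ZIP),
                     ("noexec", NOEXEC_ZIP), ("arm64", ARM_ZIP)]:
        print(label, check_lambda_zip(z, HANDLER) or "OK")
```

Run it against a real archive with `check_lambda_zip(open("acme-dns-route53.zip", "rb").read(), "acme-dns-route53")`; the handler name must match the `--handler` value passed to `aws lambda create-function` later in the post.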

Our zip is now ready to deploy; what remains is to create a role with the required permissions.

Creating the IAM role

We need to set up an IAM role with the permissions the lambda requires during execution.
Let's call this policy lambda-acme-dns-route53-executor and immediately attach the basic AWSLambdaBasicExecutionRole to it. This lets our lambda run and write logs to the AWS CloudWatch service.
First, we create a JSON file describing our permissions. It will allow the lambda service to use the lambda-acme-dns-route53-executor role:

$ touch ~/lambda-acme-dns-route53-executor-policy.json

The contents of the file are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "cloudwatch:PutMetricData",
                "acm:ImportCertificate",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                "arn:aws:route53:::hostedzone/*",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

Now let's run the aws iam create-role command to create the role:

$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
    --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json

Note: remember the policy ARN (Amazon Resource Name); we will need it in the next step.

The lambda-acme-dns-route53-executor role has been created; now we need to assign its permissions. The easiest way is the aws iam attach-role-policy command, passing the AWSLambdaBasicExecutionRole policy ARN like this:

$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Note: a list of other managed policies can be found here.
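Two documents are involved in this section and they are easy to mix up: `aws iam create-role --assume-role-policy-document` takes the trust policy (which principal may assume the role, here the Lambda service), while the permissions document above belongs in `aws iam put-role-policy` or a managed policy attached with `attach-role-policy`. The following added example (not part of acme-dns-route53 or the original post) tells the two apart and lints a permissions document for two things a reviewer would flag in a policy like the one above: unresolved template placeholders in ARNs and write actions granted on `Resource: "*"` that could be scoped to ARNs. The permissions policy it checks is a constructed fragment modelled on the post's, not a copy of it; the set of actions that only accept `*` is limited to the three named here.

```python
"""Distinguish an IAM trust policy from a permissions policy and lint the
latter for over-broad grants. Added example, not part of acme-dns-route53."""
import json
import re

# Trust policy letting the Lambda service assume the role; this is what
# `aws iam create-role --assume-role-policy-document` expects.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed permissions fragment modelled on the post's policy: one statement
# grants a write action on every resource, another carries a Terraform-style
# placeholder that was never rendered.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "acm:ListCertificates", "acm:ImportCertificate"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["sns:Publish", "route53:ChangeResourceRecordSets"],
         "Resource": ["arn:aws:sns:${var.region}:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                      "arn:aws:route53:::hostedzone/*"]},
    ],
}

# Actions without resource-level permissions: IAM only evaluates them against
# "*", so a wildcard there is required rather than over-broad.
WILDCARD_ONLY_ACTIONS = {"route53:ListHostedZones", "acm:ListCertificates", "cloudwatch:PutMetricData"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def classify(doc: dict) -> str:
    """'trust' if every statement names a Principal, 'identity' if none does, else 'mixed'."""
    statements = doc.get("Statement", [])
    with_principal = [s for s in statements if "Principal" in s]
    if statements and len(with_principal) == len(statements):
        return "trust"
    if not with_principal:
        return "identity"
    return "mixed"


def lint_permissions(doc: dict) -> list:
    """Return human-readable findings for a permissions (identity) policy."""
    findings = []
    if classify(doc) != "identity":
        findings.append("document contains Principal fields; it is not a permissions policy")
    for i, stmt in enumerate(doc.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            if re.search(r"\$\{[^}]*\}", res):
                findings.append(f"statement {i}: unresolved template in '{res}'")
        if "*" in resources:
            broad = [a for a in actions if a not in WILDCARD_ONLY_ACTIONS]
            if broad:
                findings.append(f"statement {i}: {broad} granted on Resource '*'; scope to ARNs")
    return findings


def create_role_document(doc: dict) -> str:
    """Serialise a trust policy for --assume-role-policy-document; refuse anything else."""
    if classify(doc) != "trust":
        raise ValueError("create-role needs a trust policy, not a permissions policy")
    return json.dumps(doc, separators=(",", ":"))


if __name__ == "__main__":
    print("trust document:", create_role_document(TRUST_POLICY))
    for finding in lint_permissions(PERMISSIONS_POLICY):
        print("finding:", finding)
```

With a real document, `lint_permissions(json.load(open(path)))` before `put-role-policy` catches the two classes of mistake cheaply; `create_role_document` fails loudly if the permissions file is handed to `create-role` by accident.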

Creating the lambda function that runs acme-dns-route53

Hooray! Now we can deploy our function to AWS using the aws lambda create-function command. The lambda is configured with the following environment variables and settings:

  • AWS_LAMBDA - tells acme-dns-route53 that it is executing inside AWS Lambda.
  • DOMAINS - comma-separated list of domains.
  • LETSENCRYPT_EMAIL - the Let's Encrypt account email.
  • NOTIFICATION_TOPIC - name of the SNS notification topic (optional).
  • STAGING - with value 1 the staging environment is used.
  • 1024 MB - memory limit, can be changed.
  • 900 secs (15 min) - timeout.
  • acme-dns-route53 - the name of our binary inside the archive.
  • fileb://~/acme-dns-route53.zip - path to the archive we created.

Now let's deploy:

$ aws lambda create-function \
    --function-name acme-dns-route53 \
    --runtime go1.x \
    --role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor \
    --environment "Variables={AWS_LAMBDA=1,DOMAINS=\"example1.com,example2.com\",LETSENCRYPT_EMAIL=<LETSENCRYPT_EMAIL>,STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}" \
    --memory-size 1024 \
    --timeout 900 \
    --handler acme-dns-route53 \
    --zip-file fileb://~/acme-dns-route53.zip

 {
     "FunctionName": "acme-dns-route53", 
     "LastModified": "2019-05-03T19:07:09.325+0000", 
     "RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558", 
     "MemorySize": 1024, 
     "Environment": {
         "Variables": {
            "DOMAINS": "example1.com,example2.com", 
            "STAGING": "1", 
            "LETSENCRYPT_EMAIL": "<LETSENCRYPT_EMAIL>", 
            "NOTIFICATION_TOPIC": "acme-dns-route53-obtained", 
            "AWS_LAMBDA": "1"
         }
     }, 
     "Version": "$LATEST", 
     "Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor", 
     "Timeout": 900, 
     "Runtime": "go1.x", 
     "TracingConfig": {
         "Mode": "PassThrough"
     }, 
     "CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=", 
     "Description": "", 
     "CodeSize": 8456317,
     "FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53", 
     "Handler": "acme-dns-route53"
 }

Creating the CloudWatch timer that triggers the function twice a day

The last step is to set up a cron schedule that calls our function twice a day:

  • create a CloudWatch rule with a schedule_expression value;
  • create a rule target (what should be executed) by specifying the lambda function's ARN;
  • grant the rule permission to invoke the lambda function.

Below I have attached a Terraform config, but in practice this is just as easily done through the AWS console or the AWS CLI.

# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
  name                = "acme-dns-route53-issuer-scheduler"
  schedule_expression = "cron(0 */12 * * ? *)"
}

# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
  rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
  arn  = "${aws_lambda_function.acme_dns_route53.arn}"
}

# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}
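The schedule_expression above uses AWS cron syntax, which differs from Unix cron: it has six fields (minutes, hours, day-of-month, month, day-of-week, year) and exactly one of day-of-month and day-of-week must be `?`. A rule with a malformed expression is rejected at creation time, but a valid expression that fires at unintended times is only noticed when renewals are missed. The following added example (not part of the post's Terraform or of acme-dns-route53) validates an expression and expands its minute and hour fields into the UTC times it fires each day; it handles the `*`, `a,b`, `a-b`, `*/n` and `a/n` forms for those two fields and leaves the day, month and year fields unexpanded.

```python
"""Validate an EventBridge/CloudWatch cron(...) schedule expression and list the
UTC times it fires each day. Added example, not part of the original post."""
import re


def _expand(field: str, lo: int, hi: int) -> list:
    """Expand a minute or hour field: '*', 'a', 'a,b', 'a-b', '*/n', 'a/n'."""
    values = set()
    for part in field.split(","):
        m = re.fullmatch(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?", part)
        if not m:
            raise ValueError(f"unsupported field part '{part}'")
        base, step = m.group(1), int(m.group(2) or 1)
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = (int(x) for x in base.split("-"))
        else:
            # 'a' alone is a single value; 'a/n' runs from a to the field maximum
            start, end = int(base), (hi if m.group(2) else int(base))
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"'{part}' outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def daily_fire_times(expression: str) -> list:
    """Return 'HH:MM' UTC strings for a cron(...) schedule; ValueError if malformed."""
    m = re.fullmatch(r"cron\((.*)\)", expression.strip())
    if not m:
        raise ValueError("expected an expression of the form cron(...)")
    fields = m.group(1).split()
    if len(fields) != 6:
        raise ValueError(f"AWS cron needs 6 fields, got {len(fields)} (Unix cron has 5)")
    minutes, hours, day_of_month, _month, day_of_week, _year = fields
    # AWS requires a '?' in exactly one of the two day fields.
    if (day_of_month == "?") == (day_of_week == "?"):
        raise ValueError("exactly one of day-of-month and day-of-week must be '?'")
    return [f"{h:02d}:{mi:02d}"
            for h in _expand(hours, 0, 23)
            for mi in _expand(minutes, 0, 59)]


if __name__ == "__main__":
    # The expression from the Terraform rule above: twice a day, 12 hours apart.
    print(daily_fire_times("cron(0 */12 * * ? *)"))
```

For the rule above this yields `00:00` and `12:00` UTC; a rule with the Unix-style `* * * * *` tail, or with `*` in both day fields, is rejected before it ever reaches `aws events put-rule`.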

You are now set up to obtain and renew SSL certificates automatically.

Source: www.habr.com
