αααααΆααα·αααααΆα’αααΈααα αΆαααΎααααΈααααΎα±ααααΆαααααααααααα·ααααΆαααααα SSL αααααααααααααααα·
α’ααααααααα ααα ααααΆ α€ αααααα
- αααααΎαα―αααΆα zip;
- αααααΎααα½ααΆααΈ IAM;
- αααααΎααα»αααΆα lambda αααααααΎαααΆα acme-dns-route53;
- αααααΎααααααα·ααΈααααααααα CloudWatch αααααααα±ααααΆααα»αααΆα 2 αααααα»ααα½αααααα
α
αααΆα: αα»ααααα’αααα
αΆααααααΎαα’αααααααΌαααα‘αΎα
ααΆααααααΎαα―αααΆα zip
acme-dns-route53 ααααΌαααΆααααααααΆ GoLang αα·αααΆαααααααααα·αααΆαααΆα 1.9 ααα
ααΎαααααΌααααααΎαα―αααΆα zip ααΆαα½ααααααααααααααΈα acme-dns-route53
ααΆααααα»αα ααΎααααΈααααΎααΌα
αααα’αααααααΌαααα‘αΎα acme-dns-route53
ααΈααααΆαα GitHub αααααααΎααΆααααααααΆ go install
:
$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53
αααααααααααααΈαααααΌαααΆαααα‘αΎααα
αααα»α $GOPATH/bin
ααα ααΌαα
αααΆαααΆααα‘α»ααααααα‘αΎα ααΎαααΆααααααΆααααα·ααΆααΆααααααΆαααααΆααααααΌαααΈαα GOOS=linux
ΠΈ GOARCH=amd64
. αα½αααααααΎα±ααααΆα
αααΆααα
ααααα’αααα
ααααα Go ααΆααΆααααΌαααΆααααααΎααααααααααααααΈαααααααααααααααΆαα Linux OS αα·αααααΆαααααααα amd64 - αααααΊααΆα’αααΈαααααααΎαααΆαααΎ AWS α
AWS ααααΉαααΆαααααα·ααΈααααααΎαααΉαααααΌαααΆαααΆαααααααΆααααα»αα―αααΆα zip ααΌα
ααααααΌααααααΎα acme-dns-route53.zip
ααααααΆααααααΉαααΆααααααααααααααΈααααααΆαααα‘αΎαααααΈα
$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53
α
αααΆα: αααααααααααααΈααα½ααααααα·ααα
αααα»αα«ααααααααααΆαα ααααΈαα αααααΆααααΏααααααΎαααααΎ -j
αααααΆαα·α
α₯α‘αΌαααααααααα α αααα zip ααααααΎαααΊαα½α ααΆαααααααΆααααΆαααΆαααααααΆα α αΎαα’αααΈααααα ααααααααΊααΎααααΈαααααΎααα½ααΆααΈααΆαα½αααΉααα·αααα·α αΆαααΆα αα
ααΆααααααΎααα½ααΆααΈ IAM
ααΎαααααΌααααα
ααα½ααΆααΈ IAM ααΆαα½αααΉααα·αααα·αααααΆαααΆαααα lambda ααααααΎαααα‘α»ααααααααα·ααααα·ααααααΆα
αααα α
αααααΆααααααα lambda-acme-dns-route53-executor
α αΎααααααα±ααααΆαααΌααα½ααΆααΈααΆααΌαααααΆαααααΆαα AWSLambdaBasicExecutionRole
. ααΆααΉαα’αα»ααααΆαα±αα lambda ααααααΎαααααΎαααΆα αα·αααααααααααα ααα»αα
ααΆααααααΆαααα AWS CloudWatch α
ααααΌα ααΎααααααΎαα―αααΆα JSON ααααα·αααααΆα’αααΈαα·αααα·ααααααΎαα αααααΉαα’αα»ααααΆαα±ααααααΆαααα lambda ααααΎααααΆαααα½ααΆααΈαααΆαααααΆαα lambda-acme-dns-route53-executor
:
$ touch ~/lambda-acme-dns-route53-executor-policy.json
ααααΉαααΆαααα―αααΆαααααααΎαααΆαααΌα ααΆααααααα
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream"
],
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"cloudwatch:PutMetricData",
"acm:ImportCertificate",
"acm:ListCertificates"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"sns:Publish",
"route53:GetChange",
"route53:ChangeResourceRecordSets",
"acm:ImportCertificate",
"acm:DescribeCertificate"
],
"Resource": [
"arn:aws:sns:${var.region}:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
"arn:aws:route53:::hostedzone/*",
"arn:aws:route53:::change/*",
"arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
]
}
]
}
α₯α‘αΌααααααΌαααααΎαααΆαααΆααααααααΆ aws iam create-role
ααΎααααΈαααααΎααα½ααΆααΈα
$ aws iam create-role --role-name lambda-acme-dns-route53-executor
--assume-role-policy-document ~/lambda-acme-dns-route53-executor-policy.json
α αααΆα: α αα αΆααααααΆααα ARN (αααααααααΆα Amazon) - ααΎαααΉαααααΌαααΆαααΆαα ααα αΆααααααΆααα
αα½ααΆααΈαααα lambda-acme-dns-route53-executor
ααΆααααααΎαα₯α‘αΌαααα ααΎαααααΌααααααΆααααΆαα’αα»ααααΆααααααΆααααΆα αααααααΆαααΆααααα½ααααα»αααΎααααΈααααΎααΆααΊααααΎααΆααααααααΆ aws iam attach-role-policy
ααααααααΆαα’αα»ααα ARN AWSLambdaBasicExecutionRole
ααΌα
ααααααα:
$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
α
αααΆα: αααααΈαααααΆααααααΆαααααααααααα’αΆα
ααααΆα
ααΆααααααΎααα»αααΆα lambda αααααααΎαααΆα acme-dns-route53
α ααΊα! α₯α‘αΌααααα’αααα’αΆα
ααΆαααα»αααΆαααααααΎααα
AWS αααααααΎααΆααααααααΆ aws lambda create-function
. lambda ααααΌαααααααααα
ααΆαααααααααααααααΎα’αααααα·ααααΆαααΆααααααα
AWS_LAMBDA
- ααααΎα±ααααΆα αααΆαα acme-dns-route53 ααΆαααααα·ααααα·αααααΎαα‘αΎααα αααα»α AWS Lambda αDOMAINS
- αααααΈαααααααααααααααααααααΆααααααLETSENCRYPT_EMAIL
- ααΆαααα α’αα·αααααΈα α’ααΈααα .NOTIFICATION_TOPIC
- ααααααααααΆαααααΆαααΌαααααΉα SNS (ααΆαααααΎα)αSTAGING
- αα ααααα1
ααα·ααΆααΆαααααΆααααΆαααααΌαααΆαααααΎα1024
MB - ααααααααα’αααα αα αΆα, α’αΆα ααααΆααααααΌαααΆαα900
αα·ααΆααΈ (15 ααΆααΈ) - α’ααααααacme-dns-route53
- ααααααααααααααααααααααΈαααααααΎα αααααΆααα αααα»ααααααααΆααfileb://~/acme-dns-route53.zip
- ααααΌααα ααΆααααααααΆααααααΎαααΆααααααΎαα
α₯α‘αΌααααααΆαααααααΆαα
$ aws lambda create-function
--function-name acme-dns-route53
--runtime go1.x
--role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor
--environment Variables="{AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",[email protected],STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}"
--memory-size 1024
--timeout 900
--handler acme-dns-route53
--zip-file fileb://~/acme-dns-route53.zip
{
"FunctionName": "acme-dns-route53",
"LastModified": "2019-05-03T19:07:09.325+0000",
"RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558",
"MemorySize": 1024,
"Environment": {
"Variables": {
"DOMAINS": "example1.com,example2.com",
"STAGING": "1",
"LETSENCRYPT_EMAIL": "[email protected]",
"NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
"AWS_LAMBDA": "1"
}
},
"Version": "$LATEST",
"Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor",
"Timeout": 900,
"Runtime": "go1.x",
"TracingConfig": {
"Mode": "PassThrough"
},
"CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=",
"Description": "",
"CodeSize": 8456317,
"FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53",
"Handler": "acme-dns-route53"
}
αααααΎααααααα·ααΈααααααααα CloudWatch αααα αΆααααααΎααα»αααΆα 2 αααααα»ααα½ααααα
ααα αΆαα α»ααααααααΊααααΌαααα‘αΎα cron αααα α αα»αααΆαααααααΎαααΈααααααα»ααα½αααααα
- αααααΎαα
αααΆαα CloudWatch ααΆαα½αααΉαααααα
schedule_expression
. - αααααΎαβαααβαα βα αααΆαα (α’αααΈβαααβαα½αβααααΌαβααΆαβααααα·ααααα·) αααβαααααΆαα ARN ααβαα»αααΆα lambda α
- αααααααΆαα’αα»ααααΆαα±ααα αααΆααααΎααααΈα α αα»αααΆα lambda α
ααΆααααααααααααα»αααΆαααααΆαα Terraform config αααααααα»α ααα»ααααααΆααα·αααΆααααΌαααΆαααααΎαααΆαααΆαααααααααααΎαα»αααΌα AWS α¬ AWS CLIα
# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
name = "acme-dns-route53-issuer-scheduler"
schedule_expression = "cron(0 */12 * * ? *)"
}
# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
arn = "${aws_lambda_function.acme_dns_route53.arn}"
}
# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
principal = "events.amazonaws.com"
source_arn = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}
α₯α‘αΌααααα’αααααααΌαααΆαααααααα ααΆααααααααααΎααααΈαααααΎα αα·αααααΎαα αα α»ααααααααΆααα·ααααΆαααααα SSL αααααααααααααααα·
ααααα: www.habr.com