Ko te pou e whakaatu ana i nga huarahi ki te whakahaere aunoa i nga tiwhikete SSL mai i whakamahi ana и AWS.
he taputapu ka taea e tatou te whakatinana i tenei ahuatanga. Ka taea e ia te mahi me nga tiwhikete SSL mai i Let's Encrypt, tiakina i roto i te Kaiwhakahaere Tiwhikete Amazon, whakamahia te Route53 API ki te whakatinana i te wero DNS-01, a, ka mutu, pana whakamohiotanga ki SNS. IN acme-dns-route53 He mahi hanga-i roto ano hei whakamahi i roto i te AWS Lambda, koinei te mea e hiahiatia ana e matou.
Kua wehea tenei tuhinga kia 4 nga waahanga:
- te hanga kōnae kōtui;
- te hanga mahi IAM;
- te hanga i te mahi lambda e rere ana acme-dns-route53;
- te hanga i te matawā CloudWatch e whakaoho ana i te mahi 2 nga wa ia ra;
Tuhipoka: I mua i to tiimata me whakauru koe и
Te hanga i te konae zip
Ko te acme-dns-route53 kua tuhia ki GoLang me te tautoko i te putanga kaua e iti iho i te 1.9.
Me hanga e tatou he konae zip me te rua acme-dns-route53 roto. Ki te mahi i tenei me whakauru koe acme-dns-route53 mai i te putunga GitHub ma te whakamahi i te whakahau go install:
$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53Kua whakauruhia te rua ki roto $GOPATH/bin whaiaronga. Kia mahara mai i te wa o te whakaurunga i tohua e matou nga taiao rereke e rua: GOOS=linux и GOARCH=amd64. Ka whakamaramatia e ratou ki te Kaihoko Haere me hanga he takirua e tika ana mo te Linux OS me te hoahoanga amd64 - koinei te mea e rere ana i runga i te AWS.
Ko te tumanako a AWS ka tukuna to tatou hotaka ki roto i te konae zip, no reira me hanga acme-dns-route53.zip pūranga kei roto te rua hou kua whakauruhia:
$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53Tuhipoka: Me noho te rua ki te putake o te puranga zip. Mo tenei ka whakamahia e matou -j haki.
Inaianei kua reri to tatou ingoa īngoa kōtui mo te tuku, ko te mea e toe ana ko te hanga mahi me nga mana tika.
Te hanga mahi IAM
Me whakarite he mahi IAM me nga tika e hiahiatia ana e to tatou lambda i te wa e mahia ana.
Karangatia tenei kaupapa here lambda-acme-dns-route53-executor ka hoatu tonu ki a ia he mahi taketake AWSLambdaBasicExecutionRole. Ma tenei ka taea e taatau lambda te whakahaere me te tuhi i nga raarangi ki te ratonga AWS CloudWatch.
Tuatahi, ka hangaia e matou he konae JSON e whakaatu ana i o maatau tika. Ma tenei ka taea e nga ratonga lambda te whakamahi i te mahi lambda-acme-dns-route53-executor:
$ touch ~/lambda-acme-dns-route53-executor-policy.jsonKo nga ihirangi o ta maatau konae e whai ake nei:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream"
],
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"cloudwatch:PutMetricData",
"acm:ImportCertificate",
"acm:ListCertificates"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"sns:Publish",
"route53:GetChange",
"route53:ChangeResourceRecordSets",
"acm:ImportCertificate",
"acm:DescribeCertificate"
],
"Resource": [
"arn:aws:sns:${var.region}:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
"arn:aws:route53:::hostedzone/*",
"arn:aws:route53:::change/*",
"arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
]
}
]
}Inaianei me whakahaere te whakahau aws iam create-role ki te hanga tūranga:
$ aws iam create-role --role-name lambda-acme-dns-route53-executor
--assume-role-policy-document ~/lambda-acme-dns-route53-executor-policy.jsonTuhipoka: mahara ki te kaupapa here ARN (Amazon Resource Name) - ka hiahia tatou i nga waahanga e whai ake nei.
Tuhinga o mua lambda-acme-dns-route53-executor i hangaia, inaianei me tohu whakaaetanga mo tera. Ko te huarahi ngawari ki te mahi i tenei ko te whakamahi i te whakahau aws iam attach-role-policy, haere kaupapa here ARN AWSLambdaBasicExecutionRole e whai ake nei:
$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRoleTuhipoka: ka kitea he rarangi me etahi atu kaupapa here .
Te hanga mahi lambda e rere ana acme-dns-route53
Hore! Inaianei ka taea e koe te tuku i ta maatau mahi ki te AWS ma te whakamahi i te whakahau aws lambda create-function. Me whirihora te lambda ma te whakamahi i nga taurangi taiao e whai ake nei:
AWS_LAMBDA- e whakamarama ana acme-dns-route53 ka puta taua mahi i roto i te AWS Lambda.DOMAINS— he rarangi rohe kua wehea e nga piko.LETSENCRYPT_EMAIL- kei roto .NOTIFICATION_TOPIC— te ingoa o te Kaupapa Whakamōhiotanga SNS (he kōwhiringa).STAGING- i te uara1Ka whakamahia te taiao whakaari.1024MB - te rohe mahara, ka taea te whakarereke.900hekona (15 min) — te waahi.acme-dns-route53— ko te ingoa o to tatou rua, kei roto i te puranga.fileb://~/acme-dns-route53.zip— te ara ki te puranga i hanga e matou.
Inaianei kia tohatohahia:
$ aws lambda create-function
--function-name acme-dns-route53
--runtime go1.x
--role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor
--environment Variables="{AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",[email protected],STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}"
--memory-size 1024
--timeout 900
--handler acme-dns-route53
--zip-file fileb://~/acme-dns-route53.zip
{
"FunctionName": "acme-dns-route53",
"LastModified": "2019-05-03T19:07:09.325+0000",
"RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558",
"MemorySize": 1024,
"Environment": {
"Variables": {
"DOMAINS": "example1.com,example2.com",
"STAGING": "1",
"LETSENCRYPT_EMAIL": "[email protected]",
"NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
"AWS_LAMBDA": "1"
}
},
"Version": "$LATEST",
"Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor",
"Timeout": 900,
"Runtime": "go1.x",
"TracingConfig": {
"Mode": "PassThrough"
},
"CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=",
"Description": "",
"CodeSize": 8456317,
"FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53",
"Handler": "acme-dns-route53"
}Ko te hanga i tetahi matawā CloudWatch e whakaoho ana i tetahi mahi 2 nga wa ia ra
Ko te mahi whakamutunga ko te whakarite cron, e karanga ana i ta maatau mahi e rua nga wa ia ra:
- hanga he ture CloudWatch me te uara
schedule_expression. - hangahia he taumata ture (he aha te mahi) ma te tohu i te ARN o te mahi lambda.
- tuku whakaaetanga ki te ture ki te karanga i te mahi lambda.
Kei raro nei kua taapirihia e au taku whirihora Terraform, engari ko te mea ka mahia tenei ma te whakamahi noa i te papatohu AWS, AWS CLI ranei.
# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
name = "acme-dns-route53-issuer-scheduler"
schedule_expression = "cron(0 */12 * * ? *)"
}
# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
arn = "${aws_lambda_function.acme_dns_route53.arn}"
}
# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
principal = "events.amazonaws.com"
source_arn = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}Inaianei kua whirihora koe ki te hanga aunoa me te whakahou i nga tiwhikete SSL
Source: will.com