Automating Let's Encrypt SSL certificate management with the DNS-01 challenge and AWS

This article describes the steps to automate SSL certificate management from the Let's Encrypt CA using the DNS-01 challenge and AWS.

acme-dns-route53 is a tool that can help us with this. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to complete the DNS-01 challenge and, finally, push notifications to SNS. acme-dns-route53 also has built-in functionality for running inside AWS Lambda, and that is exactly what we need.

The article is divided into 4 parts:

  • creating the zip file;
  • creating the IAM role;
  • creating the lambda function that runs acme-dns-route53;
  • creating a CloudWatch timer that triggers the function twice a day.

Note: before starting you need to install GoLang 1.9+ and the AWS CLI

Creating the zip file

acme-dns-route53 is written in GoLang and requires version 1.9 or later.

We need to create a zip file with the acme-dns-route53 binary inside. To do this, install acme-dns-route53 from the GitHub repository using the go install command:

$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53

The binary is placed in the $GOPATH/bin directory. Note that during installation we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler explicitly that it must build a binary for the Linux OS and the amd64 architecture, which is what runs on AWS.
AWS expects our program to be packed into a zip file, so let's create the acme-dns-route53.zip archive containing the freshly installed binary:

$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53

Note: the binary must be at the root of the zip archive. We use the -j flag for this.

Now our zip archive is ready to be deployed; what remains is to create a role with the necessary permissions.

Creating the IAM role

We need to set up an IAM role with the permissions our lambda requires during execution.
Let's call this role lambda-acme-dns-route53-executor and immediately attach the AWSLambdaBasicExecutionRole managed policy to it. This will allow our lambda to run and write logs to the AWS CloudWatch service.
First, we create a JSON file describing our permissions. This will allow lambda functions to use the lambda-acme-dns-route53-executor role:

$ touch ~/lambda-acme-dns-route53-executor-policy.json

The contents of our file are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "cloudwatch:PutMetricData",
                "acm:ImportCertificate",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:${var.region}:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                "arn:aws:route53:::hostedzone/*",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

Now let's run the aws iam create-role command to create the role:

$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
    --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json

Note: remember the role ARN (Amazon Resource Name), we will need it later.

The lambda-acme-dns-route53-executor role has been created; now we need to define its permissions. The simplest way to do this is with the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole managed policy, as follows:

$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Note: the list of other managed policies can be found here.
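A caveat for this step: the JSON above is a permissions policy, whereas the --assume-role-policy-document parameter of aws iam create-role expects a trust policy (a document with a Principal that allows sts:AssumeRole); the permissions are attached to the role separately, for example with aws iam put-role-policy --policy-document. The Python below is an added example, not code from the article or from the acme-dns-route53 project: it defines that trust policy, fills the <AWS_REGION>, <AWS_ACCOUNT_ID> and <TOPIC_NAME> placeholders, and lints a trimmed, constructed copy of the permissions policy, flagging the ${var.region} interpolation and the duplicated acm:ImportCertificate grant that the policy above carries, as well as write actions allowed on Resource "*".

```python
import json
import re

# Trust policy: what create-role's --assume-role-policy-document expects (who may assume the role).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed sample: a trimmed copy of the permissions policy, keeping the
# statements that carry a Terraform interpolation and a duplicated grant.
SAMPLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "acm:ImportCertificate"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["sns:Publish", "acm:ImportCertificate"],
         "Resource": ["arn:aws:sns:${var.region}:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                      "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"]},
    ],
}

def render(doc: dict, values: dict) -> dict:
    """Fill <NAME> placeholders from `values`; anything else is left untouched."""
    text = re.sub(r"<([A-Z_]+)>", lambda m: values[m.group(1)], json.dumps(doc))
    return json.loads(text)

def lint_permissions_policy(doc: dict) -> list:
    """Findings a reviewer would raise before attaching the policy to the role."""
    findings, first_seen = [], {}
    for i, st in enumerate(doc["Statement"]):
        if "Principal" in st:
            findings.append(f"statement {i}: Principal belongs in the trust policy")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for action in actions:
            if action in first_seen:
                findings.append(f"statement {i}: {action} already granted in statement {first_seen[action]}")
            first_seen.setdefault(action, i)
            # Read-only actions are acceptable on '*'; write actions should be scoped to ARNs.
            if "*" in resources and not action.partition(":")[2].startswith(("List", "Describe", "Get")):
                findings.append(f"statement {i}: {action} is allowed on every resource")
        for res in resources:
            if "${" in res or re.search(r"<[A-Z_]+>", res):
                findings.append(f"statement {i}: unresolved placeholder in {res}")
    return findings
```

Write TRUST_POLICY to the file passed to create-role and the rendered, lint-clean permissions policy to the one passed to put-role-policy; the AWSLambdaBasicExecutionRole attachment stays as in the article.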

Creating the lambda function that runs acme-dns-route53

Hooray! Now we can deploy our function to AWS using the aws lambda create-function command. The lambda must be configured with the following parameters:

  • AWS_LAMBDA - tells acme-dns-route53 that it is being executed inside AWS Lambda.
  • DOMAINS - a comma-separated list of domains.
  • LETSENCRYPT_EMAIL - the Let's Encrypt email.
  • NOTIFICATION_TOPIC - the name of the SNS Notification Topic (optional).
  • STAGING - with the value 1, the staging environment is used.
  • 1024 MB - the memory limit, can be changed.
  • 900 seconds (15 min) - the timeout.
  • acme-dns-route53 - the name of our binary inside the archive.
  • fileb://~/acme-dns-route53.zip - the path to the archive we created.

Now let's deploy:

$ aws lambda create-function \
    --function-name acme-dns-route53 \
    --runtime go1.x \
    --role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor \
    --environment 'Variables={AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",LETSENCRYPT_EMAIL=<LETSENCRYPT_EMAIL>,STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}' \
    --memory-size 1024 \
    --timeout 900 \
    --handler acme-dns-route53 \
    --zip-file fileb://~/acme-dns-route53.zip

 {
     "FunctionName": "acme-dns-route53", 
     "LastModified": "2019-05-03T19:07:09.325+0000", 
     "RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558", 
     "MemorySize": 1024, 
     "Environment": {
         "Variables": {
            "DOMAINS": "example1.com,example2.com", 
            "STAGING": "1", 
            "LETSENCRYPT_EMAIL": "<LETSENCRYPT_EMAIL>", 
            "NOTIFICATION_TOPIC": "acme-dns-route53-obtained", 
            "AWS_LAMBDA": "1"
         }
     }, 
     "Version": "$LATEST", 
     "Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor", 
     "Timeout": 900, 
     "Runtime": "go1.x", 
     "TracingConfig": {
         "Mode": "PassThrough"
     }, 
     "CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=", 
     "Description": "", 
     "CodeSize": 8456317,
     "FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53", 
     "Handler": "acme-dns-route53"
 }

Creating a CloudWatch timer that triggers the function twice a day

The last step is to set up a cron that calls our function twice a day:

  • create a CloudWatch rule with a schedule_expression value;
  • create the rule's target (what should be executed) by specifying the ARN of the lambda function;
  • grant the rule permission to invoke the lambda function.

Below I've included my Terraform configuration, but in fact this can also be done using the AWS console or the AWS CLI.

# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
  name                = "acme-dns-route53-issuer-scheduler"
  schedule_expression = "cron(0 */12 * * ? *)"
}

# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
  rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
  arn  = "${aws_lambda_function.acme_dns_route53.arn}"
}

# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}

Now you are set up to obtain and renew SSL certificates automatically.

Source: www.habr.com
