This post describes a way to automate the management of SSL certificates from
The article is divided into 4 parts:
- creating the zip file;
- creating the IAM role;
- creating the lambda function that runs acme-dns-route53;
- creating the CloudWatch timer that triggers the function twice a day.
Note: before you begin, you need to install
Creating the zip file
acme-dns-route53 is written in Go and supports Go 1.9 or later.
We need to build a zip file with the acme-dns-route53 binary inside. To do this, install acme-dns-route53 from its GitHub repository with the go install command:
$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53
The binary is placed in the $GOPATH/bin directory. Note that during the build we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler explicitly to produce a binary for the Linux OS and the amd64 architecture, which is what runs on AWS.
AWS expects our program to be packaged in a zip file, so let's create the acme-dns-route53.zip archive containing the freshly built binary:
$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53
Note: the binary must be at the root of the zip archive; that is what the -j flag is for.
Now our zip archive is ready to upload; all that remains is to create a role with the required permissions.
Creating the IAM role
We need to set up an IAM role with the permissions our lambda needs while it runs.
Let's call this role lambda-acme-dns-route53-executor and immediately attach the basic AWSLambdaBasicExecutionRole policy to it. This will allow our lambda to run and write logs to the AWS CloudWatch service.
First, we create a JSON file that describes our permissions. This will allow lambda functions to use the lambda-acme-dns-route53-executor role:
$ touch ~/lambda-acme-dns-route53-executor-policy.json
The contents of our file are as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogStream"
      ],
      "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "cloudwatch:PutMetricData",
        "acm:ImportCertificate",
        "acm:ListCertificates"
      ],
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "sns:Publish",
        "route53:GetChange",
        "route53:ChangeResourceRecordSets",
        "acm:ImportCertificate",
        "acm:DescribeCertificate"
      ],
      "Resource": [
        "arn:aws:sns:${var.region}:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
        "arn:aws:route53:::hostedzone/*",
        "arn:aws:route53:::change/*",
        "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
      ]
    }
  ]
}
Now let's run the aws iam create-role command to create the role:
$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
    --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json
Note: remember the role's ARN (Amazon Resource Name); we will need it later.
The lambda-acme-dns-route53-executor role has been created; now we need to define its permissions. The easiest way to do this is with the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole policy like this:
$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Note: a list of other policies can be found
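A check worth running before the two IAM commands above, added here as an example and not part of the original post: it confirms that the document given to --assume-role-policy-document is a trust policy (one that names a Principal and allows sts:AssumeRole, which is what lets the Lambda service assume the role) and lints the permissions policy for unresolved placeholders and for mutating actions granted on Resource "*". The trust policy and the policy excerpt are constructed from the post's values; the function names are my own.

```python
import re

# Constructed trust policy: the document --assume-role-policy-document expects.
# It lets the Lambda service assume the role; it grants no API permissions.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

# Excerpt of the permissions policy from the post, placeholders left unresolved.
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["route53:ListHostedZones", "cloudwatch:PutMetricData",
                "acm:ImportCertificate", "acm:ListCertificates"]},
    {"Effect": "Allow", "Action": ["sns:Publish", "route53:ChangeResourceRecordSets"],
     "Resource": ["arn:aws:sns:${var.region}:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                  "arn:aws:route53:::hostedzone/*"]}]}

PLACEHOLDER = re.compile(r"<[A-Z_]+>|\$\{[^}]+\}")   # <AWS_ACCOUNT_ID>, ${var.region}
SCOPED_SERVICES = ("acm:", "route53:", "sns:")       # services that accept resource ARNs
WRITE_VERBS = ("Change", "Put", "Import", "Publish")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_trust_policy(doc):
    """True if every statement allows sts:AssumeRole to a named Principal."""
    stmts = _as_list(doc.get("Statement", []))
    return bool(stmts) and all(
        "Principal" in s and "sts:AssumeRole" in _as_list(s.get("Action"))
        for s in stmts)

def lint_permissions(doc):
    """Return human-readable findings; an empty list means the policy is clean."""
    findings = []
    for i, s in enumerate(_as_list(doc.get("Statement", []))):
        resources = _as_list(s.get("Resource", []))
        actions = _as_list(s.get("Action", []))
        for r in resources:
            for ph in PLACEHOLDER.findall(r):
                findings.append(f"statement {i}: unresolved placeholder {ph} in {r}")
        # Mutating actions on services that accept ARNs should not be granted on "*".
        writes = [a for a in actions if a.startswith(SCOPED_SERVICES)
                  and a.split(":", 1)[1].startswith(WRITE_VERBS)]
        if writes and "*" in resources:
            findings.append(f"statement {i}: {writes} granted on Resource '*'")
    return findings

if __name__ == "__main__":
    print("trust policy ok:", is_trust_policy(TRUST_POLICY))
    print("\n".join(lint_permissions(PERMISSIONS_POLICY)))
```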
Creating the lambda function that runs acme-dns-route53
Hooray! Now we can upload our function to AWS using the aws lambda create-function command. The lambda must be configured with the following parameters:
- AWS_LAMBDA - tells acme-dns-route53 explicitly that this execution is happening inside AWS Lambda.
- DOMAINS - a comma-separated list of domains.
- LETSENCRYPT_EMAIL - contains the Let's Encrypt e-mail address.
- NOTIFICATION_TOPIC - the name of the SNS notification topic (optional).
- STAGING - with the value 1 the staging environment is used.
- 1024 MB - the memory limit; it can be changed.
- 900 seconds (15 min) - the timeout.
- acme-dns-route53 - the name of our binary, located in the archive.
- fileb://~/acme-dns-route53.zip - the path to the archive we created.
Now let's deploy:
$ aws lambda create-function \
    --function-name acme-dns-route53 \
    --runtime go1.x \
    --role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor \
    --environment 'Variables={AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",LETSENCRYPT_EMAIL=[email protected],STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}' \
    --memory-size 1024 \
    --timeout 900 \
    --handler acme-dns-route53 \
    --zip-file fileb://~/acme-dns-route53.zip
{
  "FunctionName": "acme-dns-route53",
  "LastModified": "2019-05-03T19:07:09.325+0000",
  "RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558",
  "MemorySize": 1024,
  "Environment": {
    "Variables": {
      "DOMAINS": "example1.com,example2.com",
      "STAGING": "1",
      "LETSENCRYPT_EMAIL": "[email protected]",
      "NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
      "AWS_LAMBDA": "1"
    }
  },
  "Version": "$LATEST",
  "Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor",
  "Timeout": 900,
  "Runtime": "go1.x",
  "TracingConfig": {
    "Mode": "PassThrough"
  },
  "CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=",
  "Description": "",
  "CodeSize": 8456317,
  "FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53",
  "Handler": "acme-dns-route53"
}
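A post-deployment check, added as an example (not code from the original post or from acme-dns-route53): it compares the create-function output with the values passed on the command line. Note that the output above reports STAGING as "1" while the command set it to 0; a function running with STAGING=1 imports Let's Encrypt staging certificates into ACM, which browsers do not trust. The output excerpt is a constructed copy with a placeholder e-mail, and the function name check_deployment is my own.

```python
import json

# Constructed excerpt of the JSON that aws lambda create-function printed above;
# the e-mail is a placeholder, the other values are the ones shown in the post.
CREATE_FUNCTION_OUTPUT = json.loads("""{
  "FunctionName": "acme-dns-route53",
  "MemorySize": 1024,
  "Environment": {"Variables": {
    "DOMAINS": "example1.com,example2.com",
    "STAGING": "1",
    "LETSENCRYPT_EMAIL": "ops@example.com",
    "NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
    "AWS_LAMBDA": "1"}},
  "Timeout": 900,
  "Runtime": "go1.x",
  "Handler": "acme-dns-route53"
}""")

# What the create-function command line in the post asked for.
INTENDED_ENV = {"AWS_LAMBDA": "1", "STAGING": "0",
                "DOMAINS": "example1.com,example2.com",
                "NOTIFICATION_TOPIC": "acme-dns-route53-obtained"}
MAX_TIMEOUT = 900          # Lambda's hard limit, 15 minutes

def check_deployment(output, intended_env=INTENDED_ENV):
    """Return findings where the deployed config differs from what was intended;
    STAGING=1 matters most: it imports staging certificates browsers do not trust."""
    env = output.get("Environment", {}).get("Variables", {})
    findings = []
    for key, wanted in intended_env.items():
        if env.get(key) != wanted:
            findings.append(f"{key}: intended {wanted!r}, deployed {env.get(key)!r}")
    domains = [d.strip() for d in env.get("DOMAINS", "").split(",") if d.strip()]
    if not domains:
        findings.append("DOMAINS is empty: no certificate will be requested")
    if "@" not in env.get("LETSENCRYPT_EMAIL", ""):
        findings.append("LETSENCRYPT_EMAIL is not an e-mail address")
    if output.get("Timeout", 0) > MAX_TIMEOUT:
        findings.append(f"Timeout {output['Timeout']} exceeds the {MAX_TIMEOUT}s limit")
    if output.get("Runtime") == "go1.x":
        # AWS retired the go1.x runtime at the end of 2023; new deployments use
        # provided.al2 or provided.al2023 with a "bootstrap" handler.
        findings.append("Runtime go1.x is retired; rebuild for provided.al2023")
    return findings

if __name__ == "__main__":
    for finding in check_deployment(CREATE_FUNCTION_OUTPUT):
        print(finding)
```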
Creating the CloudWatch timer that triggers the function twice a day
The last thing is to set up a cron that calls our function twice a day:
- create a CloudWatch rule with a schedule_expression value;
- create a rule target (what should be executed), specifying the ARN of the lambda function;
- grant the rule permission to invoke the lambda function.
Below I have included my Terraform configuration, but essentially the same is done through the AWS console or the AWS CLI.
# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
  name                = "acme-dns-route53-issuer-scheduler"
  schedule_expression = "cron(0 */12 * * ? *)"
}

# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
  rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
  arn  = "${aws_lambda_function.acme_dns_route53.arn}"
}

# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}
Now you are set up to obtain and renew SSL certificates automatically.
Source: www.habr.com