Iyo posvo inotsanangura matanho ekuita otomatiki manejimendi eSSL zvitupa kubva kushandisa ΠΈ AWS.
chishandiso chinozotitendera kushandisa iyi ficha. Inogona kushanda nezvitupa zveSSL kubva kuLet Encrypt, zvichengetedze muAmazon Certificate Manager, shandisa iyo Route53 API kuita iyo DNS-01 dambudziko, uye, pakupedzisira, kusundira zviziviso kuSNS. IN acme-dns-nzira53 Kune zvakare yakavakirwa-mukati mashandiro ekushandisa mukati meAWS Lambda, uye izvi ndizvo zvatinoda.
Ichi chinyorwa chakakamurwa kuita 4 zvikamu:
- kugadzira zip file;
- kugadzira basa reIAM;
- kugadzira lambda basa rinomhanya acme-dns-nzira53;
- kugadzira CloudWatch timer inokonzeresa basa kaviri pazuva;
Cherechedza: Usati watanga unoda kuisa ΠΈ
Kugadzira zip file
acme-dns-route53 yakanyorwa muGoLang uye inotsigira vhezheni isiri yakaderera pane 1.9.
Isu tinofanirwa kugadzira zip file ine binary acme-dns-route53 mukati. Kuti uite izvi unofanirwa kuisa acme-dns-route53 kubva kuGitHub repository uchishandisa rairo go install:
$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53Iyo binary yakaiswa mukati $GOPATH/bin directory. Ndokumbira utarise kuti panguva yekumisikidza takatsanangura nharaunda mbiri dzakashandurwa: GOOS=linux ΠΈ GOARCH=amd64. Vanojekesa kune Go compiler kuti inoda kugadzira bhinari yakakodzera Linux OS uye amd64 architecture - izvi ndizvo zvinomhanya paAWS.
AWS inotarisira kuti chirongwa chedu chishandiswe mu zip faira, saka ngatigadzire acme-dns-route53.zip archive iyo ichange iine ichangobva kuiswa binary:
$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53Cherechedza: Iyo bhinari inofanirwa kunge iri mumudzi we zip archive. Nokuda kweizvi tinoshandisa -j mureza.
Ikozvino zita redu rezita rezip rakagadzirira kutumirwa, chasara kugadzira chikamu nekodzero dzinodiwa.
Kugadzira basa reIAM
Isu tinofanirwa kumisa basa reIAM nekodzero dzinodiwa nelambda yedu panguva yekuitwa kwayo.
Ngatidaidze mutemo uyu lambda-acme-dns-route53-executor uye pakarepo mupe basa rinokosha AWSLambdaBasicExecutionRole. Izvi zvinobvumira lambda yedu kumhanya uye kunyora matanda kune iyo AWS CloudWatch sevhisi.
Kutanga, tinogadzira faira reJSON rinotsanangura kodzero dzedu. Izvi zvinonyatso bvumidza lambda masevhisi kushandisa iro basa lambda-acme-dns-route53-executor:
$ touch ~/lambda-acme-dns-route53-executor-policy.jsonZviri mufaira redu ndezvizvi:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream"
],
"Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
"cloudwatch:PutMetricData",
"acm:ImportCertificate",
"acm:ListCertificates"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"sns:Publish",
"route53:GetChange",
"route53:ChangeResourceRecordSets",
"acm:ImportCertificate",
"acm:DescribeCertificate"
],
"Resource": [
"arn:aws:sns:${var.region}:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
"arn:aws:route53:::hostedzone/*",
"arn:aws:route53:::change/*",
"arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
]
}
]
}Zvino ngatimhanyei murairo aws iam create-role kugadzira basa:
$ aws iam create-role --role-name lambda-acme-dns-route53-executor
--assume-role-policy-document ~/lambda-acme-dns-route53-executor-policy.jsonCherechedza: yeuka mutemo ARN (Amazon Resource Name) - isu tichaida mumatanho anotevera.
Basa lambda-acme-dns-route53-executor yakagadzirwa, ikozvino tinoda kutsanangura zvibvumirano zvayo. Nzira iri nyore yekuita izvi ndeye kushandisa murairo aws iam attach-role-policy, kupfuudza mutemo ARN AWSLambdaBasicExecutionRole sezvinotevera:
$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRoleCherechedza: rondedzero ine mamwe marongero anogona kuwanikwa .
Kugadzira lambda basa rinomhanya acme-dns-nzira53
Hooray! Iye zvino unogona kuendesa basa redu kuAWS uchishandisa murairo aws lambda create-function. Iyo lambda inofanirwa kugadzirwa uchishandisa anotevera nharaunda siyana:
AWS_LAMBDA- inojekesa acme-dns-nzira53 kuti kuuraya kunoitika mukati meAWS Lambda.DOMAINS- rondedzero yemadomasi akapatsanurwa nemakoma.LETSENCRYPT_EMAIL- rine .NOTIFICATION_TOPIC- zita reSNS Notification Topic (sarudzo).STAGING- pamutengo1nzvimbo yekutandarira inoshandiswa.1024MB - ndangariro muganhu, inogona kuchinjwa.900secs (15 min) - nguva yekupera.acme-dns-route53- zita rebhinari yedu, iri mudura.fileb://~/acme-dns-route53.zip- nzira inoenda kudura yatakagadzira.
Zvino ngatishandisei:
$ aws lambda create-function
--function-name acme-dns-route53
--runtime go1.x
--role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor
--environment Variables="{AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",[email protected],STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}"
--memory-size 1024
--timeout 900
--handler acme-dns-route53
--zip-file fileb://~/acme-dns-route53.zip
{
"FunctionName": "acme-dns-route53",
"LastModified": "2019-05-03T19:07:09.325+0000",
"RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558",
"MemorySize": 1024,
"Environment": {
"Variables": {
"DOMAINS": "example1.com,example2.com",
"STAGING": "1",
"LETSENCRYPT_EMAIL": "[email protected]",
"NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
"AWS_LAMBDA": "1"
}
},
"Version": "$LATEST",
"Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor",
"Timeout": 900,
"Runtime": "go1.x",
"TracingConfig": {
"Mode": "PassThrough"
},
"CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=",
"Description": "",
"CodeSize": 8456317,
"FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53",
"Handler": "acme-dns-route53"
}Kugadzira CloudWatch timer inokonzeresa basa kaviri pazuva
Nhanho yekupedzisira ndeyekumisikidza cron, inodaidza basa redu kaviri pazuva:
- gadzira mutemo we CloudWatch uine kukosha
schedule_expression. - gadzira chinangwa chekutonga (chinofanira kuitwa) nekutsanangura iyo ARN yebasa re lambda.
- ipa mvumo kumutemo wekudaidza basa re lambda.
Pazasi ini ndakabatanidza yangu Terraform config, asi kutaura zvazviri izvi zvinoitwa zviri nyore kushandisa AWS console kana AWS CLI.
# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
name = "acme-dns-route53-issuer-scheduler"
schedule_expression = "cron(0 */12 * * ? *)"
}
# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
arn = "${aws_lambda_function.acme_dns_route53.arn}"
}
# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
principal = "events.amazonaws.com"
source_arn = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}Iye zvino wakagadzirirwa kugadzira otomatiki uye kugadzirisa SSL zvitupa
Source: www.habr.com