Automating Let's Encrypt SSL certificate management using the DNS-01 challenge and AWS

This post describes the steps for automating SSL certificate management with the Let's Encrypt CA using the DNS-01 challenge and AWS.

acme-dns-route53 is the tool that lets us implement this. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to complete the DNS-01 challenge and, finally, push notifications to SNS. acme-dns-route53 also has built-in support for running inside AWS Lambda, which is exactly what we need.
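To make concrete what "using the Route53 API to complete the DNS-01 challenge" means for the Lambda, here is an added example (not code from the original post or from the acme-dns-route53 project) that computes the value the CA expects in the `_acme-challenge` TXT record (RFC 8555 §8.4 and the RFC 7638 JWK thumbprint) and builds the Route53 ChangeBatch that would write it; the account key and token are constructed sample values.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    JWK members, sorted lexicographically, serialized without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value the CA looks for in the _acme-challenge TXT record:
    base64url(SHA-256(token + "." + account-key thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())

def route53_change_batch(domain: str, txt_value: str, action: str = "UPSERT") -> dict:
    """ChangeBatch for the record the Lambda writes (UPSERT) and should remove
    afterwards (DELETE); this is the call route53:ChangeResourceRecordSets covers."""
    return {
        "Comment": "ACME DNS-01 challenge record",
        "Changes": [{
            "Action": action,
            "ResourceRecordSet": {
                "Name": f"_acme-challenge.{domain}.",
                "Type": "TXT",
                "TTL": 60,  # short TTL so the CA and the cleanup see changes quickly
                "ResourceRecords": [{"Value": f'"{txt_value}"'}],  # TXT data is quoted
            },
        }],
    }

# Constructed sample inputs: a fake RSA account key JWK and a sample challenge token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus-sample-only"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(json.dumps(route53_change_batch("example1.com", value), indent=2))
```

The DELETE variant matters for defenders too: leftover `_acme-challenge` records are a common sign of an automation that never cleaned up after itself.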

This article is divided into 4 sections:

  • creating the zip file;
  • creating the IAM role;
  • creating the lambda function that runs acme-dns-route53;
  • creating the CloudWatch timer that triggers the function 2 times a day;

Note: before you start you need to install GoLang 1.9+ and the AWS CLI

Creating the zip file

acme-dns-route53 is written in GoLang and supports versions no lower than 1.9.

We need to create a zip file with the acme-dns-route53 binary inside. To do this, install acme-dns-route53 from the GitHub repository using the go install command:

$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53

The binary is installed into the $GOPATH/bin directory. Note that during installation we specified two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler to build a binary for the Linux OS and the amd64 architecture, which is what runs on AWS.
AWS expects our program to be packaged as a zip file, so let's create the acme-dns-route53.zip archive containing the freshly installed binary:

$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53

Note: the binary must be at the root of the zip archive. For this we use the -j flag.

Now our zip archive is ready to be uploaded; what remains is to create a role with the necessary permissions.

Creating the IAM role

We need to create an IAM role with the permissions our lambda requires while it runs.
Let's name it lambda-acme-dns-route53-executor and immediately give it the basic AWSLambdaBasicExecutionRole role. This will allow our lambda to run and write logs to the AWS CloudWatch service.
First, we create a JSON file describing our permissions. This will allow the lambda service to use the lambda-acme-dns-route53-executor role:

$ touch ~/lambda-acme-dns-route53-executor-policy.json

The contents of our file are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "cloudwatch:PutMetricData",
                "acm:ImportCertificate",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                "arn:aws:route53:::hostedzone/*",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

Now let's run the aws iam create-role command to create the role:

$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
  --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json

Note: remember the policy ARN (Amazon Resource Name); we will need it in the following steps.

The lambda-acme-dns-route53-executor role has been created; now we need to assign permissions to it. The simplest way to do this is the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole policy as follows:

$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Note: a list of other policies can be found here.
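As an added example (not part of the original post or of the acme-dns-route53 project), the following Python renders the permission policy above with its placeholders filled in, narrows the Route53 resources to specific hosted zone IDs instead of hostedzone/*, drops the duplicate acm:ImportCertificate grant on "*" that otherwise makes the scoped ACM statement pointless, and lints any policy for write actions granted on "*". The region, account, topic and zone ID values are constructed.

```python
# Actions from the post's policy that change state; granting them on
# Resource "*" deserves a second look. (List constructed for this example.)
WRITE_ACTIONS = {
    "route53:ChangeResourceRecordSets", "acm:ImportCertificate", "sns:Publish",
}

def build_policy(region: str, account: str, topic: str, zone_ids: list) -> dict:
    """Return the post's permission policy with placeholders filled in and
    Route53/SNS/ACM resources scoped to the given zones, topic and account."""
    zone_arns = [f"arn:aws:route53:::hostedzone/{z}" for z in zone_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["logs:CreateLogGroup"],
             "Resource": f"arn:aws:logs:{region}:{account}:*"},
            {"Effect": "Allow",
             "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
             "Resource": f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/acme-dns-route53:*"},
            # List/metric calls have no resource-level ARN, so "*" is unavoidable,
            # but only read-only actions belong in this statement.
            {"Effect": "Allow",
             "Action": ["route53:ListHostedZones", "cloudwatch:PutMetricData",
                        "acm:ListCertificates"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["sns:Publish", "route53:GetChange",
                        "route53:ChangeResourceRecordSets",
                        "acm:ImportCertificate", "acm:DescribeCertificate"],
             "Resource": [f"arn:aws:sns:{region}:{account}:{topic}",
                          *zone_arns,
                          "arn:aws:route53:::change/*",
                          f"arn:aws:acm:{region}:{account}:certificate/*"]},
        ],
    }

def wildcard_writes(policy: dict) -> list:
    """List the write actions that an Allow statement grants on Resource '*'."""
    found = []
    for statement in policy["Statement"]:
        resources = statement.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if statement.get("Effect") == "Allow" and "*" in resources:
            found += [a for a in statement.get("Action", []) if a in WRITE_ACTIONS]
    return found

if __name__ == "__main__":
    import json
    policy = build_policy("us-east-1", "123456789012", "acme-dns-route53-obtained", ["Z0EXAMPLE"])
    print(json.dumps(policy, indent=4), "\nwildcard writes:", wildcard_writes(policy))
```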

Creating the lambda function that runs acme-dns-route53

Hooray! Now you can deploy our function to AWS using the aws lambda create-function command. The lambda must be configured with the following environment variables and parameters:

  • AWS_LAMBDA - tells acme-dns-route53 that it is running inside AWS Lambda.
  • DOMAINS - a comma-separated list of domains.
  • LETSENCRYPT_EMAIL - the Let's Encrypt email address.
  • NOTIFICATION_TOPIC - the name of the SNS Notification Topic (optional).
  • STAGING - with the value 1 the staging environment is used.
  • 1024 MB - memory limit, can be changed.
  • 900 seconds (15 min) - timeout.
  • acme-dns-route53 - the name of our binary, located in the archive.
  • fileb://~/acme-dns-route53.zip - the path to the archive we created.

Now let's deploy it:

$ aws lambda create-function \
  --function-name acme-dns-route53 \
  --runtime go1.x \
  --role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor \
  --environment 'Variables={AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",[email protected],STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}' \
  --memory-size 1024 \
  --timeout 900 \
  --handler acme-dns-route53 \
  --zip-file fileb://~/acme-dns-route53.zip

 {
     "FunctionName": "acme-dns-route53", 
     "LastModified": "2019-05-03T19:07:09.325+0000", 
     "RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558", 
     "MemorySize": 1024, 
     "Environment": {
         "Variables": {
            "DOMAINS": "example1.com,example2.com", 
            "STAGING": "1", 
            "LETSENCRYPT_EMAIL": "[email protected]", 
            "NOTIFICATION_TOPIC": "acme-dns-route53-obtained", 
            "AWS_LAMBDA": "1"
         }
     }, 
     "Version": "$LATEST", 
     "Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor", 
     "Timeout": 900, 
     "Runtime": "go1.x", 
     "TracingConfig": {
         "Mode": "PassThrough"
     }, 
     "CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=", 
     "Description": "", 
     "CodeSize": 8456317,
     "FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53", 
     "Handler": "acme-dns-route53"
 }

Creating a CloudWatch timer that triggers the function 2 times a day

The final step is to create a cron that calls our function twice a day:

  • create a CloudWatch rule with a schedule_expression value.
  • create a rule target (what should be run) by specifying the ARN of the lambda function.
  • grant the rule permission to invoke the lambda function.

Below I have included my Terraform configuration, but in fact this is done just as easily from the AWS console or the AWS CLI.

# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
  name                = "acme-dns-route53-issuer-scheduler"
  schedule_expression = "cron(0 */12 * * ? *)"
}

# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
  rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
  arn  = "${aws_lambda_function.acme_dns_route53.arn}"
}

# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}

Now you are ready to automatically issue and renew SSL certificates.

Source: www.habr.com
