Automating Let's Encrypt SSL certificate management with the DNS-01 challenge and AWS

This post describes the steps to automate management of SSL certificates issued by the Let's Encrypt CA using the DNS-01 challenge and AWS.

acme-dns-route53 is the tool that lets us implement this. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to complete the DNS-01 challenge and, finally, push notifications to SNS. acme-dns-route53 also has built-in support for running inside AWS Lambda, which is exactly what we need.

This article is split into 4 parts:

  • creating the zip file;
  • creating the IAM role;
  • creating the Lambda function that runs acme-dns-route53;
  • creating a CloudWatch timer that triggers the function twice a day.

Note: before you begin, you need to install Go 1.9+ and the AWS CLI.

Creating the zip file

acme-dns-route53 is written in Go and requires version 1.9 or later.

We need to create a zip file with the acme-dns-route53 binary inside. To do that, install acme-dns-route53 from the GitHub repository with the go install command:

$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53

The binary is installed in the $GOPATH/bin directory. Note that during installation we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler to build a binary for the Linux OS and the amd64 architecture, which is what AWS Lambda runs.
AWS expects our program to be shipped as a zip file, so let's create the acme-dns-route53.zip archive containing the freshly installed binary:

$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53

Note: the binary must sit at the root of the zip archive. That is what the -j flag is for.

Now our zip archive is ready to deploy; all that remains is to create a role with the required permissions.

Creating the IAM role

We need to set up an IAM role with the permissions our Lambda needs while it runs.
Let's name it lambda-acme-dns-route53-executor and attach the basic AWSLambdaBasicExecutionRole policy to it right away. This lets our Lambda run and write logs to the AWS CloudWatch service.
First, we create a JSON file describing our permissions. This is what lets the Lambda service use the lambda-acme-dns-route53-executor role:

$ touch ~/lambda-acme-dns-route53-executor-policy.json

The contents of the file are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "cloudwatch:PutMetricData",
                "acm:ImportCertificate",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                "arn:aws:route53:::hostedzone/*",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

Now let's run the aws iam create-role command to create the role:

$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
 --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json

Note: make a note of the policy ARN (Amazon Resource Name); we will need it in the following steps.

The lambda-acme-dns-route53-executor role has been created; now we need to assign permissions to it. The simplest way is the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole policy as follows:

$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Note: a list of the other policies can be found here.
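The role above is built from two different documents that are easy to mix up: the trust policy (who may assume the role, which is what --assume-role-policy-document takes) and the permissions policy (what the role may do). The following Python script, added here as an illustration and not part of the post or of acme-dns-route53, generates both, scopes the permissions to the hosted zones, SNS topic and region actually in use, and runs a small linter that flags any statement granting a state-changing action on Resource "*" (the post's third statement does this for acm:ImportCertificate). The region, account ID, topic name and hosted zone ID are constructed placeholders, the Route53 condition keys restrict the Lambda to TXT records named _acme-challenge.* (all that DNS-01 needs), and the put-role-policy command is a standard AWS CLI call, not something the post uses.

```python
import json

# Values constructed for this illustration; replace with your own.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
TOPIC_NAME = "acme-dns-route53-obtained"
HOSTED_ZONE_IDS = ["Z0123456789EXAMPLE"]
ROLE_NAME = "lambda-acme-dns-route53-executor"

# Actions that change state. Allowing any of these on Resource "*" is what lint() reports.
MUTATING_ACTIONS = {"route53:ChangeResourceRecordSets", "acm:ImportCertificate", "sns:Publish"}


def trust_policy():
    """The document --assume-role-policy-document expects: who may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(region, account_id, topic_name, hosted_zone_ids):
    """What the role may do, scoped to the zones, topic and region it actually uses."""
    zone_arns = [f"arn:aws:route53:::hostedzone/{z}" for z in hosted_zone_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # read-only discovery calls; these actions have no resource-level scoping
                "Sid": "Discover",
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "acm:ListCertificates", "cloudwatch:PutMetricData"],
                "Resource": "*",
            },
            {   # DNS-01 only needs TXT records named _acme-challenge.<domain> in the listed zones
                "Sid": "Dns01Challenge",
                "Effect": "Allow",
                "Action": "route53:ChangeResourceRecordSets",
                "Resource": zone_arns,
                "Condition": {
                    "ForAllValues:StringEquals": {"route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]},
                    "ForAllValues:StringLike": {"route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]},
                },
            },
            {"Sid": "PollChange", "Effect": "Allow", "Action": "route53:GetChange", "Resource": "arn:aws:route53:::change/*"},
            {
                "Sid": "StoreCert",
                "Effect": "Allow",
                "Action": ["acm:ImportCertificate", "acm:DescribeCertificate"],
                "Resource": f"arn:aws:acm:{region}:{account_id}:certificate/*",
            },
            {"Sid": "Notify", "Effect": "Allow", "Action": "sns:Publish",
             "Resource": f"arn:aws:sns:{region}:{account_id}:{topic_name}"},
        ],
    }


def lint(policy):
    """Return (sid, action) pairs where a mutating action is allowed on every resource."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if "*" in resources:
            for action in actions:
                if action in MUTATING_ACTIONS or action.endswith(":*") or action == "*":
                    findings.append((stmt.get("Sid") or f"statement[{i}]", action))
    return findings


# The third statement of the post's policy, reproduced as sample input for lint().
POST_STATEMENT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["route53:ListHostedZones", "cloudwatch:PutMetricData", "acm:ImportCertificate", "acm:ListCertificates"],
        "Resource": "*",
    }],
}


def cli_commands(role_name):
    """The two aws iam calls that attach each document where it belongs."""
    return [
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document file://trust.json",
        f"aws iam put-role-policy --role-name {role_name} --policy-name acme-dns-route53 --policy-document file://permissions.json",
    ]


if __name__ == "__main__":
    with open("trust.json", "w") as f:
        json.dump(trust_policy(), f, indent=2)
    with open("permissions.json", "w") as f:
        json.dump(permissions_policy(REGION, ACCOUNT_ID, TOPIC_NAME, HOSTED_ZONE_IDS), f, indent=2)
    print("\n".join(cli_commands(ROLE_NAME)))
    print("lint of the post's statement:", lint(POST_STATEMENT))
```

Running the script writes trust.json and permissions.json and prints the two commands to run; the AWSLambdaBasicExecutionRole attachment from the post still covers the CloudWatch Logs permissions, so the generated permissions policy does not repeat them.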

Creating the Lambda function that runs acme-dns-route53

Hooray! Now we can deploy our function to AWS with the aws lambda create-function command. The Lambda must be configured with the following environment variables:

  • AWS_LAMBDA - tells acme-dns-route53 that it is running inside AWS Lambda.
  • DOMAINS - a comma-separated list of domains.
  • LETSENCRYPT_EMAIL - the Let's Encrypt account e-mail address.
  • NOTIFICATION_TOPIC - the name of the SNS notification topic (optional).
  • STAGING - with the value 1, the Let's Encrypt staging environment is used.

The remaining parameters of the command are:

  • 1024 MB - the memory limit; it can be changed.
  • 900 seconds (15 minutes) - the timeout.
  • acme-dns-route53 - the name of our binary inside the archive, used as the handler.
  • fileb://~/acme-dns-route53.zip - the path to the archive we created.

Now let's deploy:

$ aws lambda create-function \
 --function-name acme-dns-route53 \
 --runtime go1.x \
 --role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor \
 --environment 'Variables={AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",LETSENCRYPT_EMAIL=<LETSENCRYPT_EMAIL>,STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}' \
 --memory-size 1024 \
 --timeout 900 \
 --handler acme-dns-route53 \
 --zip-file fileb://~/acme-dns-route53.zip

 {
     "FunctionName": "acme-dns-route53", 
     "LastModified": "2019-05-03T19:07:09.325+0000", 
     "RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558", 
     "MemorySize": 1024, 
     "Environment": {
         "Variables": {
            "DOMAINS": "example1.com,example2.com", 
            "STAGING": "1", 
            "LETSENCRYPT_EMAIL": "[email protected]", 
            "NOTIFICATION_TOPIC": "acme-dns-route53-obtained", 
            "AWS_LAMBDA": "1"
         }
     }, 
     "Version": "$LATEST", 
     "Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor", 
     "Timeout": 900, 
     "Runtime": "go1.x", 
     "TracingConfig": {
         "Mode": "PassThrough"
     }, 
     "CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=", 
     "Description": "", 
     "CodeSize": 8456317,
     "FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53", 
     "Handler": "acme-dns-route53"
 }
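The JSON that create-function prints back is the place to confirm the configuration the function actually received, and it is worth checking mechanically: a typo in DOMAINS or a STAGING value of 1 left in place means the function runs on schedule but imports certificates nobody can use. The following checker is an added example (not part of the post or of acme-dns-route53); it reads the Environment.Variables object out of that output and reports missing or malformed variables, and warns when STAGING=1 because certificates from the Let's Encrypt staging CA are not trusted by browsers. The sample output embedded below is constructed in the shape of the command output above, with a placeholder e-mail address.

```python
import json
import re

REQUIRED = ("AWS_LAMBDA", "DOMAINS", "LETSENCRYPT_EMAIL")
OPTIONAL = ("NOTIFICATION_TOPIC", "STAGING")
# Hostname: dot-separated labels of letters, digits and inner hyphens, ending in an alphabetic TLD.
DOMAIN_RE = re.compile(r"^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE)


def variables_from_output(text):
    """Pull Environment.Variables out of create-function / get-function-configuration JSON."""
    return json.loads(text).get("Environment", {}).get("Variables", {})


def check_variables(variables):
    """Return 'error: ...' / 'warning: ...' strings; an empty list means the config looks right."""
    problems = []
    for key in REQUIRED:
        if not variables.get(key):
            problems.append(f"error: {key} is missing or empty")
    for key in sorted(set(variables) - set(REQUIRED) - set(OPTIONAL)):
        problems.append(f"warning: {key} is not a variable acme-dns-route53 reads")
    if variables.get("AWS_LAMBDA") not in (None, "1"):
        problems.append("error: AWS_LAMBDA must be 1 when running inside Lambda")
    # Each entry must be a bare hostname; a stray space after a comma fails this check on purpose.
    for domain in filter(None, variables.get("DOMAINS", "").split(",")):
        if not DOMAIN_RE.match(domain):
            problems.append(f"error: malformed domain {domain!r} in DOMAINS")
    email = variables.get("LETSENCRYPT_EMAIL", "")
    if email and ("@" not in email or email.startswith("@") or email.endswith("@")):
        problems.append(f"error: LETSENCRYPT_EMAIL {email!r} is not an e-mail address")
    staging = variables.get("STAGING")
    if staging not in (None, "0", "1"):
        problems.append(f"error: STAGING must be 0 or 1, got {staging!r}")
    elif staging == "1":
        problems.append("warning: STAGING=1 issues certificates from the Let's Encrypt staging CA, which browsers do not trust")
    return problems


# Constructed sample shaped like the create-function output above (e-mail is a placeholder).
SAMPLE_OUTPUT = """{
  "FunctionName": "acme-dns-route53",
  "Environment": {
    "Variables": {
      "DOMAINS": "example1.com,example2.com",
      "STAGING": "1",
      "LETSENCRYPT_EMAIL": "ops@example.com",
      "NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
      "AWS_LAMBDA": "1"
    }
  }
}"""

if __name__ == "__main__":
    for line in check_variables(variables_from_output(SAMPLE_OUTPUT)) or ["ok"]:
        print(line)
```

To check a deployed function rather than the sample, pipe the output of aws lambda get-function-configuration --function-name acme-dns-route53 into variables_from_output; the same Environment.Variables shape is returned there.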

Creating a CloudWatch timer that triggers the function twice a day

The last step is to set up a cron that invokes our function twice a day:

  • create a CloudWatch rule with a schedule_expression value;
  • create a target for the rule (what should be executed) by specifying the Lambda function's ARN;
  • grant the rule permission to invoke the Lambda function.

Below is my Terraform configuration, but this is just as easy to do from the AWS console or with the AWS CLI.

# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
  name                = "acme-dns-route53-issuer-scheduler"
  schedule_expression = "cron(0 */12 * * ? *)"
}

# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
  rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
  arn  = "${aws_lambda_function.acme_dns_route53.arn}"
}

# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}

You are now set up to create and renew SSL certificates automatically.

Source: mapenzi.com