Automating Let's Encrypt SSL certificate management with DNS-01 and AWS

This post describes the steps to automate the management of SSL certificates from the Let's Encrypt CA using the DNS-01 challenge and AWS.

acme-dns-route53 is a tool that implements this functionality. It can obtain SSL certificates from Let's Encrypt, store them in Amazon Certificate Manager, use the Route53 API to complete the DNS-01 challenge, and finally send notifications to SNS. acme-dns-route53 also has built-in support for running inside AWS Lambda, and that is what we need.

This article is divided into 4 parts:

  • creating the zip file;
  • creating the IAM role;
  • creating the lambda function that runs acme-dns-route53;
  • creating a CloudWatch timer that runs the function twice a day.

Note: before starting, you need to install GoLang 1.9+ and the AWS CLI.

Creating the zip file

acme-dns-route53 is written in GoLang and requires version 1.9 or newer.

We need to create a zip file with the acme-dns-route53 binary inside. To do this, install acme-dns-route53 from the GitHub repository with the go install command:

$ env GOOS=linux GOARCH=amd64 go install github.com/begmaroman/acme-dns-route53

The binary is installed into the $GOPATH/bin directory. Note that during installation we set two environment variables: GOOS=linux and GOARCH=amd64. They tell the Go compiler to build a binary for the Linux OS and the amd64 architecture, which is what runs on AWS.
AWS expects our program to be packaged in a zip file, so let's create the acme-dns-route53.zip archive containing the newly installed binary:

$ zip -j ~/acme-dns-route53.zip $GOPATH/bin/acme-dns-route53

Note: the binary must be at the root of the zip archive. The -j flag does exactly that.

Now our zip archive is ready to deploy; what remains is to create a role with the required permissions.

Creating the IAM role

We need to set up an IAM role with the permissions the lambda requires.
Let's name it lambda-acme-dns-route53-executor and attach the basic AWSLambdaBasicExecutionRole policy to it right away. This allows our lambda to run and to write logs to the AWS CloudWatch service.
First, we create a JSON file describing our permissions. This is what allows the lambda service to use the lambda-acme-dns-route53-executor role:

$ touch ~/lambda-acme-dns-route53-executor-policy.json

The contents of our file are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/lambda/acme-dns-route53:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "cloudwatch:PutMetricData",
                "acm:ImportCertificate",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "route53:GetChange",
                "route53:ChangeResourceRecordSets",
                "acm:ImportCertificate",
                "acm:DescribeCertificate"
            ],
            "Resource": [
                "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<TOPIC_NAME>",
                "arn:aws:route53:::hostedzone/*",
                "arn:aws:route53:::change/*",
                "arn:aws:acm:<AWS_REGION>:<AWS_ACCOUNT_ID>:certificate/*"
            ]
        }
    ]
}

Now run the aws iam create-role command to create the role:

$ aws iam create-role --role-name lambda-acme-dns-route53-executor \
 --assume-role-policy-document file://~/lambda-acme-dns-route53-executor-policy.json

Note: remember the ARN (Amazon Resource Name) of the role; we will need it in the next steps.

The lambda-acme-dns-route53-executor role has been created; now we need to assign permissions to it. The easiest way is to use the aws iam attach-role-policy command, passing the ARN of the AWSLambdaBasicExecutionRole policy as shown below:

$ aws iam attach-role-policy --role-name lambda-acme-dns-route53-executor \
 --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Note: the list of other policies can be found here.
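A practical caveat, with an added example that is not part of the original post: the document passed to --assume-role-policy-document is the role's trust policy (it states who may assume the role), whereas the JSON above is a permissions policy that grants the role its rights. In practice you create the role with a trust policy naming lambda.amazonaws.com and then attach the permissions JSON separately (for example with aws iam put-role-policy --policy-document file://...). The Python below uses hypothetical helper names and constructed region, account, topic and hosted-zone values; it builds both documents, optionally scopes the Route53 record-change permission to named hosted zone IDs instead of hostedzone/* (the least-privilege choice, since the challenge only ever touches your own zones), and lints the result for unresolved <PLACEHOLDER> values or a leaked Terraform ${var...} reference before anything is uploaded.

```python
import json
import re

# Anything still looking like <PLACEHOLDER> or a Terraform ${var.x} reference
# means the document was not filled in before being sent to IAM.
UNRESOLVED = re.compile(r"<[A-Z_]+>|\$\{[^}]*\}")


def trust_policy():
    """Trust policy: lets the Lambda service assume the role (aws iam create-role)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(region, account, topic, hosted_zone_ids=None):
    """Permissions policy for the role (aws iam put-role-policy).

    hosted_zone_ids, when given, restricts record changes to those zones
    rather than to every zone in the account (hostedzone/*).
    """
    zones = ([f"arn:aws:route53:::hostedzone/{z}" for z in hosted_zone_ids]
             if hosted_zone_ids else ["arn:aws:route53:::hostedzone/*"])
    log_arn = f"arn:aws:logs:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["logs:CreateLogGroup"],
             "Resource": f"{log_arn}:*"},
            {"Effect": "Allow", "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
             "Resource": f"{log_arn}:log-group:/aws/lambda/acme-dns-route53:*"},
            {"Effect": "Allow",
             "Action": ["route53:ListHostedZones", "cloudwatch:PutMetricData",
                        "acm:ImportCertificate", "acm:ListCertificates"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["sns:Publish", "route53:GetChange",
                        "route53:ChangeResourceRecordSets",
                        "acm:ImportCertificate", "acm:DescribeCertificate"],
             "Resource": [f"arn:aws:sns:{region}:{account}:{topic}",
                          *zones,
                          "arn:aws:route53:::change/*",
                          f"arn:aws:acm:{region}:{account}:certificate/*"]},
        ],
    }


def lint_policy(policy):
    """Return a list of problems; an empty list means the document is ready to upload."""
    problems = []
    for i, st in enumerate(policy.get("Statement", [])):
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for r in resources:
            if UNRESOLVED.search(r):
                problems.append(f"statement {i}: unresolved placeholder in {r}")
            elif r != "*" and r.count(":") < 5:
                # A full ARN has at least six colon-separated parts.
                problems.append(f"statement {i}: malformed ARN {r}")
    if policy.get("Version") != "2012-10-17":
        problems.append("policy Version should be 2012-10-17")
    return problems


def render(policy):
    """Serialize for --assume-role-policy-document file://... or --policy-document file://..."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    # Constructed sample values; replace them with your own account data.
    pol = permissions_policy("us-east-1", "123456789012", "acme-dns-route53-obtained",
                             hosted_zone_ids=["Z0123456789EXAMPLE"])
    print(render(trust_policy()))
    print(render(pol))
    print("problems:", lint_policy(pol) or "none")
```

Write the two rendered documents to separate files and pass the trust policy to create-role and the permissions policy to put-role-policy; lint_policy is meant to run in the same script before either call so a template value never reaches IAM.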

Creating the lambda function that runs acme-dns-route53

Great! Now you can deploy our function to AWS with the aws lambda create-function command. The lambda must be configured with the following environment variables and parameters:

  • AWS_LAMBDA - tells acme-dns-route53 that it is running inside AWS Lambda.
  • DOMAINS - comma-separated list of domains.
  • LETSENCRYPT_EMAIL - the Let's Encrypt account email.
  • NOTIFICATION_TOPIC - name of the SNS notification topic (optional).
  • STAGING - with the value 1, the Let's Encrypt staging environment is used.
  • 1024 MB - memory limit; can be changed.
  • 900 seconds (15 minutes) - timeout.
  • acme-dns-route53 - the name of our binary inside the archive.
  • fileb://~/acme-dns-route53.zip - path to the archive we created.

Now let's deploy:

$ aws lambda create-function \
 --function-name acme-dns-route53 \
 --runtime go1.x \
 --role arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor \
 --environment 'Variables={AWS_LAMBDA=1,DOMAINS="example1.com,example2.com",LETSENCRYPT_EMAIL=<EMAIL>,STAGING=0,NOTIFICATION_TOPIC=acme-dns-route53-obtained}' \
 --memory-size 1024 \
 --timeout 900 \
 --handler acme-dns-route53 \
 --zip-file fileb://~/acme-dns-route53.zip

{
    "FunctionName": "acme-dns-route53",
    "LastModified": "2019-05-03T19:07:09.325+0000",
    "RevisionId": "e3fadec9-2180-4bff-bb9a-999b1b71a558",
    "MemorySize": 1024,
    "Environment": {
        "Variables": {
            "DOMAINS": "example1.com,example2.com",
            "STAGING": "1",
            "LETSENCRYPT_EMAIL": "<EMAIL>",
            "NOTIFICATION_TOPIC": "acme-dns-route53-obtained",
            "AWS_LAMBDA": "1"
        }
    },
    "Version": "$LATEST",
    "Role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/lambda-acme-dns-route53-executor",
    "Timeout": 900,
    "Runtime": "go1.x",
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "CodeSha256": "+2KgE5mh5LGaOsni36pdmPP9O35wgZ6TbddspyaIXXw=",
    "Description": "",
    "CodeSize": 8456317,
    "FunctionArn": "arn:aws:lambda:us-east-1:<AWS_ACCOUNT_ID>:function:acme-dns-route53",
    "Handler": "acme-dns-route53"
}
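An added example, not part of the original post, that serves both the zip step above (the binary must sit at the archive root, which is what zip -j ensures, and must be executable) and the deployment just shown. The Python helpers below use hypothetical names and constructed sample bytes and values: they build such a package in memory, verify it, compute the same base64-encoded SHA-256 that Lambda reports as CodeSha256 (so the deployed code can be tied back to the artifact you built), validate the DOMAINS and LETSENCRYPT_EMAIL values before they go into --environment, and compare a create-function response against what was intended, which catches drift such as a STAGING value that differs from the one passed on the command line.

```python
import base64
import hashlib
import io
import re
import zipfile

HANDLER = "acme-dns-route53"
# Lower-case hostnames: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_package(binary, arcname=HANDLER):
    """Equivalent of `zip -j`: store the binary at the zip root, keeping the exec bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo(arcname)
        info.external_attr = 0o755 << 16  # unix mode lives in the high 16 bits
        zf.writestr(info, binary)
    return buf.getvalue()


def verify_package(zip_bytes, handler=HANDLER):
    """Checks matching the note above: handler present, at the root, executable."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if handler not in names:
            problems.append(f"handler {handler!r} not at archive root (entries: {names})")
        for info in zf.infolist():
            if "/" in info.filename:
                problems.append(f"{info.filename}: nested path, use zip -j")
            elif not (info.external_attr >> 16) & 0o100:
                problems.append(f"{info.filename}: not executable")
    return problems


def code_sha256(zip_bytes):
    """Same value Lambda reports as CodeSha256: base64 of the package's SHA-256."""
    return base64.b64encode(hashlib.sha256(zip_bytes).digest()).decode()


def build_environment(domains, email, staging=False, topic=None):
    """Validate inputs and produce the Environment JSON accepted by --environment."""
    for d in domains:
        if not DOMAIN_RE.match(d):
            raise ValueError(f"bad domain: {d!r}")
    if not EMAIL_RE.match(email):
        raise ValueError(f"bad email: {email!r}")
    variables = {
        "AWS_LAMBDA": "1",
        "DOMAINS": ",".join(domains),
        "LETSENCRYPT_EMAIL": email,
        "STAGING": "1" if staging else "0",
    }
    if topic:
        variables["NOTIFICATION_TOPIC"] = topic
    return {"Variables": variables}


def check_deployment(response, zip_bytes, environment, handler=HANDLER):
    """Compare a create-function (or get-function-configuration) response with the intent."""
    problems = []
    if response.get("CodeSha256") != code_sha256(zip_bytes):
        problems.append("CodeSha256 differs from the local package")
    if response.get("Handler") != handler:
        problems.append(f"Handler is {response.get('Handler')!r}, expected {handler!r}")
    deployed = response.get("Environment", {}).get("Variables", {})
    for k, v in environment["Variables"].items():
        if deployed.get(k) != v:
            problems.append(f"{k}: deployed {deployed.get(k)!r}, expected {v!r}")
    return problems


if __name__ == "__main__":
    # Constructed stand-in for the Go binary; in real use read $GOPATH/bin/acme-dns-route53.
    pkg = build_package(b"\x7fELF constructed stand-in")
    print("package problems:", verify_package(pkg) or "none")
    print("CodeSha256:", code_sha256(pkg))
    env = build_environment(["example1.com", "example2.com"], "admin@example.com",
                            staging=False, topic="acme-dns-route53-obtained")
    print(env)
```

Pass the dict returned by build_environment as JSON (for example via --environment file://env.json) to avoid the shell-quoting pitfalls of the shorthand syntax, and run check_deployment on the JSON that create-function prints, or later on aws lambda get-function-configuration output, to confirm the function still runs the package you built.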

Creating a CloudWatch timer that runs the function twice a day

The last step is to set up a cron that invokes our function twice a day:

  • create a CloudWatch rule with a schedule_expression value;
  • create a rule target (what should be executed) by specifying the ARN of the lambda function;
  • give the rule permission to invoke the lambda function.

Below I've attached a Terraform configuration, but it is in fact quite simple to do with the AWS console or the AWS CLI.

# Cloudwatch event rule that runs acme-dns-route53 lambda every 12 hours
resource "aws_cloudwatch_event_rule" "acme_dns_route53_sheduler" {
  name                = "acme-dns-route53-issuer-scheduler"
  schedule_expression = "cron(0 */12 * * ? *)"
}

# Specify the lambda function to run
resource "aws_cloudwatch_event_target" "acme_dns_route53_sheduler_target" {
  rule = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.name}"
  arn  = "${aws_lambda_function.acme_dns_route53.arn}"
}

# Give CloudWatch permission to invoke the function
resource "aws_lambda_permission" "permission" {
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.acme_dns_route53.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.acme_dns_route53_sheduler.arn}"
}
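An added example, not from the original post or the project: a small evaluator for the AWS cron() syntax used in schedule_expression above, so you can confirm before deploying that an expression is structurally valid (six fields including the year, and exactly one of day-of-month and day-of-week set to ?) and that it really fires twice a day. Function names are hypothetical; the evaluator expands only the minute and hour fields and reports times in UTC, which is how AWS interprets cron schedules.

```python
import re

CRON_RE = re.compile(r"\s*cron\(([^)]*)\)\s*")


def _expand(field, lo, hi):
    """Expand one cron field into the set of integers it selects within [lo, hi]."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = hi if step > 1 else start  # "5/15" means 5, 20, 35, ...
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{field!r}: {start}-{end} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def schedule_problems(expr):
    """Structural checks on an AWS cron() expression; an empty list means it looks valid."""
    m = CRON_RE.fullmatch(expr)
    if not m:
        return ["expected the form cron(minutes hours day-of-month month day-of-week year)"]
    fields = m.group(1).split()
    if len(fields) != 6:
        return [f"AWS cron expressions have 6 fields, got {len(fields)} (a year field is required)"]
    problems = []
    dom, dow = fields[2], fields[4]
    if (dom == "?") == (dow == "?"):
        # AWS requires '?' in exactly one of the two day fields.
        problems.append("exactly one of day-of-month and day-of-week must be '?'")
    for name, field, lo, hi in (("minutes", fields[0], 0, 59), ("hours", fields[1], 0, 23)):
        try:
            _expand(field, lo, hi)
        except ValueError as e:
            problems.append(f"{name}: {e}")
    return problems


def daily_times(expr):
    """Times of day (UTC) selected by the minute and hour fields, as (hour, minute) pairs."""
    problems = schedule_problems(expr)
    if problems:
        raise ValueError("; ".join(problems))
    fields = CRON_RE.fullmatch(expr).group(1).split()
    hours, minutes = _expand(fields[1], 0, 23), _expand(fields[0], 0, 59)
    return sorted((h, m) for h in hours for m in minutes)


def invocations_per_day(expr):
    """How many times per day the rule fires, ignoring day/month/year restrictions."""
    return len(daily_times(expr))


if __name__ == "__main__":
    expr = "cron(0 */12 * * ? *)"  # the expression from the Terraform rule above
    print(expr, "->", daily_times(expr), f"({invocations_per_day(expr)} per day, UTC)")
    print("cron(0 */12 * * *) ->", schedule_problems("cron(0 */12 * * *)"))
```

The rule above, cron(0 */12 * * ? *), evaluates to (0, 0) and (12, 0); the function also flags the common mistakes of dropping the sixth (year) field or leaving both day fields as *, which the CloudWatch API rejects only at deploy time.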

You are now set up to issue and renew SSL certificates automatically.

Source: www.habr.com
