potyarkin/lego
1
0
Fork 0
forked from TrueCloudLab/lego
Code Pull requests Activity

route53: add assume role ARN (#1650)

Browse source 
Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
This commit is contained in:
nonchan 2022-05-28 01:32:39 +09:00 committed by GitHub
parent 9b029d53d7
commit d95b487af1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 41 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
cmd/zz_gen_cmd_dnshelp.go
View file

@ -1860,6 +1860,7 @@ func displayDNSHelp(name string) error {
ew.writeln(`Credentials:`) ew.writeln(`Credentials:`)
ew.writeln(` - "AWS_ACCESS_KEY_ID": Managed by the AWS client. Access key ID ('AWS_ACCESS_KEY_ID_FILE' is not supported, use 'AWS_SHARED_CREDENTIALS_FILE' instead)`) ew.writeln(` - "AWS_ACCESS_KEY_ID": Managed by the AWS client. Access key ID ('AWS_ACCESS_KEY_ID_FILE' is not supported, use 'AWS_SHARED_CREDENTIALS_FILE' instead)`)
ew.writeln(` - "AWS_ASSUME_ROLE_ARN": Managed by the AWS Role ARN ('AWS_ASSUME_ROLE_ARN' is not supported)`)
ew.writeln(` - "AWS_HOSTED_ZONE_ID": Override the hosted zone ID.`) ew.writeln(` - "AWS_HOSTED_ZONE_ID": Override the hosted zone ID.`)
ew.writeln(` - "AWS_PROFILE": Managed by the AWS client ('AWS_PROFILE_FILE' is not supported)`) ew.writeln(` - "AWS_PROFILE": Managed by the AWS client ('AWS_PROFILE_FILE' is not supported)`)
ew.writeln(` - "AWS_REGION": Managed by the AWS client ('AWS_REGION_FILE' is not supported)`) ew.writeln(` - "AWS_REGION": Managed by the AWS client ('AWS_REGION_FILE' is not supported)`)

1
docs/content/dns/zz_gen_route53.md
View file

@ -30,6 +30,7 @@ _Please contribute by adding a CLI example._
| Environment Variable Name | Description | | Environment Variable Name | Description |
|-----------------------|-------------| |-----------------------|-------------|
| `AWS_ACCESS_KEY_ID` | Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead) | | `AWS_ACCESS_KEY_ID` | Managed by the AWS client. Access key ID (`AWS_ACCESS_KEY_ID_FILE` is not supported, use `AWS_SHARED_CREDENTIALS_FILE` instead) |
| `AWS_ASSUME_ROLE_ARN` | Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported) |
| `AWS_HOSTED_ZONE_ID` | Override the hosted zone ID. | | `AWS_HOSTED_ZONE_ID` | Override the hosted zone ID. |
| `AWS_PROFILE` | Managed by the AWS client (`AWS_PROFILE_FILE` is not supported) | | `AWS_PROFILE` | Managed by the AWS client (`AWS_PROFILE_FILE` is not supported) |
| `AWS_REGION` | Managed by the AWS client (`AWS_REGION_FILE` is not supported) | | `AWS_REGION` | Managed by the AWS client (`AWS_REGION_FILE` is not supported) |

50
providers/dns/route53/route53.go
View file

@ -10,6 +10,7 @@ import (
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/client" "github.com/aws/aws-sdk-go/aws/client"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/request" "github.com/aws/aws-sdk-go/aws/request"
"github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/route53" "github.com/aws/aws-sdk-go/service/route53"
@ -31,26 +32,32 @@ const (
EnvTTL = envNamespace + "TTL" EnvTTL = envNamespace + "TTL"
EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT" EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
EnvPollingInterval = envNamespace + "POLLING_INTERVAL" EnvPollingInterval = envNamespace + "POLLING_INTERVAL"
EnvAssumeRoleArn = envNamespace + "ASSUME_ROLE_ARN"
) )
// Config is used to configure the creation of the DNSProvider. // Config is used to configure the creation of the DNSProvider.
type Config struct { type Config struct {
MaxRetries int HostedZoneID string
MaxRetries int
AssumeRoleArn string
TTL int TTL int
PropagationTimeout time.Duration PropagationTimeout time.Duration
PollingInterval time.Duration PollingInterval time.Duration
HostedZoneID string
Client *route53.Route53 Client *route53.Route53
} }
// NewDefaultConfig returns a default configuration for the DNSProvider. // NewDefaultConfig returns a default configuration for the DNSProvider.
func NewDefaultConfig() *Config { func NewDefaultConfig() *Config {
return &Config{ return &Config{
MaxRetries: env.GetOrDefaultInt(EnvMaxRetries, 5), HostedZoneID: env.GetOrFile(EnvHostedZoneID),
MaxRetries: env.GetOrDefaultInt(EnvMaxRetries, 5),
AssumeRoleArn: env.GetOrDefaultString(EnvAssumeRoleArn, ""),
TTL: env.GetOrDefaultInt(EnvTTL, 10), TTL: env.GetOrDefaultInt(EnvTTL, 10),
PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute), PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
PollingInterval: env.GetOrDefaultSecond(EnvPollingInterval, 4*time.Second), PollingInterval: env.GetOrDefaultSecond(EnvPollingInterval, 4*time.Second),
HostedZoneID: env.GetOrFile(EnvHostedZoneID),
} }
} }
@ -106,17 +113,15 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
return &DNSProvider{client: config.Client, config: config}, nil return &DNSProvider{client: config.Client, config: config}, nil
} }
retry := customRetryer{} sess, err := createSession(config)
retry.NumMaxRetries = config.MaxRetries
sessionCfg := request.WithRetryer(aws.NewConfig(), retry)
sess, err := session.NewSessionWithOptions(session.Options{Config: *sessionCfg})
if err != nil { if err != nil {
return nil, err return nil, err
} }
cl := route53.New(sess) return &DNSProvider{
return &DNSProvider{client: cl, config: config}, nil client: route53.New(sess),
config: config,
}, nil
} }
// Timeout returns the timeout and interval to use when checking for DNS propagation. // Timeout returns the timeout and interval to use when checking for DNS propagation.
@ -294,3 +299,24 @@ func (d *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
return hostedZoneID, nil return hostedZoneID, nil
} }
func createSession(config *Config) (*session.Session, error) {
retry := customRetryer{}
retry.NumMaxRetries = config.MaxRetries
sessionCfg := request.WithRetryer(aws.NewConfig(), retry)
sess, err := session.NewSessionWithOptions(session.Options{Config: *sessionCfg})
if err != nil {
return nil, err
}
if config.AssumeRoleArn == "" {
return sess, nil
}
return session.NewSession(&aws.Config{
Region: sess.Config.Region,
Credentials: stscreds.NewCredentials(sess, config.AssumeRoleArn),
})
}

1
providers/dns/route53/route53.toml
View file

@ -69,6 +69,7 @@ The following AWS IAM policy document describes the permissions required for leg
AWS_HOSTED_ZONE_ID = "Override the hosted zone ID." AWS_HOSTED_ZONE_ID = "Override the hosted zone ID."
AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)" AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)"
AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)" AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN` is not supported)"
[Configuration.Additional] [Configuration.Additional]
AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file." AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request" AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"