2018-12-06 23:50:17 +02:00
|
|
|
// Package route53 implements a DNS provider for solving the DNS-01 challenge using AWS Route 53 DNS.
|
2016-02-29 04:48:41 +02:00
|
|
|
package route53
|
2015-12-03 22:01:46 +02:00
|
|
|
|
|
|
|
import (
|
2023-07-27 12:15:26 +02:00
|
|
|
"context"
|
2018-07-18 17:37:35 +02:00
|
|
|
"errors"
|
2015-12-03 22:01:46 +02:00
|
|
|
"fmt"
|
2016-03-26 05:34:31 +02:00
|
|
|
"math/rand"
|
2015-12-03 22:01:46 +02:00
|
|
|
"strings"
|
2016-01-22 19:50:18 +02:00
|
|
|
"time"
|
2016-01-22 19:18:53 +02:00
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
"github.com/aws/aws-sdk-go-v2/aws"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/aws/retry"
|
|
|
|
awsconfig "github.com/aws/aws-sdk-go-v2/config"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/credentials"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/service/route53"
|
|
|
|
awstypes "github.com/aws/aws-sdk-go-v2/service/route53/types"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/service/sts"
|
2024-11-16 00:21:21 +02:00
|
|
|
"github.com/go-acme/lego/v4/challenge"
|
2020-09-02 03:20:01 +02:00
|
|
|
"github.com/go-acme/lego/v4/challenge/dns01"
|
|
|
|
"github.com/go-acme/lego/v4/platform/config/env"
|
|
|
|
"github.com/go-acme/lego/v4/platform/wait"
|
2024-12-05 20:49:13 +02:00
|
|
|
"github.com/go-acme/lego/v4/providers/dns/internal/ptr"
|
2015-12-03 22:01:46 +02:00
|
|
|
)
|
|
|
|
|
2020-03-12 00:51:10 +02:00
|
|
|
// Environment variables names.
|
|
|
|
const (
|
|
|
|
envNamespace = "AWS_"
|
|
|
|
|
|
|
|
EnvAccessKeyID = envNamespace + "ACCESS_KEY_ID"
|
|
|
|
EnvSecretAccessKey = envNamespace + "SECRET_ACCESS_KEY"
|
|
|
|
EnvRegion = envNamespace + "REGION"
|
|
|
|
EnvHostedZoneID = envNamespace + "HOSTED_ZONE_ID"
|
|
|
|
EnvMaxRetries = envNamespace + "MAX_RETRIES"
|
2023-01-16 00:50:35 +02:00
|
|
|
EnvAssumeRoleArn = envNamespace + "ASSUME_ROLE_ARN"
|
2023-05-26 22:26:40 +02:00
|
|
|
EnvExternalID = envNamespace + "EXTERNAL_ID"
|
2020-03-12 00:51:10 +02:00
|
|
|
|
2024-05-09 21:05:21 +02:00
|
|
|
EnvWaitForRecordSetsChanged = envNamespace + "WAIT_FOR_RECORD_SETS_CHANGED"
|
|
|
|
|
2020-03-12 00:51:10 +02:00
|
|
|
EnvTTL = envNamespace + "TTL"
|
|
|
|
EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
|
|
|
|
EnvPollingInterval = envNamespace + "POLLING_INTERVAL"
|
|
|
|
)
|
|
|
|
|
2024-11-16 00:21:21 +02:00
|
|
|
var _ challenge.ProviderTimeout = (*DNSProvider)(nil)
|
|
|
|
|
2020-05-08 19:35:25 +02:00
|
|
|
// Config is used to configure the creation of the DNSProvider.
|
2018-07-18 17:37:35 +02:00
|
|
|
type Config struct {
|
2023-01-16 00:50:35 +02:00
|
|
|
// Static credential chain.
|
|
|
|
// These are not set via environment for the time being and are only used if they are explicitly provided.
|
|
|
|
AccessKeyID string
|
|
|
|
SecretAccessKey string
|
|
|
|
SessionToken string
|
|
|
|
Region string
|
|
|
|
|
2022-05-27 18:32:39 +02:00
|
|
|
HostedZoneID string
|
|
|
|
MaxRetries int
|
|
|
|
AssumeRoleArn string
|
2023-05-26 22:26:40 +02:00
|
|
|
ExternalID string
|
2022-05-27 18:32:39 +02:00
|
|
|
|
2024-05-09 21:05:21 +02:00
|
|
|
WaitForRecordSetsChanged bool
|
|
|
|
|
2018-07-18 17:37:35 +02:00
|
|
|
TTL int
|
|
|
|
PropagationTimeout time.Duration
|
|
|
|
PollingInterval time.Duration
|
2022-05-27 18:32:39 +02:00
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
Client *route53.Client
|
2018-07-18 17:37:35 +02:00
|
|
|
}
|
|
|
|
|
2020-05-08 19:35:25 +02:00
|
|
|
// NewDefaultConfig returns a default configuration for the DNSProvider.
|
2018-07-18 17:37:35 +02:00
|
|
|
func NewDefaultConfig() *Config {
|
|
|
|
return &Config{
|
2022-05-27 18:32:39 +02:00
|
|
|
HostedZoneID: env.GetOrFile(EnvHostedZoneID),
|
|
|
|
MaxRetries: env.GetOrDefaultInt(EnvMaxRetries, 5),
|
|
|
|
AssumeRoleArn: env.GetOrDefaultString(EnvAssumeRoleArn, ""),
|
2023-05-26 22:26:40 +02:00
|
|
|
ExternalID: env.GetOrDefaultString(EnvExternalID, ""),
|
2022-05-27 18:32:39 +02:00
|
|
|
|
2024-05-09 21:05:21 +02:00
|
|
|
WaitForRecordSetsChanged: env.GetOrDefaultBool(EnvWaitForRecordSetsChanged, true),
|
|
|
|
|
2020-03-12 00:51:10 +02:00
|
|
|
TTL: env.GetOrDefaultInt(EnvTTL, 10),
|
|
|
|
PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
|
|
|
|
PollingInterval: env.GetOrDefaultSecond(EnvPollingInterval, 4*time.Second),
|
2018-07-18 17:37:35 +02:00
|
|
|
}
|
|
|
|
}
|
2016-03-26 05:34:31 +02:00
|
|
|
|
2020-05-08 19:35:25 +02:00
|
|
|
// DNSProvider implements the challenge.Provider interface.
|
2016-03-11 04:46:09 +02:00
|
|
|
type DNSProvider struct {
|
2023-07-27 12:15:26 +02:00
|
|
|
client *route53.Client
|
2018-07-18 17:37:35 +02:00
|
|
|
config *Config
|
2015-12-03 22:01:46 +02:00
|
|
|
}
|
|
|
|
|
2018-10-09 19:03:07 +02:00
|
|
|
// NewDNSProvider returns a DNSProvider instance configured for the AWS Route 53 service.
|
2016-03-26 05:34:31 +02:00
|
|
|
//
|
2018-10-09 19:03:07 +02:00
|
|
|
// AWS Credentials are automatically detected in the following locations and prioritized in the following order:
|
2022-08-22 17:05:31 +02:00
|
|
|
// 1. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
|
|
|
|
// AWS_REGION, [AWS_SESSION_TOKEN]
|
|
|
|
// 2. Shared credentials file (defaults to ~/.aws/credentials)
|
|
|
|
// 3. Amazon EC2 IAM role
|
2016-03-26 05:34:31 +02:00
|
|
|
//
|
2018-10-09 19:03:07 +02:00
|
|
|
// If AWS_HOSTED_ZONE_ID is not set, Lego tries to determine the correct public hosted zone via the FQDN.
|
2017-07-17 21:50:53 +02:00
|
|
|
//
|
2016-03-26 05:34:31 +02:00
|
|
|
// See also: https://github.com/aws/aws-sdk-go/wiki/configuring-sdk
|
|
|
|
func NewDNSProvider() (*DNSProvider, error) {
|
2018-07-18 17:37:35 +02:00
|
|
|
return NewDNSProviderConfig(NewDefaultConfig())
|
|
|
|
}
|
|
|
|
|
2023-07-29 12:59:24 +02:00
|
|
|
// NewDNSProviderConfig takes a given config and returns a custom configured DNSProvider instance.
|
2018-07-18 17:37:35 +02:00
|
|
|
func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
|
|
|
|
if config == nil {
|
2018-09-15 19:07:24 +02:00
|
|
|
return nil, errors.New("route53: the configuration of the Route53 DNS provider is nil")
|
2018-07-18 17:37:35 +02:00
|
|
|
}
|
2017-07-17 21:50:53 +02:00
|
|
|
|
2020-02-01 13:10:40 +02:00
|
|
|
if config.Client != nil {
|
|
|
|
return &DNSProvider{client: config.Client, config: config}, nil
|
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
ctx := context.Background()
|
|
|
|
|
|
|
|
cfg, err := createAWSConfig(ctx, config)
|
2018-04-12 15:08:23 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-02-14 08:24:19 +02:00
|
|
|
|
2022-05-27 18:32:39 +02:00
|
|
|
return &DNSProvider{
|
2023-07-27 12:15:26 +02:00
|
|
|
client: route53.NewFromConfig(cfg),
|
2022-05-27 18:32:39 +02:00
|
|
|
config: config,
|
|
|
|
}, nil
|
2015-12-03 22:01:46 +02:00
|
|
|
}
|
|
|
|
|
2020-05-08 19:35:25 +02:00
|
|
|
// Timeout returns the timeout and interval to use when checking for DNS propagation.
|
2018-10-09 19:03:07 +02:00
|
|
|
func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
|
|
|
|
return d.config.PropagationTimeout, d.config.PollingInterval
|
2018-07-18 17:37:35 +02:00
|
|
|
}
|
|
|
|
|
2020-05-08 19:35:25 +02:00
|
|
|
// Present creates a TXT record using the specified parameters.
|
2018-10-09 19:03:07 +02:00
|
|
|
func (d *DNSProvider) Present(domain, token, keyAuth string) error {
|
2023-07-27 12:15:26 +02:00
|
|
|
ctx := context.Background()
|
2023-03-07 10:39:05 +02:00
|
|
|
info := dns01.GetChallengeInfo(domain, keyAuth)
|
2018-09-15 19:07:24 +02:00
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
hostedZoneID, err := d.getHostedZoneID(ctx, info.EffectiveFQDN)
|
2018-10-09 19:03:07 +02:00
|
|
|
if err != nil {
|
2020-02-27 20:14:46 +02:00
|
|
|
return fmt.Errorf("route53: failed to determine hosted zone ID: %w", err)
|
2018-10-09 19:03:07 +02:00
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
records, err := d.getExistingRecordSets(ctx, hostedZoneID, info.EffectiveFQDN)
|
2018-09-15 19:07:24 +02:00
|
|
|
if err != nil {
|
2020-02-27 20:14:46 +02:00
|
|
|
return fmt.Errorf("route53: %w", err)
|
2018-09-15 19:07:24 +02:00
|
|
|
}
|
2015-12-03 22:01:46 +02:00
|
|
|
|
2023-03-07 10:39:05 +02:00
|
|
|
realValue := `"` + info.Value + `"`
|
2018-09-15 19:07:24 +02:00
|
|
|
|
2018-10-09 19:03:07 +02:00
|
|
|
var found bool
|
|
|
|
for _, record := range records {
|
2024-12-05 20:49:13 +02:00
|
|
|
if ptr.Deref(record.Value) == realValue {
|
2018-10-09 19:03:07 +02:00
|
|
|
found = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !found {
|
2023-07-27 12:15:26 +02:00
|
|
|
records = append(records, awstypes.ResourceRecord{Value: aws.String(realValue)})
|
2018-10-09 19:03:07 +02:00
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
recordSet := &awstypes.ResourceRecordSet{
|
2023-03-07 10:39:05 +02:00
|
|
|
Name: aws.String(info.EffectiveFQDN),
|
2023-07-27 12:15:26 +02:00
|
|
|
Type: "TXT",
|
2018-10-09 19:03:07 +02:00
|
|
|
TTL: aws.Int64(int64(d.config.TTL)),
|
|
|
|
ResourceRecords: records,
|
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
err = d.changeRecord(ctx, awstypes.ChangeActionUpsert, hostedZoneID, recordSet)
|
2018-09-15 19:07:24 +02:00
|
|
|
if err != nil {
|
2020-02-27 20:14:46 +02:00
|
|
|
return fmt.Errorf("route53: %w", err)
|
2018-09-15 19:07:24 +02:00
|
|
|
}
|
2023-07-27 12:15:26 +02:00
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
return nil
|
2015-12-03 22:01:46 +02:00
|
|
|
}
|
|
|
|
|
2020-05-08 19:35:25 +02:00
|
|
|
// CleanUp removes the TXT record matching the specified parameters.
|
2018-10-09 19:03:07 +02:00
|
|
|
func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
|
2023-07-27 12:15:26 +02:00
|
|
|
ctx := context.Background()
|
2023-03-07 10:39:05 +02:00
|
|
|
info := dns01.GetChallengeInfo(domain, keyAuth)
|
2018-10-09 19:03:07 +02:00
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
hostedZoneID, err := d.getHostedZoneID(ctx, info.EffectiveFQDN)
|
2015-12-03 22:01:46 +02:00
|
|
|
if err != nil {
|
2020-02-27 20:14:46 +02:00
|
|
|
return fmt.Errorf("failed to determine Route 53 hosted zone ID: %w", err)
|
2015-12-03 22:01:46 +02:00
|
|
|
}
|
2016-03-26 05:34:31 +02:00
|
|
|
|
2023-07-27 20:56:40 +02:00
|
|
|
existingRecords, err := d.getExistingRecordSets(ctx, hostedZoneID, info.EffectiveFQDN)
|
2018-10-09 19:03:07 +02:00
|
|
|
if err != nil {
|
2020-02-27 20:14:46 +02:00
|
|
|
return fmt.Errorf("route53: %w", err)
|
2018-10-09 19:03:07 +02:00
|
|
|
}
|
|
|
|
|
2023-07-27 20:56:40 +02:00
|
|
|
if len(existingRecords) == 0 {
|
2018-10-09 19:03:07 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-07-27 20:56:40 +02:00
|
|
|
var nonLegoRecords []awstypes.ResourceRecord
|
|
|
|
for _, record := range existingRecords {
|
2024-12-05 20:49:13 +02:00
|
|
|
if ptr.Deref(record.Value) != `"`+info.Value+`"` {
|
2023-07-27 20:56:40 +02:00
|
|
|
nonLegoRecords = append(nonLegoRecords, record)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
action := awstypes.ChangeActionUpsert
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
recordSet := &awstypes.ResourceRecordSet{
|
2023-03-07 10:39:05 +02:00
|
|
|
Name: aws.String(info.EffectiveFQDN),
|
2023-07-27 12:15:26 +02:00
|
|
|
Type: "TXT",
|
2018-10-09 19:03:07 +02:00
|
|
|
TTL: aws.Int64(int64(d.config.TTL)),
|
2023-07-27 20:56:40 +02:00
|
|
|
ResourceRecords: nonLegoRecords,
|
2018-10-09 19:03:07 +02:00
|
|
|
}
|
|
|
|
|
2023-07-27 20:56:40 +02:00
|
|
|
// If the records are only records created by lego.
|
|
|
|
if len(nonLegoRecords) == 0 {
|
|
|
|
action = awstypes.ChangeActionDelete
|
|
|
|
|
|
|
|
recordSet.ResourceRecords = existingRecords
|
|
|
|
}
|
|
|
|
|
|
|
|
err = d.changeRecord(ctx, action, hostedZoneID, recordSet)
|
2018-10-09 19:03:07 +02:00
|
|
|
if err != nil {
|
2020-02-27 20:14:46 +02:00
|
|
|
return fmt.Errorf("route53: %w", err)
|
2018-10-09 19:03:07 +02:00
|
|
|
}
|
2023-07-27 20:56:40 +02:00
|
|
|
|
2018-10-09 19:03:07 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
func (d *DNSProvider) changeRecord(ctx context.Context, action awstypes.ChangeAction, hostedZoneID string, recordSet *awstypes.ResourceRecordSet) error {
|
2018-10-09 19:03:07 +02:00
|
|
|
recordSetInput := &route53.ChangeResourceRecordSetsInput{
|
2016-03-26 05:34:31 +02:00
|
|
|
HostedZoneId: aws.String(hostedZoneID),
|
2023-07-27 12:15:26 +02:00
|
|
|
ChangeBatch: &awstypes.ChangeBatch{
|
2016-03-26 05:34:31 +02:00
|
|
|
Comment: aws.String("Managed by Lego"),
|
2023-07-27 12:15:26 +02:00
|
|
|
Changes: []awstypes.Change{{
|
|
|
|
Action: action,
|
2018-10-09 19:03:07 +02:00
|
|
|
ResourceRecordSet: recordSet,
|
|
|
|
}},
|
2016-03-26 05:34:31 +02:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
resp, err := d.client.ChangeResourceRecordSets(ctx, recordSetInput)
|
2016-02-03 08:04:12 +02:00
|
|
|
if err != nil {
|
2020-02-27 20:14:46 +02:00
|
|
|
return fmt.Errorf("failed to change record set: %w", err)
|
2016-02-03 08:04:12 +02:00
|
|
|
}
|
|
|
|
|
2018-10-09 19:03:07 +02:00
|
|
|
changeID := resp.ChangeInfo.Id
|
2016-03-26 05:34:31 +02:00
|
|
|
|
2024-05-09 21:05:21 +02:00
|
|
|
if d.config.WaitForRecordSetsChanged {
|
|
|
|
return wait.For("route53", d.config.PropagationTimeout, d.config.PollingInterval, func() (bool, error) {
|
|
|
|
resp, err := d.client.GetChange(ctx, &route53.GetChangeInput{Id: changeID})
|
|
|
|
if err != nil {
|
|
|
|
return false, fmt.Errorf("failed to query change status: %w", err)
|
|
|
|
}
|
2018-10-09 19:03:07 +02:00
|
|
|
|
2024-05-09 21:05:21 +02:00
|
|
|
if resp.ChangeInfo.Status == awstypes.ChangeStatusInsync {
|
|
|
|
return true, nil
|
|
|
|
}
|
2018-10-09 19:03:07 +02:00
|
|
|
|
2024-12-05 20:49:13 +02:00
|
|
|
return false, fmt.Errorf("unable to retrieve change: ID=%s", ptr.Deref(changeID))
|
2024-05-09 21:05:21 +02:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
2015-12-03 22:01:46 +02:00
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
func (d *DNSProvider) getExistingRecordSets(ctx context.Context, hostedZoneID, fqdn string) ([]awstypes.ResourceRecord, error) {
|
2018-10-09 19:03:07 +02:00
|
|
|
listInput := &route53.ListResourceRecordSetsInput{
|
|
|
|
HostedZoneId: aws.String(hostedZoneID),
|
|
|
|
StartRecordName: aws.String(fqdn),
|
2023-07-27 12:15:26 +02:00
|
|
|
StartRecordType: "TXT",
|
2018-10-09 19:03:07 +02:00
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
recordSetsOutput, err := d.client.ListResourceRecordSets(ctx, listInput)
|
2018-10-09 19:03:07 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if recordSetsOutput == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
var records []awstypes.ResourceRecord
|
2018-10-09 19:03:07 +02:00
|
|
|
|
|
|
|
for _, recordSet := range recordSetsOutput.ResourceRecordSets {
|
2024-12-05 20:49:13 +02:00
|
|
|
if ptr.Deref(recordSet.Name) == fqdn {
|
2018-10-09 19:03:07 +02:00
|
|
|
records = append(records, recordSet.ResourceRecords...)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return records, nil
|
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
func (d *DNSProvider) getHostedZoneID(ctx context.Context, fqdn string) (string, error) {
|
2018-10-09 19:03:07 +02:00
|
|
|
if d.config.HostedZoneID != "" {
|
|
|
|
return d.config.HostedZoneID, nil
|
2017-07-17 21:50:53 +02:00
|
|
|
}
|
|
|
|
|
2018-12-06 23:50:17 +02:00
|
|
|
authZone, err := dns01.FindZoneByFqdn(fqdn)
|
2015-12-03 22:01:46 +02:00
|
|
|
if err != nil {
|
2023-05-05 09:49:38 +02:00
|
|
|
return "", fmt.Errorf("could not find zone for FQDN %q: %w", fqdn, err)
|
2015-12-03 22:01:46 +02:00
|
|
|
}
|
2016-01-22 19:50:18 +02:00
|
|
|
|
2016-03-26 05:34:31 +02:00
|
|
|
// .DNSName should not have a trailing dot
|
|
|
|
reqParams := &route53.ListHostedZonesByNameInput{
|
2018-12-06 23:50:17 +02:00
|
|
|
DNSName: aws.String(dns01.UnFqdn(authZone)),
|
2016-01-22 19:50:18 +02:00
|
|
|
}
|
2023-07-27 12:15:26 +02:00
|
|
|
resp, err := d.client.ListHostedZonesByName(ctx, reqParams)
|
2016-03-21 00:00:00 +02:00
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
2016-04-21 15:47:43 +02:00
|
|
|
var hostedZoneID string
|
|
|
|
for _, hostedZone := range resp.HostedZones {
|
|
|
|
// .Name has a trailing dot
|
2024-12-05 20:49:13 +02:00
|
|
|
if !hostedZone.Config.PrivateZone && ptr.Deref(hostedZone.Name) == authZone {
|
|
|
|
hostedZoneID = ptr.Deref(hostedZone.Id)
|
2016-04-21 15:47:43 +02:00
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-04 21:16:59 +02:00
|
|
|
if hostedZoneID == "" {
|
2018-09-15 19:07:24 +02:00
|
|
|
return "", fmt.Errorf("zone %s not found for domain %s", authZone, fqdn)
|
2015-12-03 22:01:46 +02:00
|
|
|
}
|
|
|
|
|
2021-07-12 09:27:49 +02:00
|
|
|
hostedZoneID = strings.TrimPrefix(hostedZoneID, "/hostedzone/")
|
2016-02-03 08:04:12 +02:00
|
|
|
|
2016-04-21 15:47:43 +02:00
|
|
|
return hostedZoneID, nil
|
2015-12-03 22:01:46 +02:00
|
|
|
}
|
2022-05-27 18:32:39 +02:00
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
func createAWSConfig(ctx context.Context, config *Config) (aws.Config, error) {
|
|
|
|
if err := createAWSConfigCheckParams(config); err != nil {
|
|
|
|
return aws.Config{}, err
|
|
|
|
}
|
|
|
|
|
|
|
|
optFns := []func(options *awsconfig.LoadOptions) error{
|
|
|
|
awsconfig.WithRetryer(func() aws.Retryer {
|
|
|
|
return retry.NewStandard(func(options *retry.StandardOptions) {
|
|
|
|
options.MaxAttempts = config.MaxRetries
|
|
|
|
|
|
|
|
// It uses a basic exponential backoff algorithm that returns an initial
|
|
|
|
// delay of ~400ms with an upper limit of ~30 seconds which should prevent
|
|
|
|
// causing a high number of consecutive throttling errors.
|
|
|
|
// For reference: Route 53 enforces an account-wide(!) 5req/s query limit.
|
|
|
|
options.Backoff = retry.BackoffDelayerFunc(func(attempt int, err error) (time.Duration, error) {
|
|
|
|
retryCount := attempt
|
|
|
|
if retryCount > 7 {
|
|
|
|
retryCount = 7
|
|
|
|
}
|
|
|
|
|
|
|
|
delay := (1 << uint(retryCount)) * (rand.Intn(50) + 200)
|
|
|
|
return time.Duration(delay) * time.Millisecond, nil
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}),
|
2023-01-16 00:50:35 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if config.AccessKeyID != "" && config.SecretAccessKey != "" {
|
2023-07-27 12:15:26 +02:00
|
|
|
optFns = append(optFns,
|
|
|
|
awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(config.AccessKeyID, config.SecretAccessKey, config.SessionToken)),
|
|
|
|
)
|
2023-01-16 00:50:35 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if config.Region != "" {
|
2023-07-27 12:15:26 +02:00
|
|
|
optFns = append(optFns, awsconfig.WithRegion(config.Region))
|
2023-01-16 00:50:35 +02:00
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
cfg, err := awsconfig.LoadDefaultConfig(ctx, optFns...)
|
2022-05-27 18:32:39 +02:00
|
|
|
if err != nil {
|
2023-07-27 12:15:26 +02:00
|
|
|
return aws.Config{}, err
|
2022-05-27 18:32:39 +02:00
|
|
|
}
|
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
if config.AssumeRoleArn != "" {
|
|
|
|
cfg.Credentials = stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), config.AssumeRoleArn, func(options *stscreds.AssumeRoleOptions) {
|
2023-05-26 22:26:40 +02:00
|
|
|
if config.ExternalID != "" {
|
2023-07-27 12:15:26 +02:00
|
|
|
options.ExternalID = &config.ExternalID
|
2023-05-26 22:26:40 +02:00
|
|
|
}
|
2023-07-27 12:15:26 +02:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
return cfg, nil
|
2022-05-27 18:32:39 +02:00
|
|
|
}
|
2023-01-16 00:50:35 +02:00
|
|
|
|
2023-07-27 12:15:26 +02:00
|
|
|
func createAWSConfigCheckParams(config *Config) error {
|
2023-01-16 00:50:35 +02:00
|
|
|
if config == nil {
|
|
|
|
return errors.New("config is nil")
|
|
|
|
}
|
|
|
|
|
|
|
|
switch {
|
|
|
|
case config.SessionToken != "" && config.AccessKeyID == "" && config.SecretAccessKey == "":
|
|
|
|
return errors.New("SessionToken must be supplied with AccessKeyID and SecretAccessKey")
|
|
|
|
|
|
|
|
case config.AccessKeyID == "" && config.SecretAccessKey != "" || config.AccessKeyID != "" && config.SecretAccessKey == "":
|
|
|
|
return errors.New("AccessKeyID and SecretAccessKey must be supplied together")
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|