Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS

aereal
September 08, 2018
Programming
2
390k

ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS

talked at builderscon tokyo 2018

aereal

September 08, 2018
Tweet

More Decks by aereal

See All by aereal
自動作曲入門 / introduction to programatic music composition
aereal
1
530k
はてなブログ タグとCDK / The epic of AWS CDK and Hatena Blog Tag
aereal
3
200k
はてなブログ タグの技術選択 / The technical details of Hatena Blog Tag
aereal
3
190k
AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS
aereal
14
16k
ScalaとPerlでMicroservices in production / Building microservices with Perl and Scala in production
aereal
0
4.9k
Scalaで自動作曲の練習 / A study of automatic composition in Scala
aereal
1
390k
Goで実装する軽量マークアップ言語パーサー / Gohn: parser written in Go
aereal
3
3.3k
Goで軽量マークアップ言語のパーサーを書く / Writing a parser with Go
aereal
0
980
はてなにおけるマイクロサービスとScala / Microservices and Scala at Hatena
aereal
6
33k

Other Decks in Programming

See All in Programming
Git Rebase
bkuhlmann
10
1.2k
Step Functions Distributed Map を使ってみた
codemountains
0
120
SwiftPMのPlugin入門 / introduction_to_swiftpm_plugin
uhooi
2
110
ITエンジニア特化型Q&Aサイトteratailを 言語、DB、クラウドなど フルリプレイスした話
leveragestech
0
460
ペパカレで入社した私が感じた2つのギャップと向き合い方
kosuke_ito
0
320
23年のJavaトレンドは?Quarkusで理解するコンテナネイティブJava
tatsuya1bm
1
140
[2023년 1월 세미나] 데이터 분석가 되면 어떤 일을 하나요?
datarian
0
650
量子コンピュータ時代のプログラミングセミナー / 20221222_Amplify_seminar _route_optimization
fixstars
0
250
Gradle build: The time is now
nonews
1
500
Spring BootとKubernetesで実現する今どきのDevOps入門
xblood
0
400
Makuakeの認証基盤とRe-Architectureチーム
bmf_san
0
640
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
130

Featured

See All Featured
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
10k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
Rebuilding a faster, lazier Slack
samanthasiow
69
7.6k
The Pragmatic Product Professional
lauravandoore
21
3.5k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
The World Runs on Bad Software
bkeepers
PRO
59
5.7k
Support Driven Design
roundedbygravity
88
8.9k
Fashionably flexible responsive web design (full day workshop)
malarkey
396
63k
A Philosophy of Restraint
colly
193
15k
A better future with KSS
kneath
230
16k
Creatively Recalculating Your Daily Design Routine
revolveconf
207
11k
Into the Great Unknown - MozCon
thekraken
2
300

Transcript

  1. ϒϩάαʔϏεͷ
 HTTPSԽΛࢧ͑ͨ
 AWSͰ࡞ΔϐλΰϥεΠον id:aereal

  2. staff.hatenablog.com/entry/2018/06/13/160000 ಠࣗυϝΠϯͰӡ༻͞Ε͍ͯΔϒϩά͕ɺ HTTPSͰ഑৴Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠

  3. None

  4. ࿩͢͜ͱ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ • എܠͱཁٻ • ࣮૷ͷ঺հ • ্هࣄྫΛݩʹෳࡶͳόον =

    ϐλΰϥεΠονߏஙͷ
 ΤοηϯεΛߟ͑ͯΈΔ

  5. ࣗݾ঺հ • id:aereal • GitHub: aereal • Twitter: aereal •

    ϒϩά౷߹νʔϜ
 ΞϓϦέʔγϣϯΤϯδχΞ
 ςοΫϦʔυ

  6. എܠ ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ

  7. • ͸ͯͳϒϩάPro (༗ྉϓϥϯ) ʹਃ͠ࠐΉͱ
 ಠࣗυϝΠϯͰࣗ෼ͷϒϩάΛ഑৴Ͱ͖Δ • ݱࡏɺສ୯ҐͷಠࣗυϝΠϯ͕ొ࿥ɾར༻͞Ε͍ͯΔ • ͜ΕΒͷಠࣗυϝΠϯͰ΋ৗ࣌HTTPS഑৴͍ͨ͠

  8. Let's Encrypt • ISRG = Internet Security Research Group͕ఏڙ͢Δ
 ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ

    (CA) • ͜Ε·ͰTLSূ໌ॻΛൃߦ͢Δʹ͸
 ͦͦ͜͜ͷֹۚͱख͕ؒඞཁ͕ͩͬͨɺͦΕΛม͑ͨCA • LEͷొ৔ʹΑΓTLSূ໌ॻͷେྔൃߦ͕ݱ࣮తʹͳͬͨ

  9. developer.hatenastaff.com/entry/2018/06/04/140000 ͸ͯͳϒϩάͷHTTPSԽ࣮ࢪʹ൐͍, Let's Encrypt΁ͷد෇Λ࣮ࢪ͠·ͨ͠
 - Hatena Developer Blog

  10. • LEͷొ৔͸࿕ใ͕ͩ͜Ε͚ͩͰ͸଍Γͳ͍ • ສ୯ҐͷTLSূ໌ॻΛ؅ཧ͢Δઓज़ɾઓུ͕͚͍ܽͯΔ • ഑৴ͱൃߦʹେ͖͘෼͚ͯΈΔ

  11. ཁ݅ͷݕ౼: ഑৴ ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ

  12. HTTPS഑৴: ͓͞Β͍ • ͸ͯͳϒϩάͰ͸ສ୯ҐͷಠࣗυϝΠϯ͕ར༻͞Ε͍ͯΔ • ҰൠతͳWebαΠτӡ༻ͷײ֮ͩͱφʔόε͗͢Δ • ສ୯Ґͷূ໌ॻΛҰ౓ʹಡΈࠐΉͱ
 proxyͷϝϞϦ࢖༻ྔ͕ஶ͘͠૿Ճ͢Δ •

    proxyͷ࠶ىಈʹ΋͕͔͔࣌ؒΔ

  13. SAN? • = Subject Alternative Names
 1ͭͷূ໌ॻʹෳ਺υϝΠϯΛඥ෇͚Δ֦ு • ݁࿦͔Βݴ͏ͱ͸ͯͳϒϩάͷέʔεͰ͸೉͍͠ •

    LEͰSANΛར༻͢Δ৔߹ɺACME challenge͸dns-01ͷΈ ར༻Ͱ͖Δ (ݱࡏ) • DNSઃఆ͸֤ϢʔβʔʹҕͶΒΕΔͷͰࣗಈԽͰ͖ͳ͍

  14. ACME? • ACME: Automated Certificate Management Environment • ূ໌ॻൃߦͳͲͷ࡞ۀΛ
 ࣗಈԽ͢ΔϓϩτίϧΛ·ͱΊͨ࢓༷

    • ACME challenge: υϝΠϯͷॴ༗ݖݶΛ֬ೝ͢Δํ๏ • Google AnalyticsͷΞϨΈ͍ͨͳ΍ͭ • LE͕ࡦఆɾ࠾༻͍ͯ͠Δ

  15. ACME challenge? • dns-01: υϝΠϯͷTXTϨίʔυʹϫϯλΠϜτʔΫϯΛॻ ͖ࠐΉ • http-01: CAͷϦΫΤετʹର͠ॴఆͷϨεϙϯεΛฦ͢ •

    ྫ: /.well-known/TOKEN • (ଞʹ΋͍Ζ͍Ζ)

  16. HTTPS഑৴: ͓͞Β͍ (࠶) • ͸ͯͳϒϩάͰ͸ສ୯ҐͷಠࣗυϝΠϯ͕ར༻͞Ε͍ͯΔ • ҰൠతͳWebαΠτӡ༻ͷײ֮ͩͱφʔόε͗͢Δ • ສ୯Ґͷূ໌ॻΛҰ౓ʹಡΈࠐΉͱ
 proxyͷϝϞϦ࢖༻ྔ͕ஶ͘͠૿Ճ͢Δ

    • proxyͷ࠶ىಈʹ΋͕͔͔࣌ؒΔ

  17. HTTPS഑৴: ํ਑ • ϦΫΤετຖʹ౎౓ূ໌ॻΛબ୒ɾಡΈࠐΉ • ϝϞϦ࢖༻ྔͷ૿Ճ΍࠶ىಈ࣌ؒͷѱԽΛ཈͑Δ • ෳ਺୆proxyʹରԠ͢ΔͨΊσʔλετΞʹূ໌ॻΛอଘ • ͔͠΋ϨΠςϯγΛѱԽͤͣ͞ʹ࣮ݱ͢Δ

    • ϩʔΧϧΩϟογϡ

  18. ཁ݅ͷݕ౼:ൃߦ ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ

  19. ূ໌ॻൃߦ • Ұ؏ੑɾ໢ཏੑ͕ٻΊΒΕΔ • ൃߦʹࣦഊ͠ଓ͚Δͱϒϩά͕ӾཡͰ͖ͳ͘ͳΔ • ແޮͳυϝΠϯΛ์ஔͯ͠΋͍͚ͳ͍ • ཁٻ͸ߴ͍͕ෆ࣮֬ੑ͸ߴ͍ •

    ূ໌ॻΛߋ৽͢ΔࡍɺυϝΠϯ਺ʹର͠εέʔϧ͢Δ͜ͱ

  20. ແޮͳυϝΠϯͷ࡟আ • ແޮͳυϝΠϯ = ඞͣACME challengeʹࣦഊ͢Δ • LEʹ͸ΞΧ΢ϯτ * time

    window͝ͱʹࣦഊͷ্ݶ͕͋Δ • ์ஔ͢ΔͱඞͣAPI limitʹ͋ͨͬͯ͠·͏ • ࣦഊͨ͠υϝΠϯ͸ඞͣ࡟আ

  21. ূ໌ॻൃߦ: ෆ࣮֬ੑ • υϝΠϯͷ༗ޮੑ͸มΘΓ͏Δ • ՝ۚऴྃ • DNSϨίʔυҟৗ • ֎෦API

    = LEͱͷ౷߹ • API Limit • ద੾ͳϦτϥΠͱΤϥʔϦΧόϦ͕ඞਢ

  22. ূ໌ॻൃߦ: εέʔϥϏϦςΟ • ର৅υϝΠϯ਺ͷ૿Ճʹର͠εέʔϧ͢Δ࢓૊Έʹ͍ͨ͠ • SELECT * FROM custom_domain WHERE

    id > ?
 Έ͍ͨͳΫΤϦ͸ආ͚͍ͨ • υϝΠϯ਺͕૿͑Δͱϖʔδϯά͕ඞཁ • ࣮ߦ్தͰࣦഊͨ͠ΒɺϦτϥΠΩϡʔʹೖΕ௚͢Α͏ ͳ޻෉ΛڽΒ͞ͳ͍ͱ͍͚ͳ͘ͳΔ

  23. γεςϜͷཁ݅: ·ͱΊ • ϦΫΤετຖʹূ໌ॻΛऔಘɾ࢖༻ • Ͱ͖Δ͚ͩ௿ϨΠςϯγͰ • Τϥʔ଱ੑ͕ߴ͍ • ࣦഊͨ͠Βऔಘର৅ͷυϝΠϯ͔Β֎͢

    • ֎෦API௨৴ͷΤϥʔΛద੾ʹॲཧͰ͖Δ • υϝΠϯ਺ͷ૿Ճʹεέʔϧ͢Δ

  24. γεςϜͷ঺հ ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ

  25. cert-dispatcher cert-cache-gw cert-store cert-cache User Blog HTTP ssl_handshake_handler HTTP Get/Set

    Get ഑৴

  26. ഑৴γεςϜ • ngx_mruby: ূ໌ॻಡΈࠐΈ࣌ʹmrubyͷίʔυΛ࣮ߦ • cache gateway΁HTTP GET͢Δ͚ͩ • https://github.com/matsumotory/ngx_mruby

    • cache gateway (Go): HTTP GET͢Δͱূ໌ॻΛฦ͢ • DynamoDB: ূ໌ॻΛอଘ͢ΔσʔλετΞ

  27. cache gateway • AWS (DynamoDB) APIݺͼग़͠ΛHTTP APIʹม͑Δ • mrubyʹ͸AWS SDK͕ͳ͍

    • ಉډ͢Δmemcachedʹ΋ಡΈॻ͖͠ɺ
 DynamoDB΁ͷΞΫηεΛͰ͖Δ͚ͩݮΒ͢

  28. cert-dispatcher cert-cache-gw cert-store cert-cache User Blog HTTP ssl_handshake_handler HTTP Get/Set

    Get ഑৴

  29. cert-dispatcher cert-cache-gw cert-store cert-cache User Blog HTTP ssl_handshake_handler HTTP Get/Set

    Get ഑৴

  30. cert-dispatcher cert-cache-gw cert-store cert-cache User Blog HTTP ssl_handshake_handler HTTP Get/Set

    Get ഑৴

  31. cert-dispatcher cert-cache-gw cert-store cert-cache User Blog HTTP ssl_handshake_handler HTTP Get/Set

    Get ഑৴

  32. cert-dispatcher cert-cache-gw cert-store cert-cache User Blog HTTP ssl_handshake_handler HTTP Get/Set

    Get ഑৴

  33. ഑৴γεςϜ • ngx_mrubyΛ࢖ͬͯϦΫΤετຖʹূ໌ॻΛऔಘͰ͖ͨ • proxyʹಉډͨ͠memcachedΛ࢖͏͜ͱͰ
 DynamoDB΁ͷϦΫΤετΛݮΒ͠ϨΠςϯγΛԼ͛ͨ

  34. cert-updater-state cert-updater-function cert-update-notifier Let's Encrypt cert-store cert-lifecycle-store Blog HTTP HTTP

    ࣮ߦ ࣮ߦ UpdateItem UpdateItem ূ໌ॻൃߦ ࣮ߦ ূ໌ॻൃߦ

  35. ূ໌ॻൃߦγεςϜ • cert-updater-state: AWS StepFunctions; ֤LambdaΛىಈ • Τϥʔ಺༰ʹԠͨ͡ϦΧόϦɾϦτϥΠ (ޙड़) •

    cert-updater-function: AWS Lambda; ূ໌ॻΛൃߦɺ DynamoDB΁ॻ͖ࠐΈ • cert-update-notifier: Lambda; ੒൱Λ͸ͯͳϒϩά΁௨஌
  36. None
  37. None

  38. cert-updater-state cert-updater-function cert-update-notifier Let's Encrypt cert-store cert-lifecycle-store Blog HTTP HTTP

    ࣮ߦ ࣮ߦ UpdateItem UpdateItem ূ໌ॻൃߦ ࣮ߦ ূ໌ॻൃߦ

  39. cert-updater-state cert-updater-function cert-update-notifier Let's Encrypt cert-store cert-lifecycle-store Blog HTTP HTTP

    ࣮ߦ ࣮ߦ UpdateItem UpdateItem ূ໌ॻൃߦ ࣮ߦ ূ໌ॻൃߦ

  40. cert-updater-state cert-updater-function cert-update-notifier Let's Encrypt cert-store cert-lifecycle-store Blog HTTP HTTP

    ࣮ߦ ࣮ߦ UpdateItem UpdateItem ূ໌ॻൃߦ ࣮ߦ ূ໌ॻൃߦ

  41. cert-updater-state cert-updater-function cert-update-notifier Let's Encrypt cert-store cert-lifecycle-store Blog HTTP HTTP

    ࣮ߦ ࣮ߦ UpdateItem UpdateItem ূ໌ॻൃߦ ࣮ߦ ূ໌ॻൃߦ

  42. cert-updater-state cert-updater-function cert-update-notifier Let's Encrypt cert-store cert-lifecycle-store Blog HTTP HTTP

    ࣮ߦ ࣮ߦ UpdateItem UpdateItem ূ໌ॻൃߦ ࣮ߦ ূ໌ॻൃߦ

  43. cert-updater-state cert-updater-function cert-update-notifier Let's Encrypt cert-store cert-lifecycle-store Blog HTTP HTTP

    ࣮ߦ ࣮ߦ UpdateItem UpdateItem ূ໌ॻൃߦ ࣮ߦ ূ໌ॻൃߦ

  44. AWS SFn: ϦτϥΠ "Retry": [ { "ErrorEquals": ["ErrMaybeRecoverable"], "IntervalSeconds": 1,

    "MaxAttempts": 3, "BackoffRate": 2.0 } ], "Catch": [ { "ErrorEquals": ["States.TaskFailed"], "Next": "Notify result to Hatena-Epic" } ],

  45. AWS SFn: ϦτϥΠ "Retry": [ { "ErrorEquals": ["ErrMaybeRecoverable"], "IntervalSeconds": 1,

    "MaxAttempts": 3, "BackoffRate": 2.0 } ], "Catch": [ { "ErrorEquals": ["States.TaskFailed"], "Next": "Notify result to Hatena-Epic" } ],

  46. AWS SFn: ϦτϥΠ "Retry": [ { "ErrorEquals": ["ErrMaybeRecoverable"], "IntervalSeconds": 1,

    "MaxAttempts": 3, "BackoffRate": 2.0 } ], "Catch": [ { "ErrorEquals": ["States.TaskFailed"], "Next": "Notify result to Hatena-Epic" } ],

  47. AWS SFn: ϦτϥΠ "Retry": [ { "ErrorEquals": ["ErrMaybeRecoverable"], "IntervalSeconds": 1,

    "MaxAttempts": 3, "BackoffRate": 2.0 } ], "Catch": [ { "ErrorEquals": ["States.TaskFailed"], "Next": "Notify result to Hatena-Epic" } ],

  48. ূ໌ॻൃߦγεςϜ • AWS StepFunctionsΛ࢖ͬͯద੾ͳΤϥʔॲཧΛ࣮ݱ • Ϧιʔε্ݶʹୡ͢ΔͳͲ
 ҟৗऴྃͨ࣌͠͸ଈ࠲ʹ݁ՌΛ௨஌ • APIݺͼग़ࣦ͠ഊͳͲϦτϥΠՄೳͳ࣌͸ϦτϥΠ

  49. cert-reissue-state cert-reissue-confirmer cert-updater-state-caller cert-cleanup-function Blog cert-lifecycle-store cert-update-trigger cert-updater-state cert-store ࣮ߦ

    ࣮ߦ ࣮ߦ ࣮ߦ ࣮ߦ HTTP TTL Trigger DeleteItem ূ໌ॻൃߦ
 (ߋ৽)

  50. ূ໌ॻൃߦ: ߋ৽ • DynamoDBͷTTL Trigger͕Lambdaܦ༝ͰSFnΛىಈ • cert-reissue-confirmer: ͸ͯͳϒϩάʹυϝΠϯ༗ޮੑΛ໰ ͍߹Θͤͯɺߋ৽͢Δඞཁ͕͋Δ͔Λޙଓʹ఻͑Δ •

    cert-cleanup-function: ແޮͳυϝΠϯΛDynamoDB͔Βফ ͢

  51. cert-lifecycle-store
 (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  52. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  53. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  54. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

  55. cert-lifecycle-store
 (DynamoDB)

  56. publish SELECT * FROM ... ࣮ߦ

  57. Τϥʔॲཧ͕؆ܿʹ • όονॲཧͩͱ: औಘͨ͠ෳ਺ͷυϝΠϯΛϧʔϓͰॲཧ • = ॲཧ୯Ґ͕ෳ਺υϝΠϯʹͳΔ • Ұ෦ͷυϝΠϯ͕ࣦഊͨ࣌͠ɺόονॲཧશମͷ
 εςʔλε͸Ͳ͏͢Δ?

    ੒ޭ? ࣦഊ? • pub/subͩͱ: Ҿ਺ͱͯ͠౉ͬͨυϝΠϯ1ͭΛॲཧ͢Δ • = ॲཧ୯Ґ͕υϝΠϯ1ͭʹͳΔ

  58. cert-reissue-state cert-reissue-confirmer cert-updater-state-caller cert-cleanup-function Blog cert-lifecycle-store cert-update-trigger cert-updater-state cert-store ࣮ߦ

    ࣮ߦ ࣮ߦ ࣮ߦ ࣮ߦ HTTP TTL Trigger DeleteItem ূ໌ॻൃߦ
 (ߋ৽)

  59. cert-reissue-state cert-reissue-confirmer cert-updater-state-caller cert-cleanup-function Blog cert-lifecycle-store cert-update-trigger cert-updater-state cert-store ࣮ߦ

    ࣮ߦ ࣮ߦ ࣮ߦ ࣮ߦ HTTP TTL Trigger DeleteItem ূ໌ॻൃߦ
 (ߋ৽)

  60. cert-reissue-state cert-reissue-confirmer cert-updater-state-caller cert-cleanup-function Blog cert-lifecycle-store cert-update-trigger cert-updater-state cert-store ࣮ߦ

    ࣮ߦ ࣮ߦ ࣮ߦ ࣮ߦ HTTP TTL Trigger DeleteItem ূ໌ॻൃߦ
 (ߋ৽)

  61. cert-reissue-state cert-reissue-confirmer cert-updater-state-caller cert-cleanup-function Blog cert-lifecycle-store cert-update-trigger cert-updater-state cert-store ࣮ߦ

    ࣮ߦ ࣮ߦ ࣮ߦ ࣮ߦ HTTP TTL Trigger DeleteItem ূ໌ॻൃߦ
 (ߋ৽)

  62. cert-reissue-state cert-reissue-confirmer cert-updater-state-caller cert-cleanup-function Blog cert-lifecycle-store cert-update-trigger cert-updater-state cert-store ࣮ߦ

    ࣮ߦ ࣮ߦ ࣮ߦ ࣮ߦ HTTP TTL Trigger DeleteItem ূ໌ॻൃߦ
 (ߋ৽)

  63. cert-reissue-state cert-reissue-confirmer cert-updater-state-caller cert-cleanup-function Blog cert-lifecycle-store cert-update-trigger cert-updater-state cert-store ࣮ߦ

    ࣮ߦ ࣮ߦ ࣮ߦ ࣮ߦ HTTP TTL Trigger DeleteItem ূ໌ॻൃߦ
 (ߋ৽)

  64. cert-reissue-state cert-reissue-confirmer cert-updater-state-caller cert-cleanup-function Blog cert-lifecycle-store cert-update-trigger cert-updater-state cert-store ࣮ߦ

    ࣮ߦ ࣮ߦ ࣮ߦ ࣮ߦ HTTP TTL Trigger DeleteItem ূ໌ॻൃߦ
 (ߋ৽)

  65. cert-reissue-state cert-reissue-confirmer cert-updater-state-caller cert-cleanup-function Blog cert-lifecycle-store cert-update-trigger cert-updater-state cert-store ࣮ߦ

    ࣮ߦ ࣮ߦ ࣮ߦ ࣮ߦ HTTP TTL Trigger DeleteItem ূ໌ॻൃߦ
 (ߋ৽)

  66. cert-reissue-state "Determine next state": { "Comment": "࣍ͷঢ়ଶΛܾఆ͠·͢", "Type": "Choice", "Choices":

    [ { "Variable": "$.UpdateRequired", "BooleanEquals": true, "Next": "Call reissue of certificate" }, { "Variable": "$.UpdateRequired", "BooleanEquals": false, "Next": "Clean up of certificate" } ] },

  67. cert-reissue-state "Determine next state": { "Comment": "࣍ͷঢ়ଶΛܾఆ͠·͢", "Type": "Choice", "Choices":

    [ { "Variable": "$.UpdateRequired", "BooleanEquals": true, "Next": "Call reissue of certificate" }, { "Variable": "$.UpdateRequired", "BooleanEquals": false, "Next": "Clean up of certificate" } ] },

  68. cert-reissue-state "Determine next state": { "Comment": "࣍ͷঢ়ଶΛܾఆ͠·͢", "Type": "Choice", "Choices":

    [ { "Variable": "$.UpdateRequired", "BooleanEquals": true, "Next": "Call reissue of certificate" }, { "Variable": "$.UpdateRequired", "BooleanEquals": false, "Next": "Clean up of certificate" } ] },

  69. ূ໌ॻߋ৽γεςϜ • σʔλϑϩʔΛpub/subͰγϯϓϧʹ • ॳճൃߦ΋ߋ৽࣌΋DynamoDBͷI/O͚͕ͩൃੜ͢Δ • DynamoDB TTL TriggerΛ׆༻ •

    ঢ়ଶ = σʔλΛதԝʹू໿

  70. ࠶ܝ: ഑৴γεςϜ • ngx_mrubyΛ࢖ͬͯϦΫΤετຖʹূ໌ॻΛऔಘͰ͖ͨ • proxyʹಉډͨ͠memcachedΛ࢖͏͜ͱͰ
 DynamoDB΁ͷϦΫΤετΛݮΒ͠ϨΠςϯγΛԼ͛ͨ

  71. ࠶ܝ: ূ໌ॻൃߦγεςϜ • AWS StepFunctionsΛ࢖ͬͯద੾ͳΤϥʔॲཧΛͰ͖ͨ • Ϧιʔε্ݶʹୡ͢ΔͳͲ
 ҟৗऴྃͨ࣌͠͸ଈ࠲ʹ݁ՌΛ௨஌ • APIݺͼग़ࣦ͠ഊͳͲϦτϥΠՄೳͳ࣌͸ϦτϥΠ

  72. ߟ࡯ ϐλΰϥεΠονͷ࡞Γํ

  73. ڊେͳόονͷ೉͠͞ • ࣮ߦεςοϓશ༰Λ೺Ѳ͢Δ͜ͱͷ೉͠͞ • શମͰεςοϓ͕͜Ε͚ͩ͋Δ • Ͳ͜ͷεςοϓͰࣦഊͨ͠ͷ͔ • ॲཧ୯Ґ͕େ͖͘ͳΓ͕ͪ •

    ඞવͱ࣮ߦ࣌ؒ΋௕Ҿ͖͕ͪ • Ұ෦͚ࣦͩഊͨ࣌͠ɺ࣮ߦͷঢ়ଶ͸੒ޭ? ࣦഊ?

  74. ΅͘ͷ͔Μ͕͍͖͑ͨ͞ΐ͏ ͷϐλΰϥεΠον • ϫʔΫϑϩʔΤϯδϯͷಋೖ • ࣮ߦεςοϓશ༰Λ೺Ѳ͠΍͘͢ • ͦΕͱߴ౓ʹ౷߹͞Εͨόον࣮ߦ؀ڥ͕͋Δͱͳ͓Α͍ • pub/subϞσϧͰର৅σʔλͷ૿Ճʹର͠εέʔϧͤ͞Δ

    • ॲཧ͢Δσʔλ୯ҐΛෳ਺ˠ1ͭ΁ • ͍ͭͰʹσʔλετΞ΁ঢ়ଶ͕ڽू͞ΕΔ

  75. ෼ׂ౷࣏ • খ͞ͳؔ਺΍ΫϥεΛ࡞ΓɺͦΕΒΛ૊Έ߹ΘͤΔ͜ͱΛ ීஈ͔Βҙࣝͯ͠΍͍ͬͯΔ͸ͣ • ʹ΋ؔΘΒͣόον͕ڊେʹͳΓ͕ͪͳͷ͸ͳͥͳͷ͔? • ύϑΥʔϚϯε • ߹੒Մೳ

    (composable) Ͱ͸ͳ͍

  76. ෼ׂ౷࣏ • খ͞ͳؔ਺΍ΫϥεΛ࡞ΓɺͦΕΒΛ૊Έ߹ΘͤΔ͜ͱΛ ීஈ͔Βҙࣝͯ͠΍͍ͬͯΔ͸ͣ • ʹ΋ؔΘΒͣόον͕ڊେʹͳΓ͕ͪͳͷ͸ͳͥͳͷ͔? • ύϑΥʔϚϯε • ߹੒Մೳ

    (composable) Ͱ͸ͳ͍

  77. ߹੒ՄೳΛࢧ͑Δٕज़ • 2ͭͷεςοϓͷ௚ྻ࣮ߦΛೋ߲ԋࢉͱΈͳͯ͠ΈΔ • operand: ੹೚ൣғ͕খ͍͜͞ͱ • operator: ༷ʑͳ๏ଇΛຬͨ͢͜ͱ •

    ݁߹ଇɺ෼഑ଇ

  78. ہॴঢ়ଶΛ࣋ͨͳ͍ • ঢ়ଶ = มߋՄೳͳσʔλ • άϩʔόϧʹͨͩ1ͭͷঢ়ଶΛ࣋ͭ͜ͱ͕େࣄ • Ճ͑ͯঢ়ଶΛมߋ͢Δཁૉ͕୯ҰͰ͋Δ͜ͱ

  79. άϩʔόϧม਺? • άϩʔόϧม਺͸ѱͱ͍͏ߟ͑ํͱ൓͠ͳ͍͔?
 → ͠ͳ͍ • ঢ়ଶΛมߋ͢Δཁૉ͕୯ҰͳΒɺ
 ֤࣮ߦεςοϓ͸ঢ়ଶΛड͚औͬͯ৽ͨͳσʔλΛฦ͢
 ؔ਺ͱΈͳͤΔ

  80. // ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ { "domain": "www.example.com", "endpoint": "https://...." } // ͋Δόονͷೖྗ

    { "domain": "www.example.com" }

  81. // ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ { "domain": "www.example.com", "endpoint": "https://...." } // ͋Δόονͷೖྗ

    { "domain": "www.example.com" } άϩʔόϧঢ়ଶΛҾ਺΁ม׵͢Δ
 (όον͔Βͷมߋ͸ෆՄ)

  82. // ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ { "updateRequired": true, "domain": "www.example.com", "endpoint": "https://...." }

    // ͋Δόονͷग़ྗ { "updateRequired": true }

  83. // ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ { "updateRequired": true, "domain": "www.example.com", "endpoint": "https://...." }

    // ͋Δόονͷग़ྗ { "updateRequired": true } όονͷग़ྗΛάϩʔόϧͳঢ়ଶ΁ม׵
 (౰વɺग़ྗ͸ޙ͔ΒมߋෆՄ)

  84. όονॲཧͷ߹੒ • operand: ֤εςοϓ • operator: ϫʔΫϑϩʔΤϯδϯ

  85. όονॲཧͷ߹੒ • operand: ֤εςοϓ; AWS Lambda • operator: ϫʔΫϑϩʔΤϯδϯ; AWS

    StepFunctions

  86. ΅͘ͷ͔Μ͕͍͖͑ͨ͞ΐ͏ͷ ϐλΰϥεΠον@͸ͯͳϒϩά • ϫʔΫϑϩʔΤϯδϯ: AWS StepFunctions • ……ͱͦΕΒ͔Β࣮ߦ͞ΕΔAWS Lambda •

    pub/sub: DynamoDB TTL Trigger

  87. ࠶: ΅͘ͷ͔Μ͕͍͖͑ͨ͞ΐ͏ ͷϐλΰϥεΠον • ϫʔΫϑϩʔΤϯδϯͷಋೖ • ࣮ߦεςοϓશ༰Λ೺Ѳ͠΍͘͢ • ͦΕͱߴ౓ʹ౷߹͞Εͨόον࣮ߦ؀ڥ͕͋Δͱͳ͓Α͍ •

    pub/subϞσϧͰର৅σʔλͷ૿Ճʹର͠εέʔϧͤ͞Δ • ॲཧ͢Δσʔλ୯ҐΛෳ਺ˠ1ͭ΁ • ͍ͭͰʹσʔλετΞ΁ঢ়ଶ͕ڽू͞ΕΔ

  88. ·ͱΊ

  89. ·ͱΊ • ιϑτ΢ΣΞߏஙҰൠͷݪଇ͕࢖͑Δ • άϩʔόϧͳঢ়ଶΛ࣋ͨͳ͍ɾม͑ͳ͍ɾ࣋ͪࠐ·ͤͳ͍ • ॲཧ୯ҐΛͰ͖Δ͚ͩখ͘͞ɺࣦഊΛ೺Ѳ͠΍͘͢ • ͜ΕΒΛ࣮ݱ͢ΔͨΊͷҰྫͱͯ͠ •

    ϫʔΫϑϩʔΤϯδϯ: AWS StepFunctions • pub/subΛαϙʔτ͢ΔσʔλετΞ: DynamoDB

  90. ׬