ブログサービスのHTTPS化を支えたAWSで作るピタゴラスイッチ / The construction of large scale TLS certificates management system with AWS

Transcript

1. ϒϩάαʔϏεͷ

   HTTPSԽΛࢧ͑ͨ

   AWSͰ࡞ΔϐλΰϥεΠον
   id:aereal
   

   View Slide

2. staff.hatenablog.com/entry/2018/06/13/160000
   ಠࣗυϝΠϯͰӡ༻͞Ε͍ͯΔϒϩά͕ɺ
   HTTPSͰ഑৴Ͱ͖ΔΑ͏ʹͳΓ·ͨ͠
   

   View Slide

3. View Slide

4. ࿩͢͜ͱ
   • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ
   
   • എܠͱཁٻ
   
   • ࣮૷ͷ঺հ
   
   • ্هࣄྫΛݩʹෳࡶͳόον = ϐλΰϥεΠονߏஙͷ

   ΤοηϯεΛߟ͑ͯΈΔ
   

   View Slide

5. ࣗݾ঺հ
   • id:aereal
   
   • GitHub: aereal
   
   • Twitter: aereal
   
   • ϒϩά౷߹νʔϜ

   ΞϓϦέʔγϣϯΤϯδχΞ

   ςοΫϦʔυ
   

   View Slide

6. എܠ
   ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ
   

   View Slide

7. • ͸ͯͳϒϩάPro (༗ྉϓϥϯ) ʹਃ͠ࠐΉͱ

   ಠࣗυϝΠϯͰࣗ෼ͷϒϩάΛ഑৴Ͱ͖Δ
   
   • ݱࡏɺສ୯ҐͷಠࣗυϝΠϯ͕ొ࿥ɾར༻͞Ε͍ͯΔ
   
   • ͜ΕΒͷಠࣗυϝΠϯͰ΋ৗ࣌HTTPS഑৴͍ͨ͠
   

   View Slide

8. Let's Encrypt
   • ISRG = Internet Security Research Group͕ఏڙ͢Δ

   ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA)
   
   • ͜Ε·ͰTLSূ໌ॻΛൃߦ͢Δʹ͸

   ͦͦ͜͜ͷֹۚͱख͕ؒඞཁ͕ͩͬͨɺͦΕΛม͑ͨCA
   
   • LEͷొ৔ʹΑΓTLSূ໌ॻͷେྔൃߦ͕ݱ࣮తʹͳͬͨ
   

   View Slide

9. developer.hatenastaff.com/entry/2018/06/04/140000
   ͸ͯͳϒϩάͷHTTPSԽ࣮ࢪʹ൐͍, Let's
   Encrypt΁ͷد෇Λ࣮ࢪ͠·ͨ͠

   - Hatena Developer Blog
   

   View Slide

10. 
    • LEͷొ৔͸࿕ใ͕ͩ͜Ε͚ͩͰ͸଍Γͳ͍
    
    • ສ୯ҐͷTLSূ໌ॻΛ؅ཧ͢Δઓज़ɾઓུ͕͚͍ܽͯΔ
    
    • ഑৴ͱൃߦʹେ͖͘෼͚ͯΈΔ
    

    View Slide

11. ཁ݅ͷݕ౼: ഑৴
    ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ
    

    View Slide

12. HTTPS഑৴: ͓͞Β͍
    • ͸ͯͳϒϩάͰ͸ສ୯ҐͷಠࣗυϝΠϯ͕ར༻͞Ε͍ͯΔ
    
    • ҰൠతͳWebαΠτӡ༻ͷײ֮ͩͱφʔόε͗͢Δ
    • ສ୯Ґͷূ໌ॻΛҰ౓ʹಡΈࠐΉͱ

    proxyͷϝϞϦ࢖༻ྔ͕ஶ͘͠૿Ճ͢Δ
    
    • proxyͷ࠶ىಈʹ΋͕͔͔࣌ؒΔ
    

    View Slide

13. SAN?
    • = Subject Alternative Names

    1ͭͷূ໌ॻʹෳ਺υϝΠϯΛඥ෇͚Δ֦ு
    
    • ݁࿦͔Βݴ͏ͱ͸ͯͳϒϩάͷέʔεͰ͸೉͍͠
    • LEͰSANΛར༻͢Δ৔߹ɺACME challenge͸dns-01ͷΈ
    ར༻Ͱ͖Δ (ݱࡏ)
    
    • DNSઃఆ͸֤ϢʔβʔʹҕͶΒΕΔͷͰࣗಈԽͰ͖ͳ͍
    

    View Slide

14. ACME?
    • ACME: Automated Certificate Management Environment
    
    • ূ໌ॻൃߦͳͲͷ࡞ۀΛ

    ࣗಈԽ͢ΔϓϩτίϧΛ·ͱΊͨ࢓༷
    
    • ACME challenge: υϝΠϯͷॴ༗ݖݶΛ֬ೝ͢Δํ๏
    
    • Google AnalyticsͷΞϨΈ͍ͨͳ΍ͭ
    
    • LE͕ࡦఆɾ࠾༻͍ͯ͠Δ
    

    View Slide

15. ACME challenge?
    • dns-01: υϝΠϯͷTXTϨίʔυʹϫϯλΠϜτʔΫϯΛॻ
    ͖ࠐΉ
    
    • http-01: CAͷϦΫΤετʹର͠ॴఆͷϨεϙϯεΛฦ͢
    
    • ྫ: /.well-known/TOKEN
    
    • (ଞʹ΋͍Ζ͍Ζ)
    

    View Slide

16. HTTPS഑৴: ͓͞Β͍ (࠶)
    • ͸ͯͳϒϩάͰ͸ສ୯ҐͷಠࣗυϝΠϯ͕ར༻͞Ε͍ͯΔ
    
    • ҰൠతͳWebαΠτӡ༻ͷײ֮ͩͱφʔόε͗͢Δ
    • ສ୯Ґͷূ໌ॻΛҰ౓ʹಡΈࠐΉͱ

    proxyͷϝϞϦ࢖༻ྔ͕ஶ͘͠૿Ճ͢Δ
    
    • proxyͷ࠶ىಈʹ΋͕͔͔࣌ؒΔ
    

    View Slide

17. HTTPS഑৴: ํ਑
    • ϦΫΤετຖʹ౎౓ূ໌ॻΛબ୒ɾಡΈࠐΉ
    
    • ϝϞϦ࢖༻ྔͷ૿Ճ΍࠶ىಈ࣌ؒͷѱԽΛ཈͑Δ
    
    • ෳ਺୆proxyʹରԠ͢ΔͨΊσʔλετΞʹূ໌ॻΛอଘ
    
    • ͔͠΋ϨΠςϯγΛѱԽͤͣ͞ʹ࣮ݱ͢Δ
    
    • ϩʔΧϧΩϟογϡ
    

    View Slide

18. ཁ݅ͷݕ౼:ൃߦ
    ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ
    

    View Slide

19. ূ໌ॻൃߦ
    • Ұ؏ੑɾ໢ཏੑ͕ٻΊΒΕΔ
    
    • ൃߦʹࣦഊ͠ଓ͚Δͱϒϩά͕ӾཡͰ͖ͳ͘ͳΔ
    
    • ແޮͳυϝΠϯΛ์ஔͯ͠΋͍͚ͳ͍
    
    • ཁٻ͸ߴ͍͕ෆ࣮֬ੑ͸ߴ͍
    
    • ূ໌ॻΛߋ৽͢ΔࡍɺυϝΠϯ਺ʹର͠εέʔϧ͢Δ͜ͱ
    

    View Slide

20. ແޮͳυϝΠϯͷ࡟আ
    • ແޮͳυϝΠϯ = ඞͣACME challengeʹࣦഊ͢Δ
    
    • LEʹ͸ΞΧ΢ϯτ * time window͝ͱʹࣦഊͷ্ݶ͕͋Δ
    
    • ์ஔ͢ΔͱඞͣAPI limitʹ͋ͨͬͯ͠·͏
    • ࣦഊͨ͠υϝΠϯ͸ඞͣ࡟আ
    

    View Slide

21. ূ໌ॻൃߦ: ෆ࣮֬ੑ
    • υϝΠϯͷ༗ޮੑ͸มΘΓ͏Δ
    
    • ՝ۚऴྃ
    
    • DNSϨίʔυҟৗ
    
    • ֎෦API = LEͱͷ౷߹
    
    • API Limit
    
    • ద੾ͳϦτϥΠͱΤϥʔϦΧόϦ͕ඞਢ
    

    View Slide

22. ূ໌ॻൃߦ: εέʔϥϏϦςΟ
    • ର৅υϝΠϯ਺ͷ૿Ճʹର͠εέʔϧ͢Δ࢓૊Έʹ͍ͨ͠
    
    • SELECT * FROM custom_domain WHERE id > ?

    Έ͍ͨͳΫΤϦ͸ආ͚͍ͨ
    
    • υϝΠϯ਺͕૿͑Δͱϖʔδϯά͕ඞཁ
    
    • ࣮ߦ్தͰࣦഊͨ͠ΒɺϦτϥΠΩϡʔʹೖΕ௚͢Α͏
    ͳ޻෉ΛڽΒ͞ͳ͍ͱ͍͚ͳ͘ͳΔ
    

    View Slide

23. γεςϜͷཁ݅: ·ͱΊ
    • ϦΫΤετຖʹূ໌ॻΛऔಘɾ࢖༻
    
    • Ͱ͖Δ͚ͩ௿ϨΠςϯγͰ
    
    • Τϥʔ଱ੑ͕ߴ͍
    
    • ࣦഊͨ͠Βऔಘର৅ͷυϝΠϯ͔Β֎͢
    
    • ֎෦API௨৴ͷΤϥʔΛద੾ʹॲཧͰ͖Δ
    
    • υϝΠϯ਺ͷ૿Ճʹεέʔϧ͢Δ
    

    View Slide

24. γεςϜͷ঺հ
    ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷղઆ
    

    View Slide

25. cert-dispatcher
    cert-cache-gw
    cert-store
    cert-cache
    User Blog
    HTTP ssl_handshake_handler
    HTTP
    Get/Set Get
    ഑৴
    

    View Slide

26. ഑৴γεςϜ
    • ngx_mruby: ূ໌ॻಡΈࠐΈ࣌ʹmrubyͷίʔυΛ࣮ߦ
    
    • cache gateway΁HTTP GET͢Δ͚ͩ
    
    • https://github.com/matsumotory/ngx_mruby
    
    • cache gateway (Go): HTTP GET͢Δͱূ໌ॻΛฦ͢
    
    • DynamoDB: ূ໌ॻΛอଘ͢ΔσʔλετΞ
    

    View Slide

27. cache gateway
    • AWS (DynamoDB) APIݺͼग़͠ΛHTTP APIʹม͑Δ
    
    • mrubyʹ͸AWS SDK͕ͳ͍
    
    • ಉډ͢Δmemcachedʹ΋ಡΈॻ͖͠ɺ

    DynamoDB΁ͷΞΫηεΛͰ͖Δ͚ͩݮΒ͢
    

    View Slide

28. cert-dispatcher
    cert-cache-gw
    cert-store
    cert-cache
    User Blog
    HTTP ssl_handshake_handler
    HTTP
    Get/Set Get
    ഑৴
    

    View Slide

29. cert-dispatcher
    cert-cache-gw
    cert-store
    cert-cache
    User Blog
    HTTP ssl_handshake_handler
    HTTP
    Get/Set Get
    ഑৴
    

    View Slide

30. cert-dispatcher
    cert-cache-gw
    cert-store
    cert-cache
    User Blog
    HTTP ssl_handshake_handler
    HTTP
    Get/Set Get
    ഑৴
    

    View Slide

31. cert-dispatcher
    cert-cache-gw
    cert-store
    cert-cache
    User Blog
    HTTP ssl_handshake_handler
    HTTP
    Get/Set Get
    ഑৴
    

    View Slide

32. cert-dispatcher
    cert-cache-gw
    cert-store
    cert-cache
    User Blog
    HTTP ssl_handshake_handler
    HTTP
    Get/Set Get
    ഑৴
    

    View Slide

33. ഑৴γεςϜ
    • ngx_mrubyΛ࢖ͬͯϦΫΤετຖʹূ໌ॻΛऔಘͰ͖ͨ
    
    • proxyʹಉډͨ͠memcachedΛ࢖͏͜ͱͰ

    DynamoDB΁ͷϦΫΤετΛݮΒ͠ϨΠςϯγΛԼ͛ͨ
    

    View Slide

34. cert-updater-state cert-updater-function
    cert-update-notifier
    Let's Encrypt
    cert-store cert-lifecycle-store
    Blog
    HTTP
    HTTP
    ࣮ߦ
    ࣮ߦ
    UpdateItem
    UpdateItem
    ূ໌ॻൃߦ
    ࣮ߦ
    ূ໌ॻൃߦ
    

    View Slide

35. ূ໌ॻൃߦγεςϜ
    • cert-updater-state: AWS StepFunctions; ֤LambdaΛىಈ
    
    • Τϥʔ಺༰ʹԠͨ͡ϦΧόϦɾϦτϥΠ (ޙड़)
    
    • cert-updater-function: AWS Lambda; ূ໌ॻΛൃߦɺ
    DynamoDB΁ॻ͖ࠐΈ
    
    • cert-update-notifier: Lambda; ੒൱Λ͸ͯͳϒϩά΁௨஌
    

    View Slide

36. View Slide

37. View Slide

38. cert-updater-state cert-updater-function
    cert-update-notifier
    Let's Encrypt
    cert-store cert-lifecycle-store
    Blog
    HTTP
    HTTP
    ࣮ߦ
    ࣮ߦ
    UpdateItem
    UpdateItem
    ূ໌ॻൃߦ
    ࣮ߦ
    ূ໌ॻൃߦ
    

    View Slide

39. cert-updater-state cert-updater-function
    cert-update-notifier
    Let's Encrypt
    cert-store cert-lifecycle-store
    Blog
    HTTP
    HTTP
    ࣮ߦ
    ࣮ߦ
    UpdateItem
    UpdateItem
    ূ໌ॻൃߦ
    ࣮ߦ
    ূ໌ॻൃߦ
    

    View Slide

40. cert-updater-state cert-updater-function
    cert-update-notifier
    Let's Encrypt
    cert-store cert-lifecycle-store
    Blog
    HTTP
    HTTP
    ࣮ߦ
    ࣮ߦ
    UpdateItem
    UpdateItem
    ূ໌ॻൃߦ
    ࣮ߦ
    ূ໌ॻൃߦ
    

    View Slide

41. cert-updater-state cert-updater-function
    cert-update-notifier
    Let's Encrypt
    cert-store cert-lifecycle-store
    Blog
    HTTP
    HTTP
    ࣮ߦ
    ࣮ߦ
    UpdateItem
    UpdateItem
    ূ໌ॻൃߦ
    ࣮ߦ
    ূ໌ॻൃߦ
    

    View Slide

42. cert-updater-state cert-updater-function
    cert-update-notifier
    Let's Encrypt
    cert-store cert-lifecycle-store
    Blog
    HTTP
    HTTP
    ࣮ߦ
    ࣮ߦ
    UpdateItem
    UpdateItem
    ূ໌ॻൃߦ
    ࣮ߦ
    ূ໌ॻൃߦ
    

    View Slide

43. cert-updater-state cert-updater-function
    cert-update-notifier
    Let's Encrypt
    cert-store cert-lifecycle-store
    Blog
    HTTP
    HTTP
    ࣮ߦ
    ࣮ߦ
    UpdateItem
    UpdateItem
    ূ໌ॻൃߦ
    ࣮ߦ
    ূ໌ॻൃߦ
    

    View Slide

44. AWS SFn: ϦτϥΠ
    "Retry": [
    {
    "ErrorEquals": ["ErrMaybeRecoverable"],
    "IntervalSeconds": 1,
    "MaxAttempts": 3,
    "BackoffRate": 2.0
    }
    ],
    "Catch": [
    {
    "ErrorEquals": ["States.TaskFailed"],
    "Next": "Notify result to Hatena-Epic"
    }
    ],
    

    View Slide

45. AWS SFn: ϦτϥΠ
    "Retry": [
    {
    "ErrorEquals": ["ErrMaybeRecoverable"],
    "IntervalSeconds": 1,
    "MaxAttempts": 3,
    "BackoffRate": 2.0
    }
    ],
    "Catch": [
    {
    "ErrorEquals": ["States.TaskFailed"],
    "Next": "Notify result to Hatena-Epic"
    }
    ],
    

    View Slide

46. AWS SFn: ϦτϥΠ
    "Retry": [
    {
    "ErrorEquals": ["ErrMaybeRecoverable"],
    "IntervalSeconds": 1,
    "MaxAttempts": 3,
    "BackoffRate": 2.0
    }
    ],
    "Catch": [
    {
    "ErrorEquals": ["States.TaskFailed"],
    "Next": "Notify result to Hatena-Epic"
    }
    ],
    

    View Slide

47. AWS SFn: ϦτϥΠ
    "Retry": [
    {
    "ErrorEquals": ["ErrMaybeRecoverable"],
    "IntervalSeconds": 1,
    "MaxAttempts": 3,
    "BackoffRate": 2.0
    }
    ],
    "Catch": [
    {
    "ErrorEquals": ["States.TaskFailed"],
    "Next": "Notify result to Hatena-Epic"
    }
    ],
    

    View Slide

48. ূ໌ॻൃߦγεςϜ
    • AWS StepFunctionsΛ࢖ͬͯద੾ͳΤϥʔॲཧΛ࣮ݱ
    
    • Ϧιʔε্ݶʹୡ͢ΔͳͲ

    ҟৗऴྃͨ࣌͠͸ଈ࠲ʹ݁ՌΛ௨஌
    
    • APIݺͼग़ࣦ͠ഊͳͲϦτϥΠՄೳͳ࣌͸ϦτϥΠ
    

    View Slide

49. cert-reissue-state cert-reissue-confirmer
    cert-updater-state-caller
    cert-cleanup-function
    Blog
    cert-lifecycle-store
    cert-update-trigger
    cert-updater-state
    cert-store
    ࣮ߦ ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    HTTP
    TTL Trigger
    DeleteItem
    ূ໌ॻൃߦ

    (ߋ৽)
    

    View Slide

50. ূ໌ॻൃߦ: ߋ৽
    • DynamoDBͷTTL Trigger͕Lambdaܦ༝ͰSFnΛىಈ
    
    • cert-reissue-confirmer: ͸ͯͳϒϩάʹυϝΠϯ༗ޮੑΛ໰
    ͍߹Θͤͯɺߋ৽͢Δඞཁ͕͋Δ͔Λޙଓʹ఻͑Δ
    
    • cert-cleanup-function: ແޮͳυϝΠϯΛDynamoDB͔Βফ
    ͢
    

    View Slide

51. cert-lifecycle-store

    (DynamoDB)
    
    Domain: ex1.example.com
    ExpiresAt: 2018-05-23T02:00:00
    Domain: ex2.example.com
    ExpiresAt: 2018-05-23T03:00:00
    Domain: ex2.example.com
    ExpiresAt: 2018-05-23T04:00:00
    Domain: ex2.example.com
    ExpiresAt: 2018-05-23T05:00:00
    

    View Slide

52. cert-lifecycle-store

    (DynamoDB)
    
    Domain: ex2.example.com
    ExpiresAt: 2018-05-23T03:00:00
    Domain: ex2.example.com
    ExpiresAt: 2018-05-23T04:00:00
    Domain: ex2.example.com
    ExpiresAt: 2018-05-23T05:00:00
    

    View Slide

53. cert-lifecycle-store

    (DynamoDB)
    Domain: ex2.example.com
    ExpiresAt: 2018-05-23T04:00:00
    Domain: ex2.example.com
    ExpiresAt: 2018-05-23T05:00:00
    

    View Slide

54. cert-lifecycle-store

    (DynamoDB)
    
    Domain: ex2.example.com
    ExpiresAt: 2018-05-23T05:00:00
    

    View Slide

55. cert-lifecycle-store

    (DynamoDB)
    
    

    View Slide

56. publish
    SELECT * FROM ...
    ࣮ߦ
    

    View Slide

57. Τϥʔॲཧ͕؆ܿʹ
    • όονॲཧͩͱ: औಘͨ͠ෳ਺ͷυϝΠϯΛϧʔϓͰॲཧ
    
    • = ॲཧ୯Ґ͕ෳ਺υϝΠϯʹͳΔ
    
    • Ұ෦ͷυϝΠϯ͕ࣦഊͨ࣌͠ɺόονॲཧશମͷ

    εςʔλε͸Ͳ͏͢Δ? ੒ޭ? ࣦഊ?
    
    • pub/subͩͱ: Ҿ਺ͱͯ͠౉ͬͨυϝΠϯ1ͭΛॲཧ͢Δ
    
    • = ॲཧ୯Ґ͕υϝΠϯ1ͭʹͳΔ
    

    View Slide

58. cert-reissue-state cert-reissue-confirmer
    cert-updater-state-caller
    cert-cleanup-function
    Blog
    cert-lifecycle-store
    cert-update-trigger
    cert-updater-state
    cert-store
    ࣮ߦ ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    HTTP
    TTL Trigger
    DeleteItem
    ূ໌ॻൃߦ

    (ߋ৽)
    

    View Slide

59. cert-reissue-state cert-reissue-confirmer
    cert-updater-state-caller
    cert-cleanup-function
    Blog
    cert-lifecycle-store
    cert-update-trigger
    cert-updater-state
    cert-store
    ࣮ߦ ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    HTTP
    TTL Trigger
    DeleteItem
    ূ໌ॻൃߦ

    (ߋ৽)
    

    View Slide

60. cert-reissue-state cert-reissue-confirmer
    cert-updater-state-caller
    cert-cleanup-function
    Blog
    cert-lifecycle-store
    cert-update-trigger
    cert-updater-state
    cert-store
    ࣮ߦ ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    HTTP
    TTL Trigger
    DeleteItem
    ূ໌ॻൃߦ

    (ߋ৽)
    

    View Slide

61. cert-reissue-state cert-reissue-confirmer
    cert-updater-state-caller
    cert-cleanup-function
    Blog
    cert-lifecycle-store
    cert-update-trigger
    cert-updater-state
    cert-store
    ࣮ߦ ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    HTTP
    TTL Trigger
    DeleteItem
    ূ໌ॻൃߦ

    (ߋ৽)
    

    View Slide

62. cert-reissue-state cert-reissue-confirmer
    cert-updater-state-caller
    cert-cleanup-function
    Blog
    cert-lifecycle-store
    cert-update-trigger
    cert-updater-state
    cert-store
    ࣮ߦ ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    HTTP
    TTL Trigger
    DeleteItem
    ূ໌ॻൃߦ

    (ߋ৽)
    

    View Slide

63. cert-reissue-state cert-reissue-confirmer
    cert-updater-state-caller
    cert-cleanup-function
    Blog
    cert-lifecycle-store
    cert-update-trigger
    cert-updater-state
    cert-store
    ࣮ߦ ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    HTTP
    TTL Trigger
    DeleteItem
    ূ໌ॻൃߦ

    (ߋ৽)
    

    View Slide

64. cert-reissue-state cert-reissue-confirmer
    cert-updater-state-caller
    cert-cleanup-function
    Blog
    cert-lifecycle-store
    cert-update-trigger
    cert-updater-state
    cert-store
    ࣮ߦ ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    HTTP
    TTL Trigger
    DeleteItem
    ূ໌ॻൃߦ

    (ߋ৽)
    

    View Slide

65. cert-reissue-state cert-reissue-confirmer
    cert-updater-state-caller
    cert-cleanup-function
    Blog
    cert-lifecycle-store
    cert-update-trigger
    cert-updater-state
    cert-store
    ࣮ߦ ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    ࣮ߦ
    HTTP
    TTL Trigger
    DeleteItem
    ূ໌ॻൃߦ

    (ߋ৽)
    

    View Slide

66. cert-reissue-state
    "Determine next state": {
    "Comment": "࣍ͷঢ়ଶΛܾఆ͠·͢",
    "Type": "Choice",
    "Choices": [
    {
    "Variable": "$.UpdateRequired",
    "BooleanEquals": true,
    "Next": "Call reissue of certificate"
    },
    {
    "Variable": "$.UpdateRequired",
    "BooleanEquals": false,
    "Next": "Clean up of certificate"
    }
    ]
    },
    

    View Slide

67. cert-reissue-state
    "Determine next state": {
    "Comment": "࣍ͷঢ়ଶΛܾఆ͠·͢",
    "Type": "Choice",
    "Choices": [
    {
    "Variable": "$.UpdateRequired",
    "BooleanEquals": true,
    "Next": "Call reissue of certificate"
    },
    {
    "Variable": "$.UpdateRequired",
    "BooleanEquals": false,
    "Next": "Clean up of certificate"
    }
    ]
    },
    

    View Slide

68. cert-reissue-state
    "Determine next state": {
    "Comment": "࣍ͷঢ়ଶΛܾఆ͠·͢",
    "Type": "Choice",
    "Choices": [
    {
    "Variable": "$.UpdateRequired",
    "BooleanEquals": true,
    "Next": "Call reissue of certificate"
    },
    {
    "Variable": "$.UpdateRequired",
    "BooleanEquals": false,
    "Next": "Clean up of certificate"
    }
    ]
    },
    

    View Slide

69. ূ໌ॻߋ৽γεςϜ
    • σʔλϑϩʔΛpub/subͰγϯϓϧʹ
    
    • ॳճൃߦ΋ߋ৽࣌΋DynamoDBͷI/O͚͕ͩൃੜ͢Δ
    
    • DynamoDB TTL TriggerΛ׆༻
    
    • ঢ়ଶ = σʔλΛதԝʹू໿
    

    View Slide

70. ࠶ܝ: ഑৴γεςϜ
    • ngx_mrubyΛ࢖ͬͯϦΫΤετຖʹূ໌ॻΛऔಘͰ͖ͨ
    
    • proxyʹಉډͨ͠memcachedΛ࢖͏͜ͱͰ

    DynamoDB΁ͷϦΫΤετΛݮΒ͠ϨΠςϯγΛԼ͛ͨ
    

    View Slide

71. ࠶ܝ: ূ໌ॻൃߦγεςϜ
    • AWS StepFunctionsΛ࢖ͬͯద੾ͳΤϥʔॲཧΛͰ͖ͨ
    
    • Ϧιʔε্ݶʹୡ͢ΔͳͲ

    ҟৗऴྃͨ࣌͠͸ଈ࠲ʹ݁ՌΛ௨஌
    
    • APIݺͼग़ࣦ͠ഊͳͲϦτϥΠՄೳͳ࣌͸ϦτϥΠ
    

    View Slide

72. ߟ࡯
    ϐλΰϥεΠονͷ࡞Γํ
    

    View Slide

73. ڊେͳόονͷ೉͠͞
    • ࣮ߦεςοϓશ༰Λ೺Ѳ͢Δ͜ͱͷ೉͠͞
    
    • શମͰεςοϓ͕͜Ε͚ͩ͋Δ
    
    • Ͳ͜ͷεςοϓͰࣦഊͨ͠ͷ͔
    
    • ॲཧ୯Ґ͕େ͖͘ͳΓ͕ͪ
    
    • ඞવͱ࣮ߦ࣌ؒ΋௕Ҿ͖͕ͪ
    
    • Ұ෦͚ࣦͩഊͨ࣌͠ɺ࣮ߦͷঢ়ଶ͸੒ޭ? ࣦഊ?
    

    View Slide

74. ΅͘ͷ͔Μ͕͍͖͑ͨ͞ΐ͏
    ͷϐλΰϥεΠον
    • ϫʔΫϑϩʔΤϯδϯͷಋೖ
    
    • ࣮ߦεςοϓશ༰Λ೺Ѳ͠΍͘͢
    
    • ͦΕͱߴ౓ʹ౷߹͞Εͨόον࣮ߦ؀ڥ͕͋Δͱͳ͓Α͍
    
    • pub/subϞσϧͰର৅σʔλͷ૿Ճʹର͠εέʔϧͤ͞Δ
    
    • ॲཧ͢Δσʔλ୯ҐΛෳ਺ˠ1ͭ΁
    
    • ͍ͭͰʹσʔλετΞ΁ঢ়ଶ͕ڽू͞ΕΔ
    

    View Slide

75. ෼ׂ౷࣏
    • খ͞ͳؔ਺΍ΫϥεΛ࡞ΓɺͦΕΒΛ૊Έ߹ΘͤΔ͜ͱΛ
    ීஈ͔Βҙࣝͯ͠΍͍ͬͯΔ͸ͣ
    
    • ʹ΋ؔΘΒͣόον͕ڊେʹͳΓ͕ͪͳͷ͸ͳͥͳͷ͔?
    
    • ύϑΥʔϚϯε
    
    • ߹੒Մೳ (composable) Ͱ͸ͳ͍
    

    View Slide

76. ෼ׂ౷࣏
    • খ͞ͳؔ਺΍ΫϥεΛ࡞ΓɺͦΕΒΛ૊Έ߹ΘͤΔ͜ͱΛ
    ීஈ͔Βҙࣝͯ͠΍͍ͬͯΔ͸ͣ
    
    • ʹ΋ؔΘΒͣόον͕ڊେʹͳΓ͕ͪͳͷ͸ͳͥͳͷ͔?
    
    • ύϑΥʔϚϯε
    
    • ߹੒Մೳ (composable) Ͱ͸ͳ͍
    

    View Slide

77. ߹੒ՄೳΛࢧ͑Δٕज़
    • 2ͭͷεςοϓͷ௚ྻ࣮ߦΛೋ߲ԋࢉͱΈͳͯ͠ΈΔ
    
    • operand: ੹೚ൣғ͕খ͍͜͞ͱ
    
    • operator: ༷ʑͳ๏ଇΛຬͨ͢͜ͱ
    
    • ݁߹ଇɺ෼഑ଇ
    

    View Slide

78. ہॴঢ়ଶΛ࣋ͨͳ͍
    • ঢ়ଶ = มߋՄೳͳσʔλ
    
    • άϩʔόϧʹͨͩ1ͭͷঢ়ଶΛ࣋ͭ͜ͱ͕େࣄ
    
    • Ճ͑ͯঢ়ଶΛมߋ͢Δཁૉ͕୯ҰͰ͋Δ͜ͱ
    

    View Slide

79. άϩʔόϧม਺?
    • άϩʔόϧม਺͸ѱͱ͍͏ߟ͑ํͱ൓͠ͳ͍͔?

    → ͠ͳ͍
    
    • ঢ়ଶΛมߋ͢Δཁૉ͕୯ҰͳΒɺ

    ֤࣮ߦεςοϓ͸ঢ়ଶΛड͚औͬͯ৽ͨͳσʔλΛฦ͢

    ؔ਺ͱΈͳͤΔ
    

    View Slide

80. // ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ
    {
    "domain":
    "www.example.com",
    "endpoint": "https://...."
    }
    // ͋Δόονͷೖྗ
    {
    "domain":
    "www.example.com"
    }
    

    View Slide

81. // ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ
    {
    "domain":
    "www.example.com",
    "endpoint": "https://...."
    }
    // ͋Δόονͷೖྗ
    {
    "domain":
    "www.example.com"
    }
    άϩʔόϧঢ়ଶΛҾ਺΁ม׵͢Δ

    (όον͔Βͷมߋ͸ෆՄ)
    

    View Slide

82. // ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ
    {
    "updateRequired": true,
    "domain":
    "www.example.com",
    "endpoint": "https://...."
    }
    // ͋Δόονͷग़ྗ
    {
    "updateRequired": true
    }
    

    View Slide

83. // ϫʔΫϑϩʔΤϯδϯͷঢ়ଶ
    {
    "updateRequired": true,
    "domain":
    "www.example.com",
    "endpoint": "https://...."
    }
    // ͋Δόονͷग़ྗ
    {
    "updateRequired": true
    }
    όονͷग़ྗΛάϩʔόϧͳঢ়ଶ΁ม׵

    (౰વɺग़ྗ͸ޙ͔ΒมߋෆՄ)
    

    View Slide

84. όονॲཧͷ߹੒
    • operand: ֤εςοϓ
    
    • operator: ϫʔΫϑϩʔΤϯδϯ
    

    View Slide

85. όονॲཧͷ߹੒
    • operand: ֤εςοϓ; AWS Lambda
    • operator: ϫʔΫϑϩʔΤϯδϯ; AWS StepFunctions
    

    View Slide

86. ΅͘ͷ͔Μ͕͍͖͑ͨ͞ΐ͏ͷ
    ϐλΰϥεΠον@͸ͯͳϒϩά
    • ϫʔΫϑϩʔΤϯδϯ: AWS StepFunctions
    
    • ……ͱͦΕΒ͔Β࣮ߦ͞ΕΔAWS Lambda
    
    • pub/sub: DynamoDB TTL Trigger
    

    View Slide

87. ࠶: ΅͘ͷ͔Μ͕͍͖͑ͨ͞ΐ͏
    ͷϐλΰϥεΠον
    • ϫʔΫϑϩʔΤϯδϯͷಋೖ
    
    • ࣮ߦεςοϓશ༰Λ೺Ѳ͠΍͘͢
    
    • ͦΕͱߴ౓ʹ౷߹͞Εͨόον࣮ߦ؀ڥ͕͋Δͱͳ͓Α͍
    
    • pub/subϞσϧͰର৅σʔλͷ૿Ճʹର͠εέʔϧͤ͞Δ
    
    • ॲཧ͢Δσʔλ୯ҐΛෳ਺ˠ1ͭ΁
    
    • ͍ͭͰʹσʔλετΞ΁ঢ়ଶ͕ڽू͞ΕΔ
    

    View Slide

88. ·ͱΊ
    

    View Slide

89. ·ͱΊ
    • ιϑτ΢ΣΞߏஙҰൠͷݪଇ͕࢖͑Δ
    
    • άϩʔόϧͳঢ়ଶΛ࣋ͨͳ͍ɾม͑ͳ͍ɾ࣋ͪࠐ·ͤͳ͍
    
    • ॲཧ୯ҐΛͰ͖Δ͚ͩখ͘͞ɺࣦഊΛ೺Ѳ͠΍͘͢
    
    • ͜ΕΒΛ࣮ݱ͢ΔͨΊͷҰྫͱͯ͠
    
    • ϫʔΫϑϩʔΤϯδϯ: AWS StepFunctions
    
    • pub/subΛαϙʔτ͢ΔσʔλετΞ: DynamoDB
    

    View Slide

90. ׬
    

    View Slide