These days, it's challenging to imagine systems that have public API endpoints without TLS certificate protection. There are several ways to issue certificates: Paid wildcard certificates that can be bought from any big TLS provider Paid root certificates that sign all downstream certificates that are issued by corporate PKI systems Free certificates issued by TLS providers like LetsEncrypt or AWS Certificate Manager Self-signed certificates, issued by OpenSSL or another tool Within the context of this post, I will mainly discuss free certificates that can be used inside of AWS, but not only by AWS services. Clearly, using anything other than AWS Certificate Manager makes no sense if you exclusively use managed AWS services and don't have strict security requirements. AWS Certificate Manager offers a very convenient and speedy method of issuing certificates via DNS or HTTP challenges; however, you face basic AWS limitations if you need to use these certificates outside of AWS services (API Gateway, ALB, NLB, etc.) , such as an EC2 instance running Nginx that needs a physical certificate file. Additionally, even if you request it, AWS Certificate Manager does not display the certificate content. At this point it’s a good time to remind you about LetsEncrypt, a more widely used tool than Certificate Manager—at least because it doesn't depend on the cloud. Unfortunately, there are no built-in LetsEncrypt certificate issuance techniques available in AWS. It is possible to utilize the certbot tool for your EC2 or ECS services, but in that scenario, you will need to consider how to configure the renew process. I also don't want to combine different strategies since I think it's better to have a single procedure for everything since it reduces the whole system complexity. Taking that into consideration, I created a Lambda function that automatically issues and renews LetsEncrypt certificates without requiring complex configuration. The certificate can be utilized at any AWS service using ARN along with AWS Certificate Manager certificates after the initial certificate issue. Additionally, you can use a physical certificate version that is kept in AWS Secrets Manager in whatever location you choose, whether it be an EC2 instance running Nginx or another place. How does AWS LetsEncrypt Lambda works In this article, I'll assume that your DNS zone is managed by AWS Route53. The Lambda function that is described in this article is written on Go v1.22. All outcome resources such as DNS records, secrets, or certificates are controlled by Amazon IAM role, that is created via Terraform code by default. The sequence of Lambda actions is the following: Get an event containing a certificate list. Typically, this event can be a result of manual execution, or execution by cron that is made via aws_cloudwatch_event_target. Event example: { "domainName": "hackernoon.referrs.me", "acmeUrl": "prod", "acmeEmail": "alexander.sharov@cloudexpress.app", "reImportThreshold": 10, "issueType": "default", "storeCertInSecretsManager" : true } Verify whether the certificate exists in the AWS Certificate Manager. If yes, confirm the expiration date. Start the LetsEncrypt DNS-01 challenge if the number of days until the expiration date is fewer than the reImportThreshold. This step involves Lambda creating a TXT record matching the domain name to the AWS Route53 zone and waiting for your certificate to be ready. Lambda updates the certificate in the AWS Certificate Manager when it's ready. Lambda will store certificate files inside the AWS Secrets Manager if storeCertInSecretsManager is true. Lambda implementation details The code The Lambda is written on Go 1.22. Using as few libraries as possible helped me maintain my goal of keeping the code dry. The full list of required go libraries: URL Description github.com/aws/aws-lambda-go Libraries, samples and tools to help Go developers develop AWS Lambda functions. github.com/aws/aws-sdk-go-v2 AWS SDK for the Go programming language. github.com/go-acme/lego LetsEncrypt / ACME client and library. github.com/guregu/null Reasonable handling of nullable values. github.com/sirupsen/logrus Structured, pluggable logging for Go. Docker image I used gcr.io/distroless/static:nonroot as a basic docker image. For Go applications that don't require libc, this image is perfect. It is not completely empty as scratch and includes the following: CA certificates: no need to copy them from any other stage. /etc/passwd: contains users and groups such as nonroot. /tmp folder. tzdata: in case you want to set the timezone other than UTC. Build process In large software projects, overseeing the build process can turn into a laborious and time-consuming chore. Makefiles can help automate and streamline this process, ensuring that your project is built efficiently and consistently. For that reason, I prefer to use Makefile for all my Golang projects. The file is simple: ##@ General help: ## Display this help. @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) fmt: ## Run go fmt against code. go fmt ./... vet: ## Run go vet against code. go vet ./... ##@ Build build: fmt vet ## Build service binary. go build -o bin/lambda main.go run: vet ## Run service from your laptop. go run ./main.go ##@ Test lint: ## Run Go linter golangci-lint run ./... test: ## Run Go tests go test ./... From the CICD side I used the typical setup for Go application GitHub Actions as continuous integration. ghcr.io as docker registry. Compared to DockerHub, this one offers two key features that make it my preference to use: The build, test, and deployment workflows can be more easily automated straight from the GitHub repository thanks to GHCR's smooth integration with GitHub Actions. This can increase productivity and simplify the development process. GHCR leverages GitHub’s permission model, allowing users to manage access to container images using the same teams and permissions they use for their code repositories. This simplifies user management and enhances security. kvendingoldo/semver-action: my GitHub Actions plugin for automatic versioning. It’s A GitHub action that generates SemVer compatible tags for repository commits. The action can manage versions, generate GitHub releases, and control release branches inside of the repository. It works wonderfully with both single and monorepos. Automatic changelog generation. I enjoy changelogs! In the context of other OpenSource projects that I manage (e.g., https://github.com/tofuutils/tenv, https://github.com/tofuutils/tofuenv, etc.), my team recognized the importance of informing users about changes. golangci-lint. From my perspective, all code should be reviewed by a static code analyzer. SonarQube cannot be set up for all projects, however golangci, in my opinion, is sufficient for small to medium Go projects. codespell.yml. In addition to code checking, it is a good idea to verify the grammar, especially if you have a large amount of documentation. How to deploy Lambda to AWS via Terraform/OpenTofu The code discussed in this page is the same for Terraform and OpenTofu, but starting with Terraform v1.6, Hashicorp has been modified the Terraform license to Business Source License (BSL) v1.1.If you're developing something commercial on top of Terraform, switch to OpenTofu as soon as possible. If you need to manage multiple versions of OpenTofu or Terraform , use the tenv - OpenTofu, Terraform, Terragrunt, and Atmos version manager, written in Go. More Terraform / OpenTofu examples can be found in the examples folder within the Git repository. To work with AWS LetsEncrypt Lambda via OpenTofu you need to do the following steps: Add module into to your OpenTofu / Terraform code module "letsencrypt_lambda" { source = "git@github.com:kvendingoldo/aws-letsencrypt-lambda.git//files/terraform/module?ref=0.31.4" blank_name = "kvendingoldo-letsencrypt-lambda" tags = var.tags cron_schedule = var.letsencrypt_lambda_cron_schedule events = var.letsencrypt_lambda_events ecr_proxy_username = var.ecr_proxy_username ecr_proxy_access_token = var.ecr_proxy_access_token } Specify variables variable "tags" { default = { hackernoon : "demo" } } variable "ecr_proxy_username" { default = "kvendingoldo" } variable "ecr_proxy_access_token" { default = "ghp_xxx" } variable "letsencrypt_lambda_cron_schedule" { default = "rate(168 hours)" } variable "letsencrypt_lambda_events" { default = [ { "acmRegion" : "us-east-1", "route53Region" : "us-east-1", "domainName" : "hackernoon.referrs.me", "acmeUrl" : "stage", "acmeEmail" : "alexander.sharov@cloudexpress.app", "reImportThreshold" : 100, "issueType" : "default", "storeCertInSecretsManager" : false } ] } Pay attention to variables ecr_proxy_username and ecr_proxy_access_token. By default, AWS Lambda cannot pull images from sources other than AWS ECR. Fortunately, the AWS team created ECR Proxy cache, which can fetch images from publicly available registries such as DockerHub or GHCR and store them inside ECR. Despite this possibility, AWS does not allow images to be pulled without a token, even from open public repositories, thus you must acquire a personal GitHub token to gain access to pre-built Docker images. Alternatively, you can pull my GitHub repository, build the image locally, then upload it to your pre-existing ECR repository. In this scenario, the example can be modified as follows: module "letsencrypt_lambda" { source = "../../" blank_name = "kvendingoldo-letsencrypt-lambda" tags = var.tags cron_schedule = var.letsencrypt_lambda_cron_schedule events = var.letsencrypt_lambda_events ecr_proxy_enabled = false ecr_image_uri = "<YOUR_ACCOUNT_ID>.dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:<VERSION>" } When you complete changing the code, run the following command to install OpenTofu by OpenTofu version switcher tenv: $ tenv tofu install And finally, execute the following commands to apply the produced code: $ tofu init $ tofu plan $ tofu apply Wait until the code is deployed to AWS and events are triggered. After a few minutes, you will see ready certificates inside the certificate manager. Example: Starting now, AWS can use the issued certificate at any services by ARN. If you need to use the certificate outside of AWS services or have access to its content, set the storeCertInSecretsManager event option to true. In this situation, when Lambda completes the basic execution, the certificate will be saved in AWS Secrets Manager. It gives users more flexibility: they can inspect the certificate's content, work with it directly from EC2, etc. To learn more about AWS Secrets Manager, read the official guide. Environment variables Name Description Possible values Default value Example Required FORMATTER_TYPE Formatter type for logs JSON | TEXT TEXT JSON ❌ MODE Application mode. Set cloud mode for AWS execution, and local mode for local testing. cloud | local cloud cloud ✅ LOG_LEVEL Logging level panic|fatal|error|warn|info|debug|trace warn warn ❌ AWS_REGION Default AWS Region. After the deployment to AWS it settings automatically. <any valid AWS region> - us-east-1 ✅ DOMAIN_NAME Domain name for which the certificate is being issued or renewed any valid domain name - hackernoon.referrs.me ✅ ACME_URL The production LetsEncrypt URL will be utilized if it is set to prod; if not, the stage URL will be used. prod | stage prod prod ✅ ACME_EMAIL Email address linked to the LetsEncrypt certificate any valid email alexander.sharov@cloudexpress.app alexander.sharov@cloudexpress.app ✅ REIMPORT_THRESHOLD The certificate will be renewed if its time to live (TTL) equals REIMPORT_THRESHOLD. any int > 0 10 10 ✅ STORE_CERT_IN_SECRETSMANAGER If true, Lambda will keep the certificate in both Certificate Manager and Secrets Manager. “true” | “false” “false” “false” ❌ How to check LetsEncrypt Lambda logs In scope of work with aws-letsencrypt-lambda you may occasionally want to review the logs. It's quite easy to accomplish: Go to AWS Cloudwatch, click to “Log groups” Find log group with name, that you specified in OpenTofu code. For example, in my case it’s /aws/lambda/kvendingoldo-letsencrypt-lambda Go to the group, select the desired stream from the list, and review the logs. How to trigger Lambda manually via AWS UI Go to Lambda function that has been created via OpenTofu. Click to “Tests” button. Fill Test Event and click Test { "domainName": "<YOUR_VALID_DOMAIN>", "acmeUrl": <stage | prod>, "acmeEmail": "<ANY_VALID_EMAIL>", "reImportThreshold": 10, "issueType": "<default | force>", "storeCertInSecretsManager" : <true | false> } Example #1: { "domainName": "hackernoon.referrs.me", "acmeUrl": "prod", "acmeEmail": "alexander.sharov@cloudexpress.app", "reImportThreshold": 10, "issueType": "default" } Wait until execution will be completed. You can the execution log is available in Cloudwatch. Usually the initial issue takes around 5 minutes. How to test Lambda locally Clone https://github.com/kvendingoldo/aws-letsencrypt-lambda repository to your laptop Configure AWS Cli credentials via the official guide. Examine the environment variables section and set the minimum number of variables needed. Since LetsEncrypt will limit the amount of retries per hour for ACME_URL="prod", I advise using ACME_URL="stage" for testing. Environment variables example: export AWS_REGION="us-east-2" export MODE=local export DOMAIN_NAME="hackernoon.referrs.me" export ACME_URL="stage" export ACME_EMAIL="alexander.sharov@cloudexpress.app" export REIMPORT_THRESHOLD=10 export ISSUE_TYPE="default" export STORE_CERT_IN_SECRETSMANAGER="true" Execute the lambda locally via the following command: go run main.go Following Lambda's successful execution, the following log will appear. INFO[0000] Starting lambda execution ... INFO[0000] Lambda will use STAGING ACME URL; If you need to use PROD URL specify it via 'ACME_URL' or pass in event body INFO[0000] Certificate found, arn is arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af. Trying to renew ... INFO[0000] Checking certificate for domain 'hackernoon.referrs.me' with arn 'arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af' INFO[0000] Certificate status is 'ISSUED' INFO[0000] Certificate in use by [] INFO[0000] Certificate valid until 2024-08-31 13:50:49 +0000 UTC (89 days left) INFO[0000] Try to get certificate for hackernoon.referrs.me domain 2024/06/02 17:56:23 [INFO] acme: Registering account for alex.sharov@referrs.me 2024/06/02 17:56:24 [INFO] [hackernoon.referrs.me, www.hackernoon.referrs.me] acme: Obtaining bundled SAN certificate 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12603809394 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12603809404 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Could not find solver for: tls-alpn-01 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Could not find solver for: http-01 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: use dns-01 solver 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: Could not find solver for: tls-alpn-01 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: Could not find solver for: http-01 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: use dns-01 solver 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Preparing to solve DNS-01 2024/06/02 17:56:26 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:00 [INFO] [www.hackernoon.referrs.me] acme: Preparing to solve DNS-01 2024/06/02 17:57:00 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:30 [INFO] [hackernoon.referrs.me] acme: Trying to solve DNS-01 2024/06/02 17:57:30 [INFO] [hackernoon.referrs.me] acme: Checking DNS record propagation. [nameservers=109.122.99.130:53,109.122.99.129:53] 2024/06/02 17:57:34 [INFO] Wait for propagation [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:46 [INFO] [hackernoon.referrs.me] The server validated our request 2024/06/02 17:57:46 [INFO] [www.hackernoon.referrs.me] acme: Trying to solve DNS-01 2024/06/02 17:57:46 [INFO] [www.hackernoon.referrs.me] acme: Checking DNS record propagation. [nameservers=109.122.99.130:53,109.122.99.129:53] 2024/06/02 17:57:50 [INFO] Wait for propagation [timeout: 5m0s, interval: 4s] 2024/06/02 17:58:30 [INFO] [www.hackernoon.referrs.me] The server validated our request 2024/06/02 17:58:30 [INFO] [hackernoon.referrs.me] acme: Cleaning DNS-01 challenge 2024/06/02 17:58:30 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:59:09 [INFO] [www.hackernoon.referrs.me] acme: Cleaning DNS-01 challenge 2024/06/02 17:59:09 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:59:43 [INFO] [hackernoon.referrs.me, www.hackernoon.referrs.me] acme: Validations succeeded; requesting certificates 2024/06/02 17:59:43 [INFO] Wait for certificate [timeout: 30s, interval: 500ms] 2024/06/02 17:59:45 [INFO] [hackernoon.referrs.me] Server responded with a certificate. INFO[0203] Certificate has been successfully imported. Arn is arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af INFO[0204] Secret updated successfully. SecretId: arn:aws:secretsmanager:us-east-2:004867756392:secret:hackernoon.referrs.me-NioT77 INFO[0204] Lambda has been completed That is it. Starting now, AWS can use the issued certificate at any services by ARN or in other locations where it is physically necessary by obtaining it from the AWS Secrets Manager. Hands-on experience using it over more than 4 years at AWS I've been using the Lambda function in production for almost four years. Over the years, various aspects of the initial implementation have changed: Previously, AWS prohibited the usage of any non-ECR registries as Lambda sources. It has not changed, however AWS has added ECR proxy for GitHub, DockerHub, and a few additional registries. Without this functionality, we had to manually push Lambda images to our personal ECR and replace URL to the image in Terraform code. Now the OpenTofu code does it automatically via ECR Proxy. In the beginning, I considered introducing various challenges such as http-01 or tls-alpn-01, but no one questioned me about it for four years. It is still present on GitHub issues, and if this capability is required, we can work together to create it. I didn't want to utilize LetsEncrypt certificates at pure EC2 instances when the project originally started, but these days it's standard practice. As I previously stated, in certain situations, a certificate can be retrieved from AWS Secrets Managed using the AWS cli. I’ve written a lot of new Go code over the years, so I can tell that the original Lambda code in my repository isn't as fancy as it could be. There is a significant difference between it and my most recent Go project, tenv (OpenTofu, Terraform, Terragrunt, and Atmos version manager, written in Go), but in any case, the code is still generally supported, so making modifications to it won't be too problematic. Occasionally, I will undertake significant refactoring to make the code more elegant. The same Lambda is being used for years in several different projects. Additionally, I'm co-founder of DevOps platform cloudexpress.app, where our team manages TLS certificates for all our clients using the AWS LetsEncrypt Lambda to simplify the automation processes. Now let's talks about numbers. Over a period of 4 years, this project has helped many people and been used in numerous OpenSource and over 30 commercial projects. The Lambda issues more than 2000 certificates and don’t want to stop on that. Conclusion AWS LetsEncrypt Lambda is a suitable solution for you, if You must have a physical version of the certificate and will use it from non-AWS native services such as EC2 Nginx. You do not want to rely on AWS Certificate Manager to manage the TLS certificate issuance and renewal process (check logs, set renewal dates, etc.). You would like to get email notifications from LetsEncrypt when your certificate expires, or will be expired soon. You want to personalize the solution by changing the Golang code (for example, changing the LetsEncrypt challenge, storing the certificate in Hashicorp Vault, etc.). If you discovered that at least one of these points applies to your situation, you are welcome to use AWS Lambda. Also, if you wish to participate in development, I am always open to new issues and Pull Requests at GitHub. Project URL: https://github.com/kvendingoldo/aws-letsencrypt-lambda. These days, it's challenging to imagine systems that have public API endpoints without TLS certificate protection. There are several ways to issue certificates: Paid wildcard certificates that can be bought from any big TLS provider Paid root certificates that sign all downstream certificates that are issued by corporate PKI systems Free certificates issued by TLS providers like LetsEncrypt or AWS Certificate Manager Self-signed certificates, issued by OpenSSL or another tool Paid wildcard certificates that can be bought from any big TLS provider Paid root certificates that sign all downstream certificates that are issued by corporate PKI systems Free certificates issued by TLS providers like LetsEncrypt or AWS Certificate Manager Self-signed certificates, issued by OpenSSL or another tool OpenSSL Within the context of this post, I will mainly discuss free certificates that can be used inside of AWS, but not only by AWS services. Clearly, using anything other than AWS Certificate Manager makes no sense if you exclusively use managed AWS services and don't have strict security requirements. AWS Certificate Manager offers a very convenient and speedy method of issuing certificates via DNS or HTTP challenges; however, you face basic AWS limitations if you need to use these certificates outside of AWS services (API Gateway, ALB, NLB, etc.) , such as an EC2 instance running Nginx that needs a physical certificate file. Additionally, even if you request it, AWS Certificate Manager does not display the certificate content. AWS Certificate Manager At this point it’s a good time to remind you about LetsEncrypt , a more widely used tool than Certificate Manager—at least because it doesn't depend on the cloud. Unfortunately, there are no built-in LetsEncrypt certificate issuance techniques available in AWS. It is possible to utilize the certbot tool for your EC2 or ECS services, but in that scenario, you will need to consider how to configure the renew process. I also don't want to combine different strategies since I think it's better to have a single procedure for everything since it reduces the whole system complexity. LetsEncrypt Taking that into consideration, I created a Lambda function that automatically issues and renews LetsEncrypt certificates without requiring complex configuration. The certificate can be utilized at any AWS service using ARN along with AWS Certificate Manager certificates after the initial certificate issue. Additionally, you can use a physical certificate version that is kept in AWS Secrets Manager in whatever location you choose, whether it be an EC2 instance running Nginx or another place. AWS Secrets Manager How does AWS LetsEncrypt Lambda works In this article, I'll assume that your DNS zone is managed by AWS Route53. In this article, I'll assume that your DNS zone is managed by AWS Route53. The Lambda function that is described in this article is written on Go v1.22. All outcome resources such as DNS records, secrets, or certificates are controlled by Amazon IAM role, that is created via Terraform code by default. The sequence of Lambda actions is the following: Get an event containing a certificate list. Typically, this event can be a result of manual execution, or execution by cron that is made via aws_cloudwatch_event_target. Event example: Get an event containing a certificate list. Typically, this event can be a result of manual execution, or execution by cron that is made via aws_cloudwatch_event_target . Event example: aws_cloudwatch_event_target { "domainName": "hackernoon.referrs.me", "acmeUrl": "prod", "acmeEmail": "alexander.sharov@cloudexpress.app", "reImportThreshold": 10, "issueType": "default", "storeCertInSecretsManager" : true } { "domainName": "hackernoon.referrs.me", "acmeUrl": "prod", "acmeEmail": "alexander.sharov@cloudexpress.app", "reImportThreshold": 10, "issueType": "default", "storeCertInSecretsManager" : true } Verify whether the certificate exists in the AWS Certificate Manager. If yes, confirm the expiration date. Start the LetsEncrypt DNS-01 challenge if the number of days until the expiration date is fewer than the reImportThreshold. This step involves Lambda creating a TXT record matching the domain name to the AWS Route53 zone and waiting for your certificate to be ready. Lambda updates the certificate in the AWS Certificate Manager when it's ready. Lambda will store certificate files inside the AWS Secrets Manager if storeCertInSecretsManager is true. Verify whether the certificate exists in the AWS Certificate Manager. If yes, confirm the expiration date. Start the LetsEncrypt DNS-01 challenge if the number of days until the expiration date is fewer than the reImportThreshold . This step involves Lambda creating a TXT record matching the domain name to the AWS Route53 zone and waiting for your certificate to be ready. DNS-01 reImportThreshold TXT Lambda updates the certificate in the AWS Certificate Manager when it's ready. Lambda will store certificate files inside the AWS Secrets Manager if storeCertInSecretsManager is true. storeCertInSecretsManager Lambda implementation details The code The code The Lambda is written on Go 1.22. Using as few libraries as possible helped me maintain my goal of keeping the code dry. The full list of required go libraries: URL Description github.com/aws/aws-lambda-go Libraries, samples and tools to help Go developers develop AWS Lambda functions. github.com/aws/aws-sdk-go-v2 AWS SDK for the Go programming language. github.com/go-acme/lego LetsEncrypt / ACME client and library. github.com/guregu/null Reasonable handling of nullable values. github.com/sirupsen/logrus Structured, pluggable logging for Go. URL Description github.com/aws/aws-lambda-go Libraries, samples and tools to help Go developers develop AWS Lambda functions. github.com/aws/aws-sdk-go-v2 AWS SDK for the Go programming language. github.com/go-acme/lego LetsEncrypt / ACME client and library. github.com/guregu/null Reasonable handling of nullable values. github.com/sirupsen/logrus Structured, pluggable logging for Go. URL Description URL URL Description Description github.com/aws/aws-lambda-go Libraries, samples and tools to help Go developers develop AWS Lambda functions. github.com/aws/aws-lambda-go github.com/aws/aws-lambda-go github.com/aws/aws-lambda-go Libraries, samples and tools to help Go developers develop AWS Lambda functions. Libraries, samples and tools to help Go developers develop AWS Lambda functions. github.com/aws/aws-sdk-go-v2 AWS SDK for the Go programming language. github.com/aws/aws-sdk-go-v2 github.com/aws/aws-sdk-go-v2 github.com/aws/aws-sdk-go-v2 AWS SDK for the Go programming language. AWS SDK for the Go programming language. github.com/go-acme/lego LetsEncrypt / ACME client and library. github.com/go-acme/lego github.com/go-acme/lego github.com/go-acme/lego LetsEncrypt / ACME client and library. LetsEncrypt / ACME client and library. github.com/guregu/null Reasonable handling of nullable values. github.com/guregu/null github.com/guregu/null github.com/guregu/null Reasonable handling of nullable values. Reasonable handling of nullable values. github.com/sirupsen/logrus Structured, pluggable logging for Go. github.com/sirupsen/logrus github.com/sirupsen/logrus github.com/sirupsen/logrus Structured, pluggable logging for Go. Structured, pluggable logging for Go. Docker image Docker image I used gcr.io/distroless/static:nonroot as a basic docker image. For Go applications that don't require libc, this image is perfect. It is not completely empty as scratch and includes the following: gcr.io/distroless/static:nonroot scratch CA certificates: no need to copy them from any other stage. /etc/passwd: contains users and groups such as nonroot. /tmp folder. tzdata: in case you want to set the timezone other than UTC. CA certificates: no need to copy them from any other stage. /etc/passwd: contains users and groups such as nonroot. /tmp folder. tzdata: in case you want to set the timezone other than UTC. Build process Build process In large software projects, overseeing the build process can turn into a laborious and time-consuming chore. Makefiles can help automate and streamline this process, ensuring that your project is built efficiently and consistently. For that reason, I prefer to use Makefile for all my Golang projects. The file is simple: ##@ General help: ## Display this help. @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) fmt: ## Run go fmt against code. go fmt ./... vet: ## Run go vet against code. go vet ./... ##@ Build build: fmt vet ## Build service binary. go build -o bin/lambda main.go run: vet ## Run service from your laptop. go run ./main.go ##@ Test lint: ## Run Go linter golangci-lint run ./... test: ## Run Go tests go test ./... ##@ General help: ## Display this help. @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) fmt: ## Run go fmt against code. go fmt ./... vet: ## Run go vet against code. go vet ./... ##@ Build build: fmt vet ## Build service binary. go build -o bin/lambda main.go run: vet ## Run service from your laptop. go run ./main.go ##@ Test lint: ## Run Go linter golangci-lint run ./... test: ## Run Go tests go test ./... From the CICD side I used the typical setup for Go application GitHub Actions as continuous integration. ghcr.io as docker registry. Compared to DockerHub, this one offers two key features that make it my preference to use: The build, test, and deployment workflows can be more easily automated straight from the GitHub repository thanks to GHCR's smooth integration with GitHub Actions. This can increase productivity and simplify the development process. GHCR leverages GitHub’s permission model, allowing users to manage access to container images using the same teams and permissions they use for their code repositories. This simplifies user management and enhances security. kvendingoldo/semver-action: my GitHub Actions plugin for automatic versioning. It’s A GitHub action that generates SemVer compatible tags for repository commits. The action can manage versions, generate GitHub releases, and control release branches inside of the repository. It works wonderfully with both single and monorepos. Automatic changelog generation. I enjoy changelogs! In the context of other OpenSource projects that I manage (e.g., https://github.com/tofuutils/tenv, https://github.com/tofuutils/tofuenv, etc.), my team recognized the importance of informing users about changes. golangci-lint. From my perspective, all code should be reviewed by a static code analyzer. SonarQube cannot be set up for all projects, however golangci, in my opinion, is sufficient for small to medium Go projects. codespell.yml. In addition to code checking, it is a good idea to verify the grammar, especially if you have a large amount of documentation. GitHub Actions as continuous integration. GitHub Actions as continuous integration. GitHub Actions ghcr.io as docker registry. Compared to DockerHub, this one offers two key features that make it my preference to use: The build, test, and deployment workflows can be more easily automated straight from the GitHub repository thanks to GHCR's smooth integration with GitHub Actions. This can increase productivity and simplify the development process. GHCR leverages GitHub’s permission model, allowing users to manage access to container images using the same teams and permissions they use for their code repositories. This simplifies user management and enhances security. ghcr.io as docker registry. Compared to DockerHub, this one offers two key features that make it my preference to use: ghcr.io The build, test, and deployment workflows can be more easily automated straight from the GitHub repository thanks to GHCR's smooth integration with GitHub Actions. This can increase productivity and simplify the development process. GHCR leverages GitHub’s permission model, allowing users to manage access to container images using the same teams and permissions they use for their code repositories. This simplifies user management and enhances security. The build, test, and deployment workflows can be more easily automated straight from the GitHub repository thanks to GHCR's smooth integration with GitHub Actions. This can increase productivity and simplify the development process. GHCR leverages GitHub’s permission model, allowing users to manage access to container images using the same teams and permissions they use for their code repositories. This simplifies user management and enhances security. kvendingoldo/semver-action: my GitHub Actions plugin for automatic versioning. It’s A GitHub action that generates SemVer compatible tags for repository commits. The action can manage versions, generate GitHub releases, and control release branches inside of the repository. It works wonderfully with both single and monorepos. kvendingoldo/semver-action : my GitHub Actions plugin for automatic versioning. It’s A GitHub action that generates SemVer compatible tags for repository commits. The action can manage versions, generate GitHub releases, and control release branches inside of the repository. It works wonderfully with both single and monorepos. kvendingoldo/semver-action SemVer Automatic changelog generation. I enjoy changelogs! In the context of other OpenSource projects that I manage (e.g., https://github.com/tofuutils/tenv, https://github.com/tofuutils/tofuenv, etc.), my team recognized the importance of informing users about changes. Automatic changelog generation. I enjoy changelogs! In the context of other OpenSource projects that I manage (e.g., https://github.com/tofuutils/tenv , https://github.com/tofuutils/tofuenv , etc.), my team recognized the importance of informing users about changes. https://github.com/tofuutils/tenv https://github.com/tofuutils/tofuenv golangci-lint. From my perspective, all code should be reviewed by a static code analyzer. SonarQube cannot be set up for all projects, however golangci, in my opinion, is sufficient for small to medium Go projects. golangci-lint . From my perspective, all code should be reviewed by a static code analyzer. SonarQube cannot be set up for all projects, however golangci, in my opinion, is sufficient for small to medium Go projects. golangci-lint codespell.yml. In addition to code checking, it is a good idea to verify the grammar, especially if you have a large amount of documentation. codespell.yml. In addition to code checking, it is a good idea to verify the grammar, especially if you have a large amount of documentation. codespell.yml . codespell.yml How to deploy Lambda to AWS via Terraform/OpenTofu The code discussed in this page is the same for Terraform and OpenTofu, but starting with Terraform v1.6, Hashicorp has been modified the Terraform license to Business Source License (BSL) v1.1.If you're developing something commercial on top of Terraform, switch to OpenTofu as soon as possible. The code discussed in this page is the same for Terraform and OpenTofu, but starting with Terraform v1.6, Hashicorp has been modified the Terraform license to Business Source License (BSL) v1.1.If you're developing something commercial on top of Terraform, switch to OpenTofu as soon as possible. If you need to manage multiple versions of OpenTofu or Terraform , use the tenv - OpenTofu, Terraform, Terragrunt, and Atmos version manager, written in Go. If you need to manage multiple versions of OpenTofu or Terraform , use the tenv - OpenTofu, Terraform, Terragrunt, and Atmos version manager, written in Go. tenv tenv More Terraform / OpenTofu examples can be found in the examples folder within the Git repository. More Terraform / OpenTofu examples can be found in the examples folder within the Git repository . Git repository To work with AWS LetsEncrypt Lambda via OpenTofu you need to do the following steps: Add module into to your OpenTofu / Terraform code module "letsencrypt_lambda" { source = "git@github.com:kvendingoldo/aws-letsencrypt-lambda.git//files/terraform/module?ref=0.31.4" blank_name = "kvendingoldo-letsencrypt-lambda" tags = var.tags cron_schedule = var.letsencrypt_lambda_cron_schedule events = var.letsencrypt_lambda_events ecr_proxy_username = var.ecr_proxy_username ecr_proxy_access_token = var.ecr_proxy_access_token } Specify variables variable "tags" { default = { hackernoon : "demo" } } variable "ecr_proxy_username" { default = "kvendingoldo" } variable "ecr_proxy_access_token" { default = "ghp_xxx" } variable "letsencrypt_lambda_cron_schedule" { default = "rate(168 hours)" } variable "letsencrypt_lambda_events" { default = [ { "acmRegion" : "us-east-1", "route53Region" : "us-east-1", "domainName" : "hackernoon.referrs.me", "acmeUrl" : "stage", "acmeEmail" : "alexander.sharov@cloudexpress.app", "reImportThreshold" : 100, "issueType" : "default", "storeCertInSecretsManager" : false } ] } Pay attention to variables ecr_proxy_username and ecr_proxy_access_token. By default, AWS Lambda cannot pull images from sources other than AWS ECR. Fortunately, the AWS team created ECR Proxy cache, which can fetch images from publicly available registries such as DockerHub or GHCR and store them inside ECR. Despite this possibility, AWS does not allow images to be pulled without a token, even from open public repositories, thus you must acquire a personal GitHub token to gain access to pre-built Docker images. Alternatively, you can pull my GitHub repository, build the image locally, then upload it to your pre-existing ECR repository. In this scenario, the example can be modified as follows: module "letsencrypt_lambda" { source = "../../" blank_name = "kvendingoldo-letsencrypt-lambda" tags = var.tags cron_schedule = var.letsencrypt_lambda_cron_schedule events = var.letsencrypt_lambda_events ecr_proxy_enabled = false ecr_image_uri = "<YOUR_ACCOUNT_ID>.dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:<VERSION>" } When you complete changing the code, run the following command to install OpenTofu by OpenTofu version switcher tenv: $ tenv tofu install And finally, execute the following commands to apply the produced code: $ tofu init $ tofu plan $ tofu apply Wait until the code is deployed to AWS and events are triggered. After a few minutes, you will see ready certificates inside the certificate manager. Example: Starting now, AWS can use the issued certificate at any services by ARN. If you need to use the certificate outside of AWS services or have access to its content, set the storeCertInSecretsManager event option to true. In this situation, when Lambda completes the basic execution, the certificate will be saved in AWS Secrets Manager. It gives users more flexibility: they can inspect the certificate's content, work with it directly from EC2, etc. To learn more about AWS Secrets Manager, read the official guide. Add module into to your OpenTofu / Terraform code module "letsencrypt_lambda" { source = "git@github.com:kvendingoldo/aws-letsencrypt-lambda.git//files/terraform/module?ref=0.31.4" blank_name = "kvendingoldo-letsencrypt-lambda" tags = var.tags cron_schedule = var.letsencrypt_lambda_cron_schedule events = var.letsencrypt_lambda_events ecr_proxy_username = var.ecr_proxy_username ecr_proxy_access_token = var.ecr_proxy_access_token } Add module into to your OpenTofu / Terraform code module "letsencrypt_lambda" { source = "git@github.com:kvendingoldo/aws-letsencrypt-lambda.git//files/terraform/module?ref=0.31.4" blank_name = "kvendingoldo-letsencrypt-lambda" tags = var.tags cron_schedule = var.letsencrypt_lambda_cron_schedule events = var.letsencrypt_lambda_events ecr_proxy_username = var.ecr_proxy_username ecr_proxy_access_token = var.ecr_proxy_access_token } module "letsencrypt_lambda" { source = "git@github.com:kvendingoldo/aws-letsencrypt-lambda.git//files/terraform/module?ref=0.31.4" blank_name = "kvendingoldo-letsencrypt-lambda" tags = var.tags cron_schedule = var.letsencrypt_lambda_cron_schedule events = var.letsencrypt_lambda_events ecr_proxy_username = var.ecr_proxy_username ecr_proxy_access_token = var.ecr_proxy_access_token } Specify variables variable "tags" { default = { hackernoon : "demo" } } variable "ecr_proxy_username" { default = "kvendingoldo" } variable "ecr_proxy_access_token" { default = "ghp_xxx" } variable "letsencrypt_lambda_cron_schedule" { default = "rate(168 hours)" } variable "letsencrypt_lambda_events" { default = [ { "acmRegion" : "us-east-1", "route53Region" : "us-east-1", "domainName" : "hackernoon.referrs.me", "acmeUrl" : "stage", "acmeEmail" : "alexander.sharov@cloudexpress.app", "reImportThreshold" : 100, "issueType" : "default", "storeCertInSecretsManager" : false } ] } Specify variables variable "tags" { default = { hackernoon : "demo" } } variable "ecr_proxy_username" { default = "kvendingoldo" } variable "ecr_proxy_access_token" { default = "ghp_xxx" } variable "letsencrypt_lambda_cron_schedule" { default = "rate(168 hours)" } variable "letsencrypt_lambda_events" { default = [ { "acmRegion" : "us-east-1", "route53Region" : "us-east-1", "domainName" : "hackernoon.referrs.me", "acmeUrl" : "stage", "acmeEmail" : "alexander.sharov@cloudexpress.app", "reImportThreshold" : 100, "issueType" : "default", "storeCertInSecretsManager" : false } ] } variable "tags" { default = { hackernoon : "demo" } } variable "ecr_proxy_username" { default = "kvendingoldo" } variable "ecr_proxy_access_token" { default = "ghp_xxx" } variable "letsencrypt_lambda_cron_schedule" { default = "rate(168 hours)" } variable "letsencrypt_lambda_events" { default = [ { "acmRegion" : "us-east-1", "route53Region" : "us-east-1", "domainName" : "hackernoon.referrs.me", "acmeUrl" : "stage", "acmeEmail" : "alexander.sharov@cloudexpress.app", "reImportThreshold" : 100, "issueType" : "default", "storeCertInSecretsManager" : false } ] } Pay attention to variables ecr_proxy_username and ecr_proxy_access_token. By default, AWS Lambda cannot pull images from sources other than AWS ECR. Fortunately, the AWS team created ECR Proxy cache, which can fetch images from publicly available registries such as DockerHub or GHCR and store them inside ECR. Despite this possibility, AWS does not allow images to be pulled without a token, even from open public repositories, thus you must acquire a personal GitHub token to gain access to pre-built Docker images. Alternatively, you can pull my GitHub repository, build the image locally, then upload it to your pre-existing ECR repository. In this scenario, the example can be modified as follows: module "letsencrypt_lambda" { source = "../../" blank_name = "kvendingoldo-letsencrypt-lambda" tags = var.tags cron_schedule = var.letsencrypt_lambda_cron_schedule events = var.letsencrypt_lambda_events ecr_proxy_enabled = false ecr_image_uri = "<YOUR_ACCOUNT_ID>.dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:<VERSION>" } Pay attention to variables ecr_proxy_username and ecr_proxy_access_token . By default, AWS Lambda cannot pull images from sources other than AWS ECR. Fortunately, the AWS team created ECR Proxy cache, which can fetch images from publicly available registries such as DockerHub or GHCR and store them inside ECR. Despite this possibility, AWS does not allow images to be pulled without a token, even from open public repositories, thus you must acquire a personal GitHub token to gain access to pre-built Docker images. Alternatively, you can pull my GitHub repository, build the image locally, then upload it to your pre-existing ECR repository. In this scenario, the example can be modified as follows: ecr_proxy_username ecr_proxy_access_token module "letsencrypt_lambda" { source = "../../" blank_name = "kvendingoldo-letsencrypt-lambda" tags = var.tags cron_schedule = var.letsencrypt_lambda_cron_schedule events = var.letsencrypt_lambda_events ecr_proxy_enabled = false ecr_image_uri = "<YOUR_ACCOUNT_ID>.dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:<VERSION>" } module "letsencrypt_lambda" { source = "../../" blank_name = "kvendingoldo-letsencrypt-lambda" tags = var.tags cron_schedule = var.letsencrypt_lambda_cron_schedule events = var.letsencrypt_lambda_events ecr_proxy_enabled = false ecr_image_uri = "<YOUR_ACCOUNT_ID>.dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:<VERSION>" } When you complete changing the code, run the following command to install OpenTofu by OpenTofu version switcher tenv: $ tenv tofu install When you complete changing the code, run the following command to install OpenTofu by OpenTofu version switcher tenv : tenv $ tenv tofu install $ tenv tofu install And finally, execute the following commands to apply the produced code: $ tofu init $ tofu plan $ tofu apply And finally, execute the following commands to apply the produced code: $ tofu init $ tofu plan $ tofu apply $ tofu init $ tofu plan $ tofu apply Wait until the code is deployed to AWS and events are triggered. After a few minutes, you will see ready certificates inside the certificate manager. Example: Wait until the code is deployed to AWS and events are triggered. After a few minutes, you will see ready certificates inside the certificate manager. Example: Starting now, AWS can use the issued certificate at any services by ARN. Starting now, AWS can use the issued certificate at any services by ARN. If you need to use the certificate outside of AWS services or have access to its content, set the storeCertInSecretsManager event option to true. In this situation, when Lambda completes the basic execution, the certificate will be saved in AWS Secrets Manager. It gives users more flexibility: they can inspect the certificate's content, work with it directly from EC2, etc. To learn more about AWS Secrets Manager, read the official guide. If you need to use the certificate outside of AWS services or have access to its content, set the storeCertInSecretsManager event option to true . In this situation, when Lambda completes the basic execution, the certificate will be saved in AWS Secrets Manager. It gives users more flexibility: they can inspect the certificate's content, work with it directly from EC2, etc. To learn more about AWS Secrets Manager, read the official guide. storeCertInSecretsManager true Environment variables Environment variables Name Description Possible values Default value Example Required FORMATTER_TYPE Formatter type for logs JSON | TEXT TEXT JSON ❌ MODE Application mode. Set cloud mode for AWS execution, and local mode for local testing. cloud | local cloud cloud ✅ LOG_LEVEL Logging level panic|fatal|error|warn|info|debug|trace warn warn ❌ AWS_REGION Default AWS Region. After the deployment to AWS it settings automatically. <any valid AWS region> - us-east-1 ✅ DOMAIN_NAME Domain name for which the certificate is being issued or renewed any valid domain name - hackernoon.referrs.me ✅ ACME_URL The production LetsEncrypt URL will be utilized if it is set to prod; if not, the stage URL will be used. prod | stage prod prod ✅ ACME_EMAIL Email address linked to the LetsEncrypt certificate any valid email alexander.sharov@cloudexpress.app alexander.sharov@cloudexpress.app ✅ REIMPORT_THRESHOLD The certificate will be renewed if its time to live (TTL) equals REIMPORT_THRESHOLD. any int > 0 10 10 ✅ STORE_CERT_IN_SECRETSMANAGER If true, Lambda will keep the certificate in both Certificate Manager and Secrets Manager. “true” | “false” “false” “false” ❌ Name Description Possible values Default value Example Required FORMATTER_TYPE Formatter type for logs JSON | TEXT TEXT JSON ❌ MODE Application mode. Set cloud mode for AWS execution, and local mode for local testing. cloud | local cloud cloud ✅ LOG_LEVEL Logging level panic|fatal|error|warn|info|debug|trace warn warn ❌ AWS_REGION Default AWS Region. After the deployment to AWS it settings automatically. <any valid AWS region> - us-east-1 ✅ DOMAIN_NAME Domain name for which the certificate is being issued or renewed any valid domain name - hackernoon.referrs.me ✅ ACME_URL The production LetsEncrypt URL will be utilized if it is set to prod; if not, the stage URL will be used. prod | stage prod prod ✅ ACME_EMAIL Email address linked to the LetsEncrypt certificate any valid email alexander.sharov@cloudexpress.app alexander.sharov@cloudexpress.app ✅ REIMPORT_THRESHOLD The certificate will be renewed if its time to live (TTL) equals REIMPORT_THRESHOLD. any int > 0 10 10 ✅ STORE_CERT_IN_SECRETSMANAGER If true, Lambda will keep the certificate in both Certificate Manager and Secrets Manager. “true” | “false” “false” “false” ❌ Name Description Possible values Default value Example Required Name Name Description Description Possible values Possible values Default value Default value Example Example Required Required FORMATTER_TYPE Formatter type for logs JSON | TEXT TEXT JSON ❌ FORMATTER_TYPE FORMATTER_TYPE FORMATTER_TYPE Formatter type for logs Formatter type for logs JSON | TEXT JSON | TEXT TEXT TEXT JSON JSON ❌ ❌ MODE Application mode. Set cloud mode for AWS execution, and local mode for local testing. cloud | local cloud cloud ✅ MODE MODE MODE Application mode. Set cloud mode for AWS execution, and local mode for local testing. Application mode. Set cloud mode for AWS execution, and local mode for local testing. cloud local cloud | local cloud | local cloud cloud cloud cloud ✅ ✅ LOG_LEVEL Logging level panic|fatal|error|warn|info|debug|trace warn warn ❌ LOG_LEVEL LOG_LEVEL LOG_LEVEL Logging level Logging level panic|fatal|error|warn|info|debug|trace panic|fatal|error|warn|info|debug|trace warn warn warn warn ❌ ❌ AWS_REGION Default AWS Region. After the deployment to AWS it settings automatically. <any valid AWS region> - us-east-1 ✅ AWS_REGION AWS_REGION AWS_REGION Default AWS Region. After the deployment to AWS it settings automatically. Default AWS Region. After the deployment to AWS it settings automatically. <any valid AWS region> <any valid AWS region> - - us-east-1 us-east-1 ✅ ✅ DOMAIN_NAME Domain name for which the certificate is being issued or renewed any valid domain name - hackernoon.referrs.me ✅ DOMAIN_NAME DOMAIN_NAME DOMAIN_NAME Domain name for which the certificate is being issued or renewed Domain name for which the certificate is being issued or renewed any valid domain name any valid domain name any valid domain name - - hackernoon.referrs.me hackernoon. referrs.me referrs.me ✅ ✅ ACME_URL The production LetsEncrypt URL will be utilized if it is set to prod; if not, the stage URL will be used. prod | stage prod prod ✅ ACME_URL ACME_URL ACME_URL The production LetsEncrypt URL will be utilized if it is set to prod; if not, the stage URL will be used. The production LetsEncrypt URL will be utilized if it is set to prod ; if not, the stage URL will be used. prod prod | stage prod | stage prod prod prod prod ✅ ✅ ACME_EMAIL Email address linked to the LetsEncrypt certificate any valid email alexander.sharov@cloudexpress.app alexander.sharov@cloudexpress.app ✅ ACME_EMAIL ACME_EMAIL ACME_EMAIL Email address linked to the LetsEncrypt certificate Email address linked to the LetsEncrypt certificate any valid email any valid email any valid email alexander.sharov@cloudexpress.app alexander.sharov@cloudexpress.app alexander.sharov@cloudexpress.app alexander.sharov@cloudexpress.app ✅ ✅ REIMPORT_THRESHOLD The certificate will be renewed if its time to live (TTL) equals REIMPORT_THRESHOLD. any int > 0 10 10 ✅ REIMPORT_THRESHOLD REIMPORT_THRESHOLD REIMPORT_THRESHOLD The certificate will be renewed if its time to live (TTL) equals REIMPORT_THRESHOLD. The certificate will be renewed if its time to live (TTL) equals REIMPORT_THRESHOLD . REIMPORT_THRESHOLD any int > 0 any int > 0 any int > 0 10 10 10 10 ✅ ✅ STORE_CERT_IN_SECRETSMANAGER If true, Lambda will keep the certificate in both Certificate Manager and Secrets Manager. “true” | “false” “false” “false” ❌ STORE_CERT_IN_SECRETSMANAGER STORE_CERT_IN_SECRETSMANAGER STORE_CERT_IN_SECRETSMANAGER If true, Lambda will keep the certificate in both Certificate Manager and Secrets Manager. If true , Lambda will keep the certificate in both Certificate Manager and Secrets Manager. true “true” | “false” “true” | “false” “false” “false” “false” “false” ❌ ❌ How to check LetsEncrypt Lambda logs In scope of work with aws-letsencrypt-lambda you may occasionally want to review the logs. It's quite easy to accomplish: aws-letsencrypt-lambda Go to AWS Cloudwatch, click to “Log groups” Find log group with name, that you specified in OpenTofu code. For example, in my case it’s /aws/lambda/kvendingoldo-letsencrypt-lambda Go to the group, select the desired stream from the list, and review the logs. Go to AWS Cloudwatch, click to “Log groups” Find log group with name, that you specified in OpenTofu code. For example, in my case it’s /aws/lambda/kvendingoldo-letsencrypt-lambda /aws/lambda/kvendingoldo-letsencrypt-lambda Go to the group, select the desired stream from the list, and review the logs. How to trigger Lambda manually via AWS UI Go to Lambda function that has been created via OpenTofu. Click to “Tests” button. Fill Test Event and click Test { "domainName": "<YOUR_VALID_DOMAIN>", "acmeUrl": <stage | prod>, "acmeEmail": "<ANY_VALID_EMAIL>", "reImportThreshold": 10, "issueType": "<default | force>", "storeCertInSecretsManager" : <true | false> } Example #1: { "domainName": "hackernoon.referrs.me", "acmeUrl": "prod", "acmeEmail": "alexander.sharov@cloudexpress.app", "reImportThreshold": 10, "issueType": "default" } Wait until execution will be completed. You can the execution log is available in Cloudwatch. Usually the initial issue takes around 5 minutes. Go to Lambda function that has been created via OpenTofu. Click to “Tests” button. Go to Lambda function that has been created via OpenTofu. Click to “Tests” button. Fill Test Event and click Test { "domainName": "<YOUR_VALID_DOMAIN>", "acmeUrl": <stage | prod>, "acmeEmail": "<ANY_VALID_EMAIL>", "reImportThreshold": 10, "issueType": "<default | force>", "storeCertInSecretsManager" : <true | false> } Example #1: { "domainName": "hackernoon.referrs.me", "acmeUrl": "prod", "acmeEmail": "alexander.sharov@cloudexpress.app", "reImportThreshold": 10, "issueType": "default" } Fill Test Event and click Test Test Event Test { "domainName": "<YOUR_VALID_DOMAIN>", "acmeUrl": <stage | prod>, "acmeEmail": "<ANY_VALID_EMAIL>", "reImportThreshold": 10, "issueType": "<default | force>", "storeCertInSecretsManager" : <true | false> } { "domainName": "<YOUR_VALID_DOMAIN>", "acmeUrl": <stage | prod>, "acmeEmail": "<ANY_VALID_EMAIL>", "reImportThreshold": 10, "issueType": "<default | force>", "storeCertInSecretsManager" : <true | false> } Example #1: { "domainName": "hackernoon.referrs.me", "acmeUrl": "prod", "acmeEmail": "alexander.sharov@cloudexpress.app", "reImportThreshold": 10, "issueType": "default" } { "domainName": "hackernoon.referrs.me", "acmeUrl": "prod", "acmeEmail": "alexander.sharov@cloudexpress.app", "reImportThreshold": 10, "issueType": "default" } Wait until execution will be completed. You can the execution log is available in Cloudwatch. Usually the initial issue takes around 5 minutes. Wait until execution will be completed. You can the execution log is available in Cloudwatch. Usually the initial issue takes around 5 minutes. How to test Lambda locally Clone https://github.com/kvendingoldo/aws-letsencrypt-lambda repository to your laptop Configure AWS Cli credentials via the official guide. Examine the environment variables section and set the minimum number of variables needed. Since LetsEncrypt will limit the amount of retries per hour for ACME_URL="prod", I advise using ACME_URL="stage" for testing. Environment variables example: export AWS_REGION="us-east-2" export MODE=local export DOMAIN_NAME="hackernoon.referrs.me" export ACME_URL="stage" export ACME_EMAIL="alexander.sharov@cloudexpress.app" export REIMPORT_THRESHOLD=10 export ISSUE_TYPE="default" export STORE_CERT_IN_SECRETSMANAGER="true" Execute the lambda locally via the following command: go run main.go Following Lambda's successful execution, the following log will appear. INFO[0000] Starting lambda execution ... INFO[0000] Lambda will use STAGING ACME URL; If you need to use PROD URL specify it via 'ACME_URL' or pass in event body INFO[0000] Certificate found, arn is arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af. Trying to renew ... INFO[0000] Checking certificate for domain 'hackernoon.referrs.me' with arn 'arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af' INFO[0000] Certificate status is 'ISSUED' INFO[0000] Certificate in use by [] INFO[0000] Certificate valid until 2024-08-31 13:50:49 +0000 UTC (89 days left) INFO[0000] Try to get certificate for hackernoon.referrs.me domain 2024/06/02 17:56:23 [INFO] acme: Registering account for alex.sharov@referrs.me 2024/06/02 17:56:24 [INFO] [hackernoon.referrs.me, www.hackernoon.referrs.me] acme: Obtaining bundled SAN certificate 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12603809394 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12603809404 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Could not find solver for: tls-alpn-01 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Could not find solver for: http-01 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: use dns-01 solver 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: Could not find solver for: tls-alpn-01 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: Could not find solver for: http-01 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: use dns-01 solver 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Preparing to solve DNS-01 2024/06/02 17:56:26 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:00 [INFO] [www.hackernoon.referrs.me] acme: Preparing to solve DNS-01 2024/06/02 17:57:00 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:30 [INFO] [hackernoon.referrs.me] acme: Trying to solve DNS-01 2024/06/02 17:57:30 [INFO] [hackernoon.referrs.me] acme: Checking DNS record propagation. [nameservers=109.122.99.130:53,109.122.99.129:53] 2024/06/02 17:57:34 [INFO] Wait for propagation [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:46 [INFO] [hackernoon.referrs.me] The server validated our request 2024/06/02 17:57:46 [INFO] [www.hackernoon.referrs.me] acme: Trying to solve DNS-01 2024/06/02 17:57:46 [INFO] [www.hackernoon.referrs.me] acme: Checking DNS record propagation. [nameservers=109.122.99.130:53,109.122.99.129:53] 2024/06/02 17:57:50 [INFO] Wait for propagation [timeout: 5m0s, interval: 4s] 2024/06/02 17:58:30 [INFO] [www.hackernoon.referrs.me] The server validated our request 2024/06/02 17:58:30 [INFO] [hackernoon.referrs.me] acme: Cleaning DNS-01 challenge 2024/06/02 17:58:30 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:59:09 [INFO] [www.hackernoon.referrs.me] acme: Cleaning DNS-01 challenge 2024/06/02 17:59:09 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:59:43 [INFO] [hackernoon.referrs.me, www.hackernoon.referrs.me] acme: Validations succeeded; requesting certificates 2024/06/02 17:59:43 [INFO] Wait for certificate [timeout: 30s, interval: 500ms] 2024/06/02 17:59:45 [INFO] [hackernoon.referrs.me] Server responded with a certificate. INFO[0203] Certificate has been successfully imported. Arn is arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af INFO[0204] Secret updated successfully. SecretId: arn:aws:secretsmanager:us-east-2:004867756392:secret:hackernoon.referrs.me-NioT77 INFO[0204] Lambda has been completed That is it. Starting now, AWS can use the issued certificate at any services by ARN or in other locations where it is physically necessary by obtaining it from the AWS Secrets Manager. Clone https://github.com/kvendingoldo/aws-letsencrypt-lambda repository to your laptop Clone https://github.com/kvendingoldo/aws-letsencrypt-lambda repository to your laptop https://github.com/kvendingoldo/aws-letsencrypt-lambda Configure AWS Cli credentials via the official guide. Configure AWS Cli credentials via the official guide . official guide Examine the environment variables section and set the minimum number of variables needed. Since LetsEncrypt will limit the amount of retries per hour for ACME_URL="prod", I advise using ACME_URL="stage" for testing. Environment variables example: export AWS_REGION="us-east-2" export MODE=local export DOMAIN_NAME="hackernoon.referrs.me" export ACME_URL="stage" export ACME_EMAIL="alexander.sharov@cloudexpress.app" export REIMPORT_THRESHOLD=10 export ISSUE_TYPE="default" export STORE_CERT_IN_SECRETSMANAGER="true" Examine the environment variables section and set the minimum number of variables needed. Since LetsEncrypt will limit the amount of retries per hour for ACME_URL="prod" , I advise using ACME_URL="stage" for testing. Environment variables example: ACME_URL="prod" ACME_URL="stage" export AWS_REGION="us-east-2" export MODE=local export DOMAIN_NAME="hackernoon.referrs.me" export ACME_URL="stage" export ACME_EMAIL="alexander.sharov@cloudexpress.app" export REIMPORT_THRESHOLD=10 export ISSUE_TYPE="default" export STORE_CERT_IN_SECRETSMANAGER="true" export AWS_REGION="us-east-2" export MODE=local export DOMAIN_NAME="hackernoon.referrs.me" export ACME_URL="stage" export ACME_EMAIL="alexander.sharov@cloudexpress.app" export REIMPORT_THRESHOLD=10 export ISSUE_TYPE="default" export STORE_CERT_IN_SECRETSMANAGER="true" Execute the lambda locally via the following command: go run main.go Execute the lambda locally via the following command: go run main.go go run main.go Following Lambda's successful execution, the following log will appear. INFO[0000] Starting lambda execution ... INFO[0000] Lambda will use STAGING ACME URL; If you need to use PROD URL specify it via 'ACME_URL' or pass in event body INFO[0000] Certificate found, arn is arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af. Trying to renew ... INFO[0000] Checking certificate for domain 'hackernoon.referrs.me' with arn 'arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af' INFO[0000] Certificate status is 'ISSUED' INFO[0000] Certificate in use by [] INFO[0000] Certificate valid until 2024-08-31 13:50:49 +0000 UTC (89 days left) INFO[0000] Try to get certificate for hackernoon.referrs.me domain 2024/06/02 17:56:23 [INFO] acme: Registering account for alex.sharov@referrs.me 2024/06/02 17:56:24 [INFO] [hackernoon.referrs.me, www.hackernoon.referrs.me] acme: Obtaining bundled SAN certificate 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12603809394 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12603809404 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Could not find solver for: tls-alpn-01 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Could not find solver for: http-01 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: use dns-01 solver 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: Could not find solver for: tls-alpn-01 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: Could not find solver for: http-01 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: use dns-01 solver 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Preparing to solve DNS-01 2024/06/02 17:56:26 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:00 [INFO] [www.hackernoon.referrs.me] acme: Preparing to solve DNS-01 2024/06/02 17:57:00 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:30 [INFO] [hackernoon.referrs.me] acme: Trying to solve DNS-01 2024/06/02 17:57:30 [INFO] [hackernoon.referrs.me] acme: Checking DNS record propagation. [nameservers=109.122.99.130:53,109.122.99.129:53] 2024/06/02 17:57:34 [INFO] Wait for propagation [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:46 [INFO] [hackernoon.referrs.me] The server validated our request 2024/06/02 17:57:46 [INFO] [www.hackernoon.referrs.me] acme: Trying to solve DNS-01 2024/06/02 17:57:46 [INFO] [www.hackernoon.referrs.me] acme: Checking DNS record propagation. [nameservers=109.122.99.130:53,109.122.99.129:53] 2024/06/02 17:57:50 [INFO] Wait for propagation [timeout: 5m0s, interval: 4s] 2024/06/02 17:58:30 [INFO] [www.hackernoon.referrs.me] The server validated our request 2024/06/02 17:58:30 [INFO] [hackernoon.referrs.me] acme: Cleaning DNS-01 challenge 2024/06/02 17:58:30 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:59:09 [INFO] [www.hackernoon.referrs.me] acme: Cleaning DNS-01 challenge 2024/06/02 17:59:09 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:59:43 [INFO] [hackernoon.referrs.me, www.hackernoon.referrs.me] acme: Validations succeeded; requesting certificates 2024/06/02 17:59:43 [INFO] Wait for certificate [timeout: 30s, interval: 500ms] 2024/06/02 17:59:45 [INFO] [hackernoon.referrs.me] Server responded with a certificate. INFO[0203] Certificate has been successfully imported. Arn is arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af INFO[0204] Secret updated successfully. SecretId: arn:aws:secretsmanager:us-east-2:004867756392:secret:hackernoon.referrs.me-NioT77 INFO[0204] Lambda has been completed Following Lambda's successful execution, the following log will appear. INFO[0000] Starting lambda execution ... INFO[0000] Lambda will use STAGING ACME URL; If you need to use PROD URL specify it via 'ACME_URL' or pass in event body INFO[0000] Certificate found, arn is arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af. Trying to renew ... INFO[0000] Checking certificate for domain 'hackernoon.referrs.me' with arn 'arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af' INFO[0000] Certificate status is 'ISSUED' INFO[0000] Certificate in use by [] INFO[0000] Certificate valid until 2024-08-31 13:50:49 +0000 UTC (89 days left) INFO[0000] Try to get certificate for hackernoon.referrs.me domain 2024/06/02 17:56:23 [INFO] acme: Registering account for alex.sharov@referrs.me 2024/06/02 17:56:24 [INFO] [hackernoon.referrs.me, www.hackernoon.referrs.me] acme: Obtaining bundled SAN certificate 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12603809394 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12603809404 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Could not find solver for: tls-alpn-01 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Could not find solver for: http-01 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: use dns-01 solver 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: Could not find solver for: tls-alpn-01 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: Could not find solver for: http-01 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: use dns-01 solver 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Preparing to solve DNS-01 2024/06/02 17:56:26 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:00 [INFO] [www.hackernoon.referrs.me] acme: Preparing to solve DNS-01 2024/06/02 17:57:00 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:30 [INFO] [hackernoon.referrs.me] acme: Trying to solve DNS-01 2024/06/02 17:57:30 [INFO] [hackernoon.referrs.me] acme: Checking DNS record propagation. [nameservers=109.122.99.130:53,109.122.99.129:53] 2024/06/02 17:57:34 [INFO] Wait for propagation [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:46 [INFO] [hackernoon.referrs.me] The server validated our request 2024/06/02 17:57:46 [INFO] [www.hackernoon.referrs.me] acme: Trying to solve DNS-01 2024/06/02 17:57:46 [INFO] [www.hackernoon.referrs.me] acme: Checking DNS record propagation. [nameservers=109.122.99.130:53,109.122.99.129:53] 2024/06/02 17:57:50 [INFO] Wait for propagation [timeout: 5m0s, interval: 4s] 2024/06/02 17:58:30 [INFO] [www.hackernoon.referrs.me] The server validated our request 2024/06/02 17:58:30 [INFO] [hackernoon.referrs.me] acme: Cleaning DNS-01 challenge 2024/06/02 17:58:30 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:59:09 [INFO] [www.hackernoon.referrs.me] acme: Cleaning DNS-01 challenge 2024/06/02 17:59:09 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:59:43 [INFO] [hackernoon.referrs.me, www.hackernoon.referrs.me] acme: Validations succeeded; requesting certificates 2024/06/02 17:59:43 [INFO] Wait for certificate [timeout: 30s, interval: 500ms] 2024/06/02 17:59:45 [INFO] [hackernoon.referrs.me] Server responded with a certificate. INFO[0203] Certificate has been successfully imported. Arn is arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af INFO[0204] Secret updated successfully. SecretId: arn:aws:secretsmanager:us-east-2:004867756392:secret:hackernoon.referrs.me-NioT77 INFO[0204] Lambda has been completed INFO[0000] Starting lambda execution ... INFO[0000] Lambda will use STAGING ACME URL; If you need to use PROD URL specify it via 'ACME_URL' or pass in event body INFO[0000] Certificate found, arn is arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af. Trying to renew ... INFO[0000] Checking certificate for domain 'hackernoon.referrs.me' with arn 'arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af' INFO[0000] Certificate status is 'ISSUED' INFO[0000] Certificate in use by [] INFO[0000] Certificate valid until 2024-08-31 13:50:49 +0000 UTC (89 days left) INFO[0000] Try to get certificate for hackernoon.referrs.me domain 2024/06/02 17:56:23 [INFO] acme: Registering account for alex.sharov@referrs.me 2024/06/02 17:56:24 [INFO] [hackernoon.referrs.me, www.hackernoon.referrs.me] acme: Obtaining bundled SAN certificate 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12603809394 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12603809404 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Could not find solver for: tls-alpn-01 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Could not find solver for: http-01 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: use dns-01 solver 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: Could not find solver for: tls-alpn-01 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: Could not find solver for: http-01 2024/06/02 17:56:25 [INFO] [www.hackernoon.referrs.me] acme: use dns-01 solver 2024/06/02 17:56:25 [INFO] [hackernoon.referrs.me] acme: Preparing to solve DNS-01 2024/06/02 17:56:26 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:00 [INFO] [www.hackernoon.referrs.me] acme: Preparing to solve DNS-01 2024/06/02 17:57:00 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:30 [INFO] [hackernoon.referrs.me] acme: Trying to solve DNS-01 2024/06/02 17:57:30 [INFO] [hackernoon.referrs.me] acme: Checking DNS record propagation. [nameservers=109.122.99.130:53,109.122.99.129:53] 2024/06/02 17:57:34 [INFO] Wait for propagation [timeout: 5m0s, interval: 4s] 2024/06/02 17:57:46 [INFO] [hackernoon.referrs.me] The server validated our request 2024/06/02 17:57:46 [INFO] [www.hackernoon.referrs.me] acme: Trying to solve DNS-01 2024/06/02 17:57:46 [INFO] [www.hackernoon.referrs.me] acme: Checking DNS record propagation. [nameservers=109.122.99.130:53,109.122.99.129:53] 2024/06/02 17:57:50 [INFO] Wait for propagation [timeout: 5m0s, interval: 4s] 2024/06/02 17:58:30 [INFO] [www.hackernoon.referrs.me] The server validated our request 2024/06/02 17:58:30 [INFO] [hackernoon.referrs.me] acme: Cleaning DNS-01 challenge 2024/06/02 17:58:30 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:59:09 [INFO] [www.hackernoon.referrs.me] acme: Cleaning DNS-01 challenge 2024/06/02 17:59:09 [INFO] Wait for route53 [timeout: 5m0s, interval: 4s] 2024/06/02 17:59:43 [INFO] [hackernoon.referrs.me, www.hackernoon.referrs.me] acme: Validations succeeded; requesting certificates 2024/06/02 17:59:43 [INFO] Wait for certificate [timeout: 30s, interval: 500ms] 2024/06/02 17:59:45 [INFO] [hackernoon.referrs.me] Server responded with a certificate. INFO[0203] Certificate has been successfully imported. Arn is arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af INFO[0204] Secret updated successfully. SecretId: arn:aws:secretsmanager:us-east-2:004867756392:secret:hackernoon.referrs.me-NioT77 INFO[0204] Lambda has been completed That is it. Starting now, AWS can use the issued certificate at any services by ARN or in other locations where it is physically necessary by obtaining it from the AWS Secrets Manager. That is it. Starting now, AWS can use the issued certificate at any services by ARN or in other locations where it is physically necessary by obtaining it from the AWS Secrets Manager. Hands-on experience using it over more than 4 years at AWS I've been using the Lambda function in production for almost four years. Over the years, various aspects of the initial implementation have changed: Previously, AWS prohibited the usage of any non-ECR registries as Lambda sources. It has not changed, however AWS has added ECR proxy for GitHub, DockerHub, and a few additional registries. Without this functionality, we had to manually push Lambda images to our personal ECR and replace URL to the image in Terraform code. Now the OpenTofu code does it automatically via ECR Proxy. In the beginning, I considered introducing various challenges such as http-01 or tls-alpn-01, but no one questioned me about it for four years. It is still present on GitHub issues, and if this capability is required, we can work together to create it. I didn't want to utilize LetsEncrypt certificates at pure EC2 instances when the project originally started, but these days it's standard practice. As I previously stated, in certain situations, a certificate can be retrieved from AWS Secrets Managed using the AWS cli. I’ve written a lot of new Go code over the years, so I can tell that the original Lambda code in my repository isn't as fancy as it could be. There is a significant difference between it and my most recent Go project, tenv (OpenTofu, Terraform, Terragrunt, and Atmos version manager, written in Go), but in any case, the code is still generally supported, so making modifications to it won't be too problematic. Occasionally, I will undertake significant refactoring to make the code more elegant. The same Lambda is being used for years in several different projects. Additionally, I'm co-founder of DevOps platform cloudexpress.app, where our team manages TLS certificates for all our clients using the AWS LetsEncrypt Lambda to simplify the automation processes. Previously, AWS prohibited the usage of any non-ECR registries as Lambda sources. It has not changed, however AWS has added ECR proxy for GitHub, DockerHub, and a few additional registries. Without this functionality, we had to manually push Lambda images to our personal ECR and replace URL to the image in Terraform code. Now the OpenTofu code does it automatically via ECR Proxy. Previously, AWS prohibited the usage of any non-ECR registries as Lambda sources. It has not changed, however AWS has added ECR proxy for GitHub, DockerHub, and a few additional registries. Without this functionality, we had to manually push Lambda images to our personal ECR and replace URL to the image in Terraform code. Now the OpenTofu code does it automatically via ECR Proxy. In the beginning, I considered introducing various challenges such as http-01 or tls-alpn-01, but no one questioned me about it for four years. It is still present on GitHub issues, and if this capability is required, we can work together to create it. In the beginning, I considered introducing various challenges such as http-01 or tls-alpn-01 , but no one questioned me about it for four years. It is still present on GitHub issues , and if this capability is required, we can work together to create it. http-01 tls-alpn-01 It is still present on GitHub issues I didn't want to utilize LetsEncrypt certificates at pure EC2 instances when the project originally started, but these days it's standard practice. As I previously stated, in certain situations, a certificate can be retrieved from AWS Secrets Managed using the AWS cli. I didn't want to utilize LetsEncrypt certificates at pure EC2 instances when the project originally started, but these days it's standard practice. As I previously stated, in certain situations, a certificate can be retrieved from AWS Secrets Managed using the AWS cli. I’ve written a lot of new Go code over the years, so I can tell that the original Lambda code in my repository isn't as fancy as it could be. There is a significant difference between it and my most recent Go project, tenv (OpenTofu, Terraform, Terragrunt, and Atmos version manager, written in Go), but in any case, the code is still generally supported, so making modifications to it won't be too problematic. Occasionally, I will undertake significant refactoring to make the code more elegant. I’ve written a lot of new Go code over the years, so I can tell that the original Lambda code in my repository isn't as fancy as it could be. There is a significant difference between it and my most recent Go project, tenv (OpenTofu, Terraform, Terragrunt, and Atmos version manager, written in Go), but in any case, the code is still generally supported, so making modifications to it won't be too problematic. Occasionally, I will undertake significant refactoring to make the code more elegant. tenv The same Lambda is being used for years in several different projects. Additionally, I'm co-founder of DevOps platform cloudexpress.app, where our team manages TLS certificates for all our clients using the AWS LetsEncrypt Lambda to simplify the automation processes. The same Lambda is being used for years in several different projects. Additionally, I'm co-founder of DevOps platform cloudexpress.app , where our team manages TLS certificates for all our clients using the AWS LetsEncrypt Lambda to simplify the automation processes. cloudexpress.app AWS LetsEncrypt Lambda Now let's talks about numbers. Over a period of 4 years , this project has helped many people and been used in numerous OpenSource and over 30 commercial projects . The Lambda issues more than 2000 certificates and don’t want to stop on that. 4 years over 30 commercial projects 2000 Conclusion AWS LetsEncrypt Lambda is a suitable solution for you, if AWS LetsEncrypt Lambda You must have a physical version of the certificate and will use it from non-AWS native services such as EC2 Nginx. You do not want to rely on AWS Certificate Manager to manage the TLS certificate issuance and renewal process (check logs, set renewal dates, etc.). You would like to get email notifications from LetsEncrypt when your certificate expires, or will be expired soon. You want to personalize the solution by changing the Golang code (for example, changing the LetsEncrypt challenge, storing the certificate in Hashicorp Vault, etc.). You must have a physical version of the certificate and will use it from non-AWS native services such as EC2 Nginx. You do not want to rely on AWS Certificate Manager to manage the TLS certificate issuance and renewal process (check logs, set renewal dates, etc.). You would like to get email notifications from LetsEncrypt when your certificate expires, or will be expired soon. You want to personalize the solution by changing the Golang code (for example, changing the LetsEncrypt challenge, storing the certificate in Hashicorp Vault, etc.). If you discovered that at least one of these points applies to your situation, you are welcome to use AWS Lambda. Also, if you wish to participate in development, I am always open to new issues and Pull Requests at GitHub. Project URL: https://github.com/kvendingoldo/aws-letsencrypt-lambda . https://github.com/kvendingoldo/aws-letsencrypt-lambda
