Installing the connector

Installation is provided as a bash script. The script supports multi-region and multi-account installation of the connector (the script should be run separately for each region). The number of regions isn’t limited. The script also creates the backend configuration.

The installation script does the following for each AWS account from the ~/.aws/config file:

  1. Checks the AWS credentials.

  2. Configures an S3 bucket as a regional resource for the acme_accounts.yaml file.

  3. Creates a Docker repository in Amazon ECR.

  4. Containerizes the Python application and pushes the image to ECR.

  5. Configures the workspace.

  6. Executes Terraform commands.

The script performs the following actions on AWS for certificate management:

  1. Enables policies for the IAM role.

  2. Installs the configuration file(s) in the S3 bucket.

  3. Installs the AWS Lambda function and API Gateway module.

  4. Installs the Amazon CloudWatch module for logging and auto-renewal.

  5. Installs API Gateway as an additional option for invoking Lambda.

Extract the contents

The package you received from Sectigo is one of the following:

  • SectigoAWSCM — a zip file which includes a zip archive with Python code.

  • SectigoAWSCM_docker — a smaller zip package that does not contain the Python code but instead triggers Docker to run the installation.

In either case, do the following before running the script:

  1. Extract the contents of the SectigoAWSCM or SectigoAWSCM_docker archive into the current directory.

  2. Navigate to the ./sectigo_awscm_iac directory.

  3. Make the install.sh file executable with the chmod +x install.sh command.

Install the connector

Execute the install.sh file in your shell to perform the Lambda function deployment. You can choose to install the connector for either:

  • all profiles and default regions indicated in the ~/.aws/config file

  • a specific account and region

Specific AWS profile and region

Run ./install.sh <aws_profile> <region_name>, for example, ./install.sh <aws_profile> us-east-1. This will install the connector to the us-east-1 region for a specific AWS profile noted in the ~/.aws/config file.

The script does the following:

  1. Creates an S3 bucket for the acme_accounts.yaml file and source code files in the specified region.

  2. Creates the Terraform workspace with the same name as the region.

  3. Executes terraform plan && terraform apply.

All AWS profiles and default regions

Run ./install.sh (if you have not provided the execute permission to the script, run bash install.sh). The script installs the connector for all AWS profiles and default regions noted in the ~/.aws/config file.

The script does the following:

  1. Creates an S3 bucket for the acme_accounts.yaml file and source code files in each profile's default region.

  2. Creates the Terraform workspace with the same name as the region.

  3. Executes terraform plan && terraform apply.

AWS resources created

The script creates AWS resources with a specific naming convention to allow for multi-region installation. The naming convention is resource_name-RegionName. The script appends the region name to all resource names. For example, if you install the connector in the eu-central-1 region, the AWS resources are given the following names:

  • Lambda function: sectigoawscm-multi-eu-central-1-pumped-lacewing

  • API Gateway: SectigoAWSCM-ag-default-eu-central-1

After installing the connector, the names of all important resources are printed to the console (Lambda function name, API Gateway URL, S3 bucket name, and more). Make sure to enter the Lambda function name correctly when you invoke the function for your region.

aws lambda invoke --function-name sectigoawscm-multi-eu-central-1-pumped-lacewing \
--cli-binary-format raw-in-base64-out \
--payload '{"domains": "<domain_name>", "account": "<scm_account>", "action": "enroll"}' \
response.json

The --cli-binary-format raw-in-base64-out option is required with AWS CLI v2, which otherwise expects the --payload value to be base64-encoded and rejects the raw JSON; AWS CLI v1 does not accept this option and takes the raw JSON directly.

The logs are stored in the install-<region_name>.log file.
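As an added example that is not part of the Sectigo package or of this page, the following POSIX shell helpers show two pieces of the procedure above: enumerating the profile/region pairs that an all-profile run of install.sh iterates over from ~/.aws/config, and issuing the invoke command from the previous section with a payload built from parameters. The helper names (list_profile_regions, build_payload, invoke_connector), the NO_DEFAULT_REGION marker and the sample config used in the comments are assumptions of this example; invoke_connector assumes AWS CLI v2.

```shell
#!/bin/sh
# Added example, not part of the Sectigo connector package.
#   list_profile_regions [config]  prints "<profile> <region>" for every
#                                  profile in an ~/.aws/config-style file
#   build_payload domains account action
#                                  prints the JSON payload for the invoke
#   invoke_connector fn domains account action [out]
#                                  runs `aws lambda invoke` with that payload

# Profiles without a "region" key are reported with the (hypothetical)
# marker NO_DEFAULT_REGION so an all-profile run can skip or flag them.
# Non-profile sections such as [sso-session ...] are ignored.
list_profile_regions() {
    cfg="${1:-$HOME/.aws/config}"
    awk '
        function flush() {
            if (name != "")
                print name, (region == "" ? "NO_DEFAULT_REGION" : region)
        }
        # Section header: [default] or [profile <name>] starts a new profile
        /^[[:space:]]*\[/ {
            flush()
            hdr = $0
            sub(/^[[:space:]]*\[/, "", hdr)
            sub(/\][[:space:]]*$/, "", hdr)
            if (hdr == "default")                          name = "default"
            else if (sub(/^profile[[:space:]]+/, "", hdr)) name = hdr
            else                                           name = ""
            region = ""
            next
        }
        # Top-level "region = ..." key gives the profile default region
        /^[[:space:]]*region[[:space:]]*=/ {
            n = index($0, "=")
            region = substr($0, n + 1)
            gsub(/[[:space:]]/, "", region)
        }
        END { flush() }
    ' "$cfg"
}

# Build the invoke payload. Rather than implementing JSON escaping, the
# helper refuses values containing double quotes or backslashes.
build_payload() {
    for v in "$1" "$2" "$3"; do
        case "$v" in
            *'"'*|*\\*)
                echo "build_payload: quotes/backslashes not allowed in '$v'" >&2
                return 1 ;;
        esac
    done
    printf '{"domains": "%s", "account": "%s", "action": "%s"}\n' "$1" "$2" "$3"
}

# Invoke the connector Lambda for one region. The function name is the
# region-specific name printed by install.sh (e.g. the eu-central-1 name
# shown above); the response is written to $5 or response.json.
invoke_connector() {
    fn="$1"
    out="${5:-response.json}"
    payload=$(build_payload "$2" "$3" "$4") || return 1
    # --cli-binary-format is required on AWS CLI v2 (raw JSON, not base64)
    aws lambda invoke --function-name "$fn" \
        --cli-binary-format raw-in-base64-out \
        --payload "$payload" "$out"
}
```

Typical use after installation: `list_profile_regions` to confirm which profile/region pairs the installer covered, then `invoke_connector sectigoawscm-multi-eu-central-1-pumped-lacewing example.com my-scm-account enroll` for the region you installed, followed by inspecting response.json.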