Installing the connector

Installation is provided as a bash script. The script supports multi-region and multi-account installation of the connector: pass a region to install into that one region, or run it with no argument to cover every region listed in ~/.aws/config. The number of regions isn't limited. The script also creates the backend configuration.

The installation script does the following for each AWS account from the ~/.aws/config file:

  1. Checks the AWS credentials.

  2. Configures an S3 bucket as a regional resource for the acme_accounts.yaml file.

  3. Creates a Docker repository in Amazon ECR.

  4. Containerizes the Python application and pushes the image to ECR.

  5. Configures the workspace.

  6. Executes Terraform commands.

The script performs the following actions on AWS for certificate management:

  1. Enables policies for the IAM role.

  2. Installs the configuration file(s) in the S3 bucket.

  3. Installs the AWS Lambda function and API Gateway module.

  4. Installs the AWS Cloudwatch module for logging and auto-renewal.

  5. Installs API Gateway as an additional option for invoking Lambda.

Install the connector

Execute the install.sh file in your shell to run the installation script. You can install the connector for all or specific regions indicated in the ~/.aws/config file.

Specific region

Run ./install.sh <region_name>, for example, ./install.sh us-east-1. This installs the connector in the us-east-1 region for all AWS accounts noted in the ~/.aws/config file.

The script does the following:

  1. Creates an S3 bucket for the acme_accounts.yaml file and source code files in the specified region.

  2. Creates the Terraform workspace with the same name as the region.

  3. Executes terraform plan && terraform apply.

All regions

Run ./install.sh (if you have not granted execute permission to the script, run bash install.sh). The script installs the connector for all regions noted in the ~/.aws/config file.

The script does the following:

  1. Creates an S3 bucket for the acme_accounts.yaml file and source code files in a region.

  2. Creates the Terraform workspace with the same name as the region.

  3. Executes terraform plan && terraform apply.

AWS resources created

The script creates AWS resources with a specific naming convention so that several regions can be installed side by side without name collisions. The naming convention is resource_name-RegionName: the script appends the region name to every resource name. For example, if you install the connector in the eu-central-1 region, the AWS resources are given the following names:

  • Lambda function: SectigoAWSCM-eu-central-1

  • API Gateway: sectigoAWSCM-ag-eu-central-1

After installing the connector, the names of all important resources are printed to the console (Lambda function name, API Gateway URL, S3 bucket name, and more). Make sure to enter the Lambda function name correctly when you invoke the function for your region; the function only exists in the region it was installed in, so the CLI region (from the profile or --region) must match the suffix of the name.

aws lambda invoke --function-name SectigoAWSCM-eu-central-1 \
--payload '{"domains": "<domain_name>", "account": "<scm_account>", "action": "enroll"}' \
response.json

With AWS CLI v2, add --cli-binary-format raw-in-base64-out to this command so the JSON payload is passed as-is; without it, v2 treats the payload as base64 and rejects it.

The logs are stored in the install-<region_name>.log file.