[mirror_acme.sh.git] / dnsapi / dns_aws.sh

#!/usr/bin/env sh

#
#AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
#
#AWS_SECRET_ACCESS_KEY="xxxxxxx"

#This is the Amazon Route53 api wrapper for acme.sh
#All `_sleep` commands are included to avoid Route53 throttling, see
#https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests

AWS_HOST="route53.amazonaws.com"
AWS_URL="https://$AWS_HOST"

AWS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Amazon-Route53-API"

########  Public functions #####################

#Usage: dns_myapi_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_aws_add() {
  fulldomain=$1
  txtvalue=$2

  AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
  AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
  AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}"

  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
    _use_container_role || _use_instance_role
  fi

  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
    AWS_ACCESS_KEY_ID=""
    AWS_SECRET_ACCESS_KEY=""
    _err "You haven't specifed the aws route53 api key id and and api key secret yet."
    _err "Please create your key and try again. see $(__green $AWS_WIKI)"
    return 1
  fi

  #save for future use, unless using a role which will be fetched as needed
  if [ -z "$_using_role" ]; then
    _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
    _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
    _saveaccountconf_mutable AWS_DNS_SLOWRATE "$AWS_DNS_SLOWRATE"
  fi

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    _sleep 1
    return 1
  fi
  _debug _domain_id "$_domain_id"
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"

  _info "Getting existing records for $fulldomain"
  if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
    _sleep 1
    return 1
  fi

  if _contains "$response" "<Name>$fulldomain.</Name>"; then
    _resource_record="$(echo "$response" | sed 's/<ResourceRecordSet>/"/g' | tr '"' "\n" | grep "<Name>$fulldomain.</Name>" | _egrep_o "<ResourceRecords.*</ResourceRecords>" | sed "s/<ResourceRecords>//" | sed "s#</ResourceRecords>##")"
    _debug "_resource_record" "$_resource_record"
  else
    _debug "single new add"
  fi

  if [ "$_resource_record" ] && _contains "$response" "$txtvalue"; then
    _info "The TXT record already exists. Skipping."
    _sleep 1
    return 0
  fi

  _debug "Adding records"

  _aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>UPSERT</Action><ResourceRecordSet><Name>$fulldomain</Name><Type>TXT</Type><TTL>300</TTL><ResourceRecords>$_resource_record<ResourceRecord><Value>\"$txtvalue\"</Value></ResourceRecord></ResourceRecords></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"

  if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then
    _info "TXT record updated successfully."
    if [ -n "$AWS_DNS_SLOWRATE" ]; then
      _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds"
      _sleep "$AWS_DNS_SLOWRATE"
    else
      _sleep 1
    fi

    return 0
  fi
  _sleep 1
  return 1
}

#fulldomain txtvalue
dns_aws_rm() {
  fulldomain=$1
  txtvalue=$2

  AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
  AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
  AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}"

  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
    _use_container_role || _use_instance_role
  fi

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    _sleep 1
    return 1
  fi
  _debug _domain_id "$_domain_id"
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"

  _info "Getting existing records for $fulldomain"
  if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
    _sleep 1
    return 1
  fi

  if _contains "$response" "<Name>$fulldomain.</Name>"; then
    _resource_record="$(echo "$response" | sed 's/<ResourceRecordSet>/"/g' | tr '"' "\n" | grep "<Name>$fulldomain.</Name>" | _egrep_o "<ResourceRecords.*</ResourceRecords>" | sed "s/<ResourceRecords>//" | sed "s#</ResourceRecords>##")"
    _debug "_resource_record" "$_resource_record"
  else
    _debug "no records exist, skip"
    _sleep 1
    return 0
  fi

  _aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>DELETE</Action><ResourceRecordSet><ResourceRecords>$_resource_record</ResourceRecords><Name>$fulldomain.</Name><Type>TXT</Type><TTL>300</TTL></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"

  if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then
    _info "TXT record deleted successfully."
    if [ -n "$AWS_DNS_SLOWRATE" ]; then
      _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds"
      _sleep "$AWS_DNS_SLOWRATE"
    else
      _sleep 1
    fi

    return 0
  fi
  _sleep 1
  return 1

}

####################  Private functions below ##################################

_get_root() {
  domain=$1
  i=2
  p=1

  if aws_rest GET "2013-04-01/hostedzone"; then
    while true; do
      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
      _debug2 "Checking domain: $h"
      if [ -z "$h" ]; then
        if _contains "$response" "<IsTruncated>true</IsTruncated>" && _contains "$response" "<NextMarker>"; then
          _debug "IsTruncated"
          _nextMarker="$(echo "$response" | _egrep_o "<NextMarker>.*</NextMarker>" | cut -d '>' -f 2 | cut -d '<' -f 1)"
          _debug "NextMarker" "$_nextMarker"
          if aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker"; then
            _debug "Truncated request OK"
            i=2
            p=1
            continue
          else
            _err "Truncated request error."
          fi
        fi
        #not valid
        _err "Invalid domain"
        return 1
      fi

      if _contains "$response" "<Name>$h.</Name>"; then
        hostedzone="$(echo "$response" | sed 's/<HostedZone>/#&/g' | tr '#' '\n' | _egrep_o "<HostedZone><Id>[^<]*<.Id><Name>$h.<.Name>.*<PrivateZone>false<.PrivateZone>.*<.HostedZone>")"
        _debug hostedzone "$hostedzone"
        if [ "$hostedzone" ]; then
          _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "<Id>.*<.Id>" | head -n 1 | _egrep_o ">.*<" | tr -d "<>")
          if [ "$_domain_id" ]; then
            _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
            _domain=$h
            return 0
          fi
          _err "Can't find domain with id: $h"
          return 1
        fi
      fi
      p=$i
      i=$(_math "$i" + 1)
    done
  fi
  return 1
}

_use_container_role() {
  # automatically set if running inside ECS
  if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
    _debug "No ECS environment variable detected"
    return 1
  fi
  _use_metadata "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
}

_use_instance_role() {
  _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  _debug "_url" "$_url"
  if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then
    _debug "Unable to fetch IAM role from instance metadata"
    return 1
  fi
  _aws_role=$(_get "$_url" "" 1)
  _debug "_aws_role" "$_aws_role"
  _use_metadata "$_url$_aws_role"
}

_use_metadata() {
  _aws_creds="$(
    _get "$1" "" 1 |
      _normalizeJson |
      tr '{,}' '\n' |
      while read -r _line; do
        _key="$(echo "${_line%%:*}" | tr -d '"')"
        _value="${_line#*:}"
        _debug3 "_key" "$_key"
        _secure_debug3 "_value" "$_value"
        case "$_key" in
        AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;;
        SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;;
        Token) echo "AWS_SESSION_TOKEN=$_value" ;;
        esac
      done |
      paste -sd' ' -
  )"
  _secure_debug "_aws_creds" "$_aws_creds"

  if [ -z "$_aws_creds" ]; then
    return 1
  fi

  eval "$_aws_creds"
  _using_role=true
}

#method uri qstr data
aws_rest() {
  mtd="$1"
  ep="$2"
  qsr="$3"
  data="$4"

  _debug mtd "$mtd"
  _debug ep "$ep"
  _debug qsr "$qsr"
  _debug data "$data"

  CanonicalURI="/$ep"
  _debug2 CanonicalURI "$CanonicalURI"

  CanonicalQueryString="$qsr"
  _debug2 CanonicalQueryString "$CanonicalQueryString"

  RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")"
  _debug2 RequestDate "$RequestDate"

  #RequestDate="20161120T141056Z" ##############

  export _H1="x-amz-date: $RequestDate"

  aws_host="$AWS_HOST"
  CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n"
  SignedHeaders="host;x-amz-date"
  if [ -n "$AWS_SESSION_TOKEN" ]; then
    export _H3="x-amz-security-token: $AWS_SESSION_TOKEN"
    CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n"
    SignedHeaders="${SignedHeaders};x-amz-security-token"
  fi
  _debug2 CanonicalHeaders "$CanonicalHeaders"
  _debug2 SignedHeaders "$SignedHeaders"

  RequestPayload="$data"
  _debug2 RequestPayload "$RequestPayload"

  Hash="sha256"

  CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" | _digest "$Hash" hex)"
  _debug2 CanonicalRequest "$CanonicalRequest"

  HashedCanonicalRequest="$(printf "$CanonicalRequest%s" | _digest "$Hash" hex)"
  _debug2 HashedCanonicalRequest "$HashedCanonicalRequest"

  Algorithm="AWS4-HMAC-SHA256"
  _debug2 Algorithm "$Algorithm"

  RequestDateOnly="$(echo "$RequestDate" | cut -c 1-8)"
  _debug2 RequestDateOnly "$RequestDateOnly"

  Region="us-east-1"
  Service="route53"

  CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request"
  _debug2 CredentialScope "$CredentialScope"

  StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest"

  _debug2 StringToSign "$StringToSign"

  kSecret="AWS4$AWS_SECRET_ACCESS_KEY"

  #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################

  _secure_debug2 kSecret "$kSecret"

  kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")"
  _secure_debug2 kSecretH "$kSecretH"

  kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)"
  _debug2 kDateH "$kDateH"

  kRegionH="$(printf "$Region%s" | _hmac "$Hash" "$kDateH" hex)"
  _debug2 kRegionH "$kRegionH"

  kServiceH="$(printf "$Service%s" | _hmac "$Hash" "$kRegionH" hex)"
  _debug2 kServiceH "$kServiceH"

  kSigningH="$(printf "%s" "aws4_request" | _hmac "$Hash" "$kServiceH" hex)"
  _debug2 kSigningH "$kSigningH"

  signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)"
  _debug2 signature "$signature"

  Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature"
  _debug2 Authorization "$Authorization"

  _H2="Authorization: $Authorization"
  _debug _H2 "$_H2"

  url="$AWS_URL/$ep"
  if [ "$qsr" ]; then
    url="$AWS_URL/$ep?$qsr"
  fi

  if [ "$mtd" = "GET" ]; then
    response="$(_get "$url")"
  else
    response="$(_post "$data" "$url")"
  fi

  _ret="$?"
  _debug2 response "$response"
  if [ "$_ret" = "0" ]; then
    if _contains "$response" "<ErrorResponse"; then
      _err "Response error:$response"
      return 1
    fi
  fi

  return "$_ret"
}
Commit	Line	Data
e009ec8b	1	#!/usr/bin/env sh
	2
	3	#
	4	#AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
	5	#
	6	#AWS_SECRET_ACCESS_KEY="xxxxxxx"
	7
	8	#This is the Amazon Route53 api wrapper for acme.sh
a22d3b23	9	#All `_sleep` commands are included to avoid Route53 throttling, see
df357521	10	#https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests
e009ec8b	11
	12	AWS_HOST="route53.amazonaws.com"
	13	AWS_URL="https://$AWS_HOST"
	14
d795fac3	15	AWS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Amazon-Route53-API"
e009ec8b	16
	17	######## Public functions #####################
	18
	19	#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
	20	dns_aws_add() {
	21	fulldomain=$1
	22	txtvalue=$2
	23
693627a8 MG	24	AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
693627a8 MG	25	AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
b64f0ba8	26	AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}"
693627a8 MG	27
693627a8 MG	28	if [ -z "$AWS_ACCESS_KEY_ID" ] \|\| [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
f49f55f4	29	_use_container_role \|\| _use_instance_role
48eaa0e5 MG	30	fi
48eaa0e5 MG	31
e009ec8b	32	if [ -z "$AWS_ACCESS_KEY_ID" ] \|\| [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
	33	AWS_ACCESS_KEY_ID=""
	34	AWS_SECRET_ACCESS_KEY=""
4fbd21da	35	_err "You haven't specifed the aws route53 api key id and and api key secret yet."
60814ecf	36	_err "Please create your key and try again. see $(__green $AWS_WIKI)"
e009ec8b	37	return 1
	38	fi
	39
693627a8	40	#save for future use, unless using a role which will be fetched as needed
759f4f2c	41	if [ -z "$_using_role" ]; then
48eaa0e5 MG	42	_saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
48eaa0e5 MG	43	_saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
b64f0ba8	44	_saveaccountconf_mutable AWS_DNS_SLOWRATE "$AWS_DNS_SLOWRATE"
48eaa0e5	45	fi
e009ec8b	46
	47	_debug "First detect the root zone"
	48	if ! _get_root "$fulldomain"; then
	49	_err "invalid domain"
a22d3b23	50	_sleep 1
e009ec8b	51	return 1
	52	fi
	53	_debug _domain_id "$_domain_id"
	54	_debug _sub_domain "$_sub_domain"
	55	_debug _domain "$_domain"
	56
688fe131	57	_info "Getting existing records for $fulldomain"
64f07d9b	58	if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
a22d3b23	59	_sleep 1
64f07d9b	60	return 1
	61	fi
	62
	63	if _contains "$response" "<Name>$fulldomain.</Name>"; then
5f345d20	64	_resource_record="$(echo "$response" \| sed 's/<ResourceRecordSet>/"/g' \| tr '"' "\n" \| grep "<Name>$fulldomain.</Name>" \| _egrep_o "<ResourceRecords.*</ResourceRecords>" \| sed "s/<ResourceRecords>//" \| sed "s#</ResourceRecords>##")"
64f07d9b	65	_debug "_resource_record" "$_resource_record"
	66	else
	67	_debug "single new add"
	68	fi
	69
	70	if [ "$_resource_record" ] && _contains "$response" "$txtvalue"; then
4fbd21da	71	_info "The TXT record already exists. Skipping."
a22d3b23	72	_sleep 1
64f07d9b	73	return 0
	74	fi
	75
	76	_debug "Adding records"
	77
	78	_aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>UPSERT</Action><ResourceRecordSet><Name>$fulldomain</Name><Type>TXT</Type><TTL>300</TTL><ResourceRecords>$_resource_record<ResourceRecord><Value>\"$txtvalue\"</Value></ResourceRecord></ResourceRecords></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"
16d79eba	79
e009ec8b	80	if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then
4fbd21da	81	_info "TXT record updated successfully."
b64f0ba8 SM	82	if [ -n "$AWS_DNS_SLOWRATE" ]; then
	83	_info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds"
	84	_sleep "$AWS_DNS_SLOWRATE"
37978b4f SM	85	else
37978b4f SM	86	_sleep 1
3021c5cf	87	fi
37978b4f	88
e009ec8b	89	return 0
e009ec8b	90	fi
a22d3b23	91	_sleep 1
16d79eba	92	return 1
e009ec8b	93	}
e009ec8b	94
dfbc244b	95	#fulldomain txtvalue
e009ec8b	96	dns_aws_rm() {
e009ec8b	97	fulldomain=$1
dfbc244b	98	txtvalue=$2
dfbc244b	99
693627a8 MG	100	AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
693627a8 MG	101	AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
b64f0ba8	102	AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}"
693627a8 MG	103
693627a8 MG	104	if [ -z "$AWS_ACCESS_KEY_ID" ] \|\| [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
f49f55f4	105	_use_container_role \|\| _use_instance_role
48eaa0e5 MG	106	fi
48eaa0e5 MG	107
dfbc244b	108	_debug "First detect the root zone"
	109	if ! _get_root "$fulldomain"; then
	110	_err "invalid domain"
a22d3b23	111	_sleep 1
dfbc244b	112	return 1
	113	fi
	114	_debug _domain_id "$_domain_id"
	115	_debug _sub_domain "$_sub_domain"
	116	_debug _domain "$_domain"
	117
4fbd21da	118	_info "Getting existing records for $fulldomain"
64f07d9b	119	if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
a22d3b23	120	_sleep 1
64f07d9b	121	return 1
	122	fi
	123
	124	if _contains "$response" "<Name>$fulldomain.</Name>"; then
5f345d20	125	_resource_record="$(echo "$response" \| sed 's/<ResourceRecordSet>/"/g' \| tr '"' "\n" \| grep "<Name>$fulldomain.</Name>" \| _egrep_o "<ResourceRecords.*</ResourceRecords>" \| sed "s/<ResourceRecords>//" \| sed "s#</ResourceRecords>##")"
64f07d9b	126	_debug "_resource_record" "$_resource_record"
64f07d9b	127	else
4fbd21da	128	_debug "no records exist, skip"
a22d3b23	129	_sleep 1
64f07d9b	130	return 0
	131	fi
	132
	133	_aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>DELETE</Action><ResourceRecordSet><ResourceRecords>$_resource_record</ResourceRecords><Name>$fulldomain.</Name><Type>TXT</Type><TTL>300</TTL></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"
dfbc244b	134
dfbc244b	135	if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then
4fbd21da	136	_info "TXT record deleted successfully."
b64f0ba8 SM	137	if [ -n "$AWS_DNS_SLOWRATE" ]; then
	138	_info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds"
	139	_sleep "$AWS_DNS_SLOWRATE"
37978b4f SM	140	else
37978b4f SM	141	_sleep 1
ea6a3c09	142	fi
37978b4f	143
dfbc244b	144	return 0
dfbc244b	145	fi
a22d3b23	146	_sleep 1
dfbc244b	147	return 1
e009ec8b	148
	149	}
	150
329174b6	151	#################### Private functions below ##################################
e009ec8b	152
	153	_get_root() {
	154	domain=$1
	155	i=2
	156	p=1
16d79eba	157
e009ec8b	158	if aws_rest GET "2013-04-01/hostedzone"; then
e009ec8b	159	while true; do
e009ec8b	160	h=$(printf "%s" "$domain" \| cut -d . -f $i-100)
872bfe47	161	_debug2 "Checking domain: $h"
e009ec8b	162	if [ -z "$h" ]; then
f7217c5f	163	if _contains "$response" "<IsTruncated>true</IsTruncated>" && _contains "$response" "<NextMarker>"; then
1f4e64f8	164	_debug "IsTruncated"
	165	_nextMarker="$(echo "$response" \| _egrep_o "<NextMarker>.*</NextMarker>" \| cut -d '>' -f 2 \| cut -d '<' -f 1)"
	166	_debug "NextMarker" "$_nextMarker"
fc9649db	167	if aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker"; then
1f4e64f8	168	_debug "Truncated request OK"
	169	i=2
	170	p=1
	171	continue
	172	else
	173	_err "Truncated request error."
	174	fi
	175	fi
e009ec8b	176	#not valid
872bfe47	177	_err "Invalid domain"
e009ec8b	178	return 1
	179	fi
	180
	181	if _contains "$response" "<Name>$h.</Name>"; then
cc1d3b20	182	hostedzone="$(echo "$response" \| sed 's/<HostedZone>/#&/g' \| tr '#' '\n' \| _egrep_o "<HostedZone><Id>[^<]<.Id><Name>$h.<.Name>.<PrivateZone>false<.PrivateZone>.*<.HostedZone>")"
e009ec8b	183	_debug hostedzone "$hostedzone"
872bfe47	184	if [ "$hostedzone" ]; then
	185	_domain_id=$(printf "%s\n" "$hostedzone" \| _egrep_o "<Id>.<.Id>" \| head -n 1 \| _egrep_o ">.<" \| tr -d "<>")
	186	if [ "$_domain_id" ]; then
	187	_sub_domain=$(printf "%s" "$domain" \| cut -d . -f 1-$p)
	188	_domain=$h
	189	return 0
	190	fi
4fbd21da	191	_err "Can't find domain with id: $h"
e009ec8b	192	return 1
e009ec8b	193	fi
e009ec8b	194	fi
	195	p=$i
	196	i=$(_math "$i" + 1)
	197	done
	198	fi
	199	return 1
	200	}
	201
f49f55f4 MG	202	_use_container_role() {
	203	# automatically set if running inside ECS
	204	if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
	205	_debug "No ECS environment variable detected"
	206	return 1
	207	fi
	208	_use_metadata "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
	209	}
	210
48eaa0e5	211	_use_instance_role() {
759f4f2c MG	212	_url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
	213	_debug "_url" "$_url"
	214	if ! _get "$_url" true 1 \| _head_n 1 \| grep -Fq 200; then
f49f55f4 MG	215	_debug "Unable to fetch IAM role from instance metadata"
f49f55f4 MG	216	return 1
48eaa0e5	217	fi
759f4f2c	218	_aws_role=$(_get "$_url" "" 1)
48eaa0e5	219	_debug "_aws_role" "$_aws_role"
f49f55f4 MG	220	_use_metadata "$_url$_aws_role"
	221	}
	222
	223	_use_metadata() {
48eaa0e5	224	_aws_creds="$(
19c43451	225	_get "$1" "" 1 \|
	226	_normalizeJson \|
	227	tr '{,}' '\n' \|
	228	while read -r _line; do
48eaa0e5 MG	229	_key="$(echo "${_line%%:*}" \| tr -d '"')"
	230	_value="${_line#*:}"
	231	_debug3 "_key" "$_key"
	232	_secure_debug3 "_value" "$_value"
	233	case "$_key" in
19c43451	234	AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;;
	235	SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;;
	236	Token) echo "AWS_SESSION_TOKEN=$_value" ;;
48eaa0e5	237	esac
19c43451	238	done \|
19c43451	239	paste -sd' ' -
48eaa0e5 MG	240	)"
48eaa0e5 MG	241	_secure_debug "_aws_creds" "$_aws_creds"
f49f55f4 MG	242
	243	if [ -z "$_aws_creds" ]; then
	244	return 1
	245	fi
	246
48eaa0e5	247	eval "$_aws_creds"
759f4f2c	248	_using_role=true
48eaa0e5 MG	249	}
48eaa0e5 MG	250
e009ec8b	251	#method uri qstr data
	252	aws_rest() {
	253	mtd="$1"
	254	ep="$2"
	255	qsr="$3"
	256	data="$4"
	257
	258	_debug mtd "$mtd"
	259	_debug ep "$ep"
	260	_debug qsr "$qsr"
	261	_debug data "$data"
	262
	263	CanonicalURI="/$ep"
	264	_debug2 CanonicalURI "$CanonicalURI"
	265
	266	CanonicalQueryString="$qsr"
	267	_debug2 CanonicalQueryString "$CanonicalQueryString"
	268
	269	RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")"
	270	_debug2 RequestDate "$RequestDate"
	271
	272	#RequestDate="20161120T141056Z" ##############
	273
3ca93f4a	274	export _H1="x-amz-date: $RequestDate"
e009ec8b	275
	276	aws_host="$AWS_HOST"
	277	CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n"
e009ec8b	278	SignedHeaders="host;x-amz-date"
5415381c	279	if [ -n "$AWS_SESSION_TOKEN" ]; then
819d2bc5	280	export _H3="x-amz-security-token: $AWS_SESSION_TOKEN"
5415381c KS	281	CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n"
	282	SignedHeaders="${SignedHeaders};x-amz-security-token"
	283	fi
	284	_debug2 CanonicalHeaders "$CanonicalHeaders"
e009ec8b	285	_debug2 SignedHeaders "$SignedHeaders"
	286
	287	RequestPayload="$data"
	288	_debug2 RequestPayload "$RequestPayload"
	289
	290	Hash="sha256"
	291
	292	CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" \| _digest "$Hash" hex)"
	293	_debug2 CanonicalRequest "$CanonicalRequest"
2f1bc586	294
16d79eba	295	HashedCanonicalRequest="$(printf "$CanonicalRequest%s" \| _digest "$Hash" hex)"
e009ec8b	296	_debug2 HashedCanonicalRequest "$HashedCanonicalRequest"
	297
	298	Algorithm="AWS4-HMAC-SHA256"
	299	_debug2 Algorithm "$Algorithm"
	300
16d79eba	301	RequestDateOnly="$(echo "$RequestDate" \| cut -c 1-8)"
e009ec8b	302	_debug2 RequestDateOnly "$RequestDateOnly"
	303
	304	Region="us-east-1"
	305	Service="route53"
	306
	307	CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request"
	308	_debug2 CredentialScope "$CredentialScope"
	309
	310	StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest"
	311
	312	_debug2 StringToSign "$StringToSign"
	313
	314	kSecret="AWS4$AWS_SECRET_ACCESS_KEY"
	315
	316	#kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################
	317
e6e85b0c	318	_secure_debug2 kSecret "$kSecret"
e009ec8b	319
1c22c2f7	320	kSecretH="$(printf "%s" "$kSecret" \| _hex_dump \| tr -d " ")"
e6e85b0c	321	_secure_debug2 kSecretH "$kSecretH"
e009ec8b	322
	323	kDateH="$(printf "$RequestDateOnly%s" \| _hmac "$Hash" "$kSecretH" hex)"
	324	_debug2 kDateH "$kDateH"
	325
	326	kRegionH="$(printf "$Region%s" \| _hmac "$Hash" "$kDateH" hex)"
	327	_debug2 kRegionH "$kRegionH"
	328
	329	kServiceH="$(printf "$Service%s" \| _hmac "$Hash" "$kRegionH" hex)"
	330	_debug2 kServiceH "$kServiceH"
	331
13a8c309	332	kSigningH="$(printf "%s" "aws4_request" \| _hmac "$Hash" "$kServiceH" hex)"
e009ec8b	333	_debug2 kSigningH "$kSigningH"
	334
	335	signature="$(printf "$StringToSign%s" \| _hmac "$Hash" "$kSigningH" hex)"
	336	_debug2 signature "$signature"
	337
	338	Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature"
	339	_debug2 Authorization "$Authorization"
	340
819d2bc5	341	_H2="Authorization: $Authorization"
819d2bc5	342	_debug _H2 "$_H2"
e009ec8b	343
fd77e463	344	url="$AWS_URL/$ep"
	345	if [ "$qsr" ]; then
	346	url="$AWS_URL/$ep?$qsr"
	347	fi
e009ec8b	348
	349	if [ "$mtd" = "GET" ]; then
	350	response="$(_get "$url")"
	351	else
	352	response="$(_post "$data" "$url")"
	353	fi
	354
	355	_ret="$?"
64f07d9b	356	_debug2 response "$response"
e009ec8b	357	if [ "$_ret" = "0" ]; then
	358	if _contains "$response" "<ErrorResponse"; then
	359	_err "Response error:$response"
	360	return 1
	361	fi
	362	fi
2f1bc586	363
e009ec8b	364	return "$_ret"
e009ec8b	365	}