[mirror_acme.sh.git] / dnsapi / dns_aws.sh

#!/usr/bin/env sh

#
#AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
#
#AWS_SECRET_ACCESS_KEY="xxxxxxx"

#This is the Amazon Route53 api wrapper for acme.sh
#All `_sleep` commands are included to avoid Route53 throttling, see
#https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests

AWS_HOST="route53.amazonaws.com"
AWS_URL="https://$AWS_HOST"

AWS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Amazon-Route53-API"

########  Public functions #####################

#Usage: dns_myapi_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_aws_add() {
  fulldomain=$1
  txtvalue=$2

  AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
  AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
  AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}"

  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
    _use_container_role || _use_instance_role
  fi

  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
    AWS_ACCESS_KEY_ID=""
    AWS_SECRET_ACCESS_KEY=""
    _err "You haven't specified the aws route53 api key id and and api key secret yet."
    _err "Please create your key and try again. see $(__green $AWS_WIKI)"
    return 1
  fi

  #save for future use, unless using a role which will be fetched as needed
  if [ -z "$_using_role" ]; then
    _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
    _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
    _saveaccountconf_mutable AWS_DNS_SLOWRATE "$AWS_DNS_SLOWRATE"
  fi

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    _sleep 1
    return 1
  fi
  _debug _domain_id "$_domain_id"
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"

  _info "Getting existing records for $fulldomain"
  if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
    _sleep 1
    return 1
  fi

  if _contains "$response" "<Name>$fulldomain.</Name>"; then
    _resource_record="$(echo "$response" | sed 's/<ResourceRecordSet>/"/g' | tr '"' "\n" | grep "<Name>$fulldomain.</Name>" | _egrep_o "<ResourceRecords.*</ResourceRecords>" | sed "s/<ResourceRecords>//" | sed "s#</ResourceRecords>##")"
    _debug "_resource_record" "$_resource_record"
  else
    _debug "single new add"
  fi

  if [ "$_resource_record" ] && _contains "$response" "$txtvalue"; then
    _info "The TXT record already exists. Skipping."
    _sleep 1
    return 0
  fi

  _debug "Adding records"

  _aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>UPSERT</Action><ResourceRecordSet><Name>$fulldomain</Name><Type>TXT</Type><TTL>300</TTL><ResourceRecords>$_resource_record<ResourceRecord><Value>\"$txtvalue\"</Value></ResourceRecord></ResourceRecords></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"

  if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then
    _info "TXT record updated successfully."
    if [ -n "$AWS_DNS_SLOWRATE" ]; then
      _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds"
      _sleep "$AWS_DNS_SLOWRATE"
    else
      _sleep 1
    fi

    return 0
  fi
  _sleep 1
  return 1
}

#fulldomain txtvalue
dns_aws_rm() {
  fulldomain=$1
  txtvalue=$2

  AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
  AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
  AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}"

  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
    _use_container_role || _use_instance_role
  fi

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    _sleep 1
    return 1
  fi
  _debug _domain_id "$_domain_id"
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"

  _info "Getting existing records for $fulldomain"
  if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
    _sleep 1
    return 1
  fi

  if _contains "$response" "<Name>$fulldomain.</Name>"; then
    _resource_record="$(echo "$response" | sed 's/<ResourceRecordSet>/"/g' | tr '"' "\n" | grep "<Name>$fulldomain.</Name>" | _egrep_o "<ResourceRecords.*</ResourceRecords>" | sed "s/<ResourceRecords>//" | sed "s#</ResourceRecords>##")"
    _debug "_resource_record" "$_resource_record"
  else
    _debug "no records exist, skip"
    _sleep 1
    return 0
  fi

  _aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>DELETE</Action><ResourceRecordSet><ResourceRecords>$_resource_record</ResourceRecords><Name>$fulldomain.</Name><Type>TXT</Type><TTL>300</TTL></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"

  if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then
    _info "TXT record deleted successfully."
    if [ -n "$AWS_DNS_SLOWRATE" ]; then
      _info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds"
      _sleep "$AWS_DNS_SLOWRATE"
    else
      _sleep 1
    fi

    return 0
  fi
  _sleep 1
  return 1

}

####################  Private functions below ##################################

_get_root() {
  domain=$1
  i=1
  p=1

  # iterate over names (a.b.c.d -> b.c.d -> c.d -> d)
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    _debug "Checking domain: $h"
    if [ -z "$h" ]; then
      _error "invalid domain"
      return 1
    fi

    # iterate over paginated result for list_hosted_zones
    aws_rest GET "2013-04-01/hostedzone"
    while true; do
      if _contains "$response" "<Name>$h.</Name>"; then
        hostedzone="$(echo "$response" | tr -d '\n' | sed 's/<HostedZone>/#&/g' | tr '#' '\n' | _egrep_o "<HostedZone><Id>[^<]*<.Id><Name>$h.<.Name>.*<PrivateZone>false<.PrivateZone>.*<.HostedZone>")"
        _debug hostedzone "$hostedzone"
        if [ "$hostedzone" ]; then
          _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "<Id>.*<.Id>" | head -n 1 | _egrep_o ">.*<" | tr -d "<>")
          if [ "$_domain_id" ]; then
            _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
            _domain=$h
            return 0
          fi
          _err "Can't find domain with id: $h"
          return 1
        fi
      fi
      if _contains "$response" "<IsTruncated>true</IsTruncated>" && _contains "$response" "<NextMarker>"; then
        _debug "IsTruncated"
        _nextMarker="$(echo "$response" | _egrep_o "<NextMarker>.*</NextMarker>" | cut -d '>' -f 2 | cut -d '<' -f 1)"
        _debug "NextMarker" "$_nextMarker"
      else
        break
      fi
      _debug "Checking domain: $h - Next Page "
      aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker"
    done
    p=$i
    i=$(_math "$i" + 1)
  done
  return 1
}

_use_container_role() {
  # automatically set if running inside ECS
  if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
    _debug "No ECS environment variable detected"
    return 1
  fi
  _use_metadata "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
}

_use_instance_role() {
  _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  _debug "_url" "$_url"
  if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then
    _debug "Unable to fetch IAM role from instance metadata"
    return 1
  fi
  _aws_role=$(_get "$_url" "" 1)
  _debug "_aws_role" "$_aws_role"
  _use_metadata "$_url$_aws_role"
}

_use_metadata() {
  _aws_creds="$(
    _get "$1" "" 1 |
      _normalizeJson |
      tr '{,}' '\n' |
      while read -r _line; do
        _key="$(echo "${_line%%:*}" | tr -d '"')"
        _value="${_line#*:}"
        _debug3 "_key" "$_key"
        _secure_debug3 "_value" "$_value"
        case "$_key" in
        AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;;
        SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;;
        Token) echo "AWS_SESSION_TOKEN=$_value" ;;
        esac
      done |
      paste -sd' ' -
  )"
  _secure_debug "_aws_creds" "$_aws_creds"

  if [ -z "$_aws_creds" ]; then
    return 1
  fi

  eval "$_aws_creds"
  _using_role=true
}

#method uri qstr data
aws_rest() {
  mtd="$1"
  ep="$2"
  qsr="$3"
  data="$4"

  _debug mtd "$mtd"
  _debug ep "$ep"
  _debug qsr "$qsr"
  _debug data "$data"

  CanonicalURI="/$ep"
  _debug2 CanonicalURI "$CanonicalURI"

  CanonicalQueryString="$qsr"
  _debug2 CanonicalQueryString "$CanonicalQueryString"

  RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")"
  _debug2 RequestDate "$RequestDate"

  #RequestDate="20161120T141056Z" ##############

  export _H1="x-amz-date: $RequestDate"

  aws_host="$AWS_HOST"
  CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n"
  SignedHeaders="host;x-amz-date"
  if [ -n "$AWS_SESSION_TOKEN" ]; then
    export _H3="x-amz-security-token: $AWS_SESSION_TOKEN"
    CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n"
    SignedHeaders="${SignedHeaders};x-amz-security-token"
  fi
  _debug2 CanonicalHeaders "$CanonicalHeaders"
  _debug2 SignedHeaders "$SignedHeaders"

  RequestPayload="$data"
  _debug2 RequestPayload "$RequestPayload"

  Hash="sha256"

  CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" | _digest "$Hash" hex)"
  _debug2 CanonicalRequest "$CanonicalRequest"

  HashedCanonicalRequest="$(printf "$CanonicalRequest%s" | _digest "$Hash" hex)"
  _debug2 HashedCanonicalRequest "$HashedCanonicalRequest"

  Algorithm="AWS4-HMAC-SHA256"
  _debug2 Algorithm "$Algorithm"

  RequestDateOnly="$(echo "$RequestDate" | cut -c 1-8)"
  _debug2 RequestDateOnly "$RequestDateOnly"

  Region="us-east-1"
  Service="route53"

  CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request"
  _debug2 CredentialScope "$CredentialScope"

  StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest"

  _debug2 StringToSign "$StringToSign"

  kSecret="AWS4$AWS_SECRET_ACCESS_KEY"

  #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################

  _secure_debug2 kSecret "$kSecret"

  kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")"
  _secure_debug2 kSecretH "$kSecretH"

  kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)"
  _debug2 kDateH "$kDateH"

  kRegionH="$(printf "$Region%s" | _hmac "$Hash" "$kDateH" hex)"
  _debug2 kRegionH "$kRegionH"

  kServiceH="$(printf "$Service%s" | _hmac "$Hash" "$kRegionH" hex)"
  _debug2 kServiceH "$kServiceH"

  kSigningH="$(printf "%s" "aws4_request" | _hmac "$Hash" "$kServiceH" hex)"
  _debug2 kSigningH "$kSigningH"

  signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)"
  _debug2 signature "$signature"

  Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature"
  _debug2 Authorization "$Authorization"

  _H2="Authorization: $Authorization"
  _debug _H2 "$_H2"

  url="$AWS_URL/$ep"
  if [ "$qsr" ]; then
    url="$AWS_URL/$ep?$qsr"
  fi

  if [ "$mtd" = "GET" ]; then
    response="$(_get "$url")"
  else
    response="$(_post "$data" "$url")"
  fi

  _ret="$?"
  _debug2 response "$response"
  if [ "$_ret" = "0" ]; then
    if _contains "$response" "<ErrorResponse"; then
      _err "Response error:$response"
      return 1
    fi
  fi

  return "$_ret"
}
Commit	Line	Data
e009ec8b	1	#!/usr/bin/env sh
	2
	3	#
	4	#AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
	5	#
	6	#AWS_SECRET_ACCESS_KEY="xxxxxxx"
	7
	8	#This is the Amazon Route53 api wrapper for acme.sh
a22d3b23	9	#All `_sleep` commands are included to avoid Route53 throttling, see
df357521	10	#https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-requests
e009ec8b	11
	12	AWS_HOST="route53.amazonaws.com"
	13	AWS_URL="https://$AWS_HOST"
	14
d795fac3	15	AWS_WIKI="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Amazon-Route53-API"
e009ec8b	16
	17	######## Public functions #####################
	18
	19	#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
	20	dns_aws_add() {
	21	fulldomain=$1
	22	txtvalue=$2
	23
693627a8 MG	24	AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
693627a8 MG	25	AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
b64f0ba8	26	AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}"
693627a8 MG	27
693627a8 MG	28	if [ -z "$AWS_ACCESS_KEY_ID" ] \|\| [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
f49f55f4	29	_use_container_role \|\| _use_instance_role
48eaa0e5 MG	30	fi
48eaa0e5 MG	31
e009ec8b	32	if [ -z "$AWS_ACCESS_KEY_ID" ] \|\| [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
	33	AWS_ACCESS_KEY_ID=""
	34	AWS_SECRET_ACCESS_KEY=""
ec678bc6	35	_err "You haven't specified the aws route53 api key id and and api key secret yet."
60814ecf	36	_err "Please create your key and try again. see $(__green $AWS_WIKI)"
e009ec8b	37	return 1
	38	fi
	39
693627a8	40	#save for future use, unless using a role which will be fetched as needed
759f4f2c	41	if [ -z "$_using_role" ]; then
48eaa0e5 MG	42	_saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
48eaa0e5 MG	43	_saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
b64f0ba8	44	_saveaccountconf_mutable AWS_DNS_SLOWRATE "$AWS_DNS_SLOWRATE"
48eaa0e5	45	fi
e009ec8b	46
	47	_debug "First detect the root zone"
	48	if ! _get_root "$fulldomain"; then
	49	_err "invalid domain"
a22d3b23	50	_sleep 1
e009ec8b	51	return 1
	52	fi
	53	_debug _domain_id "$_domain_id"
	54	_debug _sub_domain "$_sub_domain"
	55	_debug _domain "$_domain"
	56
688fe131	57	_info "Getting existing records for $fulldomain"
64f07d9b	58	if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
a22d3b23	59	_sleep 1
64f07d9b	60	return 1
	61	fi
	62
	63	if _contains "$response" "<Name>$fulldomain.</Name>"; then
5f345d20	64	_resource_record="$(echo "$response" \| sed 's/<ResourceRecordSet>/"/g' \| tr '"' "\n" \| grep "<Name>$fulldomain.</Name>" \| _egrep_o "<ResourceRecords.*</ResourceRecords>" \| sed "s/<ResourceRecords>//" \| sed "s#</ResourceRecords>##")"
64f07d9b	65	_debug "_resource_record" "$_resource_record"
	66	else
	67	_debug "single new add"
	68	fi
	69
	70	if [ "$_resource_record" ] && _contains "$response" "$txtvalue"; then
4fbd21da	71	_info "The TXT record already exists. Skipping."
a22d3b23	72	_sleep 1
64f07d9b	73	return 0
	74	fi
	75
	76	_debug "Adding records"
	77
	78	_aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>UPSERT</Action><ResourceRecordSet><Name>$fulldomain</Name><Type>TXT</Type><TTL>300</TTL><ResourceRecords>$_resource_record<ResourceRecord><Value>\"$txtvalue\"</Value></ResourceRecord></ResourceRecords></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"
16d79eba	79
e009ec8b	80	if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then
4fbd21da	81	_info "TXT record updated successfully."
b64f0ba8 SM	82	if [ -n "$AWS_DNS_SLOWRATE" ]; then
	83	_info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds"
	84	_sleep "$AWS_DNS_SLOWRATE"
37978b4f SM	85	else
37978b4f SM	86	_sleep 1
3021c5cf	87	fi
37978b4f	88
e009ec8b	89	return 0
e009ec8b	90	fi
a22d3b23	91	_sleep 1
16d79eba	92	return 1
e009ec8b	93	}
e009ec8b	94
dfbc244b	95	#fulldomain txtvalue
e009ec8b	96	dns_aws_rm() {
e009ec8b	97	fulldomain=$1
dfbc244b	98	txtvalue=$2
dfbc244b	99
693627a8 MG	100	AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
693627a8 MG	101	AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
b64f0ba8	102	AWS_DNS_SLOWRATE="${AWS_DNS_SLOWRATE:-$(_readaccountconf_mutable AWS_DNS_SLOWRATE)}"
693627a8 MG	103
693627a8 MG	104	if [ -z "$AWS_ACCESS_KEY_ID" ] \|\| [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
f49f55f4	105	_use_container_role \|\| _use_instance_role
48eaa0e5 MG	106	fi
48eaa0e5 MG	107
dfbc244b	108	_debug "First detect the root zone"
	109	if ! _get_root "$fulldomain"; then
	110	_err "invalid domain"
a22d3b23	111	_sleep 1
dfbc244b	112	return 1
	113	fi
	114	_debug _domain_id "$_domain_id"
	115	_debug _sub_domain "$_sub_domain"
	116	_debug _domain "$_domain"
	117
4fbd21da	118	_info "Getting existing records for $fulldomain"
64f07d9b	119	if ! aws_rest GET "2013-04-01$_domain_id/rrset" "name=$fulldomain&type=TXT"; then
a22d3b23	120	_sleep 1
64f07d9b	121	return 1
	122	fi
	123
	124	if _contains "$response" "<Name>$fulldomain.</Name>"; then
5f345d20	125	_resource_record="$(echo "$response" \| sed 's/<ResourceRecordSet>/"/g' \| tr '"' "\n" \| grep "<Name>$fulldomain.</Name>" \| _egrep_o "<ResourceRecords.*</ResourceRecords>" \| sed "s/<ResourceRecords>//" \| sed "s#</ResourceRecords>##")"
64f07d9b	126	_debug "_resource_record" "$_resource_record"
64f07d9b	127	else
4fbd21da	128	_debug "no records exist, skip"
a22d3b23	129	_sleep 1
64f07d9b	130	return 0
	131	fi
	132
	133	_aws_tmpl_xml="<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><ChangeBatch><Changes><Change><Action>DELETE</Action><ResourceRecordSet><ResourceRecords>$_resource_record</ResourceRecords><Name>$fulldomain.</Name><Type>TXT</Type><TTL>300</TTL></ResourceRecordSet></Change></Changes></ChangeBatch></ChangeResourceRecordSetsRequest>"
dfbc244b	134
dfbc244b	135	if aws_rest POST "2013-04-01$_domain_id/rrset/" "" "$_aws_tmpl_xml" && _contains "$response" "ChangeResourceRecordSetsResponse"; then
4fbd21da	136	_info "TXT record deleted successfully."
b64f0ba8 SM	137	if [ -n "$AWS_DNS_SLOWRATE" ]; then
	138	_info "Slow rate activated: sleeping for $AWS_DNS_SLOWRATE seconds"
	139	_sleep "$AWS_DNS_SLOWRATE"
37978b4f SM	140	else
37978b4f SM	141	_sleep 1
ea6a3c09	142	fi
37978b4f	143
dfbc244b	144	return 0
dfbc244b	145	fi
a22d3b23	146	_sleep 1
dfbc244b	147	return 1
e009ec8b	148
	149	}
	150
329174b6	151	#################### Private functions below ##################################
e009ec8b	152
e009ec8b	153	_get_root() {
873b113c	154	domain=$1
2280e66d	155	i=1
e009ec8b	156	p=1
16d79eba	157
e48d7de7	158	# iterate over names (a.b.c.d -> b.c.d -> c.d -> d)
f426940b	159	while true; do
	160	h=$(printf "%s" "$domain" \| cut -d . -f $i-100)
	161	_debug "Checking domain: $h"
	162	if [ -z "$h" ]; then
	163	_error "invalid domain"
	164	return 1
	165	fi
e009ec8b	166
e48d7de7	167	# iterate over paginated result for list_hosted_zones
f426940b	168	aws_rest GET "2013-04-01/hostedzone"
f426940b	169	while true; do
e009ec8b	170	if _contains "$response" "<Name>$h.</Name>"; then
6d5743c5	171	hostedzone="$(echo "$response" \| tr -d '\n' \| sed 's/<HostedZone>/#&/g' \| tr '#' '\n' \| _egrep_o "<HostedZone><Id>[^<]<.Id><Name>$h.<.Name>.<PrivateZone>false<.PrivateZone>.*<.HostedZone>")"
e009ec8b	172	_debug hostedzone "$hostedzone"
872bfe47	173	if [ "$hostedzone" ]; then
	174	_domain_id=$(printf "%s\n" "$hostedzone" \| _egrep_o "<Id>.<.Id>" \| head -n 1 \| _egrep_o ">.<" \| tr -d "<>")
	175	if [ "$_domain_id" ]; then
	176	_sub_domain=$(printf "%s" "$domain" \| cut -d . -f 1-$p)
	177	_domain=$h
	178	return 0
	179	fi
4fbd21da	180	_err "Can't find domain with id: $h"
e009ec8b	181	return 1
e009ec8b	182	fi
e009ec8b	183	fi
f426940b	184	if _contains "$response" "<IsTruncated>true</IsTruncated>" && _contains "$response" "<NextMarker>"; then
	185	_debug "IsTruncated"
	186	_nextMarker="$(echo "$response" \| _egrep_o "<NextMarker>.*</NextMarker>" \| cut -d '>' -f 2 \| cut -d '<' -f 1)"
	187	_debug "NextMarker" "$_nextMarker"
	188	else
	189	break
	190	fi
	191	_debug "Checking domain: $h - Next Page "
	192	aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker"
e009ec8b	193	done
f426940b	194	p=$i
	195	i=$(_math "$i" + 1)
	196	done
e009ec8b	197	return 1
	198	}
	199
f49f55f4 MG	200	_use_container_role() {
	201	# automatically set if running inside ECS
	202	if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
	203	_debug "No ECS environment variable detected"
	204	return 1
	205	fi
	206	_use_metadata "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
	207	}
	208
48eaa0e5	209	_use_instance_role() {
759f4f2c MG	210	_url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
	211	_debug "_url" "$_url"
	212	if ! _get "$_url" true 1 \| _head_n 1 \| grep -Fq 200; then
f49f55f4 MG	213	_debug "Unable to fetch IAM role from instance metadata"
f49f55f4 MG	214	return 1
48eaa0e5	215	fi
759f4f2c	216	_aws_role=$(_get "$_url" "" 1)
48eaa0e5	217	_debug "_aws_role" "$_aws_role"
f49f55f4 MG	218	_use_metadata "$_url$_aws_role"
	219	}
	220
	221	_use_metadata() {
48eaa0e5	222	_aws_creds="$(
19c43451	223	_get "$1" "" 1 \|
	224	_normalizeJson \|
	225	tr '{,}' '\n' \|
	226	while read -r _line; do
48eaa0e5 MG	227	_key="$(echo "${_line%%:*}" \| tr -d '"')"
	228	_value="${_line#*:}"
	229	_debug3 "_key" "$_key"
	230	_secure_debug3 "_value" "$_value"
	231	case "$_key" in
19c43451	232	AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;;
	233	SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;;
	234	Token) echo "AWS_SESSION_TOKEN=$_value" ;;
48eaa0e5	235	esac
19c43451	236	done \|
19c43451	237	paste -sd' ' -
48eaa0e5 MG	238	)"
48eaa0e5 MG	239	_secure_debug "_aws_creds" "$_aws_creds"
f49f55f4 MG	240
	241	if [ -z "$_aws_creds" ]; then
	242	return 1
	243	fi
	244
48eaa0e5	245	eval "$_aws_creds"
759f4f2c	246	_using_role=true
48eaa0e5 MG	247	}
48eaa0e5 MG	248
e009ec8b	249	#method uri qstr data
	250	aws_rest() {
	251	mtd="$1"
	252	ep="$2"
	253	qsr="$3"
	254	data="$4"
	255
	256	_debug mtd "$mtd"
	257	_debug ep "$ep"
	258	_debug qsr "$qsr"
	259	_debug data "$data"
	260
	261	CanonicalURI="/$ep"
	262	_debug2 CanonicalURI "$CanonicalURI"
	263
	264	CanonicalQueryString="$qsr"
	265	_debug2 CanonicalQueryString "$CanonicalQueryString"
	266
	267	RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")"
	268	_debug2 RequestDate "$RequestDate"
	269
	270	#RequestDate="20161120T141056Z" ##############
	271
3ca93f4a	272	export _H1="x-amz-date: $RequestDate"
e009ec8b	273
	274	aws_host="$AWS_HOST"
	275	CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n"
e009ec8b	276	SignedHeaders="host;x-amz-date"
5415381c	277	if [ -n "$AWS_SESSION_TOKEN" ]; then
819d2bc5	278	export _H3="x-amz-security-token: $AWS_SESSION_TOKEN"
5415381c KS	279	CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n"
	280	SignedHeaders="${SignedHeaders};x-amz-security-token"
	281	fi
	282	_debug2 CanonicalHeaders "$CanonicalHeaders"
e009ec8b	283	_debug2 SignedHeaders "$SignedHeaders"
	284
	285	RequestPayload="$data"
	286	_debug2 RequestPayload "$RequestPayload"
	287
	288	Hash="sha256"
	289
	290	CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" \| _digest "$Hash" hex)"
	291	_debug2 CanonicalRequest "$CanonicalRequest"
2f1bc586	292
16d79eba	293	HashedCanonicalRequest="$(printf "$CanonicalRequest%s" \| _digest "$Hash" hex)"
e009ec8b	294	_debug2 HashedCanonicalRequest "$HashedCanonicalRequest"
	295
	296	Algorithm="AWS4-HMAC-SHA256"
	297	_debug2 Algorithm "$Algorithm"
	298
16d79eba	299	RequestDateOnly="$(echo "$RequestDate" \| cut -c 1-8)"
e009ec8b	300	_debug2 RequestDateOnly "$RequestDateOnly"
	301
	302	Region="us-east-1"
	303	Service="route53"
	304
	305	CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request"
	306	_debug2 CredentialScope "$CredentialScope"
	307
	308	StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest"
	309
	310	_debug2 StringToSign "$StringToSign"
	311
	312	kSecret="AWS4$AWS_SECRET_ACCESS_KEY"
	313
	314	#kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################
	315
e6e85b0c	316	_secure_debug2 kSecret "$kSecret"
e009ec8b	317
1c22c2f7	318	kSecretH="$(printf "%s" "$kSecret" \| _hex_dump \| tr -d " ")"
e6e85b0c	319	_secure_debug2 kSecretH "$kSecretH"
e009ec8b	320
	321	kDateH="$(printf "$RequestDateOnly%s" \| _hmac "$Hash" "$kSecretH" hex)"
	322	_debug2 kDateH "$kDateH"
	323
	324	kRegionH="$(printf "$Region%s" \| _hmac "$Hash" "$kDateH" hex)"
	325	_debug2 kRegionH "$kRegionH"
	326
	327	kServiceH="$(printf "$Service%s" \| _hmac "$Hash" "$kRegionH" hex)"
	328	_debug2 kServiceH "$kServiceH"
	329
13a8c309	330	kSigningH="$(printf "%s" "aws4_request" \| _hmac "$Hash" "$kServiceH" hex)"
e009ec8b	331	_debug2 kSigningH "$kSigningH"
	332
	333	signature="$(printf "$StringToSign%s" \| _hmac "$Hash" "$kSigningH" hex)"
	334	_debug2 signature "$signature"
	335
	336	Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature"
	337	_debug2 Authorization "$Authorization"
	338
819d2bc5	339	_H2="Authorization: $Authorization"
819d2bc5	340	_debug _H2 "$_H2"
e009ec8b	341
fd77e463	342	url="$AWS_URL/$ep"
	343	if [ "$qsr" ]; then
	344	url="$AWS_URL/$ep?$qsr"
	345	fi
e009ec8b	346
	347	if [ "$mtd" = "GET" ]; then
	348	response="$(_get "$url")"
	349	else
	350	response="$(_post "$data" "$url")"
	351	fi
	352
	353	_ret="$?"
64f07d9b	354	_debug2 response "$response"
e009ec8b	355	if [ "$_ret" = "0" ]; then
	356	if _contains "$response" "<ErrorResponse"; then
	357	_err "Response error:$response"
	358	return 1
	359	fi
	360	fi
2f1bc586	361
e009ec8b	362	return "$_ret"
e009ec8b	363	}