Use `hostedzonesbyname` Route 53 API endpoint instead of `hostedzones` endpoint.
The `hostedzones` endpoint returns all hosted zones for a given Route 53 account in groups of 100. For AWS Route 53 accounts with many domains, this could mean a large number of requests to the `hostedzones` endpoint as it progresses through each page of 100 results. This will often result in a "Rate exceeded" API error from Route 53.
Instead of using `hostedzones` endpoint, we can use `hostedzonesbyname` and then filter by the specific domain we are looking for and ask for a `max-items` of 1.
The while loop in _get_root() starts with a given domain and removes parts from the front of the given domain if no match is found.
For example, when requesting a certificate for `test.www.domain.co.uk`, the while loop will check for Route 53 hosted zones for:
1st: test.www.domain.co.uk
2nd: www.domain.co.uk
3rd: domain.co.uk
4th: co.uk
5th: uk
The first two checks will result in no matches, while the third check should be successful (if, of course, domain.co.uk is actually a hosted zone in the given AWS account).
Now imagine that the given AWS account owns 2500 domains and, therefore, has 2500 hosted zones.
Using the `hostedzones` endpoint would result in:
1st: 25 GET requests to the Route 53 API looking for a match to test.www.domain.co.uk
2nd: 25 GET requests to the Route 53 API looking for a match to www.domain.co.uk
3rd: 25 GET requests to the Route 53 API looking for a match to domain.co.uk
4th: 25 GET requests to the Route 53 API looking for a match to co.uk
5th: 25 GET requests to the Route 53 API looking for a match to uk
This would far exceed the Route 53 limit of five requests per second.
Using `hostedzonesbyname` results in a dramatic reduction in Route 53 API GET requests for AWS accounts with large numbers of hosted zones.
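Added example, not part of the commit or the project's code: a local model of the lookup loop described above, counting one request per candidate name. It assumes the documented behaviour of ListHostedZonesByName, where `dnsname` is a starting point in reversed-label sort order rather than a filter, so the returned name has to be compared with the candidate. `ZONES`, `zone_by_name` and `find_root` are hypothetical names and the zone list is constructed.

```shell
#!/bin/sh
# Constructed sample: the hosted zones of a hypothetical account.
ZONES="domain.co.uk.
example.com.
zebra.org."
REQUESTS=0   # simulated API calls made by the last find_root run

# "www.domain.co.uk." -> "uk.co.domain.www": the reversed-label sort key.
rev_labels() {
  printf '%s\n' "${1%.}" |
    awk -F. '{ for (i = NF; i > 1; i--) printf "%s.", $i; print $1 }'
}

# Stand-in for GET hostedzonesbyname?dnsname=$1&maxitems=1.
# Sets FOUND to the first zone at or after $1 in sort order, which is
# not necessarily $1 itself.
zone_by_name() {
  REQUESTS=$((REQUESTS + 1))
  key=$(rev_labels "$1")
  FOUND=$(printf '%s\n' "$ZONES" | while read -r z; do
      printf '%s %s\n' "$(rev_labels "$z")" "$z"
    done | LC_ALL=C sort |
    LC_ALL=C awk -v q="$key" '($1 "") >= (q "") { print $2; exit }')
}

# Sets ROOT to the longest suffix of $1 that is an exact zone match.
find_root() {
  h="${1%.}."; ROOT=""; REQUESTS=0
  while :; do
    zone_by_name "$h"
    # Exact comparison: a neighbouring zone must not be accepted.
    if [ "$FOUND" = "$h" ]; then ROOT="$h"; return 0; fi
    case "$h" in
      *.?*) h="${h#*.}" ;;   # drop the leftmost label and retry
      *) return 1 ;;         # single label left, no zone found
    esac
  done
}

find_root test.www.domain.co.uk && echo "$ROOT after $REQUESTS requests"
```

With the paged `hostedzones` listing, the same three candidates would cost 25 requests each on the 2500-zone account from the message above.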
_saveaccountconf_mutable instead of _saveaccountconf now used.
Co-Authored-By: kapper.net support account <33451837+kappernet@users.noreply.github.com>
This provider relies on the python-openstackclient and
python-designateclient tools being installed and working, with
either password or application credentials loaded in your env.
$fulldomain could be just 'domain.duckdns.org' if provided with --domain-alias or '_acme-challenge.domain.duckdns.org' otherwise. In the latter case, '_acme-challenge' is thrown away. Correctly extract 'domain' in both cases.
The current call uses the /domains end-point which lists all domains.
This only returns 100 domains at a time, so for long domain lists you
may not match and find the required ID.
Switch to using the search interface that only returns values matching
the requested domain. This will avoid missing results.
Reported by @jjamfd.
Closes: #2944