Use the `hostedzonesbyname` Route 53 API endpoint instead of the `hostedzones` endpoint.
The `hostedzones` endpoint returns all hosted zones for a given Route 53 account in groups of 100. For AWS Route 53 accounts with many domains, this could mean a large number of requests to the `hostedzones` endpoint as it progresses through each page of 100 results. This will often result in a "Rate exceeded" API error from Route 53.
Instead of using the `hostedzones` endpoint, we can use `hostedzonesbyname`, filter by the specific domain we are looking for, and ask for a `max-items` of 1.
The while loop in `_get_root()` starts with a given domain and removes parts from the front of the given domain if no match is found.
For example, when requesting a certificate for `test.www.domain.co.uk`, the while loop will check for Route 53 hosted zones for:
1st: test.www.domain.co.uk
2nd: www.domain.co.uk
3rd: domain.co.uk
4th: co.uk
5th: uk
The first two checks will result in no matches, while the third check should be successful (if, of course, domain.co.uk is actually a hosted zone in the given AWS account).
Now imagine that the given AWS account owns 2500 domains and, therefore, has 2500 hosted zones.
Using the `hostedzones` endpoint would result in:
1st: 25 GET requests to the Route 53 API looking for a match to test.www.domain.co.uk
2nd: 25 GET requests to the Route 53 API looking for a match to www.domain.co.uk
3rd: 25 GET requests to the Route 53 API looking for a match to domain.co.uk
4th: 25 GET requests to the Route 53 API looking for a match to co.uk
5th: 25 GET requests to the Route 53 API looking for a match to uk
This would far exceed the Route 53 limit of five requests per second.
Using `hostedzonesbyname` results in a dramatic reduction in Route 53 API GET requests for AWS accounts with large numbers of hosted zones.
This is to provide a clean path to future extension work such as adding
a _use_container_role function to offer similar support for ECS
containers.
The $_using_role flag has also been made generic so that future role
providers can also make use of it.
Use the behavior established in the botocore python library to inform
how and when instance metadata is fetched in an attempt to acquire valid
AWS credentials.
- Use it as a fallback when no other credentials are provided
- Set the timeout of metadata requests to 1 second
Add option (AWS_USE_INSTANCE_ROLE) to have the AWS DNS API driver pull
the necessary credentials from the AWS EC2 instance metadata endpoint
when required.
This is a non-breaking change as it only takes effect when explicitly
turned on via the environment variable, and fails safe back to the
normal code path.
dns_dyn.sh, remove empty line at end
dns_dyn.sh, remove trailing spaces at end of line
Replace 'head -n' with the '_head_n' function
Update main README.md DNS API list
message:
SC2034: $VARNAME appears unused. Verify it or export it.
most of these are related to the style:
we generate global vars, which are used in other functions.
the var "lexical_url" was really unused (left it as a comment)
the travis-check now does not need any special flags anymore.
Signed-off-by: Bastian Bittorf <bb@npl.de>
Ignoring the Cthulhu argument 😃, Route53 returns its XML all on one line, making it impossible to grep the hosted zone record with egrep/sed.
This change splits the XML in multiple lines, so that parsing can succeed.
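As an added example (not the project's own code and not from any of the commits above), the following shell script ties the first commit message (walk the domain from the left, one `hostedzonesbyname` request per candidate, `max-items` of 1) to the last one (Route 53 returns the XML on one line, so split it before grepping). The real Route 53 call is replaced by a constructed offline stand-in; the query parameter names `dnsname` and `maxitems` are the ones the endpoint itself uses (the commit message writes `max-items`, the CLI spelling). The stand-in keeps its zone list in plain string order, whereas the real API orders by reversed labels; that simplification does not change the check the caller has to make.

```shell
#!/bin/sh
# Added example: walk a domain from the left until a hosted zone matches,
# one hostedzonesbyname lookup per candidate, and parse the one-line XML
# reply by first breaking it at tag boundaries.

# Constructed inventory of hosted zones in a hypothetical account: "name|id".
# Plain string order here; the real API orders by reversed labels.
_ZONES="alpha.example.|ZCONSTRUCTED1
domain.co.uk.|ZCONSTRUCTED2
zeta.example.|ZCONSTRUCTED3"

_requests=0

# Stand-in for GET /2013-04-01/hostedzonesbyname?dnsname=<name>&maxitems=1
# (no network call is made). Like Route 53, it returns the first zone whose
# name sorts at or after <name>, so the caller must still compare the
# returned <Name> with the name it asked for.
_mock_hostedzonesbyname() {
  _q="$1."
  _hit=$(printf '%s\n' "$_ZONES" | awk -F '|' -v q="$_q" '$1 >= q { print; exit }')
  _items=""
  if [ -n "$_hit" ]; then
    _n=${_hit%%|*}
    _i=${_hit#*|}
    _items="<HostedZone><Id>/hostedzone/$_i</Id><Name>$_n</Name><CallerReference>constructed</CallerReference></HostedZone>"
  fi
  printf '%s' "<?xml version=\"1.0\"?><ListHostedZonesByNameResponse xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"><HostedZones>$_items</HostedZones><IsTruncated>false</IsTruncated><MaxItems>1</MaxItems></ListHostedZonesByNameResponse>"
}

# Route 53 sends the whole body on one line; insert a newline between
# adjacent tags so grep/sed can work line by line.
_split_xml() {
  awk '{ gsub(/></, ">\n<"); print }'
}

_first_zone_name() {
  printf '%s' "$1" | _split_xml | grep '<Name>' | head -n 1 | sed 's/<Name>\(.*\)<\/Name>/\1/'
}

_first_zone_id() {
  printf '%s' "$1" | _split_xml | grep '<Id>' | head -n 1 | sed 's#<Id>/hostedzone/\(.*\)</Id>#\1#'
}

# Sets _domain, _sub_domain and _domain_id; returns 1 when no candidate
# (test.www.domain.co.uk, www.domain.co.uk, domain.co.uk, ...) is a zone.
_get_root() {
  domain="$1"
  i=1
  while true; do
    h=$(printf '%s' "$domain" | cut -d . -f "$i-")
    if [ -z "$h" ]; then
      return 1
    fi
    _requests=$((_requests + 1))
    xml=$(_mock_hostedzonesbyname "$h")
    name=$(_first_zone_name "$xml")
    if [ "$name" = "$h." ]; then
      _domain="$h"
      _domain_id=$(_first_zone_id "$xml")
      if [ "$i" -gt 1 ]; then
        _sub_domain=$(printf '%s' "$domain" | cut -d . -f "1-$((i - 1))")
      else
        _sub_domain=""
      fi
      return 0
    fi
    i=$((i + 1))
  done
}

if _get_root "test.www.domain.co.uk"; then
  echo "zone=$_domain id=$_domain_id sub=$_sub_domain requests=$_requests"
fi
```

Two things the script makes visible: with `maxitems=1` the account's 2500 zones cost three requests for `test.www.domain.co.uk` instead of the 75 page fetches the commit message counts, and because `hostedzonesbyname` returns the next zone in order when there is no exact match, the `<Name>` comparison against the candidate (with its trailing dot) is what decides a hit, not the mere presence of a `<HostedZone>` element.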