Setting up ssl cert for load balancer terraform

Problem description

I have a cert setup in the London region and attached to a load balancer listener which works perfectly. I am attempting to create another cert from the same Route53 domain and attach it to a listener but this time in the Ireland region.

My Terraform looks like:

resource "aws_acm_certificate" "default" {
  count       = var.prod ? 1 : 0
  domain_name = "www.example.uk"
  subject_alternative_names = [
    "example.uk",
  ]
  validation_method = "DNS"
}

resource "aws_route53_record" "validation" {
  count   = var.prod ? 1 : 0
  name    = aws_acm_certificate.default[count.index].domain_validation_options[count.index].resource_record_name
  type    = aws_acm_certificate.default[count.index].domain_validation_options[count.index].resource_record_type
  zone_id = "Z0725470IF9R8J77LPTU"
  records = [
  aws_acm_certificate.default[count.index].domain_validation_options[count.index].resource_record_value]
  ttl = "60"
}

resource "aws_route53_record" "validation_alt1" {
  count   = var.prod ? 1 : 0
  name    = aws_acm_certificate.default[count.index].domain_validation_options[count.index + 1].resource_record_name
  type    = aws_acm_certificate.default[count.index].domain_validation_options[count.index + 1].resource_record_type
  zone_id = "Z0725470IF9R8J77LPTU"
  records = [
  aws_acm_certificate.default[count.index].domain_validation_options[count.index + 1].resource_record_value]
  ttl = 60
}

resource "aws_acm_certificate_validation" "default" {
  count           = var.prod ? 1 : 0
  certificate_arn = aws_acm_certificate.default[count.index].arn
  validation_record_fqdns = [
    aws_route53_record.validation[count.index].fqdn,
    aws_route53_record.validation_alt1[count.index].fqdn,
  ]
}

This worked perfectly the first time I set this up in the London region, when I try and run it in the Ireland region on AWS I get the following errors:

[screenshot of the Terraform error output; image not reproduced]

I'm not 100% on why the cert validation seems to bring back no records.

Tags: amazon-web-services, ssl, terraform, amazon-route53

Solution


There is a change in the domain_validation_options attribute in AWS provider version 3. Previously it was a list type and now it has been changed to a set type. So you have 2 options:

  1. Version-lock the AWS provider to version 2:

provider "aws" {
  version = "~>2"
}

  2. Update the code to work with the new provider version. For that you need to replace count with for_each and make similar updates as shown below.

# One validation record per domain name on the certificate.
# "aws_acm_certificate.existing" and "data.aws_route53_zone.public_root_domain"
# are defined elsewhere in the configuration.
resource "aws_route53_record" "existing" {
  for_each = {
    for dvo in aws_acm_certificate.existing.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.public_root_domain.zone_id
}

# Wait for ACM to issue the certificate; collect the FQDNs of every record above.
resource "aws_acm_certificate_validation" "existing" {
  certificate_arn         = aws_acm_certificate.existing.arn
  validation_record_fqdns = [for record in aws_route53_record.existing : record.fqdn]
}

You can check this for more details: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-3-upgrade#resource-aws_acm_certificate
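As an added, complete example (not the asker's or the answerer's code), the configuration below puts the for_each pattern from the answer together with the piece the question is really about: a second certificate issued in the Ireland region and attached to an HTTPS listener there. It assumes an AWS provider alias named aws.ireland, that the example.uk hosted zone is public, and that an ALB (aws_lb.ireland) and target group (aws_lb_target_group.ireland) already exist in that region; those names are placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.0" # domain_validation_options is a set from v3 on
    }
  }
}

# ACM certificates are regional: a listener in eu-west-1 can only use a
# certificate issued in eu-west-1, so a dedicated provider alias is used.
provider "aws" {
  alias  = "ireland" # assumed alias name
  region = "eu-west-1"
}

# Route 53 is global; looking the zone up replaces the hard-coded zone id.
data "aws_route53_zone" "root" {
  name         = "example.uk."
  private_zone = false
}

resource "aws_acm_certificate" "ireland" {
  provider                  = aws.ireland
  domain_name               = "www.example.uk"
  subject_alternative_names = ["example.uk"]
  validation_method         = "DNS"

  # A certificate still attached to a listener cannot be deleted; issue the
  # replacement first, then swap it in.
  lifecycle {
    create_before_destroy = true
  }
}

# Keying by domain_name is what makes a set work with for_each: the keys come
# from the configuration and are known at plan time, only the CNAME values
# are computed after the certificate request.
resource "aws_route53_record" "ireland_validation" {
  for_each = {
    for dvo in aws_acm_certificate.ireland.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  # ACM generally reuses the same validation CNAME for a domain within one
  # account, so the London setup may already have created this record.
  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.root.zone_id
}

resource "aws_acm_certificate_validation" "ireland" {
  provider                = aws.ireland
  certificate_arn         = aws_acm_certificate.ireland.arn
  validation_record_fqdns = [for r in aws_route53_record.ireland_validation : r.fqdn]
}

resource "aws_lb_listener" "https" {
  provider          = aws.ireland
  load_balancer_arn = aws_lb.ireland.arn # assumed existing ALB
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  # Reference the validation resource rather than the certificate so the
  # listener is only created once ACM has actually issued the certificate.
  certificate_arn = aws_acm_certificate_validation.ireland.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ireland.arn # assumed existing
  }
}
```

Run terraform plan with provider v3 or later and the two validation records show up keyed as "www.example.uk" and "example.uk" instead of [0] and [1], which is also why a single for_each block covers the root and the www name without a second resource.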

