amazon-web-services - 如何将 ssl 证书列表添加到我使用 Terraform for 循环构造之一创建的 alb 侦听器列表中?
问题描述
在 AWS 上,使用 Terraform 可以将多个 ssl 证书添加到 ALB 侦听器。我可以通过创建侦听器资源并创建多个 aws_lb_listener_certificate 资源来做到这一点。
所以像这样的东西很好用:
resource "aws_alb_listener" "alb_listener" {
load_balancer_arn = aws_alb.alb.arn
port = 443
protocol = "HTTPS"
default_action {
target_group_arn = aws_alb_target_group.alb_target_group.arn
type = lookup(var.alb_listener, "action")
}
}
resource "aws_lb_listener_certificate" "testme_ssl_cert" {
listener_arn = "${aws_alb_listener.alb_listener.arn}"
certificate_arn = "${data.aws_acm_certificate.testme.arn}"
}
但是我试图通过从配置中构建我的侦听器来减少我用来执行此操作的代码量。所以我可以从这样的地图变量中构建我的监听器。这很好用。
resource "aws_lb_listener" "encrypted_listener" {
load_balancer_arn = aws_alb.alb.arn
for_each = var.ssl_forwarding
port = each.key
protocol = each.value
certificate_arn = lookup(var.default_certificate,each.key)
default_action {
target_group_arn = aws_alb_target_group.alb_target_group.arn
type = "forward"
}
}
variable "ssl_forwarding" {
default = {
443 = "HTTPS"
8081 = "HTTPS"
}
现在我想将其余的证书添加到我刚刚创建的侦听器中。
So I need something that looks like this (I think):
variable "additional_certificates" {
default=[
"arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a", #cert 1
"arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a", #cert 2
]
}
resource "aws_lb_listener_certificate" "ssl_certs"
listener_arn = //for every listener that I just created
certificate_arn = //add every certificate in additional_certificates
}
我不明白如何处理听众的多样性。证书的多样性。最后,证书的多样性与听众的多样性有关。
**所有关于如何解决这个问题的建议表示赞赏。变通方法的建议也受到赞赏。谢谢.....
更新:感谢 Marcin 的回答……但这只允许我添加一个额外的 SSL cer。我认为 var 看起来像这样......所以我可以将 n 个证书添加到 n 个负载均衡器。
variable "additional_certificates" {
default = {
443 = ["arn:aws:acm:eu-west-1:blah_blah_ect1",
"arn:aws:acm:eu-west-1:blah_blah_ect2"
""arn:aws:acm:eu-west-1:blah_blah_ect....n" //could be any number of certs here
]
8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
}
解决方案
我假设你aws_lb_listener.encrypted_listener
是有效的并且它有效,因为它没有在问题中另行指定。additional_certificates
此外,如果是地图会更好,因为您正在使用地图ssl_forwarding
。因此,您ssl_certs
可能是:
variable "additional_certificates" {
default = {
443 = "arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a",
8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
}
}
resource "aws_lb_listener_certificate" "ssl_certs" {
for_each = aws_lb_listener.encrypted_listener
listener_arn = each.value.arn
certificate_arn = var.additional_certificates[each.key]
}
更新
如果您可以拥有随机数量的端口和随机数量的证书,我可以提出以下建议:
variable "additional_certificates" {
default = {
443 = ["arn:aws:acm:eu-west-1:blah_blah_ect1",
"arn:aws:acm:eu-west-1:blah_blah_ect2",
"arn:aws:acm:eu-west-1:blah_blah_ect....n"
]
8081 = ["arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"]
9999 = ["arn:aws:acm:eu-west-1:blah_blach_ect-223332",
"arn:aws:acm:eu-west-1:blah_blach_ect-22222"]
}
}
locals {
# flatten the additional_certificates
additional_certificates_flat = merge([
for port, certs in var.additional_certificates:
{for cert in certs:
"${port}-${cert}" => {"port" = port, "cert" = cert}
}
]...)
}
var.additional_certificates
扁平local.additional_certificates_flat
化为:
{
"443-arn:aws:acm:eu-west-1:blah_blah_ect....n" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect....n"
"port" = "443"
}
"443-arn:aws:acm:eu-west-1:blah_blah_ect1" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect1"
"port" = "443"
}
"443-arn:aws:acm:eu-west-1:blah_blah_ect2" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect2"
"port" = "443"
}
"8081-arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
"port" = "8081"
}
"9999-arn:aws:acm:eu-west-1:blah_blach_ect-22222" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-22222"
"port" = "9999"
}
"9999-arn:aws:acm:eu-west-1:blah_blach_ect-223332" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-223332"
"port" = "9999"
}
}
然后,
resource "aws_lb_listener_certificate" "ssl_certs" {
for_each = local.additional_certificates_flat
listener_arn = aws_lb_listener.encrypted_listener[each.value.port].arn
certificate_arn = each.value.cert
}
推荐阅读
- typescript - 在反应 redux 中保存选定的日期而不是 utc 日期
- r - 自动化许多 txt 文件的功能
- r - 将仪表板发布到 RSConnect 后访问项目目录外的文件
- vba - VBA Word - Documents.Open 网站 URL,但间接取自 Word 文档
- spring-boot - 从 spring-boot 1.2.2 迁移到 2.3 时如何修复记录器
- mysql - mysql 按组计算总和 IF
- reactjs - react中常见的条件渲染模式
- java - 替换字符串中的第一个和最后一个符号
- html - 通过 html 链接打开和编辑文本文件
- javascript - 在启用 WAF 的情况下阻止托管在 Amazon ALB 中的 webapp 上的 AJAX Post 请求 - 以防表单数据包含空格字符