Sha*_*man 6 ssl-certificate amazon-web-services terraform aws-certificate-manager terraform-provider-aws
我正在尝试使用 Terraform 0.12.0 创建 ACM 证书以应用于我的 Amazon ALB。我可以在没有证书的情况下创建我的 ALB,没有问题。整个基础架构堆栈按预期构建和部署。现在,我添加了以下代码来创建 Route 53 验证记录、请求证书并将其分配给新的 ALB 侦听器:
资源 "aws_route53_zone" "main" { name = "${var.zone_name}" }
resource "aws_route53_record" "validation" {
name = "${aws_acm_certificate.main.domain_validation_options.0.resource_record_name}"
type = "${aws_acm_certificate.main.domain_validation_options.0.resource_record_type}"
zone_id = "${aws_route53_zone.main.zone_id}"
records = ["${aws_acm_certificate.main.domain_validation_options.0.resource_record_value}"]
ttl = "60"
}
resource "aws_acm_certificate_validation" "main" {
certificate_arn = "${aws_acm_certificate.main.arn}"
validation_record_fqdns = "${aws_route53_record.validation.*.fqdn}"
}
resource "aws_alb_listener" "front_end_tls" {
load_balancer_arn = "${aws_alb.main.id}"
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-2016–08"
certificate_arn = "${var.certificate_arn}"
default_action {
target_group_arn = "${aws_alb_target_group.main.id}"
type = "forward"
}
}
terraform apply但是,当我运行时,它似乎卡在了证书验证上。我看到这样的消息:
module.dns.aws_acm_certificate_validation.main: Still creating... [38m21s elapsed]
我让代码运行了超过 45 分钟,直到我最终看到一条错误消息:
Error: Error creating LB Listener: SSLPolicyNotFound: SSL policy 'ELBSecurityPolicy-2016–08' not found
status code: 400, request id: a5f052c1-86df-11e9-993c-f99526fa9bba
on alb/main.tf line 25, in resource "aws_alb_listener" "front_end_tls":
25: resource "aws_alb_listener" "front_end_tls" {
Error: Expected certificate to be issued but was in state PENDING_VALIDATION
on dns/main.tf line 38, in resource "aws_acm_certificate_validation" "main":
38: resource "aws_acm_certificate_validation" "main" {
如果我登录到控制台,我会看到证书请求仍处于 Pending Validation 状态。我还看到按预期创建的 Route 53 验证记录。
为什么从未处理和应用此证书请求?我的 Terraform 代码中是否缺少某些内容?
更新: 当我使用现有的 Route 53 区域(与我上面尝试的域名不同)并将其作为数据资源引用时aws_route53_record,它可以正常工作。我在这次测试中尝试的域名是今天刚刚通过 Route 53 购买的,所以我想知道这是否与我的问题有关。我无法对任何记录执行 nslookup,即使我看到它们列在 Route 53 控制台中。也许?我会让它静置几天,看看它是否只是时间问题。
在应用以下代码之前,请确保您已经购买了一个域名,然后填写domain_name变量,如果它应该是通配符,您可以使用wildcard_enable = true这种方式,您可以创建一个通配符证书,对于ACM在不同的子域中重用相同的证书非常有用。
我的目录结构
.
|____main.tf
|____variables.tf
主.tf
locals {
final_domain = "${var.wildcard_enable == true ? "*.${var.domain_name}" : var.domain_name}"
}
resource "aws_acm_certificate" "this" {
domain_name = local.final_domain
validation_method = "DNS"
tags = {
"Name" = "acm-cert-name"
"costCenter" = "xxxxxxxxx"
"owner" = "xxxxxxxxx"
}
lifecycle {
create_before_destroy = true
}
}
resource "aws_route53_record" "this" {
depends_on = ["aws_acm_certificate.this"]
zone_id = "xxxxxxxxxx"
name = aws_acm_certificate.this.domain_validation_options.0.resource_record_name
type = "CNAME"
ttl = "300"
records = [aws_acm_certificate.this.domain_validation_options.0.resource_record_value]
}
变量.tf
variable "wildcard_enable" {
description = "Variable that allow us to choose the possibility of not use wildcard certificate"
default = false
}
variable "domain_name" {
description = "The name of the domain to which apply the cert"
}
首先:将此代码作为模块应用,或者只是应用它并等待 AWS 验证它。
最后: useaws_acm_certificate.this.arn来获取ACM arn,并且可以在 上使用ALB。
如果ACM证书尚未经过验证,则您无法将其用于,ALB因为AWSapi 不会检索ACM ARN.
我希望对您和其他用户有用。
| 归档时间: |
|
| 查看次数: |
3632 次 |
| 最近记录: |