How to create and validate an AWS certificate with Terraform

ada*_*ter 6 amazon-web-services terraform terraform-provider-aws

I am trying to create and validate an AWS certificate with Terraform, following the example in the Terraform docs here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation#dns-validation-with-route-53


My Terraform file looks like this:

```hcl
resource "aws_acm_certificate" "vpn_server" {
  domain_name = "stuff.mine.com"

  validation_method = "DNS"

  tags = {
    Name        = "certificate"
    Scope       = "vpn_server"
    Environment = "vpn"
  }
}

resource "aws_acm_certificate_validation" "vpn_server" {
  certificate_arn = aws_acm_certificate.vpn_server.arn

  validation_record_fqdns = [for record in aws_route53_record.my_dns_record_vpn_server : record.fqdn]

  timeouts {
    create = "2m"
  }
}

resource "aws_route53_zone" "my_dns" {
  name = "stuff.mine.com"

  tags = {
    name = "dns_zone"
  }
}

resource "aws_route53_record" "my_dns_record_vpn_server" {
  for_each = {
    for dvo in aws_acm_certificate.vpn_server.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = resource.aws_route53_zone.my_dns.zone_id
}
```

The problem is that when I run `terraform apply`, the validation always times out and fails with this error message:

```text
aws_acm_certificate.vpn_server: Creating...
aws_acm_certificate.vpn_server: Creation complete after 8s [id=arn:aws:acm:eu-west-2:320289993971:certificate/7e859491-141f-49d5-b50e-c44cf4e1db4e]
aws_route53_zone.my_dns: Creating...
aws_route53_zone.my_dns: Still creating... [10s elapsed]
aws_route53_zone.my_dns: Creation complete after 52s [id=Z09112516IIP4OEAIIQ7]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creating...
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [10s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [20s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [30s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [40s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [50s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creation complete after 58s [id=Z09112516IIP4OEAIIQ7__ebd2853fcbfc7cc8bd6582e65d940d54.stuff.mine.com._CNAME]
aws_acm_certificate_validation.vpn_server: Creating...
aws_acm_certificate_validation.vpn_server: Still creating... [10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m0s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [2m0s elapsed]

╷
│ Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
│
│   with aws_acm_certificate_validation.vpn_server,
│   on main.tf line 61, in resource "aws_acm_certificate_validation" "vpn_server":
│   61: resource "aws_acm_certificate_validation" "vpn_server" {
│
╵
```

Can someone tell me what I am missing to get the certificate validation to complete?


yda*_*coR 5

The domain validation records need to be in a public zone that is correctly delegated. So if you own `mine.com` and want to create a zone called `stuff.mine.com`, you need to set NS records in `mine.com` that point at the name servers of the `stuff.mine.com` zone, but you are not doing that here, and you are also not using an already configured zone.

Otherwise the records are created in your zone, but that zone is not correctly delegated, so nothing can resolve those records. You should be able to test this by trying to resolve them yourself or with an external resolver tool such as MX Toolbox.

There is potentially a lot to consider here, but you probably want to set up a zone that holds the final records you want to create (the records pointing at the web server/load balancer you want the certificate for, plus the ACM domain validation records) separately, and then just reference that zone with the `aws_route53_zone` data source so the domain validation records are created in it.
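The data-source approach described in the answer, as an added example that is not the answer's own code. It assumes that `mine.com` is already a public hosted zone in Route 53 that is delegated from the registrar, that the provider region is `eu-west-2` as in the question's log, and that `stuff.mine.com` is the hostname the certificate is for; the resource names `parent` and `vpn_server_validation` are chosen for illustration.

```hcl
# Added example (not the answer's or the question's code). Assumptions:
# - "mine.com" is an existing public Route 53 zone, delegated from the registrar
# - the certificate is for the hypothetical hostname "stuff.mine.com"
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "eu-west-2"
}

# Look up the zone that the public internet already resolves, instead of
# creating a fresh "stuff.mine.com" zone that nothing delegates to.
data "aws_route53_zone" "parent" {
  name         = "mine.com."
  private_zone = false
}

resource "aws_acm_certificate" "vpn_server" {
  domain_name       = "stuff.mine.com"
  validation_method = "DNS"

  tags = {
    Name  = "certificate"
    Scope = "vpn_server"
  }

  # Lets a renamed/re-issued certificate replace the old one without downtime.
  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per domain_validation_option, written into the
# delegated parent zone so ACM's resolvers can actually see it.
resource "aws_route53_record" "vpn_server_validation" {
  for_each = {
    for dvo in aws_acm_certificate.vpn_server.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  zone_id         = data.aws_route53_zone.parent.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
}

resource "aws_acm_certificate_validation" "vpn_server" {
  certificate_arn         = aws_acm_certificate.vpn_server.arn
  validation_record_fqdns = [for r in aws_route53_record.vpn_server_validation : r.fqdn]

  # Issuance only starts once the CNAME is publicly resolvable; 2m is tight.
  timeouts {
    create = "15m"
  }
}
```

Before blaming ACM, check the delegation from outside AWS: `dig +trace NS stuff.mine.com` should end at Route 53 name servers, and `dig CNAME <resource_record_name>` (the name from `domain_validation_options`) should return the ACM value. If it does not resolve from a public resolver, ACM cannot see it either and the certificate stays in `PENDING_VALIDATION`. If you really want a separate `stuff.mine.com` zone, keep the `aws_route53_zone` resource from the question, but also add an `NS` record in the parent zone whose `records` are `aws_route53_zone.<name>.name_servers`, and put the validation CNAMEs in that child zone; the delegation is what is missing in the original configuration, not the validation records themselves.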