使用 AWS SSL 证书提供商,您可以从 Terraform 创建新证书,但在它们发布之前您不能使用它们。问题是您必须在 Route53 中创建记录才能进行验证(aaaa-xxxx-vvvv.| CNAME | 挑战)
是否可以在使用 Terraform 创建新证书后自动执行 Route53 验证过程?
这是我的 Terraform 配置:
resource "aws_acm_certificate" "acme-cert-prod" {
domain_name = "www.acme.io"
validation_method = "DNS"
tags = {
Environment = "prod"
}
lifecycle {
create_before_destroy = true
}
}
我是否缺少任何选项来自动颁发该证书?
【问题讨论】:
标签: terraform terraform-provider-aws aws-acm
aws_acm_certificate_validation resource 将处理触发验证,并可通过 DNS 质询链接到 Route53 记录的创建。
资源文档中给出了一个示例:
resource "aws_acm_certificate" "cert" {
domain_name = "example.com"
validation_method = "DNS"
}
data "aws_route53_zone" "zone" {
name = "example.com."
private_zone = false
}
resource "aws_route53_record" "cert_validation" {
name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
zone_id = "${data.aws_route53_zone.zone.zone_id}"
records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
ttl = 60
}
resource "aws_acm_certificate_validation" "cert" {
certificate_arn = "${aws_acm_certificate.cert.arn}"
validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}
resource "aws_lb_listener" "front_end" {
# [...]
certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
}
【讨论】: