# Look up the public hosted zone that every record in this file is written
# into. The lookup, like all Route 53 writes below, goes through the
# aws.account_route53 provider alias, so the zone presumably lives in a
# separate account from the rest of the stack.
data "aws_route53_zone" "public" {
  provider     = aws.account_route53
  name         = var.demo_dns_zone
  private_zone = false
}
# Public ACM certificate for the demo hostname. Ownership is proven over DNS
# (the validation record is created in aws_route53_record.cert_validation
# below) rather than by e-mail, so no manual approval step is involved.
resource "aws_acm_certificate" "myapp" {
  domain_name       = aws_route53_record.myapp.fqdn
  validation_method = "DNS"

  # When this resource has to be replaced, issue the new certificate first so
  # that whatever references the old ARN is never left without a certificate
  # in between.
  lifecycle {
    create_before_destroy = true
  }
}
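# DNS record that ACM checks to prove we control the domain.
#
# This example assumes the certificate covers a single domain name, so only the
# first entry of domain_validation_options is used. That keeps the apply free
# of -target gymnastics, unlike the for_each version at
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation
#
# Caveat: if subject_alternative_names are ever added to the certificate, only
# the first validation option gets a record and the certificate will never
# finish validating. At that point switch to for_each over
# domain_validation_options (and update the fqdn reference in
# aws_acm_certificate_validation.cert accordingly).
locals {
  # The single validation option this file acts on; pulled out once so the
  # name/type/value lines below stay in step with each other.
  cert_validation_option = tolist(aws_acm_certificate.myapp.domain_validation_options)[0]
}

resource "aws_route53_record" "cert_validation" {
  provider = aws.account_route53
  zone_id  = data.aws_route53_zone.public.zone_id

  # Take over an existing record with this name instead of failing. Fine for a
  # validation record whose only job is this proof, but note that a stale
  # record left by an earlier run is silently replaced rather than reported.
  allow_overwrite = true

  name    = local.cert_validation_option.resource_record_name
  type    = local.cert_validation_option.resource_record_type
  records = [local.cert_validation_option.resource_record_value]

  # Short TTL so a re-issued validation value propagates quickly.
  ttl = 60
}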
# Blocks the apply until ACM has seen the validation record and issued the
# certificate. Anything that needs an issued certificate (e.g. an HTTPS
# listener defined elsewhere) should depend on this resource rather than on
# aws_acm_certificate.myapp directly, so it is not created against a
# still-pending certificate.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.myapp.arn
  validation_record_fqdns = [aws_route53_record.cert_validation.fqdn]
}
# Public "myapp" hostname: an alias A record that points at the ALB.
# The ALB itself (aws_alb.mylb) is defined outside this file.
resource "aws_route53_record" "myapp" {
  provider = aws.account_route53
  zone_id  = data.aws_route53_zone.public.zone_id
  name     = "${var.demo_dns_name}.${data.aws_route53_zone.public.name}"
  type     = "A"

  alias {
    name    = aws_alb.mylb.dns_name
    zone_id = aws_alb.mylb.zone_id

    # Route 53 answers with the ALB regardless of the ALB's health; there is
    # no failover target here for health-based routing to fall back to.
    evaluate_target_health = false
  }
}
# Browser-based smoke test for the demo.
output "testing" {
  description = "Instructions for checking the demo hostname in a browser."
  value       = "Test this demo code by going to https://${aws_route53_record.myapp.fqdn} and checking your have a valid SSL cert"
}
# Command-line smoke test for the certificate chain.
#
# Note for whoever runs it: s_client as written sends no SNI hostname. A load
# balancer serving several certificates may then present a different one, so
# if the chain looks wrong, add "-servername <fqdn>" before concluding the
# certificate itself is bad.
output "testing_sclient" {
  description = "Instructions for inspecting the served certificate with openssl s_client."
  value       = "Test this SSL by using openssl s_client -host ${aws_route53_record.myapp.fqdn} -port 443 and looking at the certs"
}