我使用 Terraform 提供一个由以下人员组成的应用程序:
当我第一次完成证书管理器配置以在 CloudFront 上使用 SSL 证书时,它成功运行并且我可以在我的浏览器中正确定位 https://app_name.dns.com。
然后,我想将此证书用于我的 Beanstalk API,但没有成功。如果我很好理解,我认为可以对 DNS 的所有子域使用相同的证书。
要了解有关我的基础架构的更多信息,您可以在上面查看我的 Terraform 配置:
我的证书:
resource "aws_acm_certificate" "certificate" {
domain_name = var.dns
subject_alternative_names = [var.dns, "*.${var.dns}", "*.*.${var.dns}"]
validation_method = "DNS"
tags = {
Environment = var.project_env
Name = var.project_name
}
lifecycle {
create_before_destroy = true
}
}
resource "aws_acm_certificate_validation" "certificate_validation" {
certificate_arn = "${aws_acm_certificate.certificate.arn}"
validation_record_fqdns = [for record in aws_route53_record.route53_record_certificate : record.fqdn]
timeouts {
create = "2m"
}
}
我的route53记录是:
resource "aws_route53_record" "route53_record_api" {
allow_overwrite = true
name = "api.${var.project_ref}.${var.dns}"
type = "A"
zone_id = var.zone_id
alias {
name = "${aws_elastic_beanstalk_environment.beanstalk_env.cname}"
zone_id = data.aws_elastic_beanstalk_hosted_zone.beanstalk_hosted_zone.id
evaluate_target_health = false
}
}
resource "aws_route53_record" "route53_record_certificate" {
for_each = {
for dvo in aws_acm_certificate.certificate.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
allow_overwrite = true
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = var.zone_id
}
最后在我的资源配置中,由于每个特定配置,我尝试使用证书。 对于豆茎:
# Load balancing : ELB settings
setting {
namespace = "aws:elb:listener:443"
name = "ListenerProtocol"
value = "HTTPS"
}
setting {
namespace = "aws:elb:listener:443"
name = "InstancePort"
value = 80
}
setting {
namespace = "aws:elb:listener:443"
name = "SSLCertificateId"
value = aws_acm_certificate.certificate.arn
}
setting {
namespace = "aws:elb:listener:443"
name = "ListenerEnabled"
value = aws_acm_certificate.certificate.arn == "" ? "false" : "true"
}
对于CloudFront:
resource "aws_cloudfront_distribution" "cloudfront_s3_distribution" {
origin {
domain_name = aws_s3_bucket.s3_bucket_front.bucket_regional_domain_name
origin_id = aws_s3_bucket.s3_bucket_front.id
}
enabled = true
is_ipv6_enabled = true
comment = "Angular app build"
default_root_object = "index.html"
aliases = [var.dns, "*.${var.dns}", format("%s.%s", var.project_ref, var.dns)]
# [...]
viewer_certificate {
acm_certificate_arn = "${aws_acm_certificate.certificate.arn}"
ssl_support_method = "sni-only"
}
}
当我运行我的
terraform apply Error: requesting ACM Certificate (dns.com): ValidationException: 1 validation error detected: Value '[*.*.dns.com, *.dns.com, dns.com]' at 'subjectAlternativeNames' failed to satisfy constraint: Member must satisfy constraint: [Member must have length less than or equal to 253, Member must have length greater than or equal to 1, Member must satisfy regular expression pattern: ^(\*\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$]
│
│ with aws_acm_certificate.certificate,
│ on certificate.tf line 1, in resource "aws_acm_certificate" "certificate":
│ 1: resource "aws_acm_certificate" "certificate" {
是否真的可以对所有子域使用相同的 SSL 证书,例如:
谢谢