Создать SSL CRT и сопоставить с ELB | Terraform - PullRequest

Создание SSL CRT и сопоставление с ELB | Terraform

Я пытаюсь создать самозаверяющий сертификат и загрузить его в корзину S3. Но как мне связать этот SSL-сертификат с моим ELB? Если это делается через S3, как мне скачать эти pem-файлы из корзины S3 и использовать их в ELB? Ниже мой код:

Код cert.tf:

# Generated 16-character keystore password without special characters.
# Its value is persisted in Terraform state, so the state backend must be
# access-controlled and encrypted.
# NOTE(review): nothing in this listing references this resource; the
# configure_system template below reads var.app_keystore_password instead.
resource "random_string" "app_keystore_password" {
  special = false
  length  = 16
}

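# RSA private key shared by both self-signed certificates below and packaged
# into certs.zip. The PEM is stored unencrypted in Terraform state, so the
# state backend must be protected.
resource "tls_private_key" "key" {
  algorithm = "RSA"
  rsa_bits  = 2048 # provider default, made explicit so the key size is reviewable
}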

# Self-signed wildcard server certificate for the regional ELB hostname.
# This is the certificate that is packaged into certs.zip below.
resource "tls_self_signed_cert" "cert" {
  private_key_pem       = "${tls_private_key.key.private_key_pem}"
  key_algorithm         = "RSA"  # must match tls_private_key.key
  validity_period_hours = 87600  # 3650 days; no early_renewal_hours is set

  subject {
    country      = "COUNT"
    province     = "STATE"
    organization = "ORAG"
    common_name  = "*.${var.region}.elb.amazonaws.com"
  }

  dns_names = ["*.${var.region}.elb.amazonaws.com"]

  allowed_uses = ["key_encipherment", "digital_signature", "server_auth"]
}

# Bundles the private key and certificate into a zip on the local disk.
# The private key is written in plaintext to /tmp/certs.zip on the machine
# running Terraform; certificateChain.pem and trustedCertificates.pem both
# contain the same single self-signed certificate (tls_self_signed_cert.cert).
data "archive_file" "certs" {
  output_path = "/tmp/certs.zip"
  type        = "zip"

  source {
    filename = "privateKey.pem"
    content  = "${tls_private_key.key.private_key_pem}"
  }

  source {
    filename = "certificateChain.pem"
    content  = "${tls_self_signed_cert.cert.cert_pem}"
  }

  source {
    filename = "trustedCertificates.pem"
    content  = "${tls_self_signed_cert.cert.cert_pem}"
  }
}

# Second self-signed certificate with exactly the same subject, key and
# validity as tls_self_signed_cert.cert. It is still a distinct certificate
# (own serial and signature): clients that trust trustedCertificates.pem
# from certs.zip will not match a listener presenting this one.
resource "tls_self_signed_cert" "public_cert" {
  private_key_pem       = "${tls_private_key.key.private_key_pem}"
  key_algorithm         = "RSA"  # must match tls_private_key.key
  validity_period_hours = 87600  # 3650 days

  subject {
    country      = "COUNT"
    province     = "STATE"
    organization = "ORAG"
    common_name  = "*.${var.region}.elb.amazonaws.com"
  }

  dns_names = ["*.${var.region}.elb.amazonaws.com"]

  allowed_uses = ["key_encipherment", "digital_signature", "server_auth"]
}

# Renders the system bootstrap script. The keystore password is embedded in
# the rendered text, which is then uploaded to S3 below, so the object's
# bucket policy effectively guards the password.
data "template_file" "configure_system" {
  template = "${file("files/configure-system.sh.tpl")}"

  vars = {
    app_keystore_password = "${var.app_keystore_password}"
    bucket                = "services-${var.aws_account_id}-storage"
  }
}

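    # Uploads the rendered bootstrap script. Its content carries the keystore
    # password, so the object is now encrypted at rest (SSE-S3), matching the
    # certs object below; previously no server_side_encryption was set here.
    resource "aws_s3_bucket_object" "configure_system" {
      bucket                 = "services-${var.aws_account_id}-storage"
      key                    = "configure-system.sh"
      content                = "${data.template_file.configure_system.rendered}"
      etag                   = "${md5(data.template_file.configure_system.rendered)}"
      server_side_encryption = "AES256" # consistent with aws_s3_bucket_object.certs
    }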

# Uploads certs.zip (which includes the private key) to the storage bucket
# with SSE-S3. Anyone with read access to this key prefix can read the key.
resource "aws_s3_bucket_object" "certs" {
  bucket                 = "services-${var.aws_account_id}-storage"
  key                    = "${var.app_certs_archive_path}/certs.zip"
  source                 = "/tmp/certs.zip"
  server_side_encryption = "AES256"
}

Ниже мой ресурс aws_lb_listener:

# Internal load balancer spanning the two application subnets.
resource "aws_lb" "master" {
  internal        = true
  name            = "lb"
  subnets         = ["${data.aws_subnet.app_subnet_0.id}", "${data.aws_subnet.app_subnet_1.id}"]
  security_groups = ["${aws_security_group.sg.id}"]

  tags = {
    Environment = "${var.environment}"
    Name        = "ca"
  }
}

# HTTPS listener on 443 forwarding to the master target group.
# certificate_arn is still the question's placeholder; it has to be the ARN
# of a certificate stored in ACM (or IAM), not a file in S3.
# ELBSecurityPolicy-2016-08 still negotiates TLS 1.0/1.1; a TLS-1.2-only
# policy such as ELBSecurityPolicy-TLS-1-2-2017-01 is preferable even on an
# internal load balancer.
resource "aws_lb_listener" "master_lb_listener" {
  load_balancer_arn = "${aws_lb.master.arn}"
  protocol          = "HTTPS"
  port              = "443"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = "WHAT SHOULD BE MY VALUE...?"

  default_action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.master_lb_tg.arn}"
  }
}

1 Ответ


Вы можете использовать aws_acm_certificate, и тогда скачивать сертификат из S3 не нужно: https://www.terraform.io/docs/providers/aws/r/acm_certificate.html

# Imports the self-signed key pair into ACM so the listener can reference it
# by ARN; nothing has to be downloaded from S3. ACM does not renew imported
# certificates, so the 87600-hour validity set on the cert is the only
# lifetime control. Note this imports public_cert, while certs.zip carries
# the separate tls_self_signed_cert.cert.
resource "aws_acm_certificate" "cert" {
  certificate_body = "${tls_self_signed_cert.public_cert.cert_pem}"
  private_key      = "${tls_private_key.key.private_key_pem}"
}

и укажите его в качестве сертификата слушателя LB:

...
    certificate_arn         =   "${aws_acm_certificate.cert.arn}"
...