How do I add a list of SSL certificates to a list of ALB listeners I have created using one of the Terraform for loop constructs?
On AWS, using Terraform it has become possible to add multiple SSL certificates to ALB listeners. I can do this by creating a listener resource and creating multiple aws_lb_listener_certificate resources.
So something like this works fine:
resource "aws_alb_listener" "alb_listener" {
load_balancer_arn = aws_alb.alb.arn
port = 443
protocol = "HTTPS"
default_action {
target_group_arn = aws_alb_target_group.alb_target_group.arn
type = lookup(var.alb_listener, "action")
}
}
resource "aws_lb_listener_certificate" "testme_ssl_cert" {
listener_arn = "${aws_alb_listener.alb_listener.arn}"
certificate_arn = "${data.aws_acm_certificate.testme.arn}"
}
But I am trying to reduce the amount of code I am using to do this by building my listeners from config. So I can build my listeners from a map variable like this. And that works fine.
resource "aws_lb_listener" "encrypted_listener" {
load_balancer_arn = aws_alb.alb.arn
for_each = var.ssl_forwarding
port = each.key
protocol = each.value
certificate_arn = lookup(var.default_certificate,each.key)
default_action {
target_group_arn = aws_alb_target_group.alb_target_group.arn
type = "forward"
}
}
variable "ssl_forwarding" {
default = {
443 = "HTTPS"
8081 = "HTTPS"
}
}
Now I want to add the rest of the certificates to the listeners I have just created.
So I need something that looks like this (I think):
variable "additional_certificates" {
default=[
"arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a", #cert 1
"arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a", #cert 2
]
}
resource "aws_lb_listener_certificate" "ssl_certs" {
listener_arn = # for every listener that I just created
certificate_arn = # add every certificate in additional_certificates
}
I don't understand how to deal with the multiplicity of the listeners. The multiplicity of the certificates. And finally the multiplicity of the certificates with the multiplicity of the listeners.
** All suggestions on how to attack this problem appreciated. ** Suggestions of workarounds appreciated too. Thanks.....
Update: Thanks for the answer from Marcin... but that only allows me to add one extra SSL cert. I think var is going to look like this... so I can add n certificates to n load balancers.
variable "additional_certificates" {
default = {
443 = ["arn:aws:acm:eu-west-1:blah_blah_ect1",
"arn:aws:acm:eu-west-1:blah_blah_ect2",
"arn:aws:acm:eu-west-1:blah_blah_ect....n" # could be any number of certs here
]
8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
}
}
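For the case the question first describes, where every extra certificate should be attached to every HTTPS listener rather than a per-port list, the two multiplicities can be combined with setproduct. This is an added example and not part of the original post or its answers; it assumes the aws_lb_listener.encrypted_listener resource and the var.ssl_forwarding map from the question, and the certificate ARNs are constructed placeholders (port keys are written as quoted strings, which is what for_each keys become anyway).

```hcl
variable "additional_certificates" {
  type = list(string)
  default = [
    # constructed placeholder ARNs, not real certificates
    "arn:aws:acm:eu-west-1:111122223333:certificate/placeholder-1",
    "arn:aws:acm:eu-west-1:111122223333:certificate/placeholder-2",
  ]
}

locals {
  # Cross product of listener ports and certificates: one (port, cert) pair per
  # aws_lb_listener_certificate instance, keyed so that adding or removing a
  # certificate only touches that certificate's attachments, not the others.
  listener_cert_pairs = {
    for pair in setproduct(keys(var.ssl_forwarding), var.additional_certificates) :
    "${pair[0]}-${pair[1]}" => { port = pair[0], cert = pair[1] }
  }
}

resource "aws_lb_listener_certificate" "ssl_certs" {
  for_each        = local.listener_cert_pairs
  listener_arn    = aws_lb_listener.encrypted_listener[each.value.port].arn
  certificate_arn = each.value.cert
}
```

Keying the map by port and ARN (instead of using count over a list) matters operationally: with count, removing the first certificate from the list would renumber every later attachment and make Terraform detach and re-attach certificates that did not change. Note that the listener's own certificate_arn remains the default certificate, which is the one served to clients that do not send SNI; the attachments added here are only selected via SNI.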
I assume that your aws_lb_listener.encrypted_listener is valid and it works, as it's not specified otherwise in the question. Also it would be better if additional_certificates was a map, as you are using a map for ssl_forwarding. Thus, your ssl_certs could be:
variable "additional_certificates" {
default = {
443 = "arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a",
8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
}
}
resource "aws_lb_listener_certificate" "ssl_certs" {
for_each = aws_lb_listener.encrypted_listener
listener_arn = each.value.arn
certificate_arn = var.additional_certificates[each.key]
}
Update
If you can have a random number of ports with a random number of certs, I can propose the following:
variable "additional_certificates" {
default = {
443 = ["arn:aws:acm:eu-west-1:blah_blah_ect1",
"arn:aws:acm:eu-west-1:blah_blah_ect2",
"arn:aws:acm:eu-west-1:blah_blah_ect....n"
]
8081 = ["arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"]
9999 = ["arn:aws:acm:eu-west-1:blah_blach_ect-223332",
"arn:aws:acm:eu-west-1:blah_blach_ect-22222"]
}
}
locals {
# flatten the additional_certificates
additional_certificates_flat = merge([
for port, certs in var.additional_certificates:
{for cert in certs:
"${port}-${cert}" => {"port" = port, "cert" = cert}
}
]...)
}
The var.additional_certificates flattened into local.additional_certificates_flat will be:
{
"443-arn:aws:acm:eu-west-1:blah_blah_ect....n" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect....n"
"port" = "443"
}
"443-arn:aws:acm:eu-west-1:blah_blah_ect1" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect1"
"port" = "443"
}
"443-arn:aws:acm:eu-west-1:blah_blah_ect2" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect2"
"port" = "443"
}
"8081-arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
"port" = "8081"
}
"9999-arn:aws:acm:eu-west-1:blah_blach_ect-22222" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-22222"
"port" = "9999"
}
"9999-arn:aws:acm:eu-west-1:blah_blach_ect-223332" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-223332"
"port" = "9999"
}
}
Then,
resource "aws_lb_listener_certificate" "ssl_certs" {
for_each = local.additional_certificates_flat
listener_arn = aws_lb_listener.encrypted_listener[each.value.port].arn
certificate_arn = each.value.cert
}