如何将 ssl 证书列表添加到我使用 Terraform 之一为循环构造创建的 alb 侦听器列表中?
[英]How do I add a list of ssl certificates to a list of of alb listeners I have created using one of the Terraform for loop contstructs?
问题描述
On AWS, using Terraform it has become possible to add multiple ssl certificates to ALB listerners.
在 AWS 上,使用 Terraform 可以将多个 ssl 证书添加到 ALB 侦听器。 I can do this by creating a listener resource and creating multiple aws_lb_listener_certificate resources.我可以通过创建侦听器资源并创建多个 aws_lb_listener_certificate 资源来做到这一点。
So something like this works fine:所以像这样的东西很好用:
resource "aws_alb_listener" "alb_listener" {
load_balancer_arn = aws_alb.alb.arn
port = 443
protocol = "HTTPS"
default_action {
target_group_arn = aws_alb_target_group.alb_target_group.arn
type = lookup(var.alb_listener, "action")
}
}
resource "aws_lb_listener_certificate" "testme_ssl_cert" {
listener_arn = "${aws_alb_listener.alb_listener.arn}"
certificate_arn = "${data.aws_acm_certificate.testme.arn}"
}
But I am trying to reduce the amount of code I am using to do this by building my listeners from config.但是我试图通过从配置中构建我的侦听器来减少我用来执行此操作的代码量。 So I can build my listeners from a map variable like this.所以我可以像这样从 map 变量构建我的听众。 And that works fine.这很好用。
resource "aws_lb_listener" "encrypted_listener" {
load_balancer_arn = aws_alb.alb.arn
for_each = var.ssl_forwarding
port = each.key
protocol = each.value
certificate_arn = lookup(var.default_certificate,each.key)
default_action {
target_group_arn = aws_alb_target_group.alb_target_group.arn
type = "forward"
}
}
variable "ssl_forwarding" {
default = {
443 = "HTTPS"
8081 = "HTTPS"
}
Now I want to add the rest of the certificates to the listeners I have just created.现在我想将证书的 rest 添加到我刚刚创建的侦听器中。
So I need something that looks like this (I think):
variable "additional_certificates" {
default=[
"arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a", #cert 1
"arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a", #cert 2
]
}
resource "aws_lb_listener_certificate" "ssl_certs"
listener_arn = //for every listener that I just created
certificate_arn = //add every certificate in additional_certificates
}
I don't understand how to deal with the multiplicy of the listeners.我不明白如何处理听众的多样性。 The multiplicity of the certificates.证书的多样性。 And finally the multiplicity of the certiticates with the multiplicity of the listeners.最后,证书的多样性与听众的多样性有关。
** All suggestions on how to attack this problem appreciated. **所有关于如何解决这个问题的建议表示赞赏。 Suggestions of work arounds apprecited too.变通方法的建议也受到赞赏。 Thanks.....谢谢.....
Update: Thanks foranswer from Marcin... but that only allows me add to add one extra SSL cer.更新:感谢 Marcin 的回答...但这只允许我添加一个额外的 SSL cer。 I think var is going to look like this... so I can add n certificates to n load balancers.我认为 var 看起来像这样......所以我可以将 n 个证书添加到 n 个负载均衡器。
variable "additional_certificates" {
default = {
443 = ["arn:aws:acm:eu-west-1:blah_blah_ect1",
"arn:aws:acm:eu-west-1:blah_blah_ect2"
""arn:aws:acm:eu-west-1:blah_blah_ect....n" //could be any number of certs here
]
8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
}
1 个解决方案
解决方案1
1 已采纳 2021-02-18 22:44:16
I assume that your aws_lb_listener.encrypted_listener is valid and it works, as its not specified otherwise in the question.我假设您的aws_lb_listener.encrypted_listener是有效的并且它可以工作,因为它没有在问题中另行指定。 ALso it would be better if additional_certificates was a map, as you are using map for ssl_forwarding .另外,如果additional_certificates是 map 会更好,因为您将 map 用于ssl_forwarding 。 Thus, your ssl_certs could be:因此,您的ssl_certs可能是:
variable "additional_certificates" {
default = {
443 = "arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a",
8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
}
}
resource "aws_lb_listener_certificate" "ssl_certs" {
for_each = aws_lb_listener.encrypted_listener
listener_arn = each.value.arn
certificate_arn = var.additional_certificates[each.key]
}
Update更新
If you can have random number of ports with random number of certs, I can propose the following:如果您可以拥有随机数量的端口和随机数量的证书,我可以提出以下建议:
variable "additional_certificates" {
default = {
443 = ["arn:aws:acm:eu-west-1:blah_blah_ect1",
"arn:aws:acm:eu-west-1:blah_blah_ect2",
"arn:aws:acm:eu-west-1:blah_blah_ect....n"
]
8081 = ["arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"]
9999 = ["arn:aws:acm:eu-west-1:blah_blach_ect-223332",
"arn:aws:acm:eu-west-1:blah_blach_ect-22222"]
}
}
locals {
# flatten the additional_certificates
additional_certificates_flat = merge([
for port, certs in var.additional_certificates:
{for cert in certs:
"${port}-${cert}" => {"port" = port, "cert" = cert}
}
]...)
}
The var.additional_certificates flattened into local.additional_certificates_flat will be:扁平化为local.additional_certificates_flat的var.additional_certificates将是:
{
"443-arn:aws:acm:eu-west-1:blah_blah_ect....n" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect....n"
"port" = "443"
}
"443-arn:aws:acm:eu-west-1:blah_blah_ect1" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect1"
"port" = "443"
}
"443-arn:aws:acm:eu-west-1:blah_blah_ect2" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect2"
"port" = "443"
}
"8081-arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
"port" = "8081"
}
"9999-arn:aws:acm:eu-west-1:blah_blach_ect-22222" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-22222"
"port" = "9999"
}
"9999-arn:aws:acm:eu-west-1:blah_blach_ect-223332" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-223332"
"port" = "9999"
}
}
Then,然后,
resource "aws_lb_listener_certificate" "ssl_certs" {
for_each = local.additional_certificates_flat
listener_arn = aws_lb_listener.encrypted_listener[each.value.port].arn
certificate_arn = each.value.cert
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.