
How to Create and Validate an AWS Certificate with Terraform

I am attempting to create and validate an AWS Certificate using Terraform by following the example from the Terraform documentation here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation#dns-validation-with-route-53

My Terraform file looks like:

resource "aws_acm_certificate" "vpn_server" {
  domain_name = "stuff.mine.com"
  
  validation_method = "DNS"

  tags = {
    Name = "certificate"
    Scope = "vpn_server"
    Environment = "vpn"
  }
}

resource "aws_acm_certificate_validation" "vpn_server" {
  certificate_arn = aws_acm_certificate.vpn_server.arn

  validation_record_fqdns = [for record in aws_route53_record.my_dns_record_vpn_server : record.fqdn]

  timeouts {
    create = "2m"
  }
}

resource "aws_route53_zone" "my_dns" {
  name = "stuff.mine.com"

  tags = {
    name = "dns_zone"
  }
}


resource "aws_route53_record" "my_dns_record_vpn_server" {
  for_each = {
    for dvo in aws_acm_certificate.vpn_server.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = resource.aws_route53_zone.my_dns.zone_id
}

The problem is that when running `terraform apply` the validation always reaches the time-out and fails with these error messages:

aws_acm_certificate.vpn_server: Creating...
aws_acm_certificate.vpn_server: Creation complete after 8s [id=arn:aws:acm:eu-west-2:320289993971:certificate/7e859491-141f-49d5-b50e-c44cf4e1db4e]
aws_route53_zone.my_dns: Creating...
aws_route53_zone.my_dns: Still creating... [10s elapsed]
aws_route53_zone.my_dns: Creation complete after 52s [id=Z09112516IIP4OEAIIQ7]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creating...
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [10s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [20s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [30s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [40s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [50s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creation complete after 58s [id=Z09112516IIP4OEAIIQ7__ebd2853fcbfc7cc8bd6582e65d940d54.stuff.mine.com._CNAME]
aws_acm_certificate_validation.vpn_server: Creating...
aws_acm_certificate_validation.vpn_server: Still creating... [10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m0s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [2m0s elapsed]

╷
│ Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
│
│   with aws_acm_certificate_validation.vpn_server,
│   on main.tf line 61, in resource "aws_acm_certificate_validation" "vpn_server":
│   61: resource "aws_acm_certificate_validation" "vpn_server" {
│
╵

Can someone tell me what I am missing to get the Certificate Validation to complete?

The domain validation records need to be in a public zone that is properly delegated. So if you owned mine.com and then wanted to create a zone called stuff.mine.com, you would need to set NS records in mine.com for stuff.mine.com that point to the stuff.mine.com zone's NS servers, which you aren't doing here, and you aren't using an already configured zone either.

Without that, the records will be created in your zone, but that zone isn't properly delegated and so nothing will ever be able to resolve those records. You should be able to test this by attempting to resolve them yourself or by using an external resolver tool such as MX Toolbox.

There's probably a lot to consider here, but you might want to set up a zone that will contain the eventual records you want to create (so the record pointing to the web server/load balancer that you want the certificate for, plus the ACM domain validation records) separately, and then just refer to the zone by using the `aws_route53_zone` data source so your domain validation records are created there.
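The two fixes the answer describes, written out as an added example (not the asker's or answerer's configuration): option A creates the validation records in an already delegated zone looked up through the `aws_route53_zone` data source; option B keeps a separate `stuff.mine.com` zone but delegates it from the parent with an NS record. `mine.com` is assumed to be the zone whose name servers are set at the registrar.

```hcl
# Option A: put the validation records in a zone that is already delegated,
# found with the data source instead of creating a fresh, undelegated zone.
data "aws_route53_zone" "public" {
  name         = "mine.com." # assumed: the zone delegated at the registrar
  private_zone = false
}

resource "aws_acm_certificate" "vpn_server" {
  domain_name       = "stuff.mine.com"
  validation_method = "DNS"
}

resource "aws_route53_record" "vpn_server_validation" {
  for_each = {
    for dvo in aws_acm_certificate.vpn_server.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  # The delegated zone, so public resolvers (and ACM) can see the CNAME.
  zone_id         = data.aws_route53_zone.public.zone_id
}

resource "aws_acm_certificate_validation" "vpn_server" {
  certificate_arn         = aws_acm_certificate.vpn_server.arn
  validation_record_fqdns = [for r in aws_route53_record.vpn_server_validation : r.fqdn]
}

# Option B: if a separate child zone is wanted, it must be delegated from the
# parent with an NS record listing the child zone's assigned name servers.
resource "aws_route53_zone" "child" {
  name = "stuff.mine.com"
}

resource "aws_route53_record" "child_delegation" {
  zone_id = data.aws_route53_zone.public.zone_id # parent zone
  name    = "stuff.mine.com"
  type    = "NS"
  ttl     = 300
  records = aws_route53_zone.child.name_servers
}
```

With option B the validation records would then go into `aws_route53_zone.child` instead of the parent; either way, confirm the CNAME resolves from an external resolver before expecting ACM to issue.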
