On AWS, using Terraform it has become possible to add multiple SSL certificates to ALB listeners. I can do this by creating a listener resource and creating multiple aws_lb_listener_certificate resources.
So something like this works fine:
resource "aws_alb_listener" "alb_listener" {
  load_balancer_arn = aws_alb.alb.arn
  port              = 443
  protocol          = "HTTPS"
  # an HTTPS listener also needs a certificate_arn (omitted here)
  default_action {
    target_group_arn = aws_alb_target_group.alb_target_group.arn
    type             = lookup(var.alb_listener, "action")
  }
}
resource "aws_lb_listener_certificate" "testme_ssl_cert" {
  listener_arn    = aws_alb_listener.alb_listener.arn
  certificate_arn = data.aws_acm_certificate.testme.arn
}
But I am trying to reduce the amount of code I am using to do this by building my listeners from config. So I can build my listeners from a map variable like this, and that works fine.
resource "aws_lb_listener" "encrypted_listener" {
  for_each          = var.ssl_forwarding
  load_balancer_arn = aws_alb.alb.arn
  port              = each.key
  protocol          = each.value
  certificate_arn   = lookup(var.default_certificate, each.key)
  default_action {
    target_group_arn = aws_alb_target_group.alb_target_group.arn
    type             = "forward"
  }
}
variable "ssl_forwarding" {
  default = {
    443  = "HTTPS"
    8081 = "HTTPS"
  }
}
Now I want to add the rest of the certificates to the listeners I have just created.
So I need something that looks like this (I think):
variable "additional_certificates" {
  default = [
    "arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a", # cert 1
    "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a", # cert 2
  ]
}
resource "aws_lb_listener_certificate" "ssl_certs" {
  listener_arn    = # for every listener that I just created
  certificate_arn = # add every certificate in additional_certificates
}
I don't understand how to deal with the multiplicity of the listeners, the multiplicity of the certificates, and finally the multiplicity of the certificates combined with the multiplicity of the listeners.
All suggestions on how to attack this problem appreciated. Suggestions of workarounds appreciated too. Thanks.
Update: Thanks for the answer from Marcin... but that only allows me to add one extra SSL cert. I think the var is going to look like this... so I can add n certificates to n load balancers.
variable "additional_certificates" {
  default = {
    443 = [
      "arn:aws:acm:eu-west-1:blah_blah_ect1",
      "arn:aws:acm:eu-west-1:blah_blah_ect2",
      "arn:aws:acm:eu-west-1:blah_blah_ect....n", # could be any number of certs here
    ]
    8081 = ["arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"]
  }
}
I assume that your aws_lb_listener.encrypted_listener is valid and works, as it's not specified otherwise in the question. Also, it would be better if additional_certificates was a map, as you are using a map for ssl_forwarding. Thus, your ssl_certs could be:
variable "additional_certificates" {
  default = {
    443  = "arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a",
    8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
  }
}
resource "aws_lb_listener_certificate" "ssl_certs" {
  for_each        = aws_lb_listener.encrypted_listener
  listener_arn    = each.value.arn
  certificate_arn = var.additional_certificates[each.key]
}
Update
If you can have a random number of ports with a random number of certs, I can propose the following:
variable "additional_certificates" {
  default = {
    443 = [
      "arn:aws:acm:eu-west-1:blah_blah_ect1",
      "arn:aws:acm:eu-west-1:blah_blah_ect2",
      "arn:aws:acm:eu-west-1:blah_blah_ect....n"
    ]
    8081 = ["arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"]
    9999 = [
      "arn:aws:acm:eu-west-1:blah_blach_ect-223332",
      "arn:aws:acm:eu-west-1:blah_blach_ect-22222"
    ]
  }
}
locals {
  # flatten the additional_certificates: one map per port (keyed
  # "<port>-<cert>"), then merge all the per-port maps into one
  additional_certificates_flat = merge([
    for port, certs in var.additional_certificates :
    { for cert in certs :
      "${port}-${cert}" => { "port" = port, "cert" = cert }
    }
  ]...)
}
The var.additional_certificates flattened into local.additional_certificates_flat will be:
{
  "443-arn:aws:acm:eu-west-1:blah_blah_ect....n" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blah_ect....n"
    "port" = "443"
  }
  "443-arn:aws:acm:eu-west-1:blah_blah_ect1" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blah_ect1"
    "port" = "443"
  }
  "443-arn:aws:acm:eu-west-1:blah_blah_ect2" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blah_ect2"
    "port" = "443"
  }
  "8081-arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
    "port" = "8081"
  }
  "9999-arn:aws:acm:eu-west-1:blah_blach_ect-22222" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-22222"
    "port" = "9999"
  }
  "9999-arn:aws:acm:eu-west-1:blah_blach_ect-223332" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-223332"
    "port" = "9999"
  }
}
Then,
resource "aws_lb_listener_certificate" "ssl_certs" {
  for_each        = local.additional_certificates_flat
  listener_arn    = aws_lb_listener.encrypted_listener[each.value.port].arn
  certificate_arn = each.value.cert
}
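The following is an added example, not code from the question or from Marcin's answer. It pulls the whole pattern into one configuration: the port-to-protocol map, the per-listener default certificate, the flattened (port, certificate) cross product, and the aws_lb_listener_certificate resource that consumes it. Two things the thread does not cover are added: an explicit ssl_policy on the listener (the question's listener omits it, so it would fall back to the provider default, which still negotiates TLS 1.0 and 1.1), and a precondition that turns a port listed in additional_certificates but missing from ssl_forwarding into a readable error instead of an "invalid index" failure on the listener_arn line. Assumptions: Terraform 1.2 or later (for lifecycle preconditions), the same aws_alb.alb and aws_alb_target_group.alb_target_group resources the question references, and placeholder certificate ARNs that must be replaced with real ACM certificates.

```hcl
# Added example; assumes aws_alb.alb and aws_alb_target_group.alb_target_group
# exist elsewhere in the configuration. All ARNs below are placeholders.

variable "ssl_forwarding" {
  type = map(string) # port => protocol
  default = {
    "443"  = "HTTPS"
    "8081" = "HTTPS"
  }
}

variable "default_certificate" {
  type        = map(string) # port => certificate used in the listener itself
  description = "Placeholder ARNs; replace with real ACM certificate ARNs."
  default = {
    "443"  = "arn:aws:acm:eu-west-1:111122223333:certificate/default-443"
    "8081" = "arn:aws:acm:eu-west-1:111122223333:certificate/default-8081"
  }
}

variable "additional_certificates" {
  type = map(list(string)) # port => extra certificates served via SNI
  default = {
    "443" = [
      "arn:aws:acm:eu-west-1:111122223333:certificate/extra-443-a",
      "arn:aws:acm:eu-west-1:111122223333:certificate/extra-443-b",
    ]
    "8081" = ["arn:aws:acm:eu-west-1:111122223333:certificate/extra-8081-a"]
  }
}

resource "aws_lb_listener" "encrypted_listener" {
  for_each          = var.ssl_forwarding
  load_balancer_arn = aws_alb.alb.arn
  port              = each.key
  protocol          = each.value
  certificate_arn   = var.default_certificate[each.key]

  # Without ssl_policy the listener uses the provider default
  # (ELBSecurityPolicy-2016-08), which still allows TLS 1.0/1.1.
  # Pin a TLS 1.2+/1.3 policy explicitly.
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.alb_target_group.arn
  }
}

locals {
  # Same cross product as the answer's merge([...]...), built with flatten():
  # one object per (port, certificate) pair, keyed so for_each can use it.
  additional_certificates_flat = {
    for pair in flatten([
      for port, certs in var.additional_certificates : [
        for cert in certs : { port = port, cert = cert }
      ]
    ]) : "${pair.port}-${pair.cert}" => pair
  }
}

resource "aws_lb_listener_certificate" "ssl_certs" {
  for_each        = local.additional_certificates_flat
  listener_arn    = aws_lb_listener.encrypted_listener[each.value.port].arn
  certificate_arn = each.value.cert

  lifecycle {
    # A port with extra certificates but no listener would otherwise fail
    # with an opaque "invalid index" on listener_arn; fail clearly instead.
    precondition {
      condition     = contains(keys(var.ssl_forwarding), each.value.port)
      error_message = "Port ${each.value.port} in additional_certificates has no listener in ssl_forwarding."
    }
  }
}
```

Quoting the map keys ("443" rather than 443) keeps the for_each keys, the default_certificate lookup and the listener index all the same string type, so no implicit number-to-string conversion is involved when the three maps are joined. Using each certificate ARN in the for_each key means adding or removing one certificate changes only that one resource address in state; the other aws_lb_listener_certificate resources are left untouched on the next plan.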