[英]How do I add a list of ssl certificates to a list of of alb listeners I have created using one of the Terraform for loop contstructs?
在 AWS 上,使用 Terraform 可以将多个 ssl 证书添加到 ALB 侦听器。 我可以通过创建侦听器资源并创建多个 aws_lb_listener_certificate 资源来做到这一点。
所以像这样的东西很好用:
resource "aws_alb_listener" "alb_listener" {
load_balancer_arn = aws_alb.alb.arn
port = 443
protocol = "HTTPS"
default_action {
target_group_arn = aws_alb_target_group.alb_target_group.arn
type = lookup(var.alb_listener, "action")
}
}
resource "aws_lb_listener_certificate" "testme_ssl_cert" {
listener_arn = "${aws_alb_listener.alb_listener.arn}"
certificate_arn = "${data.aws_acm_certificate.testme.arn}"
}
但是我试图通过从配置中构建我的侦听器来减少我用来执行此操作的代码量。 所以我可以像这样从 map 变量构建我的听众。 这很好用。
resource "aws_lb_listener" "encrypted_listener" {
load_balancer_arn = aws_alb.alb.arn
for_each = var.ssl_forwarding
port = each.key
protocol = each.value
certificate_arn = lookup(var.default_certificate,each.key)
default_action {
target_group_arn = aws_alb_target_group.alb_target_group.arn
type = "forward"
}
}
variable "ssl_forwarding" {
default = {
443 = "HTTPS"
8081 = "HTTPS"
}
现在我想将证书的 rest 添加到我刚刚创建的侦听器中。
So I need something that looks like this (I think):
variable "additional_certificates" {
default=[
"arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a", #cert 1
"arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a", #cert 2
]
}
resource "aws_lb_listener_certificate" "ssl_certs"
listener_arn = //for every listener that I just created
certificate_arn = //add every certificate in additional_certificates
}
我不明白如何处理听众的多样性。 证书的多样性。 最后,证书的多样性与听众的多样性有关。
**所有关于如何解决这个问题的建议表示赞赏。 变通方法的建议也受到赞赏。 谢谢.....
更新:感谢 Marcin 的回答...但这只允许我添加一个额外的 SSL cer。 我认为 var 看起来像这样......所以我可以将 n 个证书添加到 n 个负载均衡器。
variable "additional_certificates" {
default = {
443 = ["arn:aws:acm:eu-west-1:blah_blah_ect1",
"arn:aws:acm:eu-west-1:blah_blah_ect2"
""arn:aws:acm:eu-west-1:blah_blah_ect....n" //could be any number of certs here
]
8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
}
我假设您的aws_lb_listener.encrypted_listener是有效的并且它可以工作,因为它没有在问题中另行指定。 另外,如果additional_certificates是 map 会更好,因为您将 map 用于ssl_forwarding 。 因此,您的ssl_certs可能是:
variable "additional_certificates" {
default = {
443 = "arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a",
8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
}
}
resource "aws_lb_listener_certificate" "ssl_certs" {
for_each = aws_lb_listener.encrypted_listener
listener_arn = each.value.arn
certificate_arn = var.additional_certificates[each.key]
}
更新
如果您可以拥有随机数量的端口和随机数量的证书,我可以提出以下建议:
variable "additional_certificates" {
default = {
443 = ["arn:aws:acm:eu-west-1:blah_blah_ect1",
"arn:aws:acm:eu-west-1:blah_blah_ect2",
"arn:aws:acm:eu-west-1:blah_blah_ect....n"
]
8081 = ["arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"]
9999 = ["arn:aws:acm:eu-west-1:blah_blach_ect-223332",
"arn:aws:acm:eu-west-1:blah_blach_ect-22222"]
}
}
locals {
# flatten the additional_certificates
additional_certificates_flat = merge([
for port, certs in var.additional_certificates:
{for cert in certs:
"${port}-${cert}" => {"port" = port, "cert" = cert}
}
]...)
}
扁平化为local.additional_certificates_flat的var.additional_certificates将是:
{
"443-arn:aws:acm:eu-west-1:blah_blah_ect....n" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect....n"
"port" = "443"
}
"443-arn:aws:acm:eu-west-1:blah_blah_ect1" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect1"
"port" = "443"
}
"443-arn:aws:acm:eu-west-1:blah_blah_ect2" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect2"
"port" = "443"
}
"8081-arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
"port" = "8081"
}
"9999-arn:aws:acm:eu-west-1:blah_blach_ect-22222" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-22222"
"port" = "9999"
}
"9999-arn:aws:acm:eu-west-1:blah_blach_ect-223332" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-223332"
"port" = "9999"
}
}
然后,
resource "aws_lb_listener_certificate" "ssl_certs" {
for_each = local.additional_certificates_flat
listener_arn = aws_lb_listener.encrypted_listener[each.value.port].arn
certificate_arn = each.value.cert
}
如果我在 Cloudfront 上启用了 SSL,AWS ALB 是否需要 SSL?
[英]Is SSL required on AWS ALB if I have SSL enabled on Cloudfront?
如何使用 terraform 获取具有给定前缀的所有 S3 存储桶的列表?
[英]How do I get list of all S3 Buckets with given prefix using terraform?
试图找到我在 AWS Certificates 上创建的 ssl 证书
[英]trying to find my ssl certificate I created on AWS Certificates
我是否必须在 AWS Application Load Balancer 后面的 nginx.conf 文件中配置 SSL 证书文件?
[英]Do I have to configure SSL certificates files in nginx.conf file behind AWS Application Load Balancer?
将 Terraform 与 AWS 一起使用时,如何在 ALB 上对特定 URI 路径(或 URI 路径的正则表达式)设置速率限制
[英]When using Terraform with AWS, how can I set a rate limit on a specific URI path (or regex of a URI path) on an ALB
如何列出执行 Terraform 应用所需的所有 AWS IAM 操作?
[英]How do I list all AWS IAM actions required to perform a Terraform apply?
如何使用 Terraform 数据源来引用托管前缀列表?
[英]How Do I Use A Terraform Data Source To Reference A Managed Prefix List?
我使用 terraform 创建了一个 Cloudtrail,但它说我在部署后缺少 S3 存储桶策略
[英]I have created a Cloudtrail using terraform but it says I'm missing S3 bucket policy after deployment
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.