How do I add a list of ssl certificates to a list of alb listeners I have created using one of the Terraform for loop constructs?

On AWS, multiple SSL certificates can be added to an ALB listener using Terraform. I can do this by creating the listener resource and then creating several aws_lb_listener_certificate resources.

So something like this works fine:

    resource "aws_alb_listener" "alb_listener" {
      load_balancer_arn = aws_alb.alb.arn
      port              = 443
      protocol          = "HTTPS"
      default_action {
        target_group_arn = aws_alb_target_group.alb_target_group.arn
        type             = lookup(var.alb_listener, "action")
      }
    }

    resource "aws_lb_listener_certificate" "testme_ssl_cert" {
      listener_arn    = aws_alb_listener.alb_listener.arn
      certificate_arn = data.aws_acm_certificate.testme.arn
    }

But I am trying to reduce the amount of code I use to do this by building my listeners from configuration. So I can build my listeners from a map variable like this. This works fine.

    resource "aws_lb_listener" "encrypted_listener" {
      for_each = var.ssl_forwarding

      load_balancer_arn = aws_alb.alb.arn
      port              = each.key
      protocol          = each.value
      certificate_arn   = lookup(var.default_certificate, each.key)
      default_action {
        target_group_arn = aws_alb_target_group.alb_target_group.arn
        type             = "forward"
      }
    }

    variable "ssl_forwarding" {
      default = {
        443  = "HTTPS"
        8081 = "HTTPS"
      }
    }

Now I want to add the rest of the certificates to the listeners I have just created.

So I need something that looks like this (I think):

    variable "additional_certificates" {
      default = [
        "arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a", # cert 1
        "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a", # cert 2
      ]
    }

    resource "aws_lb_listener_certificate" "ssl_certs" {
      listener_arn    = // for every listener that I just created
      certificate_arn = // add every certificate in additional_certificates
    }

I don't understand how to deal with the plurality of listeners, the plurality of certificates, and finally the plurality of certificates in relation to the plurality of listeners.

All suggestions on how to solve this are appreciated. Suggestions for workarounds are also appreciated. Thanks.....

Update: thanks to Marcin for the answer... but that only lets me add one additional SSL cert. I think the var would look something like this... so that I can add n certificates to n load balancers.

    variable "additional_certificates" {
      default = {
        443 = [
          "arn:aws:acm:eu-west-1:blah_blah_ect1",
          "arn:aws:acm:eu-west-1:blah_blah_ect2",
          "arn:aws:acm:eu-west-1:blah_blah_ect....n", // could be any number of certs here
        ]
        8081 = ["arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"]
      }
    }

Answer (Marcin):

I am assuming that your aws_lb_listener.encrypted_listener is valid and works, as the question does not specify otherwise. Also, it would be better if additional_certificates were a map, since you use a map for ssl_forwarding. Thus, your ssl_certs could be:

variable "additional_certificates" {
     default = {
       443 = "arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a",
       8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
    }
}

resource "aws_lb_listener_certificate" "ssl_certs" {
  for_each = aws_lb_listener.encrypted_listener

  listener_arn    = each.value.arn
  certificate_arn = var.additional_certificates[each.key]
}

Update

If you can have an arbitrary number of ports and an arbitrary number of certificates, I can suggest the following:

variable "additional_certificates" {
  default = {
    443 = [
      "arn:aws:acm:eu-west-1:blah_blah_ect1",
      "arn:aws:acm:eu-west-1:blah_blah_ect2",
      "arn:aws:acm:eu-west-1:blah_blah_ect....n",
    ]
    8081 = ["arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"]
    9999 = [
      "arn:aws:acm:eu-west-1:blah_blach_ect-223332",
      "arn:aws:acm:eu-west-1:blah_blach_ect-22222",
    ]
  }
}


locals {
  # flatten the additional_certificates
  additional_certificates_flat = merge([
      for port, certs in var.additional_certificates:
        {for cert in certs: 
          "${port}-${cert}" => {"port" = port, "cert" = cert}
        }
  ]...)

}

The flattened form of var.additional_certificates, as local.additional_certificates_flat, will be:

{
  "443-arn:aws:acm:eu-west-1:blah_blah_ect....n" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blah_ect....n"
    "port" = "443"
  }
  "443-arn:aws:acm:eu-west-1:blah_blah_ect1" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blah_ect1"
    "port" = "443"
  }
  "443-arn:aws:acm:eu-west-1:blah_blah_ect2" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blah_ect2"
    "port" = "443"
  }
  "8081-arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
    "port" = "8081"
  }
  "9999-arn:aws:acm:eu-west-1:blah_blach_ect-22222" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-22222"
    "port" = "9999"
  }
  "9999-arn:aws:acm:eu-west-1:blah_blach_ect-223332" = {
    "cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-223332"
    "port" = "9999"
  }
}

Then,

resource "aws_lb_listener_certificate" "ssl_certs" {
  for_each = local.additional_certificates_flat

  listener_arn    = aws_lb_listener.encrypted_listener[each.value.port].arn
  certificate_arn = each.value.cert
}
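The flatten-then-for_each pattern above attaches per-port certificates; the original question also asked for the cross-product case, every additional certificate on every listener. The following is an added example (not Marcin's code and not from the question) that covers both shapes in one map, deduplicates certificates that appear in both, and fails the plan early, with a readable message, if a port in the certificate map has no matching listener. It assumes the aws_lb_listener.encrypted_listener resource from the question exists with for_each over var.ssl_forwarding; the variable shared_certificates and the ARN placeholders are hypothetical.

```hcl
variable "ssl_forwarding" {
  type = map(string)
  default = {
    443  = "HTTPS"
    8081 = "HTTPS"
  }
}

# Hypothetical variable: certificates to attach to every HTTPS listener,
# whichever port it uses (the "every cert on every listener" case).
variable "shared_certificates" {
  type    = list(string)
  default = ["arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER-shared"]
}

# Per-port extras, typed so a bare string instead of a list is rejected at plan time.
variable "additional_certificates" {
  type = map(list(string))
  default = {
    443  = ["arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER-1"]
    8081 = ["arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER-2"]
  }

  validation {
    condition = alltrue([
      for port, certs in var.additional_certificates : length(certs) == length(distinct(certs))
    ])
    error_message = "A port's certificate list must not contain duplicate ARNs."
  }
}

locals {
  # (port, cert) pairs from the shared list: one pair per listener port per cert.
  shared_pairs = {
    for pair in setproduct(keys(var.ssl_forwarding), var.shared_certificates) :
    "${pair[0]}-${pair[1]}" => { port = pair[0], cert = pair[1] }
  }

  # (port, cert) pairs from the per-port map, same flatten as in the answer.
  per_port_pairs = merge([
    for port, certs in var.additional_certificates : {
      for cert in certs : "${port}-${cert}" => { port = port, cert = cert }
    }
  ]...)

  # merge() keeps one entry per key, so a cert listed both ways is attached once.
  listener_certificates = merge(local.shared_pairs, local.per_port_pairs)
}

resource "aws_lb_listener_certificate" "ssl_certs" {
  for_each = local.listener_certificates

  listener_arn    = aws_lb_listener.encrypted_listener[each.value.port].arn
  certificate_arn = each.value.cert

  lifecycle {
    # Fail with a clear message instead of an opaque index error when the
    # certificate map names a port that has no listener.
    precondition {
      condition     = contains(keys(var.ssl_forwarding), each.value.port)
      error_message = "additional_certificates references a port with no listener in var.ssl_forwarding."
    }
  }
}
```

Because map keys in Terraform are always strings, the numeric-looking keys in both variables compare as "443" and "8081", which is why the index into aws_lb_listener.encrypted_listener and the contains() check line up without conversion. The resource keys ("443-arn:...") stay stable when certificates are added or removed, so a change to one port's list only creates or destroys that port's attachments.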
