![](/img/trans.png)
[英]Is SSL required on AWS ALB if I have SSL enabled on Cloudfront?
[英]How do I add a list of ssl certificates to a list of of alb listeners I have created using one of the Terraform for loop contstructs?
在 AWS 上,使用 Terraform 可以將多個 ssl 證書添加到 ALB 偵聽器。 我可以通過創建偵聽器資源並創建多個 aws_lb_listener_certificate 資源來做到這一點。
所以像這樣的東西很好用:
resource "aws_alb_listener" "alb_listener" {
load_balancer_arn = aws_alb.alb.arn
port = 443
protocol = "HTTPS"
default_action {
target_group_arn = aws_alb_target_group.alb_target_group.arn
type = lookup(var.alb_listener, "action")
}
}
resource "aws_lb_listener_certificate" "testme_ssl_cert" {
listener_arn = "${aws_alb_listener.alb_listener.arn}"
certificate_arn = "${data.aws_acm_certificate.testme.arn}"
}
但是我試圖通過從配置中構建我的偵聽器來減少我用來執行此操作的代碼量。 所以我可以像這樣從 map 變量構建我的聽眾。 這很好用。
resource "aws_lb_listener" "encrypted_listener" {
load_balancer_arn = aws_alb.alb.arn
for_each = var.ssl_forwarding
port = each.key
protocol = each.value
certificate_arn = lookup(var.default_certificate,each.key)
default_action {
target_group_arn = aws_alb_target_group.alb_target_group.arn
type = "forward"
}
}
variable "ssl_forwarding" {
default = {
443 = "HTTPS"
8081 = "HTTPS"
}
現在我想將證書的 rest 添加到我剛剛創建的偵聽器中。
So I need something that looks like this (I think):
variable "additional_certificates" {
default=[
"arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a", #cert 1
"arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a", #cert 2
]
}
resource "aws_lb_listener_certificate" "ssl_certs"
listener_arn = //for every listener that I just created
certificate_arn = //add every certificate in additional_certificates
}
我不明白如何處理聽眾的多樣性。 證書的多樣性。 最后,證書的多樣性與聽眾的多樣性有關。
**所有關於如何解決這個問題的建議表示贊賞。 變通方法的建議也受到贊賞。 謝謝.....
更新:感謝 Marcin 的回答...但這只允許我添加一個額外的 SSL cer。 我認為 var 看起來像這樣......所以我可以將 n 個證書添加到 n 個負載均衡器。
variable "additional_certificates" {
default = {
443 = ["arn:aws:acm:eu-west-1:blah_blah_ect1",
"arn:aws:acm:eu-west-1:blah_blah_ect2"
""arn:aws:acm:eu-west-1:blah_blah_ect....n" //could be any number of certs here
]
8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
}
我假設您的aws_lb_listener.encrypted_listener
是有效的並且它可以工作,因為它沒有在問題中另行指定。 另外,如果additional_certificates
是 map 會更好,因為您將 map 用於ssl_forwarding
。 因此,您的ssl_certs
可能是:
variable "additional_certificates" {
default = {
443 = "arn:aws:acm:eu-west-1:blah_blach_ect-3ba688bab27a",
8081 = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
}
}
resource "aws_lb_listener_certificate" "ssl_certs" {
for_each = aws_lb_listener.encrypted_listener
listener_arn = each.value.arn
certificate_arn = var.additional_certificates[each.key]
}
更新
如果您可以擁有隨機數量的端口和隨機數量的證書,我可以提出以下建議:
variable "additional_certificates" {
default = {
443 = ["arn:aws:acm:eu-west-1:blah_blah_ect1",
"arn:aws:acm:eu-west-1:blah_blah_ect2",
"arn:aws:acm:eu-west-1:blah_blah_ect....n"
]
8081 = ["arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"]
9999 = ["arn:aws:acm:eu-west-1:blah_blach_ect-223332",
"arn:aws:acm:eu-west-1:blah_blach_ect-22222"]
}
}
locals {
# flatten the additional_certificates
additional_certificates_flat = merge([
for port, certs in var.additional_certificates:
{for cert in certs:
"${port}-${cert}" => {"port" = port, "cert" = cert}
}
]...)
}
扁平化為local.additional_certificates_flat
的var.additional_certificates
將是:
{
"443-arn:aws:acm:eu-west-1:blah_blah_ect....n" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect....n"
"port" = "443"
}
"443-arn:aws:acm:eu-west-1:blah_blah_ect1" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect1"
"port" = "443"
}
"443-arn:aws:acm:eu-west-1:blah_blah_ect2" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blah_ect2"
"port" = "443"
}
"8081-arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-4fa688deb27a"
"port" = "8081"
}
"9999-arn:aws:acm:eu-west-1:blah_blach_ect-22222" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-22222"
"port" = "9999"
}
"9999-arn:aws:acm:eu-west-1:blah_blach_ect-223332" = {
"cert" = "arn:aws:acm:eu-west-1:blah_blach_ect-223332"
"port" = "9999"
}
}
然后,
resource "aws_lb_listener_certificate" "ssl_certs" {
for_each = local.additional_certificates_flat
listener_arn = aws_lb_listener.encrypted_listener[each.value.port].arn
certificate_arn = each.value.cert
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.