user11631346

How can I ensure my AWS certificate is validated when using Terraform?

I want to provision a load balancer and an SSL certificate on AWS using Terraform. At the moment the certificate validation takes forever. Here is a snippet of it.

module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [11m20s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [11m30s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [11m40s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [11m50s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [12m0s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [12m10s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [12m20s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [12m30s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [12m40s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [12m50s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [13m0s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [13m10s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [13m20s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [13m30s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [13m40s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [13m50s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [14m0s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [14m10s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [14m20s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [14m30s elapsed]
module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [14m40s elapsed]

This is my main.tf file content:

provider "aws" {
  profile = "myprofile"
  region  = var.region
}

module "vpc" {
  source = "./modules/vpc"
}

module "sg" {
  source = "./modules/sg"
  vpc_id = module.vpc.vpc_id
}

resource "aws_instance" "public_server" {
  count = 3

  ami = lookup(var.ami, var.region)
  # Instances in a VPC take security group IDs via vpc_security_group_ids;
  # the legacy security_groups argument expects group names.
  vpc_security_group_ids      = [module.sg.SG_id]
  subnet_id                   = module.vpc.public_subnet_ids[count.index]
  instance_type               = var.instance_type
  associate_public_ip_address = true
  key_name                    = aws_key_pair.key-pair.key_name

  # Append (>>) rather than overwrite (>): with count = 3 every instance runs
  # this provisioner, and ">" leaves only the last IP in the inventory file.
  provisioner "local-exec" {
    command = "echo 'instance_${count.index + 1}_IP = ${self.public_ip}' >> ansible-folder/host-inventory"
  }

  tags = {
    Name = "public_server_${count.index + 1}"
  }
}

resource "tls_private_key" "pk" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "key-pair" {
  key_name   = "myKey"
  public_key = tls_private_key.pk.public_key_openssh

  # The private key is already stored unencrypted in the Terraform state, and
  # this provisioner also writes it to disk in plaintext. umask 077 keeps the
  # file owner-readable only; keep the state and .aws-key/ out of version control.
  provisioner "local-exec" {
    command = "umask 077 && echo '${tls_private_key.pk.private_key_pem}' > .aws-key/myKey.pem"
  }
}

module "lb" {
  source        = "./modules/lb"
  vpc_id        = module.vpc.vpc_id
  SG_id         = module.sg.SG_id
  subnets       = module.vpc.public_subnet_ids
  instance_id_1 = aws_instance.public_server[0].id
  instance_id_2 = aws_instance.public_server[1].id
  instance_id_3 = aws_instance.public_server[2].id
}

This is the content of my load balancer module, which contains the Route 53 and certificate resource provisioning code:

resource "aws_lb_target_group" "target-group" {
  name        = "altschool-lb-target-group"
  port        = 80
  protocol    = "HTTP"
  target_type = "instance"
  vpc_id      = var.vpc_id

  health_check {
    enabled             = true
    path                = "/"
    protocol            = "HTTP"
    matcher             = "200"
    healthy_threshold   = 3
    unhealthy_threshold = 2
    timeout             = 3
    interval            = 10
  }
}

resource "aws_lb_target_group_attachment" "public-target-attachment1" {
  target_group_arn = aws_lb_target_group.target-group.arn
  target_id        = var.instance_id_1
  port             = 80
}

resource "aws_lb_target_group_attachment" "public-target-attachment2" {
  target_group_arn = aws_lb_target_group.target-group.arn
  target_id        = var.instance_id_2
  port             = 80
}

resource "aws_lb_target_group_attachment" "public-target-attachment3" {
  target_group_arn = aws_lb_target_group.target-group.arn
  target_id        = var.instance_id_3
  port             = 80
}

resource "aws_lb" "altschool-lb" {
  name               = "altschool-lb"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [var.SG_id]
  subnets            = var.subnets

  tags = {
    Environment = "altschool-lb"
  }
}

# A hosted zone created here is assigned its own set of Route 53 name servers.
# ACM resolves the DNS validation CNAMEs through public DNS, so unless the
# registrar's NS records for the domain point at exactly these name servers,
# the validation records written below are never visible to ACM and
# aws_acm_certificate_validation waits until it times out.
resource "aws_route53_zone" "hosted-zone" {
  name = "altschoolminiproject.software"

  tags = {
    Environment = "terraform-test"
  }
}

resource "aws_route53_record" "terraform-test" {
  zone_id = aws_route53_zone.hosted-zone.zone_id
  name    = "terraform-test.altschoolminiproject.software"
  type    = "A"

  alias {
    name                   = aws_lb.altschool-lb.dns_name
    zone_id                = aws_lb.altschool-lb.zone_id
    evaluate_target_health = true
  }
}

resource "aws_acm_certificate" "alt-cert" {
  domain_name               = "altschoolminiproject.software"
  subject_alternative_names = ["terraform-test.altschoolminiproject.software"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  tags = {
    Environment = "altschool-certificate"
  }
}

# One validation CNAME per domain_validation_options entry (the domain_name and
# each SAN), keyed by domain name so the for_each keys stay stable.
resource "aws_route53_record" "cert-record" {
  for_each = {
    for dvo in aws_acm_certificate.alt-cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = aws_route53_zone.hosted-zone.zone_id
}

resource "aws_acm_certificate_validation" "cert-validation" {
  certificate_arn         = aws_acm_certificate.alt-cert.arn
  validation_record_fqdns = [for record in aws_route53_record.cert-record : record.fqdn]
}

resource "aws_lb_listener" "alb-listener-https" {
  load_balancer_arn = aws_lb.altschool-lb.arn
  port              = 443
  protocol          = "HTTPS"
  # Taking the ARN from the validation resource (instead of the certificate
  # plus a depends_on list) guarantees the listener is only created after ACM
  # has actually issued the certificate.
  certificate_arn = aws_acm_certificate_validation.cert-validation.certificate_arn
  # ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1; a TLS 1.2+
  # policy such as ELBSecurityPolicy-TLS13-1-2-2021-06 is preferable.
  ssl_policy = "ELBSecurityPolicy-2016-08"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target-group.arn
  }
}

# A load balancer allows only one listener per port. Declaring a second port-80
# listener (a plain HTTP forward) next to this redirect fails with a duplicate
# listener error, so port 80 is served by this redirect alone.
resource "aws_lb_listener" "alb-listener-http" {
  load_balancer_arn = aws_lb.altschool-lb.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

As I write this question, certificate validation has gotten to 20m40s.

Error:

│ module.lb.aws_acm_certificate_validation.cert-validation: Still creating... [30m15s elapsed]
│ Error: waiting for ACM Certificate (arn:aws:acm:us-east-1:732887255406:certificate/17f19b6e-3dd2-4234-aea8-56742d1a92da) to be issued: RequestError: send request failed
│ caused by: Post "acm.us-east-1.amazonaws.com": read tcp 192.168.123.111:57898->54.239.25.80:443: read: connection reset by peer
│ 
│ with module.lb.aws_acm_certificate_validation.cert-validation

[Screenshot: My domain name in Route 53]

Upvotes: 0

Views: 229

Answers (1)

user11631346

What I did was register my domain name, and then create a hosted zone with the domain before I ran the Terraform command to build the certificates.

Upvotes: 0
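The answer above works because a hosted zone created by Terraform is handed its own set of name servers, and ACM can only see the validation CNAMEs if the registrar delegates the domain to that very zone. As an added check that is not part of the original question or answer, this script compares the NS set published in public DNS with the name servers of the hosted zone Terraform writes into; the live `dig` and `aws` commands are shown in a comment, the zone id is a placeholder, and the name-server lists in the block are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the Route 53 hosted
# zone Terraform writes the ACM validation CNAMEs into is the zone the
# registrar actually delegates the domain to. If the two name-server sets
# differ, ACM never sees the CNAMEs and aws_acm_certificate_validation hangs.
set -eu

# Normalise a newline-separated NS list from stdin: lowercase, strip trailing
# dots, drop blank lines, sort and dedupe, so dig and AWS CLI output compare equal.
normalize_ns() {
  tr '[:upper:]' '[:lower:]' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# $1: NS records seen in public DNS; $2: name servers of the hosted zone.
# Prints "match" (exit 0) or "mismatch" (exit 1).
ns_delegation_matches() {
  public=$(printf '%s\n' "$1" | normalize_ns)
  zone=$(printf '%s\n' "$2" | normalize_ns)
  if [ -n "$public" ] && [ "$public" = "$zone" ]; then
    echo match
  else
    echo mismatch
    return 1
  fi
}

# Live usage (needs dig and the AWS CLI; ZONE_ID_PLACEHOLDER is the id of the
# zone referenced in Terraform, e.g. taken from "terraform output"):
#   public=$(dig +short NS altschoolminiproject.software)
#   zone=$(aws route53 get-hosted-zone --id ZONE_ID_PLACEHOLDER \
#           --query 'DelegationSet.NameServers[]' --output text | tr '\t' '\n')
#   ns_delegation_matches "$public" "$zone"

# Constructed sample data for an offline run: the registrar still points at the
# name servers of the zone created when the domain was registered, while the
# zone Terraform created (and wrote the CNAMEs into) was assigned a different set.
REGISTRAR_NS=$(printf 'NS-2048.awsdns-64.com.\nns-2049.awsdns-65.net.\nns-2050.awsdns-66.org.\nns-2051.awsdns-67.co.uk.')
TF_ZONE_NS=$(printf 'ns-100.awsdns-12.com\nns-200.awsdns-25.net\nns-300.awsdns-37.org\nns-400.awsdns-50.co.uk')

# With the sample data this prints "mismatch" and the remediation hint.
ns_delegation_matches "$REGISTRAR_NS" "$TF_ZONE_NS" \
  || echo 'fix: reference the delegated zone in Terraform (data "aws_route53_zone") or update the registrar NS records'
```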
