
amazon-web-services - Terraform interdependency problem with API-Gateway, Route53 and SSL certificates

Reposted. Author: 行者123 Updated: 2023-12-04 08:10:52

I can't seem to get an SSL certificate from ACM onto API-Gateway and Route53 using terraform. There seems to be an interdependency problem.

data "aws_route53_zone" "root_domain" {
  name         = "${var.route53_root_domain_name}"
  private_zone = false
}

# The domain name to use with api-gateway
resource "aws_api_gateway_domain_name" "domain_name" {
  domain_name = "${var.route53_sub_domain_name}"

  certificate_arn = "${aws_acm_certificate.cert.arn}"
}

resource "aws_route53_record" "sub_domain" {
  name    = "${var.route53_sub_domain_name}"
  type    = "A"
  zone_id = "${data.aws_route53_zone.root_domain.zone_id}"

  alias {
    name                   = "${aws_api_gateway_domain_name.domain_name.cloudfront_domain_name}"
    zone_id                = "${aws_api_gateway_domain_name.domain_name.cloudfront_zone_id}"
    evaluate_target_health = false
  }
}

resource "aws_acm_certificate" "cert" {
  # api-gateway / cloudfront certificates need to use the us-east-1 region
  provider          = "aws.cloudfront-acm-certs"
  domain_name       = "${var.route53_sub_domain_name}"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "cert_validation" {
  name    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  zone_id = "${aws_route53_record.sub_domain.zone_id}"
  records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

resource "aws_acm_certificate_validation" "cert" {
  # api-gateway / cloudfront certificates need to use the us-east-1 region
  provider = "aws.cloudfront-acm-certs"

  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}

The problem seems to be:
  • aws_api_gateway_domain_name needs aws_acm_certificate
  • aws_acm_certificate must be validated, so step 3
  • aws_route53_record.cert_validation needs aws_route53_record.sub_domain
  • aws_route53_record.subdomain needs aws_api_gateway_domain_name
  • go to 1

  • Every time I try with the given configuration I get the following error:

aws_api_gateway_domain_name.domain_name: Error creating API Gateway Domain Name: BadRequestException: Unable to associate certificate arn:aws:acm:us-east-1:yyyy:certificate/zzzz with CloudFront. This error may prevent the domain name audit-log.taspli.com from being used in API Gateway for up to 40 minutes. Please ensure the certificate domain name matches the requested domain name, and that this user has permission to call cloudfront:UpdateDistribution on '*' resources. status code: 400, request id: xxxx

Best answer

I seem to have solved the problem by adding the certificate validation record to the root domain rather than the subdomain, thereby breaking the circular dependency.

The problem seems to be that you can't create the subdomain without the certificate, and you can't validate the certificate without the subdomain. So the situation is stuck and can't be resolved.

You could create the subdomain manually, but if you have to fix things manually, what's the point of automation.

So I tried adding the certificate validation record to the root. Suddenly it started working, because the root domain is created outside the project. A kind of global infrastructure project that can be handled externally. Your individual projects can then hang off that infrastructure on a case-by-case basis.

Here is the working terraform configuration:

data "aws_route53_zone" "root_domain" {
  name         = "${var.route53_root_domain_name}"
  private_zone = false
}

# The domain name to use with api-gateway
resource "aws_api_gateway_domain_name" "domain_name" {
  domain_name = "${var.route53_sub_domain_name}"

  certificate_arn = "${aws_acm_certificate.cert.arn}"
}

resource "aws_route53_record" "sub_domain" {
  name    = "${var.route53_sub_domain_name}"
  type    = "A"
  zone_id = "${data.aws_route53_zone.root_domain.zone_id}"

  alias {
    name                   = "${aws_api_gateway_domain_name.domain_name.cloudfront_domain_name}"
    zone_id                = "${aws_api_gateway_domain_name.domain_name.cloudfront_zone_id}"
    evaluate_target_health = false
  }
}

resource "aws_acm_certificate" "cert" {
  # api-gateway / cloudfront certificates need to use the us-east-1 region
  provider          = "aws.cloudfront-acm-certs"
  domain_name       = "${var.route53_sub_domain_name}"
  validation_method = "DNS"
}

resource "aws_route53_record" "cert_validation" {
  name    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  zone_id = "${data.aws_route53_zone.root_domain.zone_id}"
  records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

resource "aws_acm_certificate_validation" "cert" {
  # api-gateway / cloudfront certificates need to use the us-east-1 region
  provider = "aws.cloudfront-acm-certs"

  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]

  timeouts {
    create = "45m"
  }
}
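As an added example (not the answer's configuration above, and not taken from the Stack Overflow thread), here is the same root-zone layout rewritten for Terraform 0.12+ syntax and AWS provider 3.x, where domain_validation_options is a set and is iterated with for_each instead of being indexed with .0. Two things differ from the answer beyond syntax: the API Gateway domain references aws_acm_certificate_validation.cert.certificate_arn rather than the raw certificate ARN, so Terraform never tries to attach a certificate that ACM has not yet issued (a common cause of the "Unable to associate certificate ... with CloudFront" error), and the domain pins its TLS policy so the edge refuses TLS 1.0/1.1 handshakes. The provider alias us_east_1, the variables var.route53_root_domain_name and var.route53_sub_domain_name (assumed declared elsewhere) and the EDGE endpoint type are assumptions of this example.

```hcl
# Assumed provider alias for us-east-1; the original post calls its alias
# "aws.cloudfront-acm-certs", this example uses its own name.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

# The root hosted zone is managed outside this project, so it exists
# before anything here runs and nothing here depends on the subdomain.
data "aws_route53_zone" "root_domain" {
  name         = var.route53_root_domain_name
  private_zone = false
}

# Edge-optimized API Gateway domains are fronted by CloudFront,
# so the certificate must live in us-east-1.
resource "aws_acm_certificate" "cert" {
  provider          = aws.us_east_1
  domain_name       = var.route53_sub_domain_name
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per domain_validation_options entry, written into
# the root zone. This is the change that breaks the cycle: it no longer
# reads zone_id from aws_route53_record.sub_domain.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.root_domain.zone_id
}

# Blocks until ACM has actually issued the certificate.
resource "aws_acm_certificate_validation" "cert" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]

  timeouts {
    create = "45m"
  }
}

# Reference the validation resource's certificate_arn (not the raw
# certificate's) so this domain is only created once the certificate
# is issued and attachable to CloudFront.
resource "aws_api_gateway_domain_name" "domain_name" {
  domain_name     = var.route53_sub_domain_name
  certificate_arn = aws_acm_certificate_validation.cert.certificate_arn
  security_policy = "TLS_1_2" # refuse TLS 1.0/1.1 handshakes at the edge

  endpoint_configuration {
    types = ["EDGE"]
  }
}

# The public A record for the subdomain, aliased to the CloudFront
# distribution that API Gateway created for the custom domain.
resource "aws_route53_record" "sub_domain" {
  name    = var.route53_sub_domain_name
  type    = "A"
  zone_id = data.aws_route53_zone.root_domain.zone_id

  alias {
    name                   = aws_api_gateway_domain_name.domain_name.cloudfront_domain_name
    zone_id                = aws_api_gateway_domain_name.domain_name.cloudfront_zone_id
    evaluate_target_health = false
  }
}
```

The resulting dependency graph is a straight line (certificate -> validation records in the root zone -> validation -> API Gateway domain -> subdomain alias record), which is easy to confirm with `terraform graph` before applying; if a cycle remains, `terraform plan` reports it as a "Cycle:" error listing the resources involved.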

Regarding amazon-web-services - Terraform interdependency problem with API-Gateway, Route53 and SSL certificates, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55031167/