Thursday, December 05, 2019

Automated DNS and SSL certificates with Terraform and AWS

When building web infrastructure, getting an SSL certificate used to be a slow and often expensive process, with the extra work of creating the DNS records and the ongoing overhead of renewing the certificate before it expired.

AWS has made SSL certificates a whole lot easier, cheaper and faster than they used to be by becoming a certificate authority and issuing certificates through AWS Certificate Manager (ACM). Certificates that ACM generates can ONLY be used on AWS services, such as an AWS ALB, but there are compelling reasons to use them: they are publicly trusted, free and renewed automatically. AWS has also made DNS quick and easy to automate: Route53 lets you manage DNS records programmatically, even for something as short-lived as a demo server spun up for an hour.

Prior to 2018 we could use Terraform to create DNS records, but getting ACM to work still needed a manual step: to prove ownership of the domain, we had to create the certificate in ACM and then either add the validation DNS record by hand or respond to the email AWS sent.

It turns out that in early 2018 HashiCorp started work on a Terraform resource that enables full automation of ACM: aws_acm_certificate_validation. Using it, we can now automate the entire process of creating a free, publicly signed SSL certificate, even when the Route53 zone is in a different AWS account.

I've created a little bit of example code on GitHub that anyone is welcome to use as a basis for setting up AWS ACM. It demonstrates Terraform connecting to two different AWS accounts and also defines a minimal ALB to demo the certificate. If your Route53 zone is in the same account, you can just remove the line "provider = aws.account_route53" from every resource to use the example with a single AWS account.

The demo includes two providers because it assumes that the Route53 zone is in a different AWS account. If you only use one account, you only need one provider.

Public Github project URL:  

In this SSL ACM Terraform demo we:
  1. look up the Route53 zone
  2. create an ACM certificate
  3. create a Route53 record to validate the ACM certificate
  4. get AWS ACM to check Route53 for the validation record
  5. create a Route53 record that matches the certificate name and points at an ALB
  6. print out the URL to test it with

The remainder of the GitHub project is just the minimal configuration needed to demo this working, so it creates a minimal ALB in a VPC.
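The core of that cross-account flow (steps 1 to 6) as an added Terraform example, not the post's GitHub project code. It assumes provider aliases `aws` (workload account) and `aws.account_route53` (the account holding the zone), variables `zone_name` and `domain_name`, an existing ALB `aws_lb.demo`, and AWS provider 3.x or later for the `for_each` over `domain_validation_options`, which is newer syntax than the post's era.

```hcl
# Step 1: the zone lives in the DNS account; everything else is in the workload account.
data "aws_route53_zone" "main" {
  provider = aws.account_route53
  name     = var.zone_name
}

# Step 2: request the certificate with DNS validation (no email step).
resource "aws_acm_certificate" "cert" {
  domain_name       = var.domain_name
  validation_method = "DNS"
  lifecycle { create_before_destroy = true }
}

# Step 3: one validation CNAME per name on the certificate; ACM supplies the record to publish.
resource "aws_route53_record" "validation" {
  provider = aws.account_route53
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options :
    dvo.domain_name => { name = dvo.resource_record_name, type = dvo.resource_record_type, value = dvo.resource_record_value }
  }
  zone_id         = data.aws_route53_zone.main.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.value]
  allow_overwrite = true
}

# Step 4: blocks until ACM has looked up the CNAMEs and issued the certificate.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

# Step 5: the hostname on the certificate points at the ALB, again in the DNS account.
resource "aws_route53_record" "app" {
  provider = aws.account_route53
  zone_id  = data.aws_route53_zone.main.zone_id
  name     = var.domain_name
  type     = "A"
  alias {
    name                   = aws_lb.demo.dns_name
    zone_id                = aws_lb.demo.zone_id
    evaluate_target_health = false
  }
}

# Step 6: the URL to test with.
output "url" { value = "https://${var.domain_name}/" }
```

Point the ALB's HTTPS listener at `aws_acm_certificate_validation.cert.certificate_arn` rather than `aws_acm_certificate.cert.arn`, so Terraform never attaches a certificate that ACM has not yet issued.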