AWS has made SSL certificates a whole lot easier, cheaper and faster than they used to be by becoming a certificate authority and issuing them through Amazon Certificate Manager (ACM). Certificates AWS generates can ONLY be used on AWS services, such as an AWS ALB, but there are compelling reasons to use them: they are publicly signed, free and renewed automatically. AWS has also made DNS quick and easy to automate with Route53, which lets you manage DNS records programmatically even for a short-lived server such as a demo spun up for an hour.
Prior to 2018 we could use Terraform to create DNS records, but getting ACM to work required a manual step: to prove domain ownership, we had to create the certificate in AWS ACM and then either add the validation DNS record by hand or respond to the email AWS sends.
It turns out that in early 2018 HashiCorp started work on a Terraform feature that enables full automation of ACM: aws_acm_certificate_validation. Using it, we can now automate the entire process of creating a free, publicly signed SSL certificate, even when the Route53 zone is in a different AWS account.
I've put a small piece of example code on GitHub that anyone is welcome to use as a basis for setting up AWS ACM. It demonstrates Terraform connecting to two different AWS accounts and also defines a minimal ALB to demo the certificate. If your Route53 zone is in the same account, you can remove the line "provider = aws.account_route53" from every resource to use the example with a single AWS account.
The demo includes two providers because it assumes the Route53 zone is in a different AWS account. If you use only one account, you need only one provider.
Public Github project URL: https://github.com/nelg/terraform-aws-acmdemo
In this SSL ACM Terraform demo we:
- look up the route53 zone
- create an ACM certificate
- create a route53 record to validate the ACM certificate
- get AWS ACM to check route53 for the validation record
- create a route53 record that matches the certificate name and points at an ALB.
- print out the URL to test it with
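The cross-account core of that flow, as an added example written for this post rather than the demo repository's own code. It assumes placeholder names: a zone example.com owned by a second account reached through the CLI profile "dns-account", the hostname app.example.com, and region us-east-1.

```hcl
# Added example, not the demo repo's code. Placeholder names: zone example.com
# in a second account (CLI profile "dns-account"), hostname app.example.com.
provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias   = "account_route53"
  region  = "us-east-1"
  profile = "dns-account" # assumed profile for the account that owns the zone
}

# 1. Look up the zone in the other account.
data "aws_route53_zone" "zone" {
  provider = aws.account_route53
  name     = "example.com."
}

# 2. Request the certificate with DNS validation (no e-mail step).
resource "aws_acm_certificate" "cert" {
  domain_name       = "app.example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true # replacement cert is issued before the old one goes
  }
}

# 3. Publish the validation CNAME ACM asks for, one per name on the certificate.
resource "aws_route53_record" "validation" {
  provider = aws.account_route53
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options :
    dvo.domain_name => dvo
  }
  zone_id         = data.aws_route53_zone.zone.zone_id
  name            = each.value.resource_record_name
  type            = each.value.resource_record_type
  records         = [each.value.resource_record_value]
  ttl             = 60
  allow_overwrite = true # re-creating the cert rewrites the record instead of failing
}

# 4. Block until ACM has confirmed the records and issued the certificate.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

The ALB HTTPS listener should reference aws_acm_certificate_validation.cert.certificate_arn rather than the raw certificate ARN, so Terraform does not attach a certificate that has not yet been issued.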