Terraform AWS ACM certificates in us-east-1 for resources in eu-west-1
I have a terraform module that provisions resources mostly in eu-west-1. I need an ACM certificate to attach to a CloudFront distribution. The certificate must be provisioned in us-east-1.
I therefore configured two providers:
provider "aws" {
version = "~> 1.0"
region = "eu-west-1"
}
provider "aws" {
version = "~> 1.0"
region = "us-east-1"
alias = "us-east-1"
}
In my module I provision the certificate like this:
resource "aws_acm_certificate" "cert" {
provider = "aws.us-east-1"
domain_name = "${var.domain_name}"
validation_method = "DNS"
tags = "${var.tags}"
lifecycle {
create_before_destroy = true
}
}
Problem #1: I tried to import my existing ACM certificate using:
terraform import module.mymod.aws_acm_certificate.cert arn:aws:acm:us-east-1:xyz:certificate/uuid
This fails with: "Could not find certificate with id". Is terraform looking in the wrong region? I confirmed via the aws CLI that the certificate does exist (e.g. there is no typo in the ARN).
OK, so I figured I could just create a new certificate. That did work, and I now have two certificates, but I ran into problem #2:
resource "aws_route53_record" "cert_validation" {
name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
zone_id = "${data.aws_route53_zone.zone.id}"
records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
ttl = 60
}
This attempts to set up DNS validation for ACM. The hosted zone exists in eu-west-1, so I expected trouble here. However, this still fails with "Could not find certificate ...", and I assume terraform is confused about the region. I also tried adding provider = "aws.us-east-1" to this resource, but it still fails in the same way.
So whatever I do, Terraform cannot find my certificate, even though it created it itself. Am I doing something wrong?
Turns out my problem was aws_acm_certificate_validation. By specifying a provider in the same region as the certificate, everything was resolved.
resource "aws_acm_certificate_validation" "cert" {
provider = "aws.us-east-1" # <== Add this
certificate_arn = "${aws_acm_certificate.cert.arn}"
validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}
Quoted references are deprecated since Terraform 0.12.14. So if you are using a version >= 0.12.14 or Terraform 1.x, the accepted answer above should look like this:
resource "aws_acm_certificate_validation" "cert" {
provider = aws.us-east-1 # <== Add this without quotes
certificate_arn = "${aws_acm_certificate.cert.arn}"
validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}
to avoid warnings like this:
Warning: Quoted references are deprecated
52: provider = "aws.us-east-1"
In this context, references are expected literally rather than in quotes. Terraform 0.11 and earlier required quotes, but quoted references are now deprecated and will be removed
in a future version of Terraform. Remove the quotes surrounding this reference to silence this warning.
(and one more similar warning elsewhere)
For details see the release notes discussion on hashicorp: https://discuss.hashicorp.com/t/terraform-0-12-14-released/3898
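The two answers above fix the missing provider line, but every ACM call (certificate, validation) must target us-east-1 while the Route 53 lookup can stay on the default provider, because Route 53 is a global service. The module below is an added example, not code from the question or either answer, written in Terraform 0.15+ / AWS provider 3.x syntax; it assumes the variables var.domain_name, var.zone_name and var.tags, and that the caller passes in a provider alias named us_east_1.

```hcl
terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      version               = ">= 3.0"
      configuration_aliases = [aws.us_east_1] # alias the calling module must pass in
    }
  }
}
# Route 53 is global, so the hosted zone is looked up with the default
# (eu-west-1) provider; only the certificate itself must live in us-east-1.
data "aws_route53_zone" "zone" {
  name = var.zone_name # assumed variable, e.g. "example.com."
}
resource "aws_acm_certificate" "cert" {
  provider          = aws.us_east_1
  domain_name       = var.domain_name
  validation_method = "DNS"
  tags              = var.tags

  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per domain_validation_options entry. for_each instead of
# the .0 index also covers subject_alternative_names; allow_overwrite lets the
# record be re-created when the certificate is replaced.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }
  allow_overwrite = true
  zone_id         = data.aws_route53_zone.zone.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
}

# The validation resource talks to ACM, so it must use the certificate's region;
# this is the provider line the question was missing.
resource "aws_acm_certificate_validation" "cert" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}
```

The root module declares `provider "aws" { alias = "us_east_1" region = "us-east-1" }` and calls the module with `providers = { aws.us_east_1 = aws.us_east_1 }`. Leave the validation CNAMEs in place after issuance, since ACM reuses them for automatic renewal.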