On AWS, if you want to serve multiple domains over HTTPS with virtual hosts, you can do it by attaching ACM SSL certificates to the ALB's 443 listener as shown below.
This post covers how to add that with Terraform.
■Resource: aws_lb_listener_certificate
https://www.terraform.io/docs/providers/aws/r/lb_listener_certificate.html
Since this is an ALB, be careful that listener_arn becomes aws_alb_listener.xxxx.arn, as shown below.
```hcl
resource "aws_lb_listener_certificate" "example" {
  listener_arn    = aws_alb_listener.front_end.arn
  certificate_arn = aws_acm_certificate.example.arn
}
```
If you try to write it as an array you get `Inappropriate value for attribute "certificate_arn": string required.`, i.e. it insists on a string, so there is no way around specifying them one at a time.
■Terraform
- acm.tf
```hcl
resource "aws_acm_certificate" "wild-adachin-com" {
  domain_name               = "adachin.com"
  subject_alternative_names = ["*.adachin.com"]
  validation_method         = "DNS"

  tags = {
    Environment = "stg"
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate" "wild-adachindayo-com" {
  # Domain written as "adachindayo-com" in the original; the post's target domain is adachindayo.com
  domain_name               = "adachindayo.com"
  subject_alternative_names = ["*.adachindayo.com"]
  validation_method         = "DNS"

  tags = {
    Environment = "stg"
  }

  lifecycle {
    create_before_destroy = true
  }
}

# Resource name matches the reference aws_acm_certificate.wild-adachindaze-com in elb.tf
resource "aws_acm_certificate" "wild-adachindaze-com" {
  domain_name               = "adachindaze.com"
  subject_alternative_names = ["*.adachindaze.com"]
  validation_method         = "DNS"

  tags = {
    Environment = "stg"
  }

  lifecycle {
    create_before_destroy = true
  }
}
```
- elb.tf
```hcl
resource "aws_lb" "adachin-app" {
  name                       = "adachin-app"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.adachin-app-alb.id]
  subnets                    = [aws_subnet.adachin-public-1a.id, aws_subnet.adachin-public-1c.id, aws_subnet.adachin-public-1d.id]
  enable_deletion_protection = true

  tags = {
    Env = "stg"
  }
}

resource "aws_lb_target_group" "adachin-app" {
  name                 = "adachin-app"
  port                 = 80
  protocol             = "HTTP"
  vpc_id               = aws_vpc.adachin-vpc.id
  target_type          = "ip"
  deregistration_delay = "10"

  health_check {
    protocol            = "HTTP"
    path                = "/ping"
    port                = 80
    healthy_threshold   = 5
    unhealthy_threshold = 2
    timeout             = 5
    interval            = 10
    matcher             = "200"
  }
}

# Port 80 only redirects to HTTPS
resource "aws_alb_listener" "adachin-app" {
  load_balancer_arn = aws_lb.adachin-app.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# The certificate set here is the listener's default; it is served to clients that do not send SNI
resource "aws_alb_listener" "adachin-app-https" {
  load_balancer_arn = aws_lb.adachin-app.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2015-05"
  certificate_arn   = aws_acm_certificate.wild-adachin-com.arn

  default_action {
    target_group_arn = aws_lb_target_group.adachin-app.arn
    type             = "forward"
  }
}

## added
resource "aws_lb_listener_certificate" "wild-adachindayo-com" {
  listener_arn    = aws_alb_listener.adachin-app-https.arn
  certificate_arn = aws_acm_certificate.wild-adachindayo-com.arn
}

resource "aws_lb_listener_certificate" "wild-adachindaze-com" {
  listener_arn    = aws_alb_listener.adachin-app-https.arn
  certificate_arn = aws_acm_certificate.wild-adachindaze-com.arn
}
```
The target domains are adachindayo.com and adachindaze.com. Append the SSL certificates obtained from ACM at line 64 of elb.tf (the block marked `## added`). Then apply.
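Because `certificate_arn` only takes a single string, every extra domain in the post costs three hand-written resources (certificate, validation, listener certificate). The following is an added example, not code from the original post, that generalises that pattern: one map of additional domains drives the ACM certificates, their Route 53 DNS validation records, the validation wait, and the `aws_lb_listener_certificate` attachments. It assumes the HTTPS listener `aws_alb_listener.adachin-app-https` from elb.tf above; the hosted-zone IDs in the map are placeholders.

```hcl
# Added example (not from the original post). Assumes the listener
# aws_alb_listener.adachin-app-https from elb.tf; zone IDs are placeholders.

locals {
  # Constructed sample input: extra SNI domains and the hosted zone of each.
  # The primary certificate (adachin.com) stays on the listener's own
  # certificate_arn and is what non-SNI clients receive.
  extra_domains = {
    "adachindayo.com" = "ZONE_ID_PLACEHOLDER_1"
    "adachindaze.com" = "ZONE_ID_PLACEHOLDER_2"
  }
}

resource "aws_acm_certificate" "extra" {
  for_each = local.extra_domains

  domain_name               = each.key
  subject_alternative_names = ["*.${each.key}"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# Flatten every certificate's validation options into one map. The apex and
# its wildcard share the same validation CNAME, so two keys point at one
# record; allow_overwrite below handles that, as in the provider docs.
locals {
  validation_records = merge([
    for domain, cert in aws_acm_certificate.extra : {
      for dvo in cert.domain_validation_options :
      "${domain}/${dvo.domain_name}" => {
        cert    = domain
        zone_id = local.extra_domains[domain]
        name    = dvo.resource_record_name
        type    = dvo.resource_record_type
        value   = dvo.resource_record_value
      }
    }
  ]...)
}

resource "aws_route53_record" "validation" {
  for_each = local.validation_records

  allow_overwrite = true
  zone_id         = each.value.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.value]
}

# Waits until ACM has actually issued each certificate, so the listener is
# never pointed at a certificate that is still pending validation.
resource "aws_acm_certificate_validation" "extra" {
  for_each = aws_acm_certificate.extra

  certificate_arn = each.value.arn
  validation_record_fqdns = [
    for key, rec in aws_route53_record.validation : rec.fqdn
    if local.validation_records[key].cert == each.key
  ]
}

# One listener certificate per issued extra certificate. Depending on the
# validation resource (not the certificate) gives the correct ordering.
resource "aws_lb_listener_certificate" "extra" {
  for_each = aws_acm_certificate_validation.extra

  listener_arn    = aws_alb_listener.adachin-app-https.arn
  certificate_arn = each.value.certificate_arn
}
```

Adding a fourth domain is then a single map entry. Two points worth checking when you verify the result: the ALB selects a certificate by the SNI hostname the client sends, so a client without SNI (or with an unmatched name) gets the listener's default certificate, and `ELBSecurityPolicy-2015-05` from elb.tf still negotiates TLS 1.0 and 1.1, so a policy such as `ELBSecurityPolicy-TLS13-1-2-2021-06` is the better choice unless legacy clients require the old protocols.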
- CircleCI
- Verification
■Summary
I didn't even know a resource called aws_lb_listener_certificate existed...