I'm trying to create an ACM certificate with Terraform 0.12.0 and apply it to my Amazon ALB. I can create the ALB without a certificate easily enough, but now I've added the following code to create the Route 53 validation record, request the certificate and assign it to a new ALB listener.
resource "aws_route53_zone" "main" {
  name = var.zone_name
}

# Referenced below but missing from the original snippet; assumed to look like this.
resource "aws_acm_certificate" "main" {
  domain_name       = var.zone_name
  validation_method = "DNS"
}

resource "aws_route53_record" "validation" {
  name    = aws_acm_certificate.main.domain_validation_options[0].resource_record_name
  type    = aws_acm_certificate.main.domain_validation_options[0].resource_record_type
  zone_id = aws_route53_zone.main.zone_id
  records = [aws_acm_certificate.main.domain_validation_options[0].resource_record_value]
  ttl     = 60
}

resource "aws_acm_certificate_validation" "main" {
  certificate_arn = aws_acm_certificate.main.arn
  # The record has no count, so its fqdn is passed as a one-element list.
  validation_record_fqdns = [aws_route53_record.validation.fqdn]
}

resource "aws_alb_listener" "front_end_tls" {
  load_balancer_arn = aws_alb.main.id
  port              = "443"
  protocol          = "HTTPS"
  # ASCII hyphens only: the en dash in "2016–08" is what makes AWS return SSLPolicyNotFound.
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = var.certificate_arn

  default_action {
    target_group_arn = aws_alb_target_group.main.id
    type             = "forward"
  }
}
When I run terraform apply, it seems to get stuck on the certificate validation. I see something like this:

module.dns.aws_acm_certificate_validation.main: Still creating... [38m21s elapsed]

I've let the code run for more than 45 minutes and eventually see an error:
Error: Error creating LB Listener: SSLPolicyNotFound: SSL policy 'ELBSecurityPolicy-2016–08' not found
  status code: 400, request id: a5f052c1-86df-11e9-993c-f99526fa9bba

  on alb/main.tf line 25, in resource "aws_alb_listener" "front_end_tls":
  25: resource "aws_alb_listener" "front_end_tls" {

Error: Expected certificate to be issued but was in state PENDING_VALIDATION

  on dns/main.tf line 38, in resource "aws_acm_certificate_validation" "main":
  38: resource "aws_acm_certificate_validation" "main" {
If I log in to the console, I see that the certificate request is still pending validation. At the same time, the Route 53 validation record has been created as expected.

Why does this certificate request never get processed and applied? Am I missing something in the Terraform code?

Update: when I use an existing Route 53 zone (with a different domain name from the one I'm trying above) and reference it as a data source in my aws_route53_record, it works without any problem. The domain I'm trying in this test was purchased through Route 53 today, so I wonder whether that's related to my problem. I can't nslookup any of the records, even though I see them listed in the Route 53 console. Could that be it? I'll leave it for a few days and see whether it's just a matter of time.
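The following is an added example, not the poster's code and not from any real deployment. It shows the dependency chain a practitioner would want in this module: certificate, validation record, validation, and only then the HTTPS listener, referencing the validation resource so the listener is not created while ACM still reports PENDING_VALIDATION. The names var.zone_name, aws_alb.main and aws_alb_target_group.main are assumed to match the question. It also looks up the hosted zone the domain is actually delegated to rather than creating a second zone with the same name, which is the most likely explanation for the update's symptom (records listed in the console but not resolvable): a domain registered through Route 53 gets a hosted zone at registration time, and the registrar's NS delegation points at that zone, so records written to a newly created aws_route53_zone with its own name servers are never seen by ACM's validation lookups.

```hcl
# Added example (not the poster's code). Assumes var.zone_name, aws_alb.main
# and aws_alb_target_group.main exist as in the question; AWS provider < 3.0,
# where domain_validation_options is a list.

# Use the zone the registrar delegates to. A fresh aws_route53_zone with the same
# name gets different name servers, and validation records placed there are
# invisible to ACM unless the registrar's NS records are updated to match.
data "aws_route53_zone" "main" {
  name         = var.zone_name
  private_zone = false
}

resource "aws_acm_certificate" "main" {
  domain_name       = var.zone_name
  validation_method = "DNS"

  # Lets Terraform issue a replacement before destroying the old certificate,
  # so a listener that references it is never left without one.
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "validation" {
  zone_id = data.aws_route53_zone.main.zone_id
  name    = aws_acm_certificate.main.domain_validation_options[0].resource_record_name
  type    = aws_acm_certificate.main.domain_validation_options[0].resource_record_type
  records = [aws_acm_certificate.main.domain_validation_options[0].resource_record_value]
  ttl     = 60
}

# Blocks until ACM reports the certificate as ISSUED (or times out).
resource "aws_acm_certificate_validation" "main" {
  certificate_arn         = aws_acm_certificate.main.arn
  validation_record_fqdns = [aws_route53_record.validation.fqdn]
}

resource "aws_alb_listener" "front_end_tls" {
  load_balancer_arn = aws_alb.main.arn
  port              = 443
  protocol          = "HTTPS"
  # Plain ASCII hyphens; an en dash here is rejected with SSLPolicyNotFound.
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  # Reference the validation resource, not the bare certificate ARN or a
  # variable: this is what makes the listener wait for a validated certificate.
  certificate_arn   = aws_acm_certificate_validation.main.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.main.arn
  }
}
```

A quick check before applying: compare the name servers the registrar publishes (`dig NS <your domain> +short`) with the name_servers attribute of the hosted zone you are writing the CNAME into. If they differ, the validation record will never resolve from the public internet, which matches a failing nslookup despite the record being listed in the console. If the listener lives in a separate module, pass aws_acm_certificate_validation.main.certificate_arn out as the module output rather than aws_acm_certificate.main.arn, so the cross-module dependency still waits for validation.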