logo标签列表

如何使用Terraform创建和验证AWS证书

amazon-web-servicesterraformterraform-provider-aws
6
我将尝试创建和验证AWS证书,通过遵循Terraform文档中的示例,使用Terraform进行翻译并在此处进行验证:https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation#dns-validation-with-route-53 我的Terraform文件如下:
resource "aws_acm_certificate" "vpn_server" {
  domain_name = "stuff.mine.com"
  
  validation_method = "DNS"

  tags = {
    Name = "certificate"
    Scope = "vpn_server"
    Environment = "vpn"
  }
}

resource "aws_acm_certificate_validation" "vpn_server" {
  certificate_arn = aws_acm_certificate.vpn_server.arn

  validation_record_fqdns = [for record in aws_route53_record.my_dns_record_vpn_server : record.fqdn]

  timeouts {
    create = "2m"
  }
}

resource "aws_route53_zone" "my_dns" {
  name = "stuff.mine.com"

  tags = {
    name = "dns_zone"
  }
}


resource "aws_route53_record" "my_dns_record_vpn_server" {
  for_each = {
    for dvo in aws_acm_certificate.vpn_server.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = resource.aws_route53_zone.my_dns.zone_id
}

问题在于运行terraform apply时,验证总是超时并以错误消息失败:
aws_acm_certificate.vpn_server: Creating...
aws_acm_certificate.vpn_server: Creation complete after 8s [id=arn:aws:acm:eu-west-2:320289993971:certificate/7e859491-141f-49d5-b50e-c44cf4e1db4e]
aws_route53_zone.my_dns: Creating...
aws_route53_zone.my_dns: Still creating... [10s elapsed]
aws_route53_zone.my_dns: Creation complete after 52s [id=Z09112516IIP4OEAIIQ7]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creating...
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [10s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [20s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [30s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [40s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [50s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creation complete after 58s [id=Z09112516IIP4OEAIIQ7__ebd2853fcbfc7cc8bd6582e65d940d54.stuff.mine.com._CNAME]
aws_acm_certificate_validation.vpn_server: Creating...
aws_acm_certificate_validation.vpn_server: Still creating... [10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m0s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [2m0s elapsed]

╷
│ Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
│
│   with aws_acm_certificate_validation.vpn_server,
│   on main.tf line 61, in resource "aws_acm_certificate_validation" "vpn_server":
│   61: resource "aws_acm_certificate_validation" "vpn_server" {
│
╵

有人能告诉我缺少什么,才能完成证书验证吗?

2
如下回答所述,您不能仅创建一个Route53区域而没有在其他地方购买域名并将其委派给Route53。您正在创建DNS区域中的记录,但该区域实际上尚未“连接到互联网”,因此验证永远不会起作用。此外,根据我的经验,即使您已经正确设置了所有内容,验证也可能需要长达30分钟,因此设置2分钟的超时限制几乎肯定会失败。 - Mark B
2个回答
5
域验证记录需要位于正确委派的公共区域中。因此,如果您拥有mine.com并想创建一个名为stuff.mine.com的区域,则需要在mine.com中设置stuff.mine.comNS记录,指向stuff.mine.com区域的NS服务器。但您现在没有这样做,并且也没有使用已配置的区域。
如果没有这样做,记录将被创建在您的区域中,但该区域未正确委派,因此将无法解析这些记录。您可以通过尝试自己解析或使用外部解析器工具(例如MX Toolbox)来测试这一点。
这里可能需要考虑很多内容,但您可能希望单独设置一个包含最终要创建的记录(指向您想获得证书的Web服务器/负载平衡器以及ACM域验证记录的记录)的区域,然后通过使用aws_route53_zone数据源来引用该区域,以便创建您的域验证记录。
因此,我的证书仅用于与AWS Client VPN一起使用,即在Terraform中的aws_ec2_client_vpn_endpoint。我们不会在VPC内提供任何公共服务。由于我们的证书仅用于私人VPN的目的,是否没有使用私有DNS的方法? - adamretter
1
不行,因为ACM验证程序需要从公共端点解析您的记录。ACME协议的DNS挑战与此类似,您需要公共面向的记录来验证您拥有该区域。如果它能在私有区域中运作,那么您就能够为您不拥有的域发放证书,这将击败挑战的目的。您仍然可以为私有用途(例如内部ALB)发放证书,但是挑战记录需要位于等效的公共区域中。 - ydaetskcoR
1

这是专门为此设计的AWS证书管理器(ACM)Terraform模块。从它的ReadMe.md中可以看到:

Usage with Route53 DNS validation (recommended)
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  domain_name  = "my-domain.com"
  zone_id      = "Z2ES7B9AZ6SHAE"

  subject_alternative_names = [
    "*.my-domain.com",
    "app.sub.my-domain.com",
  ]

  wait_for_validation = true

  tags = {
    Name = "my-domain.com"
  }
}
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接