Terraform AWS ACM certificates in us-east-1 for resources in eu-west-1
Question
I have a terraform module that provisions resources primarily in eu-west-1. I need an ACM certificate to attach to a Cloudfront distribution. The certificate must be provisioned in us-east-1.
I have thus configured two providers:
provider "aws" {
  version = "~> 1.0"
  region  = "eu-west-1"
}

provider "aws" {
  version = "~> 1.0"
  region  = "us-east-1"
  alias   = "us-east-1"
}
In my module, I provision the certificate like so:
resource "aws_acm_certificate" "cert" {
  provider          = "aws.us-east-1"
  domain_name       = "${var.domain_name}"
  validation_method = "DNS"
  tags              = "${var.tags}"

  lifecycle {
    create_before_destroy = true
  }
}
Problem #1: I tried to import my existing ACM certificate using:
terraform import module.mymod.aws_acm_certificate.cert arn:aws:acm:us-east-1:xyz:certificate/uuid
This fails with: "Could not find certificate with id". Is terraform looking in the wrong region? I confirmed with the aws CLI that the certificate does indeed exist (e.g. no typos in the ARN).
Ok, so I figured I could just create a new certificate. This does work, and I now have two certificates, but I then run into problem #2:
resource "aws_route53_record" "cert_validation" {
  name    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  zone_id = "${data.aws_route53_zone.zone.id}"
  records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}
This attempts to set up DNS validation for ACM. The hosted zone exists in eu-west-1, so I'm expecting problems here. However, this still fails with "Could not find certificate ...", and I'm assuming terraform gets confused about regions. I tried adding provider = "aws.us-east-1" to this resource as well, but it still fails the same way.
So, no matter what I do, Terraform is unable to locate my certificate, even though it has created it itself. Am I doing something wrong?
Accepted answer
Turns out my problem was with aws_acm_certificate_validation. By specifying the provider in the same region as the certificate, it was all resolved.
resource "aws_acm_certificate_validation" "cert" {
  provider                = "aws.us-east-1" # <== Add this
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}
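As an added example (not code from the question or the answer), here is the complete Terraform 0.11-style layout that ties the three snippets together: the aliased provider is passed into the child module, both ACM resources pin aws.us-east-1 because they call the regional ACM API, the Route 53 record stays on the default provider, and consumers take the ARN from the validation resource so CloudFront waits for issuance. The module path, the domain name, the proxy provider block and the output are assumptions; the two root provider blocks from the question are assumed to sit next to the module block.

```hcl
# Root module (the two provider blocks from the question are assumed here).
# Aliased providers are never inherited by child modules; pass them explicitly.
module "mymod" {
  source      = "./modules/site"   # hypothetical module path
  domain_name = "example.com"      # constructed value
  providers = {
    "aws"           = "aws"
    "aws.us-east-1" = "aws.us-east-1"
  }
}

# ---- ./modules/site ----
variable "domain_name" {}

provider "aws" {
  alias = "us-east-1"   # proxy block: filled by the root's aliased config
}

resource "aws_acm_certificate" "cert" {
  provider          = "aws.us-east-1"   # CloudFront only accepts us-east-1 certs
  domain_name       = "${var.domain_name}"
  validation_method = "DNS"
  lifecycle { create_before_destroy = true }
}

# Route 53 is global, so the default provider is fine; the record values
# come from state, not from a regional ACM API call.
data "aws_route53_zone" "zone" { name = "${var.domain_name}." }

resource "aws_route53_record" "cert_validation" {
  name    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  zone_id = "${data.aws_route53_zone.zone.id}"
  records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

# This resource polls the ACM API, so it must run in the certificate's region.
resource "aws_acm_certificate_validation" "cert" {
  provider                = "aws.us-east-1"
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}

# Expose the validated ARN so CloudFront is created only after issuance.
output "certificate_arn" {
  value = "${aws_acm_certificate_validation.cert.certificate_arn}"
}
```

Referencing aws_acm_certificate.cert.arn directly from a CloudFront distribution would let Terraform try to attach a certificate that is still pending validation.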