
ALB&ACMをTerraformで管理

TerraformでALB&ACMによるSSL化対応を書いたのでメモ

ACMでのSSL証明書の取得

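// ACM certificate covering both the wildcard and the naked domain.
// create_before_destroy is the pattern the AWS provider docs recommend for
// a certificate that is attached to a listener: on replacement the new
// certificate is issued first, so the HTTPS listener is never left without
// one while the old certificate is destroyed.
resource "aws_acm_certificate" "cert" {
  // Accept any subdomain of the zone.
  domain_name = "*.${var.domain_name}"
  // A wildcard does not match the apex, so list the naked domain explicitly.
  subject_alternative_names = [var.domain_name]
  // DNS validation; the Route53 records for the challenge are created from
  // domain_validation_options below.
  validation_method = "DNS"

  tags = {
    Env = var.env
  }

  lifecycle {
    create_before_destroy = true
  }
}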

// Waits until ACM reports the certificate as issued. Resources that need
// an issued certificate (the HTTPS listener) should reference this
// resource's certificate_arn so they are ordered after validation.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = values(aws_route53_record.cert_validation)[*].fqdn
}

// Route53 records answering ACM's DNS validation challenge, one per name
// on the certificate (wildcard and apex).
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for option in aws_acm_certificate.cert.domain_validation_options :
    option.domain_name => {
      name   = option.resource_record_name
      type   = option.resource_record_type
      record = option.resource_record_value
    }
  }

  zone_id = aws_route53_zone.zone.zone_id
  name    = each.value.name
  type    = each.value.type
  records = [each.value.record]
  ttl     = 60
  // Lets apply succeed when a validation record for the same name already
  // exists in the zone (e.g. left over from an earlier certificate).
  allow_overwrite = true
}

ALBの設定

// Internet-facing ALB. Everything arriving here is untrusted input; the
// listeners below terminate TLS on 443 and redirect plain HTTP.
resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  // Public endpoint (public DNS name), not an internal-only balancer.
  internal = false

  // NOTE(review): the security group is defined outside this snippet;
  // it should only expose the listener ports (80 and 443).
  security_groups = [aws_security_group.alb.id]

  // Subnets are declared elsewhere; presumably one per AZ (a, c).
  subnets = [
    aws_subnet.main_a.id,
    aws_subnet.main_c.id,
  ]

  // Hardening worth considering for a public ALB (not set here):
  // access_logs {} for request auditing, drop_invalid_header_fields = true,
  // and enable_deletion_protection = true.
}

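// HTTPS listener. certificate_arn comes from the validation resource, not
// the certificate itself, so Terraform orders the listener after ACM has
// issued the certificate instead of trying to attach one that is still
// pending validation.
resource "aws_lb_listener" "web" {
  load_balancer_arn = aws_lb.web.arn
  // Number rather than "443" string, consistent with the HTTP listener.
  port            = 443
  protocol        = "HTTPS"
  certificate_arn = aws_acm_certificate_validation.cert.certificate_arn
  // ELBSecurityPolicy-2016-08 still negotiates TLS 1.0/1.1; this policy
  // requires TLS 1.2 as the minimum and enables TLS 1.3.
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}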

// Explicit path rule on the HTTPS listener. It forwards "/*" to the same
// target group as the listener's default_action, so it currently changes
// nothing; presumably a starting point for routing other paths elsewhere.
resource "aws_lb_listener_rule" "forward" {
  listener_arn = aws_lb_listener.web.arn
  // Lower numbers are evaluated first among rules on this listener.
  priority = 100

  condition {
    path_pattern {
      values = ["/*"]
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

// Plain-HTTP listener whose only action is a permanent redirect to HTTPS,
// so no content is ever served in clear text.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  protocol          = "HTTP"
  port              = 80

  default_action {
    type = "redirect"

    redirect {
      protocol = "HTTPS"
      port     = "443"
      // 301 rather than 302 so clients cache the upgrade to HTTPS.
      status_code = "HTTP_301"
    }
  }
}