ALB&ACMをTerraformで管理
TerraformでALB&ACMによるSSL化対応を書いたのでメモ
ACMでSSL証明書の取得
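// Request a certificate from ACM covering every subdomain plus the naked
// (apex) domain, validated through DNS records in Route 53.
resource "aws_acm_certificate" "cert" {
  // Allow any subdomain
  domain_name = "*.${var.domain_name}"
  // Also protect the naked domain
  subject_alternative_names = [var.domain_name]
  // Use DNS validation
  validation_method = "DNS"

  tags = {
    Env = var.env
  }

  // A certificate that is attached to a listener cannot be destroyed in
  // place; create the replacement first so that changing domain_name or
  // subject_alternative_names does not leave the ALB without a certificate.
  lifecycle {
    create_before_destroy = true
  }
}

// Wait until ACM has validated the certificate. Consumers of the
// certificate (e.g. the HTTPS listener) should reference this resource's
// certificate_arn rather than aws_acm_certificate.cert.arn, so they are
// not created before issuance completes.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}

// Route 53 validation records, one per domain name in the certificate.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id = aws_route53_zone.zone.zone_id
  ttl     = 60
  // Replace an existing record of the same name (e.g. left over from a
  // previous certificate request) instead of failing the apply.
  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  type            = each.value.type
}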
ALBの設定
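// Internet-facing application load balancer spanning two subnets.
resource "aws_lb" "web" {
  name               = "web-alb"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets = [
    aws_subnet.main_a.id,
    aws_subnet.main_c.id,
  ]

  // Drop requests carrying header fields that are not valid per the HTTP
  // spec instead of forwarding them to the targets.
  drop_invalid_header_fields = true
}

// HTTPS listener terminating TLS with the ACM certificate.
resource "aws_lb_listener" "web" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  // Reference the validation resource rather than the certificate itself so
  // that the listener is only created once ACM has issued the certificate.
  certificate_arn = aws_acm_certificate_validation.cert.certificate_arn
  // ELBSecurityPolicy-2016-08 still negotiates TLS 1.0/1.1; require TLS 1.2+
  // (with TLS 1.3 where the client supports it).
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

// Explicit catch-all rule. It forwards to the same target group as the
// listener's default_action, so it is redundant today, but it gives a
// fixed priority slot to add more specific rules around later.
resource "aws_lb_listener_rule" "forward" {
  listener_arn = aws_lb_listener.web.arn
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }

  condition {
    path_pattern {
      values = ["/*"]
    }
  }
}

// Redirect plain HTTP requests to HTTPS
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    // Permanent redirect so clients and caches learn the HTTPS URL.
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}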