
I would like to create a certificate signed by AWS for use by internal services. The internal services are only visible inside my VPC. I don't want anything about the internal services, such as the subdomain, to leak externally.

This is the bit of Terraform I am unsure about:

resource "aws_acm_certificate" "internal" {
  # ACM takes the bare FQDN (no trailing dot, unlike Route 53 names)
  domain_name       = "*.internal.example.org"

  # What goes here?
}

The internal service consumes the certificate like this:

resource "aws_elastic_beanstalk_environment" "foo" {
  name = "foo-env"

  # ...

  setting {
    namespace = "aws:ec2:vpc"
    name      = "ELBScheme"
    value     = "internal"
    resource  = ""
  }

  setting {
    namespace = "aws:elbv2:listener:443"
    name      = "SSLCertificateArns"
    value     = aws_acm_certificate.internal.arn
    resource  = ""
  }
}

I then assign an internal DNS entry like this:

resource "aws_route53_zone" "private" {
  name = "example.org."

  vpc {
    vpc_id = aws_vpc.main.id
  }
}

resource "aws_route53_record" "private_cname_foo" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "foo.internal.example.org."
  type    = "CNAME"
  ttl     = "300"
  records = [
    aws_elastic_beanstalk_environment.foo.cname
  ]
}

How do I get AWS to create a certificate for me?

sdgfsdh
  • If your domain is route53, use `validation_method = 'DNS'` and then include like this example to create the records for validation: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate#importing-an-existing-certificate – jordanm Jan 21 '21 at 17:06
  • You will also need to wait for validation. full example in the docs here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation – jordanm Jan 21 '21 at 17:07
  • @jordanm Does `validation_method = 'DNS'` create public DNS records though? – sdgfsdh Jan 21 '21 at 17:08
  • yes, you need to create a public TXT record for that domain, or be able to receive email to the domain in order to validate a certificate with ACM. If you can't do either, you will need to create a cert yourself and upload it to ACM. – jordanm Jan 21 '21 at 17:49
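The complete DNS-validated flow that the comments describe, written out as an added example (this is not code from the question or from the Terraform provider docs, though it follows the same `domain_validation_options` pattern). It assumes a public Route 53 hosted zone for `example.org` already exists and that the question's `aws_elastic_beanstalk_environment` is defined elsewhere. The security point for the asker: the validation CNAMEs must live in the public zone, and a publicly trusted ACM certificate is also recorded in Certificate Transparency logs, so the name on the certificate is visible outside the VPC no matter what. Requesting a wildcard keeps individual hostnames such as `foo.internal.example.org` out of both places; only `*.internal.example.org` is disclosed.

```hcl
# Added example, not the asker's code. Assumes a PUBLIC hosted zone for
# example.org exists; the private zone from the question is separate and
# cannot be used for validation, because ACM resolves the records from the
# internet.
data "aws_route53_zone" "public" {
  name         = "example.org."
  private_zone = false
}

resource "aws_acm_certificate" "internal" {
  domain_name       = "*.internal.example.org"
  validation_method = "DNS"

  # Wildcard: only "*.internal.example.org" appears in public DNS and in
  # Certificate Transparency logs, not the individual service hostnames.
  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per entry in domain_validation_options, created in the
# PUBLIC zone. allow_overwrite lets a re-issued certificate replace the record.
resource "aws_route53_record" "acm_validation" {
  for_each = {
    for dvo in aws_acm_certificate.internal.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id         = data.aws_route53_zone.public.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

# Blocks the apply until ACM reports the certificate as ISSUED. Consumers
# should reference this resource's certificate_arn rather than
# aws_acm_certificate.internal.arn, so they are never created against a
# certificate that is still PENDING_VALIDATION.
resource "aws_acm_certificate_validation" "internal" {
  certificate_arn         = aws_acm_certificate.internal.arn
  validation_record_fqdns = [for r in aws_route53_record.acm_validation : r.fqdn]
}

# In the question's aws_elastic_beanstalk_environment, point the listener at
# the validated ARN:
#
#   setting {
#     namespace = "aws:elbv2:listener:443"
#     name      = "SSLCertificateArns"
#     value     = aws_acm_certificate_validation.internal.certificate_arn
#     resource  = ""
#   }
output "internal_certificate_arn" {
  value = aws_acm_certificate_validation.internal.certificate_arn
}
```

If even the wildcard name must not be published, the alternative that keeps AWS issuing the certificate is a private CA: `aws_acm_certificate` accepts a `certificate_authority_arn` pointing at an ACM Private CA, in which case no `validation_method`, no public DNS record and no CT log entry are involved. The trade-off is that the private CA's root must be distributed to every client inside the VPC, since browsers and OS trust stores do not know it.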

0 Answers