Manage AWS SSL Certificates using Terraform
When you are using an AWS Application Load Balancer to front your APIs or EC2 instances, you will need the right SSL certificate(s) on your ALB to encrypt traffic. For example, if your ALB handles traffic for apis.example.com and apis.example.org, you'll need two SSL certificates.
When you request an SSL certificate, you need to prove that you truly control the domain. In many cases, this is as simple as adding a custom CNAME entry to your DNS records to show that you have control over the domain. If you are using AWS Certificate Manager for certificates and Route 53 to manage DNS, you can set up both your certificate and its validation in one shot using a simple Terraform config.
You'll need three pieces of information: the certificate configuration, a certificate validation configuration, and a reference to your hosted zone ID.
A sample configuration looks like this:
resource "aws_acm_certificate" "target_cert" {
  domain_name = ...
}

resource "aws_route53_record" "cert_validation_cname" {
  zone_id = var.zone_id
  ...
}

resource "aws_acm_certificate_validation" "target_cert" {
  certificate_arn         = aws_acm_certificate.target_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation_cname : record.fqdn]
}
The aws_acm_certificate_validation resource connects the SSL certificate you created with the DNS record (aws_route53_record) and waits for ACM to confirm that you own the domain once Terraform has created the corresponding entries in Route 53. Your SSL certificate is now ready to go without any manual effort from you. Nice, right?
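A filled-in version of that pattern, added here as an example rather than the post's own config: it requests a DNS-validated certificate for apis.example.com, creates one validation CNAME per entry in domain_validation_options, and goes one step further than the snippet above by attaching the certificate to an HTTPS listener only after validation has completed. var.alb_arn and var.target_group_arn are assumed inputs alongside var.zone_id.

```hcl
resource "aws_acm_certificate" "target_cert" {
  domain_name       = "apis.example.com"
  validation_method = "DNS"

  lifecycle {
    # Issue the replacement before the old certificate is destroyed so the
    # listener never references a deleted certificate during rotation.
    create_before_destroy = true
  }
}

# One validation CNAME per domain_validation_options entry, keyed by domain name.
resource "aws_route53_record" "cert_validation_cname" {
  for_each = {
    for dvo in aws_acm_certificate.target_cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = var.zone_id # assumed: hosted zone for example.com
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true # applies cleanly if ACM re-issues the challenge record
}

# Terraform waits here until ACM sees the CNAMEs and marks the certificate ISSUED.
resource "aws_acm_certificate_validation" "target_cert" {
  certificate_arn         = aws_acm_certificate.target_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation_cname : record.fqdn]
}

# Reference the validation resource, not the certificate, so the listener is
# created only once the certificate is actually usable.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.alb_arn # assumed: the ALB fronting the APIs
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.target_cert.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn # assumed: the listener's target group
  }
}
```

Pointing the listener at aws_acm_certificate_validation rather than aws_acm_certificate is what guarantees the ordering; the certificate ARN is the same either way.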