When you are using an AWS Application Load Balancers to front your APIs or EC2 instances, you will need the right SSL certificate(s) on your ALB to encrypt traffic. For example, if your ALB handles traffic for apis.example.com and apis.example.org, you’ll need two SSL certificates.

When you request an SSL certificate, you need to prove that you are truly the owner of the domain. In many cases, this is as simple as adding a custom CNAME entry to your DNS records to show that you have control over the domain. If you are using AWS Certificate Manager for certificates and Route 53 to manage DNS, you can setup both your certificate and validation in one shot using a simple Terraform config.

You’ll need three pieces of information: The certificate configuration, a certificate validation configuration, and a reference to your hosted zone id.

A sample configuraiton looks like

resource "aws_acm_certificate" "target_cert" {
    domain_name = ...
}


resource "aws_route53_record" "cert_validation_cname" {
  zone_id = var.zone_id
  ...
}

resource "aws_acm_certificate_validation" "target_cert" {
  certificate_arn         = aws_acm_certificate.target_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation_cname : record.fqdn]
}

The aws_acm_certificate_validation connects the SSL Certificate you created with the DNS record (aws_route53_record) and will validate a certificate as owned by you after Terraform creates the corresponding entries in Route 53. Your SSL certificate is now ready to go withou any manual effort from you. Nice, right?

• AWS