0

我想创建一个由 AWS 签名的证书以供内部服务使用。内部服务仅在我的 VPC 内可见。我不希望内部服务(例如子域)向外部泄漏。

这是我不确定的一点 Terraform:

resource "aws_acm_certificate" "internal" {
  domain_name       = "*.internal.example.org."

  # What goes here?
}

内部服务使用这样的证书:

resource "aws_elastic_beanstalk_environment" "foo" {
  name = "foo-env"

  # ...

  setting {
    namespace = "aws:ec2:vpc"
    name      = "ELBScheme"
    value     = "internal"
    resource  = ""
  }

  setting {
    namespace = "aws:elbv2:listener:443"
    name      = "SSLCertificateArns"
    value     = aws_acm_certificate.internal.arn
    resource  = ""
  }
}

然后我分配一个内部 DNS 条目,如下所示:

resource "aws_route53_zone" "private" {
  name = "example.org."

  vpc {
    vpc_id = aws_vpc.main.id
  }
}

resource "aws_route53_record" "private_cname_foo" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "foo.internal.example.org."
  type    = "CNAME"
  ttl     = "300"
  records = [
    aws_elastic_beanstalk_environment.foo.cname
  ]
}

如何让 AWS 为我创建证书?

4

0 回答 0