Provisioning ACM Certificates on AWS with Terraform
AWS Certificate Manager (ACM) is a service from AWS which provide the free on-demand TLS certificate. It’s similar to the Let’s Encrypt which provide the free cert for you, but the difference is that Amazon controls the Certificate Authority ( Amazon Trust Services, LLC) behind the certificates, as well as the accompanying API to manage them.
Unlike Let’s Encrypt, you may copy the cert into anywhere as per you like, the only bad thing about the ACM is that you can only associate with the 3 services in AWS which is ELB and ALB, CloudFront distribution and API Gateway endpoints only.
Create certificate in ACM console
To create the new cert, you may login to your AWS ACM console, click on request cert, enter the domain name that you want to create the certificate for, add any additional domain name for your cert if you like to.
Select the DNS validation for your cert as this is a simple way of validate your domain, if you using email validation, it will involve more manual step compare to the DNS validation.
Once everything is confirmed after review, you will get the verification cname entry for you to enter into your DNS server.
After that you may go to your DNS server to configure the Cname for the verification purpose, I’m using Cloudflare as my DNS server, so I need to login to my Cloudflare account and enter the cname and target as per given.
Once the DNS entry has been update and it may take some time to get validate, maybe few minutes to hours, it’s depend on the dns propagation time.
To double check the status, you may always refresh on your ACM console page, if the status showing Issued, it’s mean that your cert created successfully, you may start to associate it with your resources.
It’s easy for you to create and manage 1–2 cert using the console, but if you may need to manage more cert or may need to add on the domain into your cert, you will find it very troublesome. As ACM is not support the adding of new domain into your existing SNI cert, you may need to create a new cert which include the existing and the new domain that you wish to add into the cert.
To simplify this task, it’s better that we manage it in terraform using code, which can reduce the mistake where we may miss out any old domain in the cert when we create a new cert.
Create certificate using Terraform
To create the cert using terraform, you may need to install the AWS cli and terraform in your machine before you start.
Create a file main.tf in your working directory and enter the following code.
provider "aws" {
region = "us-east-2"
}
variable "Domain" {
default = "tech.david-cheong.com"
}
variable "AddionalDomain" {
type = list(string)
default = ["tech-cdn.david-cheong.com"]
}
resource "aws_acm_certificate" "cert" {
domain_name = var.Domain
subject_alternative_names = var.AddionalDomain
validation_method = "DNS" tags = {
Name = "Tech Sharing"
Environment = "Production"
CreatedTime = timestamp()
} lifecycle {
create_before_destroy = true
}
}
output "certvalidate" {
value = aws_acm_certificate.dicefe.domain_validation_options.*
}
In the script above, basically I set my AWS region to us-east-2 (Ohio) for demo purpose, the create 2 variable , AddionalDomain).
Next, create the certificate by supply the main domain name and addition name name using the variables, create the tags for the certificate and also lifecycle to make sure the new cert created before it’s destroy the existing.
At the end of the script, I output the CName which I need to use to create the CName record in my DNS server.
Once the script is save, you need to first initialise the terraform to download all necessary module by using terraform init.
Once the terraform being initialise, you may start to apply the change on AWS. To apply the change, just enter terraform apply -auto-approve to start the process, after the certificate request created successfully, you will get the CName record detail as the output.
You may check on your AWS ACM console, you should see the cert request is created and pending for validation.
Go to your DNS server page, for my case is Cloudflare to enter the cname record given.
After the domain being validated, you should see your cert is ready in the console. Just as simple as that.
By using Terraform, you can easily manage any new domain you wish to add to your existing cert by just enter the name domain in the AddionalDomain variable, than apply it again, get the CName record to enter into your DNS, than everything should work.
You can delete the cert created using the terraform by using terraform destroy, even the cert if free but just to clean up my AWS account, I just delete it.
Please note that to use the AWS issued certificate with Cloudfront, the certificate must be created in N.Virginia (US-East-1) region, if not, you can’t see the certificate from the Cloudfront selection box.
For more detail, you may refer to HashiCorp Terraform documentation at https://www.terraform.io/docs/providers/aws/r/acm_certificate.html
Originally published at https://tech.david-cheong.com on June 16, 2020.