注意点
ACM Private Certificate Authorityを利用する場合、プライベートCAの料金は1つのプライベートCAごとに月額400ドル発生します。
本題
まずAWS Private Certificate Authorityを利用して、AWS Certificate Managerの証明書を作成する
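# Private root CA that signs the ACM certificate used on the ALB.
# NOTE(review): this ROOT CA issues end-entity certificates directly (see
# aws_acm_certificate.main below). AWS generally recommends a root -> subordinate
# hierarchy so the root key is touched rarely and a compromised issuing CA can be
# replaced without re-distributing the trust anchor; a single ROOT is acceptable
# for a demo or small environment, but not as a production design.
resource "aws_acmpca_certificate_authority" "main" {
  enabled = true
  # CA private keys are kept in FIPS 140-2 Level 3 validated HSMs.
  key_storage_security_standard = "FIPS_140_2_LEVEL_3_OR_HIGHER"
  # 30 is the longest restore window after `terraform destroy`; the CA can be
  # recovered until it expires, which protects against an accidental deletion.
  permanent_deletion_time_in_days = 30
  type       = "ROOT"
  usage_mode = "GENERAL_PURPOSE"

  certificate_authority_configuration {
    key_algorithm     = "RSA_2048"
    signing_algorithm = "SHA256WITHRSA"

    subject {
      common_name         = "yuukiyo"
      country             = "JP"
      locality            = "Meguro"
      organization        = "YoshidaCorp"
      organizational_unit = "ProServe"
      state               = "Tokyo"
    }
  }

  revocation_configuration {
    # CRL publication needs an S3 bucket (crl_configuration.s3_bucket_name) and
    # a bucket policy for the CA, so it is left off here. Enable it as well if
    # some clients cannot reach the OCSP responder.
    crl_configuration {
      enabled = false
    }
    # With both CRL and OCSP disabled, revoking a certificate issued by this CA
    # has no effect on any client. OCSP needs no extra infrastructure, so it is
    # the minimum that makes revocation meaningful (it is billed per request).
    ocsp_configuration {
      enabled = true
    }
  }
}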
# Self-signed root certificate: the CA signs its own CSR using the managed
# RootCACertificate template. Validity is 10 years from issuance; plan the
# rotation of the trust anchor (and of every client that pins it) before then.
resource "aws_acmpca_certificate" "main_root" {
  template_arn              = "arn:aws:acm-pca:::template/RootCACertificate/V1"
  certificate_authority_arn = aws_acmpca_certificate_authority.main.arn
  # The CSR is generated by the CA resource itself once its key pair exists.
  certificate_signing_request = aws_acmpca_certificate_authority.main.certificate_signing_request
  signing_algorithm           = "SHA256WITHRSA"

  validity {
    value = 10
    type  = "YEARS"
  }
}
# Installs the self-signed certificate on the CA; until this is done the CA
# stays in PENDING_CERTIFICATE and cannot issue anything.
resource "aws_acmpca_certificate_authority_certificate" "main" {
  certificate_authority_arn = aws_acmpca_certificate_authority.main.arn

  # For a root CA the chain is empty; it is passed through for symmetry with a
  # subordinate CA setup.
  certificate_chain = aws_acmpca_certificate.main_root.certificate_chain
  certificate       = aws_acmpca_certificate.main_root.certificate
}
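# End-entity TLS certificate issued by the private CA through ACM. The private
# key never leaves ACM, which is why an ALB can use it without any key material
# in Terraform state.
# NOTE(review): ACM-managed renewal of a private certificate only works when the
# CA grants the ACM service principal issuance rights (aws_acmpca_permission for
# acm.amazonaws.com); without it the certificate expires after its default
# validity and must be re-issued by hand — confirm this is configured.
resource "aws_acm_certificate" "main" {
  domain_name               = "yuukiyo.com"
  certificate_authority_arn = aws_acmpca_certificate_authority.main.arn

  # The listener below references this certificate. Without create_before_destroy
  # a replacement (e.g. a domain_name change) fails with "certificate in use" or
  # leaves the listener without a certificate during the apply.
  lifecycle {
    create_before_destroy = true
  }
}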
その後は、このTLS証明書をどう利用してもいいが、一例としてALBで利用するためには以下のような設定を入れればOK。なお、プライベートCAが発行した証明書はブラウザやOSのデフォルトのトラストストアには含まれないため、接続するクライアント側に上記ルート証明書を配布して信頼させる必要がある。
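# HTTPS listener that terminates TLS on the ALB with the private-CA certificate
# and forwards plain traffic to the target group.
resource "aws_lb_listener" "main" {
  load_balancer_arn = aws_lb.main.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate.main.arn

  # Without ssl_policy the ALB falls back to ELBSecurityPolicy-2016-08, which
  # still negotiates TLS 1.0/1.1. Pin a policy that allows only TLS 1.2/1.3;
  # relax it only if a client population is known to need older protocols.
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.main.arn
  }
}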