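I have issued 2 certificates for the same domain name in two regions, ap-northeast-1 and us-east-1, because my main server is in ap-northeast-1 and CloudFront requires the certificate to be in us-east-1.
I want to select the one in us-east-1 as a terraform data source, but they have the same domain name.
I defined the certificate data source like this:
# ACM Certificate on us-east-1 (Global)
data "aws_acm_certificate" "cert_global" {
  domain   = "my.example.com"
  statuses = ["ISSUED"]
}
and I reference it like this: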
resource "aws_cloudfront_distribution" "static" {
  (snip)
  viewer_certificate {
    acm_certificate_arn      = "${data.aws_acm_certificate.cert_global.arn}"
    minimum_protocol_version = "TLSv1"
    ssl_support_method       = "sni-only"
  }
}
This causes:
1 error(s) occurred:
* aws_cloudfront_distribution.static: 1 error(s) occurred:
* aws_cloudfront_distribution.static: InvalidViewerCertificate: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain.
status code: 400, request id: ceece17f-6610-11e7-977d-114d7e67d7c1
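As far as I can tell, terraform detects the two certificates with the same domain name in both regions, but I don't know how to specify one of them.
The documentation does not say how to set the region for a particular resource: https://www.terraform.io/docs/providers/aws/d/acm_certificate.html
How can I use the one in us-east-1?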
Answer 0: (score: 7)
I found the answer myself.
data has a provider attribute.
provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}
data "aws_acm_certificate" "cert_global" {
  domain   = "my.example.com"
  statuses = ["ISSUED"]
  provider = "aws.virginia"
}
This finds the certificate in us-east-1.
Answer 1: (score: 0)
Regarding @Tomoya Kabe's answer above: this changed in terraform v0.12, where provider = aws.virginia must be written without quotes.
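
The two answers combined in Terraform 0.12+ syntax, with a guard for the region mismatch behind the InvalidViewerCertificate error in the question. This is an added example, not code from the original thread; it assumes Terraform 1.2 or later (needed for the postcondition block), and the output name cloudfront_certificate_arn is made up for illustration.

```hcl
# Added example. The alias "virginia", the data source name and the domain
# are taken from the thread; everything else is an assumption.
terraform {
  required_version = ">= 1.2.0" # postcondition blocks require 1.2+
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Default provider: the region where the main server runs.
provider "aws" {
  region = "ap-northeast-1"
}

# Aliased provider, used only for the CloudFront-facing certificate lookup.
provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}

data "aws_acm_certificate" "cert_global" {
  provider = aws.virginia # unquoted provider reference (0.12+)
  domain   = "my.example.com"
  statuses = ["ISSUED"]

  lifecycle {
    postcondition {
      # ARN layout: arn:partition:acm:region:account-id:certificate/id
      # Index 3 of the colon-separated ARN is the region.
      condition     = split(":", self.arn)[3] == "us-east-1"
      error_message = "CloudFront viewer certificates must come from ACM in us-east-1."
    }
  }
}

# The value to pass to viewer_certificate.acm_certificate_arn.
output "cloudfront_certificate_arn" {
  value = data.aws_acm_certificate.cert_global.arn
}
```

If the provider line is removed or the alias is pointed at another region, terraform plan stops at the postcondition instead of failing later with the CloudFront API error.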