demo project for using ACM and certificate verfication

nelg · Dec 2, 2019 · a3dbde0 · a3dbde0
commit a3dbde0
Show file tree

Hide file tree

Showing 7 changed files with 152 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+terraform.tf*
+.terraform
diff --git a/README.md b/README.md
@@ -0,0 +1,14 @@
+# How to use:
+
+terraform init
+
+1. Set your demo_dns_zone and demo_dns_name variables:  (terraform.tfvars)
+2. Setup your providers
+
+terraform plan
+terraform apply
+
+# Requirements:
+
+ - existing route53 zone in AWS
+ - terraform v0.12.16 or newer
diff --git a/minimal_alb.tf b/minimal_alb.tf
@@ -0,0 +1,64 @@
+resource "aws_alb" "mylb" {
+  # Normal ALB content, options removed for BLOG
+  subnets         = module.vpc.public_subnets
+  security_groups = [aws_security_group.myapp.id]
+}
+
+# Basic https lisener to demo HTTPS certiciate
+resource "aws_alb_listener" "mylb_https" {
+  load_balancer_arn = aws_alb.mylb.arn
+  certificate_arn   = aws_acm_certificate.myapp.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  # Default action, and other paramters removed for BLOG
+  default_action {
+    type = "fixed-response"
+
+    fixed_response {
+      content_type = "text/html"
+      message_body = "<html><body><h1>Hello World!</h1><p>This would usually be to a target group of web servers.. but this is just a demo to returning a fixed response\n\n</p></body></html>"
+      status_code  = "200"
+    }
+  }
+}
+
+# Always good practice to redirect http to https
+resource "aws_alb_listener" "mylb_http" {
+  load_balancer_arn = aws_alb.mylb.arn
+  port              = "80"
+  protocol          = "HTTP"
+  default_action {
+    type = "redirect"
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+# Open Security Group for demo
+resource "aws_security_group" "myapp" {
+  vpc_id = module.vpc.vpc_id
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
diff --git a/provider.tf b/provider.tf
@@ -0,0 +1,7 @@
+# AWS account that contains the route53 domain
+provider "aws" {
+  alias = "account_route53" # Specific to your setup
+}
+
+# your normal provider
+provider "aws" {}
diff --git a/ssl_cert.tf b/ssl_cert.tf
@@ -0,0 +1,45 @@
+# This data source looks up the public DNS zone
+data "aws_route53_zone" "public" {
+  name         = var.demo_dns_zone
+  private_zone = false
+  provider     = aws.account_route53
+}
+
+# This creates an SSL certificate
+resource "aws_acm_certificate" "myapp" {
+  domain_name       = aws_route53_record.myapp.fqdn
+  validation_method = "DNS"
+}
+
+# This is a DNS record for the ACM certificate validation to prove we own the domain
+resource "aws_route53_record" "cert_validation" {
+  name     = aws_acm_certificate.myapp.domain_validation_options.0.resource_record_name
+  type     = aws_acm_certificate.myapp.domain_validation_options.0.resource_record_type
+  zone_id  = data.aws_route53_zone.public.id
+  records  = [aws_acm_certificate.myapp.domain_validation_options.0.resource_record_value]
+  ttl      = 60
+  provider = aws.account_route53
+}
+
+# This tells terraform to cause the route53 validation to happen
+resource "aws_acm_certificate_validation" "cert" {
+  certificate_arn         = aws_acm_certificate.myapp.arn
+  validation_record_fqdns = [aws_route53_record.cert_validation.fqdn]
+}
+
+# Standard route53 DNS record for "myapp" pointing to an ALB
+resource "aws_route53_record" "myapp" {
+  zone_id = data.aws_route53_zone.public.zone_id
+  name    = "${var.demo_dns_name}.${data.aws_route53_zone.public.name}"
+  type    = "A"
+  alias {
+    name                   = aws_alb.mylb.dns_name
+    zone_id                = aws_alb.mylb.zone_id
+    evaluate_target_health = false
+  }
+  provider = aws.account_route53
+}
+
+output "testing" {
+  value = "Test this demo code by going to https://${aws_route53_record.myapp.fqdn} and checking your have a valid SSL cert"
+}
diff --git a/vars.tf b/vars.tf
@@ -0,0 +1,8 @@
+variable "demo_dns_zone" {
+  description = "Specific to your setup, pick a domain you have in route53"
+  default     = "lab.oss.nz."
+}
+variable "demo_dns_name" {
+  description = "Just a demo domain name"
+  default     = "ssldemo"
+}
diff --git a/vpc.tf b/vpc.tf
@@ -0,0 +1,12 @@
+# AZ lookup
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+# Minimal VPC config for demo
+module "vpc" {
+  source         = "terraform-aws-modules/vpc/aws"
+  cidr           = "10.211.0.0/16"
+  public_subnets = ["10.211.214.0/27", "10.211.213.0/27"]
+  azs            = data.aws_availability_zones.available.names
+}