Saya terjebak pada kesalahan Terraform sepanjang hari saat mencoba membuat sumber daya AWS Route53 dan sumber daya AWS Certificate Manager. 2 bit ini adalah bagian dari proyek yang lebih luas (situs web yang dihosting di s3 melalui fitur penyajian statisnya).
Khususnya kesalahan yang muncul selama validasi DNS sertifikat, ketika data CNAME dimasukkan sebagai data DNS di Route53.
Saya akan menjelaskan kesalahannya dan kemudian saya akan menjelaskan pengaturannya.
Kesalahan
terraform plan -var-file=production.vars
Creating...
module.infrastructure.aws_route53_record.idarth-validation-record: Still creating... [10s elapsed]
module.infrastructure.aws_route53_record.idarth-validation-record: Still creating... [20s elapsed]
module.infrastructure.aws_route53_record.idarth-validation-record: Still creating... [30s elapsed]
module.infrastructure.aws_route53_record.idarth-validation-record: Still creating... [40s elapsed]
module.infrastructure.aws_route53_record.idarth-validation-record: Still creating... [50s elapsed]
module.infrastructure.aws_route53_record.idarth-validation-record: Still creating... [1m0s elapsed]
module.infrastructure.aws_route53_record.idarth-validation-record: Still creating... [1m10s elapsed]
module.infrastructure.aws_route53_record.idarth-validation-record: Creation complete after 1m12s [id=ZB4TSGZTTZ3CQ__7bc5230529c8192e8e697aeab0ec0eb9.idarth.com._CNAME]
module.infrastructure.aws_acm_certificate_validation.idarth-ssl-certificate: Creating...
2019/08/24 18:32:40 [ERROR] module.infrastructure: eval: *terraform.EvalSequence, err: 1 error occurred:
* missing www.idarth.com DNS validation record: _18ff46dac48c6d852b696306dfa57093.www.idarth.com
2019/08/24 18:32:40 [TRACE] [walkApply] Exiting eval tree: module.infrastructure.aws_acm_certificate_validation.idarth-ssl-certificate
Error: 1 error occurred:
* missing www.idarth.com DNS validation record: _18ff46dac48c6d852b696306dfa57093.www.idarth.com
on ../modules/route53.tf line 14, in resource "aws_acm_certificate_validation" "idarth-ssl-certificate":
14: resource "aws_acm_certificate_validation" "idarth-ssl-certificate" {
CATATAN: Saya belum menyertakan rencana eksekusi yang membuat bagian infrastruktur lainnya, namun saya hanya melaporkan bagian yang bermasalah.
Ini file tf saya:
route53.tf
resource "aws_route53_zone" "idarth-hosted-zone" {
name = "${var.domain_name}"
}
resource "aws_route53_record" "idarth-validation-record" {
name = "${aws_acm_certificate.idarth-ssl-certificate.domain_validation_options.0.resource_record_name}"
type = "${aws_acm_certificate.idarth-ssl-certificate.domain_validation_options.0.resource_record_type}"
zone_id = "${aws_route53_zone.idarth-hosted-zone.zone_id}"
records = ["${aws_acm_certificate.idarth-ssl-certificate.domain_validation_options.0.resource_record_value}"]
ttl = "60"
}
resource "aws_acm_certificate_validation" "idarth-ssl-certificate" {
provider = "aws.us_east_1"
certificate_arn = "${aws_acm_certificate.idarth-ssl-certificate.arn}"
validation_record_fqdns = [
"${aws_route53_record.idarth-validation-record.fqdn}"
]
}
resource "aws_route53_record" "idarth-record-domain" {
zone_id = "${aws_route53_zone.idarth-hosted-zone.zone_id}"
name = "${var.domain_name}"
type = "A"
alias {
name = "${aws_cloudfront_distribution.idarth-cloudfront-distr.domain_name}"
zone_id = "${aws_cloudfront_distribution.idarth-cloudfront-distr.hosted_zone_id}"
evaluate_target_health = false
}
}
resource "aws_route53_record" "idarth-record-domain-www" {
zone_id = "${aws_route53_zone.idarth-hosted-zone.zone_id}"
name = "${var.domain_name_www}"
type = "A"
alias {
name = "${aws_cloudfront_distribution.idarth-cloudfront-distr.domain_name}"
zone_id = "${aws_cloudfront_distribution.idarth-cloudfront-distr.hosted_zone_id}"
evaluate_target_health = false
}
}
ssl_certificate.tf
provider "aws" {
alias = "us_east_1"
region = "us-east-1"
}
resource "aws_acm_certificate" "idarth-ssl-certificate" {
provider = "aws.us_east_1"
domain_name = "${var.domain_name}"
subject_alternative_names = ["${var.domain_name_www}"]
validation_method = "DNS"
lifecycle {
create_before_destroy = true
}
tags = {
Project = "${var.name}-${var.env}"
Scope = "personal-blog"
}
}
distribusi.tf
resource "aws_cloudfront_distribution" "idarth-cloudfront-distr" {
depends_on = ["aws_acm_certificate_validation.idarth-ssl-certificate"]
origin {
domain_name = "${aws_s3_bucket.idarth-static-site-host.bucket_regional_domain_name}"
origin_id = "${var.domain_name}"
/*s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}*/
}
enabled = true
is_ipv6_enabled = true
default_root_object = "index.html"
/*logging_config {
include_cookies = false
bucket = "mylogs.s3.amazonaws.com"
prefix = "myprefix"
}*/
aliases = ["${var.domain_name}", "${var.domain_name_www}"]
default_cache_behavior {
allowed_methods = ["GET", "HEAD"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "${var.domain_name}"
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
compress = true
viewer_protocol_policy = "redirect-to-https"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
#price_class = "PriceClass_200"
restrictions {
geo_restriction {
restriction_type = "none"
locations = []
}
}
viewer_certificate {
acm_certificate_arn = "${aws_acm_certificate_validation.idarth-ssl-certificate.certificate_arn}"
ssl_support_method = "sni-only"
}
tags = {
Project = "${var.name}-${var.env}"
Scope = "personal-blog"
}
}
Versi Terraform: 0.12.7, versi penyedia aws: v2.25.0_x4
Analisis log kesalahan
Saat saya menghabiskan satu hari mencoba men-debug kesalahan di atas, inilah pemikiran saya:
- Sertifikat menghasilkan 2 CNAME untuk 2 domain (variabel: var.domain_name, var.domain_name_www): _7bc5230529c8192e8e697aeab0ec0eb9.idarth.com._CNAME, _18ff46dac48c6d852b696306dfa57093.www.idarth.com
- Pembuatan yang pertama, seperti yang Anda lihat di log rencana eksekusi, berhasil dibuat, sedangkan yang kedua menyebabkan masalah.
- Melihat ke konsol AWS, saya dapat melihat CNAME pertama dimasukkan ke dalam zona yang dihosting DNS, tetapi tidak yang kedua. Sekalipun zona yang di-hosting DNS dimasukkan, sertifikat untuk catatan tersebut masih mengakibatkan validasi yang tertunda.
Inilah yang dapat saya temukan sejauh ini, tetapi saya tidak tahu bagaimana cara melanjutkannya. Adakah yang pernah ke sini sebelumnya dan dapat membantu dengan hal di bawah ini?
Terima kasih!