How can I create a load balancer with cert in AWS?

mick_a_thompson · January 5, 2024, 4:17pm

I’m trying to create a load balancer with ACM cert in AWS (for HA k8s cluster) as follows.

$ cat modules/lb/main.tf
resource “tls_private_key” “ca_private_key” {
algorithm = “RSA”
rsa_bits = 4096
}

resource “tls_self_signed_cert” “ca_cert” {
depends_on = [tls_private_key.ca_private_key]
private_key_pem = tls_private_key.ca_private_key.private_key_pem

subject {
common_name = var.identity_name
organization = var.identity_name
}

validity_period_hours = 24

allowed_uses = [
“key_encipherment”,
“digital_signature”,
“server_auth”,
]
}

resource “aws_acm_certificate” “cert” {
depends_on = [tls_self_signed_cert.ca_cert]
private_key = tls_private_key.ca_private_key.private_key_pem
certificate_body = tls_self_signed_cert.ca_cert.cert_pem
}

resource “aws_lb_target_group” “target_group” {
depends_on = [aws_acm_certificate.cert]
name = “${var.identity_name}-tg”
port = var.port
protocol = “HTTPS”
target_type = “instance”
vpc_id = data.aws_vpc.default.id

health_check {
enabled = true
interval = 30
path = “/”
port = “traffic-port”
protocol = “HTTPS”
timeout = 10
healthy_threshold = 5
unhealthy_threshold = 2
}
}

resource “aws_lb” “application_lb” {
depends_on = [aws_lb_target_group.target_group]
name = “${var.identity_name}-lb”
internal = false
load_balancer_type = “application”
security_groups = [var.security_group_id]
ip_address_type = “ipv4”
subnets = data.aws_subnets.all.ids

tags = {
name = “${var.identity_name}-lb”
}
}

resource “aws_lb_listener” “lb_listener” {
depends_on = [aws_acm_certificate.cert, aws_lb_target_group.target_group]
load_balancer_arn = aws_lb.application_lb.arn
port = var.port
protocol = “HTTPS”
ssl_policy = var.ssl_policy
certificate_arn = aws_acm_certificate.cert.arn

default_action {
type = “forward”
target_group_arn = aws_lb_target_group.target_group.arn
}
}

resource “aws_lb_target_group_attachment” “ec2_attach” {
count = var.master_count
depends_on = [aws_lb_target_group.target_group]

target_group_arn = aws_lb_target_group.target_group.arn
target_id = var.master_id[count.index]
}

It fails as follows.

│ Error: creating ELBv2 Listener (arn:aws:elasticloadbalancing:eu-north-1:xxxxx:loadbalancer/app/vagrant-tf-lb/xxxxx): UnsupportedCertificate: The certificate ‘arn:aws:acm:eu-north-1:xxxxx:certificate/xxxxxx’ must have a fully-qualified domain name, a supported signature, and a supported key size.
│ status code: 400, request id: da0b22fd-f424-455b-9d05-bae2d2992fa9
│
│ with module.lb[0].aws_lb_listener.lb_listener,
│ on modules/lb/main.tf line 73, in resource “aws_lb_listener” “lb_listener”:
│ 73: resource “aws_lb_listener” “lb_listener” {

Can anyone advise as to how I might resolve?

mick_a_thompson · January 7, 2024, 1:42pm

I received solution on another forum. Sharing here so that it may help someone else.
Note the ‘dns_names’ line.

resource “tls_self_signed_cert” “ca_cert” {
depends_on = [tls_private_key.ca_private_key]

private_key_pem = tls_private_key.ca_private_key.private_key_pem
dns_names = [“*.mydoman.com”]
…
…

Topic		Replies	Views
Adding a default certificate to aws network load balancer error: certificate not found Terraform	3	6462	February 28, 2020
AWS ACM certificate with domain validation AWS	0	1797	September 7, 2022
Using ACM with Vault TLS Vault vault	4	3167	November 14, 2022
Create ec2 + LB + SSL? Terraform	1	341	February 24, 2022
How to create an hetzner hcloud load balancer service with certificates Terraform Providers	1	1140	September 6, 2020

How can I create a load balancer with cert in AWS?

Related topics