https://docs.aws.amazon.com/ja_jp/elasticloadbalancing/latest/application/create-https-listener.html
https://qiita.com/_aaa/items/4162435f6d8b5ef5e10d
-- 1. ALB作成
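# Step 1: bring up an HTTP-only ALB in the default VPC with two busybox web
# servers behind it. Step 3 later replaces the HTTP listener with HTTPS by hand.
#
# The shell heredoc delimiter must differ from the Terraform heredoc used for
# user_data below: with `cat <<-'EOF'`, the bare `EOF` that closes user_data
# also closes the shell heredoc (`<<-` strips leading tabs, so indentation does
# not help), main.tf is truncated after the launch configuration, and the rest
# of the HCL is handed to the shell as commands. The quoted delimiter keeps
# `$(uname -n)` and `${var.server_port}` unexpanded for Terraform.
cat <<'TF_EOF' > main.tf
provider "aws" {
  region = "ap-northeast-1"
}

variable "server_port" {
  description = "The port the server will use for HTTP requests"
  type        = number
  default     = 80
}

data "aws_vpc" "vpc01" {
  default = true
}

data "aws_subnets" "subnet01" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.vpc01.id]
  }
}

# Instance security group: only the ALB may reach the web port. Instances in
# the default VPC receive public IPs, so an 0.0.0.0/0 rule here would let
# clients bypass the load balancer (and, after step 3, TLS) entirely.
# No egress block on purpose: Terraform then strips the default allow-all
# egress rule, and the servers only answer inbound requests.
resource "aws_security_group" "sg01" {
  name        = "sg01"
  description = "web servers behind alb01"
  vpc_id      = data.aws_vpc.vpc01.id

  ingress {
    from_port       = var.server_port
    to_port         = var.server_port
    protocol        = "tcp"
    security_groups = [aws_security_group.sg02.id]
  }
}

resource "aws_launch_configuration" "lc01" {
  image_id        = "ami-0ed99df77a82560e6"
  instance_type   = "t2.micro"
  security_groups = [aws_security_group.sg01.id]

  # Serve a dedicated directory: busybox httpd's document root defaults to the
  # current working directory, and a user_data script does not run in a
  # directory that is meant to be exposed over HTTP.
  user_data = <<-EOF
    #!/bin/bash
    mkdir -p /var/www
    echo $(uname -n) > /var/www/index.html
    nohup busybox httpd -f -p ${var.server_port} -h /var/www &
  EOF

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_lb_target_group" "tg01" {
  name     = "tg01"
  port     = var.server_port
  protocol = "HTTP"
  vpc_id   = data.aws_vpc.vpc01.id

  health_check {
    path                = "/"
    protocol            = "HTTP"
    matcher             = "200"
    interval            = 15
    timeout             = 3
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}

resource "aws_autoscaling_group" "asg01" {
  launch_configuration = aws_launch_configuration.lc01.name
  vpc_zone_identifier  = data.aws_subnets.subnet01.ids
  target_group_arns    = [aws_lb_target_group.tg01.arn]
  # "ELB" lets the target group's health check, not just EC2 status, decide
  # whether an instance is replaced.
  health_check_type = "ELB"
  min_size          = 2
  max_size          = 2

  tag {
    key                 = "Name"
    value               = "asg01"
    propagate_at_launch = true
  }
}

# ALB security group: internet-facing on 80 now and on 443 after step 3.
# Egress stays open: narrowing it to sg01 would reference sg01 from here while
# sg01 already references sg02, which Terraform rejects as a dependency cycle.
resource "aws_security_group" "sg02" {
  name        = "sg02"
  description = "internet-facing alb01"
  vpc_id      = data.aws_vpc.vpc01.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "alb01" {
  name               = "alb01"
  load_balancer_type = "application"
  subnets            = data.aws_subnets.subnet01.ids
  security_groups    = [aws_security_group.sg02.id]
  # Discard requests carrying malformed header names instead of forwarding
  # them to the targets.
  drop_invalid_header_fields = true
}

# Plain HTTP listener for the initial check. Step 3 deletes it and creates an
# HTTPS listener with the CLI; after that, `terraform apply` would recreate
# this resource, so do not re-apply without updating this block.
resource "aws_lb_listener" "listener01" {
  load_balancer_arn = aws_lb.alb01.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tg01.arn
  }
}

output "alb_dns_name" {
  value       = aws_lb.alb01.dns_name
  description = "The domain name of the load balancer"
}
TF_EOF

terraform init -upgrade
terraform plan
# -auto-approve skips the interactive plan review; the plan above is the only
# chance to inspect what will be created.
terraform apply -auto-approve
terraform output
terraform state list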
-- 2. ACMで証明書作成
# Step 2: request a public certificate for the apex plus two hostnames.
# DNS validation expects the validation CNAMEs to be published in the zone
# (Route 53 here); the certificate stays in "Pending validation" until then.
DOMAIN=example.com
aws acm request-certificate \
  --validation-method DNS \
  --domain-name "${DOMAIN}" \
  --subject-alternative-names "www.${DOMAIN}" "hoge.${DOMAIN}"
Amazon Route 53 で DNS レコードを作成
新しい証明書は [Pending validation] (検証保留中) のステータスを最大 30 分間表示し続けます。
-- 3. リスナー変更
HTTPリスナー削除
# Step 3a: find the :80 listener on the ALB and delete it. The ARNs below are
# placeholders from the walkthrough; take the real ones from the describe output.
ALB_ARN=arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/1111111111111111
aws elbv2 describe-listeners --load-balancer-arn "${ALB_ARN}"

HTTP_LISTENER_ARN=arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:listener/app/alb01/1111111111111111/1111111111111111
aws elbv2 delete-listener --listener-arn "${HTTP_LISTENER_ARN}"
HTTPSリスナー作成
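# Step 3b: create the HTTPS listener on 443. The ARNs are placeholders from the
# walkthrough; the certificate ARN is the one returned by the step-2 request,
# and it must have left "Pending validation" before this call succeeds.
aws elbv2 describe-listeners \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/1111111111111111
# --ssl-policy is set explicitly: without it the listener gets the default
# policy (ELBSecurityPolicy-2016-08 at the time of writing), which still
# negotiates TLS 1.0 and 1.1. The TLS13-1-2 policy accepts TLS 1.2 and 1.3 only.
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/1111111111111111 \
  --protocol HTTPS \
  --port 443 \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --certificates CertificateArn=arn:aws:acm:ap-northeast-1:999999999999:certificate/11111111-1111-1111-1111-111111111111 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/tg01/1111111111111111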
-- 4. 動作確認
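# Step 4: end-to-end checks against the ALB hostname.
# Plain HTTP is expected to fail now that the :80 listener is gone.
curl http://alb01-1111111111.ap-northeast-1.elb.amazonaws.com
# HTTPS without -k is expected to fail as well: the certificate is issued for
# example.com, not for the *.elb.amazonaws.com hostname, so hostname
# verification rejects it. That is the correct client behaviour.
curl https://alb01-1111111111.ap-northeast-1.elb.amazonaws.com
# -k disables certificate verification, so this only proves the listener
# answers and serves the backend page; it is not a check of the certificate.
curl -k https://alb01-1111111111.ap-northeast-1.elb.amazonaws.com
# Verify the certificate properly without waiting for the CNAME: pin the
# certificate's own hostname to one of the ALB's addresses so curl performs
# full chain and hostname verification.
ALB_IP=$(getent ahostsv4 alb01-1111111111.ap-northeast-1.elb.amazonaws.com | awk 'NR==1 {print $1}')
curl --resolve "www.example.com:443:${ALB_IP}" https://www.example.com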
CNAMEレコード追加
www.example.com
↓
alb01-1111111111.ap-northeast-1.elb.amazonaws.com
-- 5. クリーンアップ
# Step 5a: remove the HTTPS listener created by hand in step 3. This must
# happen before the certificate is deleted: ACM refuses to delete a
# certificate that is still associated with a listener.
HTTPS_LISTENER_ARN=arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:listener/app/alb01/1111111111111111/1111111111111111
aws elbv2 delete-listener --listener-arn "${HTTPS_LISTENER_ARN}"
CNAMEレコード削除
# Step 5b: delete the certificate, then tear down everything Terraform created.
# The :80 listener was deleted outside Terraform in step 3; destroy refreshes
# state and tolerates the already-missing resource.
CERT_ARN=arn:aws:acm:ap-northeast-1:999999999999:certificate/11111111-1111-1111-1111-111111111111
aws acm delete-certificate --certificate-arn "${CERT_ARN}"
terraform destroy -auto-approve