[Terraform:AWS] how to set up host-based routing with ALB and ACM (SSL cert)

Today, I am going to show how to set up host-based routing with ALB and ACM.

The version information is as follows.

$ terraform version
Terraform v0.13.1
+ provider registry.terraform.io/hashicorp/aws v3.7.0
+ provider registry.terraform.io/hashicorp/random v2.3.0

Now let's move on to the main topic.
The resource components of an ALB are as follows.

  • aws_lb
  • aws_lb_listener
  • aws_lb_listener_certificate
  • aws_lb_listener_rule
  • aws_lb_target_group
  • aws_lb_target_group_attachment

There are many, but broadly they fall into three groups: the ALB itself, the listeners, and the target group (EC2).

The following is the tf file for the ALB. What it does is create a listener called test that listens on 443 and forwards requests whose Host header is "dev.domain name" to the target group dev on port 8080. The SSL certificate is referenced by aws_lb_listener and aws_lb_listener_certificate. The certificate itself is defined in another tf file, which is described later.

# The ALB itself: internet-facing, spread over two public subnets.
resource "aws_lb" "test" {
  name               = "test-lb"
  internal           = false
  load_balancer_type = "application"
  subnets            = [aws_subnet.public1.id, aws_subnet.public2.id]
  security_groups    = [aws_security_group.alb.id]

  enable_deletion_protection = false

  tags = {
    Name        = "test-lb"
    Environment = "development"
    Description = "Managed by Terraform"
  }
}

# HTTPS listener on 443. certificate_arn is the listener's default certificate.
# Note that the default action forwards every request, whatever its Host header,
# to the dev target group; the host_header rule below only matters if the
# default action is changed to something else.
resource "aws_lb_listener" "test" {
  load_balancer_arn = aws_lb.test.arn
  port              = "443"
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate.test.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.dev.arn
  }
}

# Attaches an additional (SNI) certificate to the listener. With a single
# certificate, the certificate_arn on the listener above is already sufficient.
resource "aws_lb_listener_certificate" "test" {
  listener_arn    = aws_lb_listener.test.arn
  certificate_arn = aws_acm_certificate.test.arn
}

# Host-based rule: requests for dev.domain name go to the dev target group.
resource "aws_lb_listener_rule" "test" {
  listener_arn = aws_lb_listener.test.arn
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.dev.arn
  }

  condition {
    host_header {
      values = ["dev.domain name"]
    }
  }
}

# Random suffix so a replacement target group can be created before the old
# one is destroyed (target group names must be unique).
resource "random_integer" "default" {
  min = 1
  max = 9999
}

# Target group: EC2 instances answering plain HTTP on 8080 behind the ALB.
resource "aws_lb_target_group" "dev" {
  name        = "dev-${random_integer.default.result}"
  port        = 8080
  protocol    = "HTTP"
  target_type = "instance"
  vpc_id      = aws_vpc.main.id

  lifecycle {
    create_before_destroy = true
  }
}

# Register the web server instance in the target group.
resource "aws_lb_target_group_attachment" "dev" {
  target_group_arn = aws_lb_target_group.dev.arn
  target_id        = aws_instance.main.id
  port             = 8080
}
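As written above, the listener's default action forwards every request to dev, so a request that arrives by the ALB's raw DNS name or IP, or with an arbitrary Host header, is served exactly like one for "dev.domain name". The following is an added example, not code from the original post, showing a tighter listener layout for the same resources: port 80 only redirects to HTTPS, the HTTPS listener pins a TLS policy and returns a fixed 404 by default, and only the host-header rule reaches a target group. It assumes aws_lb.test, aws_acm_certificate.test and aws_lb_target_group.dev exist as defined above, and it replaces (rather than sits beside) the aws_lb_listener and aws_lb_listener_rule from the post; the ssl_policy name is the one AWS publishes for TLS 1.3/1.2 and is assumed to be available in your region.

```hcl
# Added example, not from the original post. Assumes aws_lb.test,
# aws_acm_certificate.test and aws_lb_target_group.dev from the post's tf file.

# Port 80: never serve plain HTTP, redirect everything to HTTPS.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.test.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Port 443: pin a modern TLS policy and make the default action a fixed 404,
# so only requests whose Host header matches a rule reach a target group.
# Requests by IP address, the ALB's own DNS name, or an unknown Host get nothing.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.test.arn
  port              = "443"
  protocol          = "HTTPS"
  # Assumption: AWS-published policy name, replace if not offered in your region.
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.test.arn

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "Not Found"
      status_code  = "404"
    }
  }
}

# Host-based rule: only dev.domain name is forwarded to the dev target group.
resource "aws_lb_listener_rule" "dev_host" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.dev.arn
  }

  condition {
    host_header {
      values = ["dev.domain name"]
    }
  }
}
```

With this layout the host-header rule is what actually controls routing, and a second environment is added as another aws_lb_listener_rule with its own host_header value and priority rather than by changing the default action. Remember to also open port 80 in the ALB security group if the redirect listener is added.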

The certificate is defined in the following tf file. The validation method is DNS.

# ACM certificate for the dev host, validated by a CNAME record in DNS.
# create_before_destroy lets a renewed/replaced certificate be issued before
# the listener's old one is removed.
resource "aws_acm_certificate" "test" {
  domain_name       = "dev.domain name"
  validation_method = "DNS"

  tags = {
    Environment = "development"
  }

  lifecycle {
    create_before_destroy = true
  }
}

I will omit the network surroundings such as the VPC and security groups. Once this is in place, run terraform validate and terraform fmt, then go to apply!

If the apply succeeds, perform DNS validation of the certificate.

DNS validation works by downloading the CNAME record information from ACM in the AWS console and adding that CNAME record in Route53.
After that, register "dev.domain name" in Route53 as an A record (an alias record) pointing to the DNS name of the ALB.

Then set the server name on the web server side to "dev.domain name", reload it, and you can confirm host-based routing from a browser.
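The two console steps just described (adding the ACM validation CNAME, then the alias A record for the ALB) can be done by Terraform itself, which also makes the apply wait for the certificate to be issued before the HTTPS listener references it. The following is an added example, not part of the original post: it assumes a public Route53 hosted zone for the parent domain already exists, and it keeps the post's "domain name" / "dev.domain name" placeholders, which you replace with real names.

```hcl
# Added example, not from the original post. Assumes a public hosted zone for
# "domain name" already exists in Route53 and that aws_acm_certificate.test and
# aws_lb.test are defined as in the post.

data "aws_route53_zone" "main" {
  name         = "domain name" # placeholder from the post; use the real zone name
  private_zone = false
}

# One CNAME per validation option ACM hands back. Keying for_each on the
# domain name keeps the plan stable if the certificate is re-created.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.test.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id         = data.aws_route53_zone.main.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

# Blocks the apply until ACM has seen the CNAME and issued the certificate,
# so nothing downstream uses a certificate still in PENDING_VALIDATION.
resource "aws_acm_certificate_validation" "test" {
  certificate_arn         = aws_acm_certificate.test.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

# Alias A record dev.domain name -> ALB. An alias (not a plain A record with
# the ALB's current IPs) is required because ALB addresses change over time.
resource "aws_route53_record" "dev" {
  zone_id = data.aws_route53_zone.main.zone_id
  name    = "dev.domain name"
  type    = "A"

  alias {
    name                   = aws_lb.test.dns_name
    zone_id                = aws_lb.test.zone_id
    evaluate_target_health = true
  }
}
```

To get the ordering benefit, point the listener's certificate_arn at aws_acm_certificate_validation.test.certificate_arn instead of aws_acm_certificate.test.arn; the value is the same ARN, but the dependency forces Terraform to finish validation before creating the listener.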

Thanks,
