😽

AWS ACMでDNS検証を実装しようとしたら詰まった

2023/01/07に公開

AWS

Terraform

acm

tech

以下のようにTerraformでAWS ACM証明書作成と検証を実装

# ACM
## certification
resource "aws_acm_certificate" "example" {
  domain_name = aws_route53_record.example.name
  subject_alternative_names = []
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

## DNS validation
resource "aws_route53_record" "example_certificate" {
  name = aws_acm_certificate.example.domain_validation_options[0].resource_record_name
  type = aws_acm_certificate.example.domain_validation_options[0].resource_record_type
  records = [aws_acm_certificate.example.domain_validation_options[0].resource_record_value]

  zone_id = aws_route53_zone.test_example.id
  ttl = 60
}

## wait until validation
resource "aws_acm_certificate_validation" "example" {
  certificate_arn = aws_acm_certificate.example.arn
  validation_record_fqdns = [aws_route53_record.example_certificate.fqdn]
}

以下のようなエラーを吐いた

web-app % terraform apply

Error: Invalid index

  on main.tf line 311, in resource "aws_route53_record" "example_certificate":
 311:   name = aws_acm_certificate.example.domain_validation_options[0].resource_record_name

This value does not have any indices.

Error: Invalid index

  on main.tf line 312, in resource "aws_route53_record" "example_certificate":
 312:   type = aws_acm_certificate.example.domain_validation_options[0].resource_record_type

This value does not have any indices.

Error: Invalid index

  on main.tf line 313, in resource "aws_route53_record" "example_certificate":
 313:   records = [aws_acm_certificate.example.domain_validation_options[0].resource_record_value]

This value does not have any indices.

どうやらAWS providerバージョンが原因みたい。

AWS Provider3.0.0以降はlistタイプからsetタイプに変更になったらしい。

TerraformによるDNS認証のレコード登録で「Invalid index」のエラー - Qiita

for each文に修正してみた

# ACM
## certification
resource "aws_acm_certificate" "example" {
  domain_name = aws_route53_record.example.name
  subject_alternative_names = []
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}
## DNS validation
resource "aws_route53_record" "example_certificate" {
  for_each = {
    for dvo in aws_acm_certificate.example.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }
  name            = each.value.name
  records         = [each.value.record]
  type            = each.value.type
  zone_id = aws_route53_zone.test_example.id
  ttl = 60
}

## wait until validation
resource "aws_acm_certificate_validation" "example" {
  certificate_arn = aws_acm_certificate.example.arn
  validation_record_fqdns = [for record in aws_route53_record.example_certificate : record.fqdn]
}

再度実行したが、また別のエラーが

% terraform apply    

Error: Reserved argument name in resource block

  on main.tf line 314, in resource "aws_route53_record" "example_certificate":
 314:   for_each = {

The name "for_each" is reserved for use in a future version of Terraform.

どうやらバージョンが古く、for eachが使えないっぽい

for_eachはterraform0.12.6以降に追加された機能みたいなので、アップデートが必要

https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/364

% terraform --version
Terraform v0.12.5
+ provider.aws v3.37.0

Your version of Terraform is out of date! The latest version
is 1.3.7. You can update by downloading from www.terraform.io/downloads.html

terraform0.12.6にアップデート

% tfenv install 0.12.6
Installing Terraform v0.12.6
Downloading release tarball from https://releases.hashicorp.com/terraform/0.12.6/terraform_0.12.6_darwin_amd64.zip
############################################################################################################################## 100.0%
Downloading SHA hash file from https://releases.hashicorp.com/terraform/0.12.6/terraform_0.12.6_SHA256SUMS
Not instructed to use Local PGP (/opt/homebrew/Cellar/tfenv/3.0.0/use-{gpgv,gnupg}) & No keybase install found, skipping OpenPGP signature verification
Archive:  /var/folders/qs/fyy3yr496v758vzmt7v_tdkm0000gn/T/tfenv_download.XXXXXX.4HKg53xS/terraform_0.12.6_darwin_amd64.zip
  inflating: /opt/homebrew/Cellar/tfenv/3.0.0/versions/0.12.6/terraform  
Installation of terraform v0.12.6 successful. To make this your default version, run 'tfenv use 0.12.6'

% tfenv list
  0.12.6
* 0.12.5 (set by /opt/homebrew/Cellar/tfenv/3.0.0/version)
  0.12.4

% tfenv use 0.12.6
Switching default version to v0.12.6
Default version (when not overridden by .terraform-version or TFENV_TERRAFORM_VERSION) is now: 0.12.6
% tfenv list      
* 0.12.6 (set by /opt/homebrew/Cellar/tfenv/3.0.0/version)
  0.12.5
  0.12.4

% terraform --version
Terraform v0.12.6
+ provider.aws v3.37.0

Your version of Terraform is out of date! The latest version
is 1.3.7. You can update by downloading from www.terraform.io/downloads.html

今度はうまくいった

% terraform apply
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_acm_certificate.example will be created
  + resource "aws_acm_certificate" "example" {
      + arn                       = (known after apply)
      + domain_name               = "hoge-test.com"
      + domain_validation_options = [
          + {
              + domain_name           = "hoge-test.com"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      + id                        = (known after apply)
      + status                    = (known after apply)
      + subject_alternative_names = (known after apply)
      + validation_emails         = (known after apply)
      + validation_method         = "DNS"
    }

  # aws_acm_certificate_validation.example will be created
  + resource "aws_acm_certificate_validation" "example" {
      + certificate_arn         = (known after apply)
      + id                      = (known after apply)
      + validation_record_fqdns = (known after apply)
    }

  # aws_route53_record.example_certificate["hoge-test.com"] will be created
  + resource "aws_route53_record" "example_certificate" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = (known after apply)
      + records         = (known after apply)
      + ttl             = 60
      + type            = (known after apply)
      + zone_id         = "Z07533702B9OA0PHM9C9U"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_acm_certificate.example: Creating...
aws_acm_certificate.example: Creation complete after 6s [id=arn:aws:acm:ap-northeast-1:741420225566:certificate/8d6a2d1d-cda1-4d9c-a2b7-4b2a74eb3185]
aws_route53_record.example_certificate["hoge-test.com"]: Creating...
aws_route53_record.example_certificate["hoge-test.com"]: Still creating... [10s elapsed]
aws_route53_record.example_certificate["hoge-test.com"]: Still creating... [20s elapsed]
aws_route53_record.example_certificate["hoge-test.com"]: Still creating... [30s elapsed]
aws_route53_record.example_certificate["hoge-test.com"]: Still creating... [40s elapsed]
aws_route53_record.example_certificate["hoge-test.com"]: Creation complete after 42s [id=Z07533702B9OA0PHM9C9U__84cd1dfeb27d7fab6f21457edee2257e.hoge-test.com._CNAME]
aws_acm_certificate_validation.example: Creating...
aws_acm_certificate_validation.example: Creation complete after 1s [id=2023-01-07 12:09:49.356 +0000 UTC]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Discussion